Security Vulnerabilities: A Closer look at a Cyber Criminal’s Window to your System

Security Vulnerabilities: A Closer look at a Cyber Criminal’s Window to your System

You may be hearing more and more these days of new security vulnerabilities being discovered in the news and may be wondering what exactly it may imply?  Simply, a vulnerability represents the ideal opportunity for cyber criminals to infiltrate your system to compromise your data or to perform data theft.

According to current data now, we can see that these vulnerabilities will be popping up more often as 2017 had a record-breaking year for reported exploitable vulnerabilities, with almost 20,000 security flaws reported over the year.   For the year 2018, the data is still being tallied however, a report from RiskBased Security has already noted that more than 10,000 vulnerabilities have been reported in which 3,000 potential flaws which enterprises have failed to patch.

To better understand vulnerabilities, our friends from Trend Micro has segregated them into types in which to classify them:

Traditional vulnerability – is a programming error or other type of software issue that hackers can use to sidestep password protection or security measures and gain unauthorized access to legitimate systems. These are the most rampant types of security vulnerabilities.

Zero-days – are brand new software issues that have only just been identified and have not yet been patched by vendors.  As Trend Micro explained, “that’s because the vendor essentially has zero days to fix the issue or has chosen not to fix it.”

Undisclosed vulnerability – these are flaws that have been identified and reported, but are not yet disclosed to public users, giving vendors time to patch the issue.

So, what can you do to help address these vulnerabilities?

To help keep your enterprise safe from these vulnerabilities, Trend Micro suggests that you pay attention to current security research so that you can apply the necessary findings to help keep your business safe.  Another would be to make sure that you keep yourself up to date with updates and patches.  However, with the number of vendors and patches, it can sometimes be too much for your IT to patch immediately due to the volume.  Trend suggests the following patching prioritization scheme to help ease the load of your IT team:

  • The severity of the patched issue. Microsoft and other vendors will rate vulnerabilities according to how critical they are to overall risk. More critical patches should be applied as soon as possible, whereas less critical updates can represent a lower priority.
  • Vulnerabilities impacting your enterprise’s particular key software. Similarly, updates for software systems that are used on a daily basis within the enterprise and provide essential functionality should be prioritized over other updates. A patch for a software that is only intermittently used, or only impacts a small number of users in a single department of the company, for instance, can be put on the back burner.
  • Those currently being exploited. It’s important to prioritize patches for vulnerabilities that hackers are currently using to mount attacks.

To learn more, you may visit the original Trend Micro article here, visit our product page here, or you can also contact us directly at 893-9515 and we will be happy to answer your inquiries!

Trend Micro Awards CT Link as Partner of the Year for 2018!

Trend Micro Awards CT Link as Partner of the Year for 2018!

On February 26, 2019, Trend Micro hosted their annual Partners Appreciation Night, at the B1 Sports lounge New World Makati, to celebrate the achievements that each partner has contributed to help make 2018 a successful one.  Here they presented CT Link Systems, Inc. with four awards, which included the biggest award of the night, Partner of the Year!  This award is to acknowledge the partner with highest total of new and renewal revenues of all TM products for the year.

Below is the full list of awards CT Link received:

  • FY18 Partner of the Year – CT Link Systems, Inc.
  • FY18 User Protection Champion – CT Link Systems, Inc.
  • FY18 Sales Person of the Year – Malou Cruz
  • FY18 Sales Engineer of the Year – Bren Natal

Trend Micro awarded CT Link with the FY18 User Protection Champion award to acknowledge our efforts in providing endpoint security solutions to our customers.  These solutions include the following:

OfficeScan – provides advanced endpoint and ransomware protection for Windows, Mac and Virtual Desktop Infrastructure

Vulnerability Protection – prevents network-based exploits and zero-day ransomware threats via vulnerability shielding

Endpoint Encryption – secures data with full disk, folder, file and removable media encryption

Integrated Data Loss Prevention – guards private data and intellectual property with integrated modules

Keep your data secure. Contact CT Link Systems, Inc. via our contact form or through our landline 893-9515.

Security Advisory: Vulnerabilities found on DHCP and Microsoft Exchange

Security Advisory: Vulnerabilities found on DHCP and Microsoft Exchange

Microsoft released patches for vulnerabilities that were actively being exploited via their regular security release on the last few months of 2018. They released 49 security patches and two advisories for 2019, seven were vulnerabilities rated as critical while 40 were important.

The highlight of these vulnerabilities is regarding to Windows DHCP Client (CVE-2019-0547), this allows a hacker to send commands on a machine by issuing DHCP responses. Alarmingly, most machines have DHCP client enabled across all windows operating systems, therefore applying this patch is a must. Another notable vulnerability is in the Microsoft Exchange software (CVE-2019-0586), this vulnerability could allow hackers to execute code as the system users and potentially can perform various tasks such as view, change, or delete data and even create new accounts.

Luckily for Trend Micro Customers specifically for Deep Security and Tipping point customers, Trend Micro has released virtual patch rules to protect you on those vulnerabilities immediately. While testing on the security patches released by Microsoft, Trend Micro customers can first apply virtual patch rules to eliminate exposure against possible attacks.  Please see below for the recommended virtual patches:

Trend Micro Deep Security and Vulnerability Protection recommended virtual patch rules are as follows:

  • 1009452-Microsoft Windows COM Elevation Of Privilege Vulnerability (CVE-2018-8550)
  • 1009462-Microsoft Edge Elevation Of Privilege Vulnerability (CVE-2019-0566)
  • 1009463-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0539)
  • 1009464-Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2019-0541)
  • 1009465-Microsoft Edge Memory Corruption Vulnerability (CVE-2019-0565)
  • 1009466-Microsoft Windows Multiple Security Vulnerabilities (Jan-2019) – 2
  • 1009468-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0567)
  • 1009469-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2019-0568)

Trend Micro Tipping Point MainlineDV filters to be applied are as follows:

  • 33921: ZDI-CAN-7385: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 33927: HTTP: Microsoft Edge Type Confusion Vulnerability
  • 33928: HTTP: Microsoft Edge Session Boundary Memory Corruption Vulnerability
  • 33929: HTTP: Microsoft Edge Type Confusion Vulnerability
  • 33930: HTTP: Microsoft Edge Use-After-Free Vulnerability
  • 33931: HTTP: Microsoft Windows Kernel Information Disclosure Vulnerability
  • 33948: HTTP: Microsoft Edge Type Confusion Vulnerability
  • 33949: HTTP: Microsoft Internet Explorer ProgId Code Execution Vulnerability

If you have any further inquiries with regards to these vulnerabilities with Trend Micro or as a non-Trend Micro user, contact us at 893-9515 and we would be happy to answer your inquiries!

Three Important Questions to keep in mind when securing your SAP environment

Three Important Questions to keep in mind when securing your SAP environment

Are you sure you are securing your SAP environment properly?

With the sensitive data stored in most SAP systems (HR, financials, and even more important, customer data), it would not be an exaggeration to say that it would be the main priority of attacks of cyber criminals.  This doesn’t mean that SAP does not prioritize security, this just means that security solutions have been continuously improving with the help of 3rd party enhancements.  In partnership with SAP, there are security solution partners such Trend Micro that ensure that enterprises are secure from attacks such as malware, denial-of-service attacks, cross-site scripting and other advance and targeted attacks.

So if you aren’t sure if you are properly securing your SAP environment, you can refer to this security question checklist below:

What are my security risks? Are you improving your ability to respond to customer feedback by moving customer applications to the cloud? Are you improving supply chain efficiency by opening an application to provide more visibility or communication with partners?

With how business-critical applications are now web accessible, cyber criminals now have more entry points in which they can exploit vulnerabilities in operating systems, web servers and even the business-critical application itself.  Although vendors release patches to fix these vulnerabilities, if they are not implemented on a timely basis, the system will still be at risk within those transition points.

Does my security integrate with my SAP environment?

You also need to consider whether your security can integrate well with your native SAP security.  SAP provides capabilities like the SAP Virus Scan Interface (VSI) as part of SAP NetWeaver ®  to allow certified third parties, like Trend Micro,  to augment native security capabilities.

What are the security requirements for my environment?

Cloud and virtual environments each introduce unique requirements for security. Understanding how your security solution is optimized for those environments is critical to make sure you can easily manage security and reap the expect cost, performance and agility benefits.

If you have any further inquiries on how you can better secure your SAP environment, you may call us at 893-9515 and we would be happy to help!

Managed Detection and Response: Helping to Fill in Business Security Gaps

Managed Detection and Response: Helping to Fill in Business Security Gaps

Managed detection and response (MDR) is an outsourced service that provides organizations with threat hunting service and responds to threats once they are discovered.  What sets it apart from other security services is the human element in which security providers provide access to their security resources such as their researchers and engineers who will now provide analysis to incidents while monitoring their networks.

The challenges MDR can solve

One of the more significant solutions MDR can provide to businesses is solving the lack of security skills within their organization.  Unlike bigger organizations, not all businesses can afford to hire and train dedicated security personnel that can do full-time threat hunting, which then gives them access to security which normally would be out of their reach.  This benefit is more apparent in medium sized organizations as they are targeted by cyberattacks while not having the proper resources or manpower to defend themselves adequately.  However, it must be pointed out that even if organizations budget costs and manpower to a dedicated team, they might not be able to find the right personnel in the first place.  In 2016, there were 2 million unfilled cybersecurity positions, a number that is expected to rise to 3.5 million by 2021.

                      What an organization stands to gain when MDR comes into play

Another challenge that is often overlooked by businesses is the sheer amount of alerts the security team receive on a daily basis.  Not all the alerts are malicious, but they can’t be easily identified so they must be checked individually, and threats found must also be scanned for correlation to see if there is a connection to find any bigger attacks planned in the future, and all of this take time.   MDR tries to address this problem by not only discovering the threats but also doing an analysis on the factors and indicators involved in an alert.  Analyzing and contextualizing are the most important skills of a security professionals’ arsenal, as security technologies can block threats but knowing the reasons and the patterns of the incidents can help you block bigger threats in the future.  MDR tries to solve the skill gap in cybersecurity that smaller organizations cannot usually afford due to their limited resources.

How does Trend Micro’s MDR work?

Trend Micro’s MDR provides a wide array of security services, including alert monitoring, alert prioritization, investigation, and threat hunting. It uses artificial intelligence models and applies them to endpoint, network, and server data in order to correlate and prioritize advanced threats. By investigating prioritized alerts, Trend Micro threat researchers can then work with organizations to provide a detailed remediation plan.

To learn more about Trend Micro’s MDR, you may read the original article here or you can contact us at 893-9515 and we will be happy to answer your questions!

New Exploit “Faxploit” affects HP OfficeJet All-in-One Printers

New Exploit “Faxploit” affects HP OfficeJet All-in-One Printers

Security researchers have recently demonstrated at the security conference DEF CON 2018 a vulnerability that can be exploited via HP OfficeJet All-in-One Printers.  It is being dubbed “Faxploit” by the researchers, Eyal Itkin and Yaniv Balmas.  The attack takes advantage of security flaws in the implementation of the fax protocol used by OfficeJet printers, making many businesses susceptible to the attacks.

The researchers have stated that for this particular exploit, all the attackers need is a fax number to exploit the vulnerability, which they can then hijack the network and all systems connected to it.  They then can infect the network with their malware or even worse, outright steal your business’ important data.  Researchers have said that the impact of this exploit is not a small one as it is surveyed that businesses have actually increased their fax usage by almost 82% in 2017, so even with many new technologies, fax is still one of the most used ways to move documents.

Faxploit is yet another example where unsecured devices that businesses use on a daily basis can result into vulnerabilities in their network that many cyber criminals can use to steal data or hold them ransom.  Especially now that the Internet-of-things (IoT) ready devices are getting more and more mainstream, attackers are finding more ways to hit businesses where they are at least protected since this is more or less still in the beginning phases.   These threats can stay longer in the system due to the device’s inability to protect itself, making attacks stealthier and more destructive to the organizations network.

However, HP has released patches for the vulnerabilities (CVE-2018-5924 and CVE-2018-5925) and users are recommended to apply the firmware updates to make sure they will not be affected.

For those who are interested in a more proactive approach for these types of attacks, Trend Micro’s managed detection and response service allows customers to investigate security alerts without the need to hire qualified incident response staff. It provides alert monitoring, alert prioritization, investigation, and threat hunting services to Trend Micro customers. By applying artificial intelligence models to customer endpoint data, network data, and server information, the service can correlate and prioritize advanced threats. Trend Micro threat researchers can determine the extent and spread of the attack and work with the customer to provide a detailed remediation plan.

To learn more about “Faxploit” you may read Trend’s original article here, or you may contact us at 893-9515 and we will be happy to answer your inquiries!

Security Tips: Business Email Compromise (BEC) Schemes

Security Tips: Business Email Compromise (BEC) Schemes

Business Email Compromise (BEC) Schemes

In the past few years, millions of dollars have been lost to fraudsters and scammers.  However, not all have been lost through malware attacks such as ransomware.  Business email compromise (BEC) schemes are sophisticated attacks focused mostly on companies who do wireless transfers frequently.  The FBI have estimated that nearly $750 million dollars have been lost to this type of schemes and affected more than 7,000 people between October 2013 and August 2015.  Below are a few versions of the scheme:

 

The Bogus Invoice Scheme

Referred to as “The Bogus Invoice Scheme”, “The Supplier Swindle”, and “Invoice Modification Scheme”. This scam is usually done by using the name of established partners of the business, they impersonate being an employee of the established partner while asking for wire funds for invoice payments to their fraudulent account by using a spoofed email, telephone, or facsimile.

CEO Fraud

Also referred to as “CEO Fraud”, “Business Executive Scam”, “Masquerading”, and “Financial Industry Wire Frauds”. The scammers impersonate high-level executives (CFO, CEO, CTO, etc.), lawyers, or other types of legal representatives while urging the victim that they are handling confidential and time-sensitive matters then pressuring the victim into wire transferring funds to a separate account which they control.

Account Compromise

In this scam, an email account of an employee is hacked and then used to make requests for invoice payments to fraudster-controlled bank accounts. Messages are sent to multiple vendors identified from the employee’s contact list.

Data Theft

This scam usually involves compromising an email of a role-specific employees (usually HR) in the victim’s company, then using the said email to gather identifiable information of other employees and executives which is later used as a jump-off point for more damaging BEC attacks to the company later on.

Below are some quick prevention tips on how you can avoid these types of attacks:

Prevention tips

  • Carefully scrutinize all emails. Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Review emails that request transfer of funds to determine if the requests are irregular.
  • Educate and train employees. While employees are a company’s biggest asset, they’re also usually its weakest link when it comes to security. Commit to training employees according to the company’s best practices. Remind them that adhering to company policies is one thing, but developing good security habits is another.
  • Verify any changes in vendor payment location by using a secondary sign-off by company personnel.
  • Stay updated on your customers’ habits including the details, and reasons behind payments.
  • Confirm requests for transfer of funds when using phone verification as part of two-factor authentication, use known familiar numbers, not the details provided in the email requests.

 

To learn more about BEC attacks, you can read a more in-depth article from our partner’s, Trend Micro, informative article here.  If you have inquiries that you would like answered about this topic, you can also contact us at 893-9515 and we will be happy to help!

Malware VPNFilter is on the Rise as Infected Routers Increase

Malware VPNFilter is on the Rise as Infected Routers Increase

On May 24, a report was published by security researchers upon the discovery of a group who had infected more than 500,000 home and small-enterprise routers in at least 54 countries with their malware VPNFilter.  This malware can attack, collect research, steal key credentials, monitor SCADA protocols, and install a kill command to destroy your device via your infected router.  These attacks have been happening since 2016, however there has been a spike in infections in recent weeks, mostly in Ukraine.  This has prompted the researchers to publish their report early due to its high threat and vulnerability level to the identified systems involved.

From observations from the researchers, they’ve noticed that VPNFilter’s infection goes through 3 stages:

Stage 1

Infected router enables the deployment and spread of the malware by locating target servers with downloadable images from Photobucket.com, extracting an IP address, and recognize several types of CPU architectures running on Busybox and Linux-based firmware. Redundant command and control mechanisms identify and adapt, such that if the Photobucket download fails, Stage 1 will download from ToKnowAll.com. It also listens for a trigger packet from the attackers, checking for the IP from api.ipify.org and stores it for later use. In this stage, the core malware code survives in infected systems even when rebooted.

Stage 2

It deploys intelligence collection such as file collection, command execution, device management and data exfiltration. It also deploys self-destruct capabilities. It can assess the network value the server holds, especially if the system holds potential interest to the threat actors. The actors can then decide if they can use the network to continue gathering data or use the system to propagate through the connections. The self-destruct function in this stage overwrites critical portions of the device for a reboot directive, destroying the firmware once attackers trigger the built-in kill command and leaving the device unrecoverable.

Stage 3

This stage contains modules that act as plugins for Stage 2. One packet acts as a sniffer for collecting data and intercepting traffic, such as website credentials theft and Modbus SCADA protocols, while another plugin allows for automated communication to ToR. Other plugins that have yet to be identified were observed to be included in this stage.

According to the researchers, you should take the following steps to help protect your systems from VPNFilter:

  • Reset your routers to restore its factory default settings. Rebooting stops Stages 2 and 3 from running on infected devices, at least until Stage 1 reinstalls both processes
  • Update the router’s firmware immediately once the manufacturers release the patch

For Trend Micro Smart Home Network users, you can be assured protection from this threat with the following rules implemented:

  • 1054456 WEB Linksys Unauthenticated Remote Code Execution -1 (OSVDB-103321)
  • 1054457 WEB Linksys Unauthenticated Remote Code Execution -2 (OSVDB-103321)
  • 1055170 EXPLOIT Generic Arbitrary Command Execution -1
  • 1056614 WEB Cisco Linksys E1500/E2500 apply.cgi Remote Command Injection -1 (BID-57760)
  • 1058664 WEB Cisco Linksys E1500 and E2500 Router Directory Traversal Vulnerability (BID-57760)
  • 1058665 WEB Cisco Linksys E1500 and E2500 Router Password Change Vulnerability (BID-57760)
  • 1058980 WEB Cross-site Scripting -14
  • 1059209 WEB Cisco Linksys E1500 and E2500 Router OS Command Injection Vulnerability (BID-57760)
  • 1059253 WEB Netgear DGN1000 And Netgear DGN2200 Security Bypass Vulnerability (BID-60281)
  • 1059264 WEB QNAP VioStor NVR and QNAP NAS Remote Code Execution Vulnerability (CVE-2013-0143)
  • 1059672 WEB Cisco Linksys E1500/E2500 apply.cgi Remote Command Injection -2 (BID-57760)
  • 1132723 WEB GD Library libgd gd_gd2.c Heap Buffer Overflow -1 (CVE-2016-3074)
  • 1133310 WEB Netgear R7000 Command Injection -1.1 (CVE-2016-6277)
  • 1133463 SSDP Simple Service Discovery Protocol Reflection Denial of Service Vulnerability
  • 1133464 WEB Netgear WNDR1000v4 Router Remote Authentication Bypass
  • 1133572 WEB Shell Spawning Attempt via telnetd -1.b
  • 1133802 WEB Netgear NETGEAR DGN2200 dnslookup.cgi Remote Command Injection (CVE-2017-6334)
  • 1133908 EXPLOIT QNAP Transcode Server Command Execution
  • 1134566 NETBIOS MikroTik RouterOS SMB Buffer Overflow -1 (CVE-2018-7445)
  • 1134567 NETBIOS MikroTik RouterOS SMB Buffer Overflow -2 (CVE-2018-7445)

If you have further inquiries on the above malware, you may contact us at 893-9515 and we will be happy to answer them!

Cryptomalware attacks become more prevalent with the increased popularity of Cryptocurrency

Cryptomalware attacks become more prevalent with the increased popularity of Cryptocurrency

Cyptocurrency has been a hot topic over the last year, you may have heard plenty of people investing in this currency (such as BitCoin) hoping to strike it rich as its value has been highly volatile.  As revolutionary of an idea as it is for the market, there also those who wish to profit through this new-found trend by using unscrupulous means as well.  This is apparent with the introduction of a new type of malware which specifically targets such users whom use cryptocurrency, cryptomalware.

Just like how there is variety with ordinary malware, cryptomalware comes in different forms as well, ranging from client-side web scripts to mobile applications.  As of now, the usual modus operandi of cryptomalware are to target your computer to use its computing power to mine currency or to directly steal currency by intercepting your purchases by rerouting your payments to the criminal’s wallets instead.  Even IoT devices are now being targeted by these hackers in a way to expand their operations, knowing that the computing power of these devices are not as powerful as servers or laptops.

Cryptocurrency mining unlike many other malicious malware actively uses your computer for its computational resources to mine cryptocurrency.  This process puts a great strain on infected device and could cause its lifespan to significantly decrease.  A recent study from Trend Micro found that the most detected home event was cryptocurrency mining, showing that this is becoming more prevalent now even in the average consumers home.  To help mitigate the threat, below are a few tips on what you can do to lessen your chances on getting infected:

  • Regularly update devices with their latest firmware to prevent attackers from taking advantage of vulnerabilities to get into systems.
  • Change devices’ default credentials to avoid unauthorized access.
  • Employ intrusion detection and prevention systems to deter malicious attempts.
  • Be wary of known attack vectors, such as socially engineered links, attachments, and files from suspicious websites, dubious third-party applications, and unsolicited emails.

For increased security against these threats, you may also want to consider getting a proactive security such as Trend Micro™ XGen™ security.  With high-fidelity machine learning that can secure the gateway and endpoint, and protect physical, virtual, and cloud workloads, it will give you that second layer of defense to help secure your endpoint from threats like cryptomalware.

To learn more about cryptomalware  you may check this link or you may contact us directly at 893-9515 and we will do our best to answer your inquiries.

Join Our Upcoming Event Pushstart!

Join Our Upcoming Event Pushstart!

Cloud technology is being used more by many companies due to its operational and economic benefits it can provide to them. This in turn puts more importance into securing your virtualized data centers, cloud deployments and hybrid environments. Leaving any gaps or neglecting any aspect in your security can now expose you and your company to more threats and serious breaches such as ransomware and other malicious attacks.

CT Link Systems, Inc., in partnership with Trend Micro, invites you to attend our upcoming event, Pushstart, to learn more on how you can better secure your company from the growing threats on Cloud platforms such as Microsoft Azure and Amazon Web Services!

Register HERE if you would like to learn more!