Modern Cyberattack’s Big Secret: We Are All Targets

Excuses Get in the Way of Cybersecurity

Have you heard these excuses for not understanding or mitigating your cyber risk before? Have you used one of these excuses before?

  • “We don’t have anything of value; why would someone want to hack us?”
  • “We’re too small of a company for a hacker to target.”
  • “We’re in a small, rural area; no one knows who we are.”
  • “We’ve got a firewall, so we’re protected.”
  • “We trust our people not to fall for scams.”
  • “We’ve got insurance; we’re covered.”


Here’s a much better quote: “Excuses destroy success every time.” – Jon Taffer


Let’s put all of these excuses to bed quickly and discuss why none are true.

 

Modern Cyberattacks are Automated

Many organizations make the mistake of thinking that most cyberattacks are “targeted” attacks against large businesses or high-value targets. In today’s environment, nothing could be further from the truth.


Today’s “hacker” doesn’t look like the mental image of a hacker that most people imagine. It’s not some 15-year-old kid in his (or her) mom’s basement, drinking a liter of soda, eating a bowl of Cheetos, wearing a hoodie, and “hacking the planet.” Today’s hacker is a professional (in nearly every sense) who gets paid (well) to do a job (just like you).


The second thing to keep in mind is that a hacker isn’t sitting around in a hacker cubicle somewhere in the world, using the command prompt to ping IP addresses manually one by one. Modern hackers have numerous programs that automatically search the internet for devices that are “alive” – i.e., devices that have an IP address and are willing to communicate with other devices on the internet.


Taking this a step further, attackers are not simply looking for active IP addresses; their tools automatically identify what type of device sits behind each IP address and what OS that device is running. Again, this process is automated in most standard vulnerability management software applications today. Is the device associated with that IP address a workstation, a laptop, a server, a firewall, or an IoT device? What version of Windows/iOS/Linux/firmware is that device running? Are there open ports? Known security vulnerabilities on this device? There are? Cool, I’ll see myself in; thanks.

[Image: “Hello” name tag with an IP address]


The last important thing to keep in mind is that hackers typically don’t know who you are, where you are, what you have, and how much of what you have until after they’ve compromised your device or network. To an attacker, you’re simply an IP address to compromise. And remember, all devices you own or use that are connected to the internet have an IP address – your corporate network (typically fronted by a firewall), the smartphone sitting next to your computer, your Amazon Echo (Alexa) or Google Home, your car (if you can start your car from your phone, it’s connected to the internet), the cameras you use to keep track of your home or kids, and many more. If it touches the internet, it’s got an IP address. And IP addresses are easily inventoried, scanned, and potentially exploited automatically if you haven’t taken steps to mitigate your risk.

 

Hacking is Easier Than Ever Before

In addition to automatically scanning for and exploiting IP addresses, modern attackers deploy a variety of other cost-effective and readily-available tools that make hacking easier than ever before.
 

Phishing is CHEAP

Modern cyberattacks predominantly begin with a simple phishing email – in fact, 91% of all cyberattacks start with a phish. Everyone reading this blog post has received a phishing email, and your junk/spam folder is (hopefully) currently littered with all the proof you need to believe that statistic.


The reality is that email is essentially free: anyone can set up a Gmail, Outlook (formerly Hotmail), or even a nicely secured Proton email account in minutes. Email lists are easy to find around the internet if you don’t already have a large distribution list. You can purchase a list if you’d like, or better yet, you could target an organization’s employees using social media or a site like https://hunter.io/ to find all email addresses associated with a specific company or domain.


Phishing is limited only by the number of emails an attacker can send out at one time or in one day, and one can easily sign up for additional free email accounts to get around that little speedbump.

 

Shodan

In case you aren’t sold on the idea, check out the website called Shodan and simply search for a few common computing terms, such as: remote desktop, windows XP, camera, SQL, or root. You’ll be surprised how many results come back for each search term, and you can do some YouTube’ing and find even more interesting queries to use on Shodan. Just remember, kids – it’s legal to look, but once you set foot inside the front door, you’ve crossed the line.

 

PowerShell Empire

PowerShell Empire is another free, open-source tool used by good and bad guys alike. PowerShell Empire bills itself as a “post-exploitation agent built on cryptologically-secure communications and a flexible architecture.” PowerShell Empire allows attackers to run PowerShell (a powerful command-line shell and scripting language built into Microsoft operating systems) without having to access the tool on an OS, along with some additional tools for moving around inside a network.

 

Compromised Email Addresses and Password Dumps

Password reuse is a very common mistake made by users of… well, every online platform. If you have re-used the same password for LinkedIn as you do for Facebook, Instagram, Gmail, Yahoo, Dropbox, or [insert website of your choice], please change your password(s) immediately.


Each of these websites has been compromised in the last few years, and if you re-use the same email/user ID and password for those compromised sites as you do for your online banking accounts or your work email, you will find yourself in trouble.


Hackers know that a majority of internet users re-use username and password combinations. However, rather than manually entering usernames and passwords into 100 different websites themselves, hackers have built tools that automatically try lists of usernames and passwords against thousands of websites.

 

Cyber Crime as a Service

If you’re not a professional hacker, fear not! You can subscribe to rent-a-hacker services, such as Phishing-as-a-Service, Ransomware-as-a-Service, or DDoS-as-a-Service by simply doing some research and hiring the right hacker/vendor. Modern “hackers” don’t need to develop their own malicious code, they can simply sign up for a ransomware service, much like you subscribe to Netflix or Spotify, and begin their attacks.


A recent story from BankInfoSecurity highlights a popular 2019 Ransomware-as-a-Service (RaaS) group known as Sodinokibi, which has taken over the top RaaS provider mantle from the recently “retired” GandCrab operation. Sodinokibi claims to have earned more than $2 billion since May 31st, 2019, when GandCrab announced their retirement.


Sodinokibi’s average ransom demand is about 0.45 bitcoin, worth around $4000 today. Subscribers are provided with the ransomware and instructions on how to launch effective attacks. Sodinokibi, for example, keeps 40% of the ransom paid for the first three (3) payments (60% to the subscriber), then drops its rate to 30% (70% to the subscriber) after the third successful ransomware payment.


Wild, isn’t it? Cyber Crime as a Service is an extremely lucrative business to be in, and organizations like Sodinokibi have deep pockets, large budgets, and operate just as a normal, growing business would operate – including marketing its services and running a large affiliate program.
[Image: “Your computer has been infected” graphic]


Free Hacker Tools

The internet is FULL of hacker tools that nearly anyone with 30 minutes of free time and some curiosity can learn to use, including:

  • Kali Linux: the Pen Tester’s Operating System
  • OSINT: Open Source Intelligence (find out all kinds of publicly listed information on people, businesses, IP addresses, email, government contracts, building plans, etc.)
  • CIRT.net: Default passwords for most networking devices
  • SecTools: Top Hacker Tools – Top 125 Network Security Tools
  • Caller ID Spoofing: Hundreds of free apps available for desktop or mobile
  • People Search: Find family members, phone numbers, property records, business records, court records, etc.

 

You Have Value to an Attacker

The other frequent misconception from organizations is that they don’t have anything of “value” to an attacker, but again, nothing could be further from the truth.


Your organization may not have top-secret, classified government information or millions of dollars in your bank account, but you certainly have information or assets that a hacker can either use or sell, including:

  • Customer information, including (though not in all cases) social security numbers, bank account numbers, birthdates, addresses, and contact information
  • Employee information, such as social security numbers, bank account numbers, birthdates, addresses, and contact information
  • Sensitive corporate information, such as trade secrets and software licenses
  • Online banking information, including usernames and passwords
  • Email accounts, which can be compromised and used to send more phishing email or initiate email fraud attacks
  • Social media accounts, which can be compromised to spread false information or defamatory statements
  • Computer assets, which hackers can use to host their information, serve as pivot points for other attacks, or use to attack (DDoS) other computers or networks

For more information about how a hacker can use whatever information or device access they can get, check out Brian Krebs’ article on the Value of a Hacked PC.

 

Testing the Theory

On a few different occasions, SBS has set up a honeypot (a decoy device connected directly to the internet, designed to be an attractive target for hackers, with logging enabled to record each attack and understand its timing and vectors) to see how long it would take an attacker to compromise the device.


We’ve set up different versions throughout 2019, with compromise times ranging from 58 seconds to 58 minutes. In our most recent experiment, we built a virtual machine (VM) that appeared to the internet as a Windows Server host, placed it in a DMZ, and installed an open-source honeypot application called “Artillery” from Dave Kennedy’s Binary Defense to monitor the attack. This VM had open ports for RDP (3389), VNC (5800 and 5900), SSH (22), SMTP (25), SNMP (161 and 162), and HTTP (80).


In this example, the VM was brought online at 4:50 PM, and port scans were detected within seconds. The first true attack was recorded at 5:50 PM, and active brute-forcing began at 6:08 PM. Full compromise of the VM, including the default administrative account, followed shortly thereafter.

[Image: scan logs from the honeypot attack]


In previous experiments, vulnerable VMs designed to look like Windows XP were attacked and compromised in under 1 minute.  
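The sweep-then-brute-force pattern these experiments record is exactly what a defender should be alerting on. The script below is an added example (not SBS’s code and not Artillery’s; the log format and the source addresses are constructed for illustration): it parses honeypot-style log lines, flags any source that touched several of the listed ports, and flags any source whose failed logins exceed a threshold inside a sliding one-minute window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not Artillery's real format), one line per connection
# or failed login: a port sweep from one source, then an RDP password-guessing run.
SAMPLE_LOG = """\
2019-12-10 16:50:03 src=203.0.113.7 event=connect dport=22
2019-12-10 16:50:04 src=203.0.113.7 event=connect dport=80
2019-12-10 16:50:04 src=203.0.113.7 event=connect dport=161
2019-12-10 16:50:04 src=203.0.113.7 event=connect dport=3389
2019-12-10 16:50:05 src=203.0.113.7 event=connect dport=5900
2019-12-10 17:50:12 src=198.51.100.9 event=connect dport=3389
""" + "".join(
    f"2019-12-10 18:08:{i:02d} src=198.51.100.9 event=auth_fail dport=3389 user=administrator\n"
    for i in range(12))
LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) event=(\S+) dport=(\d+)(?: user=(\S+))?$")

def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, event, dport, user = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
                       "event": event, "dport": int(dport), "user": user})
    return events

def port_scanners(events, min_ports=5):
    """Sources that touched at least min_ports distinct ports: the sweep phase."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dport"])
    return {src for src, p in ports.items() if len(p) >= min_ports}

def brute_forcers(events, threshold=10, window=timedelta(minutes=1)):
    """Sources with >= threshold failed logins in one sliding window -> first crossing time."""
    recent, flagged = defaultdict(deque), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "auth_fail":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e["src"] not in flagged:
            flagged[e["src"]] = e["ts"]
    return flagged
```

On the sample log, the sweeping source is flagged after five distinct ports and the RDP guesser is flagged at the tenth failure within the minute, well before the ~18-minute gap the experiment saw between first contact and active brute-forcing.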


From a security perspective, it’s extremely important to remember that you’re simply a number on the internet; a number that hackers are scanning regularly, just looking for an opportunity. Continue reading Top 5 Ways to Mitigate Your Risk – the Basics for a better understanding of basic cybersecurity steps you can take to mitigate your risk and learn what your network looks like to an attacker from the outside.

 


Written by: Jon Waldman
Partner, EVP of IS Consulting 
SBS CyberSecurity, LLC


 

SBS Resources: 

  • {Blog} Top 5 Ways to Mitigate Your Risk - The Basics: To protect yourself from falling victim to a cyberattack, consider these five basic cybersecurity steps to mitigate your risk and begin understanding what your network looks like to an attacker from the outside.
  • {Service} Vulnerability Assessment: Stay one step ahead of a cybercriminal by identifying and investigating weaknesses in your network before they do. A Vulnerability Assessment is a proactive approach to identifying shortcomings and arming your organization with information to fortify your systems. Vulnerability Assessments from SBS are completed remotely and provide your institution more visibility into how well your patch management program is functioning.
  • {Service} Penetration Test: Harden your network against a cybercriminal’s malicious attack by having an SBS ethical hacker safely simulate a cyberattack and exploit vulnerabilities. External Penetration Testing is the process of working from outside your organization’s network to discover, actively exploit, and report vulnerabilities that affect the confidentiality, integrity, and availability of your IT systems.


Posted: Tuesday, December 17, 2019
Categories: Blog