What happens if your email password is compromised?

The typical way an email password is compromised is a successful phishing attempt: the password is leaked to a fake Microsoft or Google sign-in page after the user clicks a link in a suspicious email and enters their credentials.

[Images: phishing email (password expiry lure); phisher's destination site]

The first picture shows a typical phishing email. The second shows the phisher's destination site, revealed by hovering the mouse over the link.

The perpetrator will then authenticate and maintain a persistent session on webmail, stealthily monitor your email communications and gather information on the correspondence you have.

This is particularly damaging if the email account is a business account. It does not matter whether you are a trade creditor or trade debtor: once these details are available to them, they can construct another email engineered to trick either you (posing as your supplier) or your supplier (posing as you), requesting that a pending payment be made to a different bank account because of some supposed banking issue.

A misspelled domain (1 in place of l, or vice versa) or a similar-sounding domain will be registered and a fake email account created. It will be so similar that, other than the domain name, the sender's name (even matching in case), signature, message content and sentence construction will be exactly the same.

The victim will then be instructed to pay into the scammer's bank account and may only realize it when the supplier starts asking for payment.
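One defensive check a mail filter can apply to the look-alike-domain trick described above is to normalise the sender's domain (1 to l, 0 to o, rn to m, and so on) and compare it against the domains of known trading partners. The following is an added example, not code from the original article; the partner domains and sender addresses are constructed, and the confusable-character table is a small illustrative subset.

```python
"""Flag sender domains that impersonate a known trading partner's domain.

Added example (not from the original article). The partner list and the
sample sender addresses are constructed for the demonstration.
"""
import re

# Characters commonly swapped to build a look-alike domain (illustrative subset).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

# Constructed: domains of suppliers/customers the business corresponds with.
KNOWN_PARTNER_DOMAINS = {"acme-supplies.example", "globalparts.example"}


def skeleton(domain: str) -> str:
    """Normalise a domain so visually similar spellings collapse together."""
    d = domain.lower().translate(CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")   # rn looks like m, vv like w
    return re.sub(r"[^a-z.]", "", d)              # drop hyphens and digits


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, partners=KNOWN_PARTNER_DOMAINS) -> str:
    """Return 'known-partner', 'lookalike-of:<partner>' or 'external'.

    A look-alike verdict means the message should be held or tagged for
    review before anyone acts on a change of bank details."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in partners:
        return "known-partner"
    for partner in partners:
        if skeleton(domain) == skeleton(partner) or edit_distance(domain, partner) <= 2:
            return f"lookalike-of:{partner}"
    return "external"


if __name__ == "__main__":
    for sender in ("bob@acme-supplies.example", "bob@acme-supp1ies.example",
                   "bob@acrne-supplies.example", "bob@other-company.example"):
        print(sender, "->", classify_sender(sender))
```

The skeleton comparison deliberately errs on the side of flagging (a legitimate domain containing "rn" will match its "m" twin), which is the right trade-off for a check whose outcome is a review queue rather than a block.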

Some steps that IT administrators can take are:

  1. Enforce multi-factor authentication for email access using mobile OTP or authenticator apps.
  2. Train users to identify phishing emails with a phishing simulator (Microsoft or third party) and conduct regular training for new and existing users.
  3. Enforce modern authentication, password strength and complexity, and set a password expiry period.
  4. Force sign-out of all sessions on each password change so that sessions cannot continue on cached credentials.
  5. For users who do not access email externally, disable Outlook Web Access (webmail), insecure protocols, and POP3 and IMAP access.
  6. Monitor Azure AD sign-in logs for suspicious failed or successful sign-ins from outside your geographic location, as they may indicate successful phishing attempts. If necessary, force a password reset and sign out all sessions.
  7. Tag external emails with a warning message and educate users on why an email is tagged as external even when it appears to come from someone within the organization, and to be cautious of attachments and links in such emails. Emails that look internal but carry the external tag deserve particular caution.
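Step 6 above (reviewing sign-in logs for activity outside your region and deciding who needs a forced reset) is easy to script once the log is exported. The following is an added example, not code from the original article: the field names mirror a few fields of an Azure AD sign-in log export (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode with 0 meaning success), but the records, IP addresses, the failure code used and the expected-country set are all constructed assumptions.

```python
"""Review Azure AD style sign-in records for accounts that deserve a forced
password reset and sign-out of all sessions.

Added example, not from the original article. Field names follow the shape
of an Azure AD sign-in export; the records and the expected-country set are
constructed for the demonstration.
"""
from collections import defaultdict

# Assumption: the organisation's users normally sign in from Singapore only.
EXPECTED_COUNTRIES = {"SG"}
FAILED_PASSWORD = 50126   # used here as the sample "wrong password" error code


def rec(user, when, ip, country, error=0):
    """Build one constructed sign-in record in the export's shape."""
    return {"userPrincipalName": user, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error}}


SAMPLE_SIGNINS = [  # constructed sample export (RFC 5737 documentation addresses)
    rec("alice@example.com", "2024-03-01T08:01:00Z", "203.0.113.10", "SG"),
    rec("bob@example.com",   "2024-03-01T09:00:00Z", "198.51.100.7", "US", FAILED_PASSWORD),
    rec("bob@example.com",   "2024-03-01T09:00:20Z", "198.51.100.7", "US", FAILED_PASSWORD),
    rec("bob@example.com",   "2024-03-01T09:00:40Z", "198.51.100.7", "US", FAILED_PASSWORD),
    rec("bob@example.com",   "2024-03-01T09:01:00Z", "198.51.100.7", "US"),
    rec("carol@example.com", "2024-03-01T10:00:00Z", "203.0.113.22", "SG"),
    rec("dave@example.com",  "2024-03-01T11:00:00Z", "192.0.2.55",   "NL"),
    rec("alice@example.com", "2024-03-01T12:00:00Z", "203.0.113.10", "SG", FAILED_PASSWORD),
]


def review_signins(records, expected=EXPECTED_COUNTRIES, fail_threshold=3):
    """Return (user, finding, detail, ip) tuples.

    Two patterns are flagged: a successful sign-in from outside the expected
    region, and a success that follows a run of failed attempts for the same
    account (a guessed or phished password being tried)."""
    findings = []
    recent_failures = defaultdict(int)
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        if r["status"]["errorCode"] != 0:
            recent_failures[user] += 1
            continue
        if country not in expected:
            findings.append((user, "success-outside-region", country, r["ipAddress"]))
        if recent_failures[user] >= fail_threshold:
            findings.append((user, "success-after-failures", recent_failures[user], r["ipAddress"]))
        recent_failures[user] = 0   # a success ends the run of failures
    return findings


def users_to_reset(findings):
    """Accounts that should get a forced password reset and sign-out of all sessions."""
    return sorted({user for user, *_ in findings})


if __name__ == "__main__":
    found = review_signins(SAMPLE_SIGNINS)
    for f in found:
        print(f)
    print("reset and sign out:", users_to_reset(found))
```

A single failed attempt followed by nothing (alice at 12:00 in the sample) is not flagged; the threshold and the expected-country set are the two knobs to tune for your own environment.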

Disable App Install from External Sources – Android

A mobile OS's default app store, such as Apple's App Store, Android's Google Play or Huawei AppGallery, publishes only approved apps that have been checked for malicious or suspicious code, and it is the safest way to install mobile apps.

Scammers use ads to entice unwitting users into installing a malicious remote access/control tool: downloading it directly to the device, disabling security checks, then installing and running it.

Granting an app on Android (e.g. Chrome) permission to install third-party APKs also risks future drive-by installation of unknown apps that may contain malicious code, since no user intervention is then required to download and install malicious program files.

Here are the steps to check whether any of your installed apps is allowed to install APKs from unknown sources on your Android device. My device is a Huawei and the steps may vary slightly for your mobile brand.

1. Click Settings.

2. Scroll through the list to the Security option and click on it.

3. Look for More Settings. On some versions there may be an Apps option that lets you toggle and disable the install permission directly for each installed app in the list.

4. Click "Install apps from external sources".

5. Scroll through your list of installed apps and look for any marked "Allowed" instead of "No".

6. Toggle the switch off (greyed out) to disable it.

Stealing passwords and impersonation are among the scammers' key goals, and with present-day powerful smartphones there are no telltale signs that your device has been compromised.

To reduce the chance of malicious apps capturing passwords with keylogger programs, enable biometric login for your important apps (e.g. banking, government, even SMS) where it is available. Also turn off mobile data and Wi-Fi while charging at night, which shrinks the window for unauthorized call-home or remote access.

Consider getting a robust antivirus and security tool to protect and actively monitor for suspicious activities on your device.

Consider getting an antivirus program for your PCs and portable devices to monitor and block malicious activity.

Dr Web Security Space consists of a suite of security tools that protect both your PC and your mobile device on a single license.

Active prevention is better than reacting only after suffering financial loss from an account compromised by malware.

Contact us if you require assessment on business licensing for your environment.

What causes data loss?

Some common scenarios are: two disks failing in a RAID 5 array, disk controller failure in any type of setup, ransomware (deleting shadow copies, then encrypting and deleting files), mechanical failure, and accidental or malicious deletion.

A well-planned backup is important. A poorly planned backup may fill your disks with stale or old data while preventing any new data from being backed up. Data that has not been accessed for a long time should be archived and moved to an offsite facility for long-term retention, e.g. Iron Mountain.

Another option is cheaper cold-tier cloud storage, e.g. Azure or Google Cloud. BackBlaze B2 is also reasonably cheap but offers hot storage. These tiers are generally cheap for archiving but expensive to restore from.

On Windows servers or desktops, the forfiles command from a command prompt will show which files have not been modified within the period you specify.

e.g. ForFiles /p "D:\LogFiles" /s /d -365
lists files under D:\LogFiles (including subfolders) whose last-modified date is 365 or more days ago
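The same "not modified for N days" listing, portable to Linux file servers and to scripts that feed an archive job, can be done in a few lines of Python. This is an added example, not code from the original article; it builds a throwaway sample tree in a temporary directory and back-dates the files' modification times, so the paths and ages are constructed.

```python
"""List files whose last-modified time is at least N days old, the same
selection ForFiles /s /d -N makes.

Added example, not from the original article. The sample tree is
constructed in a temporary directory so the script runs anywhere.
"""
import os
import tempfile
import time
from pathlib import Path

DAY = 86400


def stale_files(root, days):
    """Return site-relative POSIX paths of files not modified for `days` days."""
    cutoff = time.time() - days * DAY
    root = Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mtime <= cutoff)


def build_sample_tree():
    """Constructed sample: three files with mtimes 400, 800 and 10 days old."""
    root = Path(tempfile.mkdtemp(prefix="logfiles_"))
    (root / "sub").mkdir()
    ages_in_days = {"old.log": 400, "sub/older.log": 800, "recent.log": 10}
    now = time.time()
    for name, age in ages_in_days.items():
        path = root / name
        path.write_text("sample log content\n")
        stamp = now - age * DAY
        os.utime(path, (stamp, stamp))   # set atime and mtime into the past
    return root


def demo(days=365):
    """Build the sample tree and report what an archive job would pick up."""
    return stale_files(build_sample_tree(), days)


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

Feeding the returned list to an archive or copy step, rather than deleting anything directly, keeps the script in the "indication" role the forfiles command plays above.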

Keep your initial disk-array configuration in your documentation if it is not the default, as it will make data recovery from a RAID setup less painful. Creating multiple images of different configurations is stressful when the disks are already failing.

Backup is a specialized area in IT and requires proper planning, sizing, management of duplicate and stale data, and ultimately meeting your recovery point objective and recovery time objective. A unified backup strategy has to cover an array of different data structures: hypervisors, virtual machines, containers, databases and cloud. We provide solutions for backup and data recovery.

Tired of managing daily IT operations, security, malware, backups, system updates and patches? Talk to us about our IT managed service and let us take care of your office's IT needs.

Extending your wireless coverage

When you need to extend wireless coverage to a hard-to-reach area that is close to the Ethernet cable length limit, a range extender may not be a good idea. Instead, a wireless point-to-point link will bridge the gap and provide a wireless backhaul from your perimeter back to your main site.

With the right access point deployed and proper planning, the extended area can even be an outdoor area reached from indoors, or an area with limited line of sight.

Check with us for solutions that stretch your existing network's Wi-Fi coverage to your perimeter or a nearby site office. Such a link is often an alternative to running fiber cables and/or provides additional redundancy for existing infrastructure.

What is a Zero-Day Threat?

A zero-day threat refers to a security vulnerability or software flaw that is discovered by cyber attackers before the software vendor becomes aware of it. As a result, there is no patch or fix available to defend against the threat, making it particularly dangerous.

Zero-day threat protection is a cybersecurity strategy designed to defend against threats that exploit previously unknown vulnerabilities in software or hardware. These vulnerabilities are called “zero-day vulnerabilities” because they are discovered by attackers before the software vendor is aware of them, leaving zero days for the vendor to develop and release a patch.

Zero-day threat protection typically involves a combination of proactive and reactive measures to detect and mitigate zero-day attacks. Here’s how it generally works:

  1. Behavior-based Analysis: One approach to zero-day threat protection is behavior-based analysis. Security solutions monitor the behavior of files, applications, and network traffic in real-time. If an unknown file exhibits suspicious or malicious behavior, the security system may quarantine or block it to prevent potential harm.
  2. Heuristics and Machine Learning: Security tools use heuristics and machine learning algorithms to identify patterns and behaviors associated with malware and exploits. They compare files and code against known threat profiles to identify potential zero-day threats.
  3. Sandboxing: Some security solutions use sandboxing to analyze potentially malicious files or code in a controlled environment. Sandboxing isolates suspicious files from the main system, allowing security experts to observe their behavior without risking the host system’s security.
  4. Threat Intelligence Sharing: Companies and organizations often share threat intelligence and information about zero-day threats with each other and security vendors. This collaboration helps identify and respond to new threats more effectively.
  5. Rapid Patching and Updates: When zero-day vulnerabilities are discovered, software vendors work swiftly to develop patches and updates to fix the vulnerabilities. Users are urged to apply these patches as soon as they become available to protect their systems.
  6. Security Policies and Access Controls: Implementing robust security policies and access controls can limit the attack surface and reduce the impact of zero-day threats. By restricting unnecessary privileges and controlling access to critical systems, organizations can minimize the potential damage.
  7. User Education and Awareness: Educating users about the risks of social engineering attacks, phishing emails, and malicious downloads can help prevent zero-day exploits. Encouraging users to be cautious and vigilant can reduce the likelihood of successful attacks.

While zero-day threat protection strategies can significantly reduce the risk of zero-day attacks, no security measure is foolproof. The cybersecurity landscape is constantly evolving, and attackers are continually developing new techniques. A multi-layered security approach that includes regular updates, strong access controls, user education, and threat intelligence sharing is crucial for a comprehensive defense against zero-day threats.

What is Zero Trust?

Zero Trust is a network security concept and architectural approach that challenges the traditional perimeter-based security model. In a Zero Trust model, trust is never assumed, regardless of whether a user or device is inside or outside the corporate network. Instead, every request for access to resources is carefully verified and authenticated before being granted, regardless of the user’s location.

The core principles of Zero Trust include:

  1. Verify and Authenticate: All users, devices, and applications attempting to access resources must be verified and authenticated before access is granted. This involves using strong identity verification methods like multi-factor authentication (MFA) to ensure the user’s identity.
  2. Least Privilege: Users and devices are granted the least amount of privileges necessary to perform their tasks. This principle ensures that even if a user’s credentials are compromised, an attacker’s access to sensitive resources is limited.
  3. Micro-Segmentation: The network is divided into smaller, isolated segments or zones to reduce the potential impact of a security breach. Each segment has its own security policies and controls, and communication between segments is strictly regulated.
  4. Continuous Monitoring: Continuous monitoring and analysis of user behavior, device health, and network traffic help detect anomalies and potential security threats in real-time.
  5. Access Controls: Granular access controls are applied based on user identity, device health, and other contextual information. Access decisions are dynamically made based on this context.
  6. Encryption: Data in transit and at rest is encrypted to protect sensitive information from unauthorized access.
  7. Assume Breach: Zero Trust operates on the principle of “assume breach.” Instead of relying solely on prevention, the architecture assumes that threats are already inside the network and focuses on detection, containment, and response.
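Principles 1, 2, 3 and 5 above come together in a single access decision: every request is evaluated against a per-resource policy on identity, MFA, device health and network segment, with unknown resources denied by default. The following is an added example, not code from the original article; the resources, roles, segments and policy table are constructed to illustrate the decision flow.

```python
"""Contextual access decisions in the Zero Trust style described above.

Added example, not from the original article. The policy table, roles,
segments and sample requests are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class Request:
    """Context gathered for one access attempt."""
    user: str
    role: str
    mfa: bool              # did this session complete multi-factor authentication?
    device_compliant: bool  # did the device pass its health/compliance check?
    source_segment: str    # micro-segment the request arrives from
    resource: str


# Constructed per-resource policy: entitled roles, required controls, permitted segments.
POLICY = {
    "hr-db": {"roles": {"hr"}, "mfa": True, "compliant_device": True,
              "segments": {"hr-zone"}},
    "wiki":  {"roles": {"hr", "eng", "sales"}, "mfa": True, "compliant_device": False,
              "segments": {"hr-zone", "eng-zone", "sales-zone", "vpn"}},
}


def decide(req: Request, policy=POLICY):
    """Return ('allow' | 'deny', reason).

    Every check must pass; being 'inside the network' grants nothing, and a
    resource with no policy entry is denied (default deny)."""
    rule = policy.get(req.resource)
    if rule is None:
        return "deny", "unknown resource (default deny)"
    if req.role not in rule["roles"]:
        return "deny", "least privilege: role not entitled"
    if rule["mfa"] and not req.mfa:
        return "deny", "MFA required"
    if rule["compliant_device"] and not req.device_compliant:
        return "deny", "device health check failed"
    if req.source_segment not in rule["segments"]:
        return "deny", "micro-segmentation: segment not permitted"
    return "allow", "all contextual checks passed"


def audit(requests, policy=POLICY):
    """Decision records for continuous monitoring: (user, resource, decision, reason)."""
    return [(r.user, r.resource, *decide(r, policy)) for r in requests]


if __name__ == "__main__":
    sample = [  # constructed sample requests
        Request("alice", "hr", True, True, "hr-zone", "hr-db"),
        Request("alice", "hr", True, True, "vpn", "hr-db"),
        Request("erin", "eng", True, False, "eng-zone", "wiki"),
        Request("erin", "eng", True, True, "eng-zone", "hr-db"),
    ]
    for row in audit(sample):
        print(row)
```

The reason string is as important as the verdict: the audit records are what the continuous-monitoring and assume-breach principles consume, so a denied request from a normally trusted segment becomes a signal rather than silent noise.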

Zero Trust architecture is particularly relevant in today’s distributed and cloud-based environments, where the traditional perimeter-based security model is no longer sufficient to protect against sophisticated cyber threats. By adopting a Zero Trust approach, organizations can strengthen their security posture, reduce the attack surface, and improve the overall resilience of their network against modern cyber threats.

Check File for Virus

Suspicious about a file? Check file for virus using Doctor Web’s updated virus database.


Worry about insufficient IT security? Protect your corporate network with Dr Web Security Suite now.

HTTPS Cipher Mismatch Error

The “cipher mismatch error” typically occurs in the context of secure internet connections when there is a mismatch between the encryption algorithms supported by the client (usually a web browser) and the server it is trying to connect to. This issue prevents the establishment of a secure and encrypted connection, leading to an error message being displayed to the user.

Besides network errors, common causes include an outdated web browser, an outdated server SSL/TLS configuration, server misconfiguration, expired SSL/TLS certificates and incompatible cipher suites.

Much has changed since 2021, when support for TLS 1.1 was disabled. Many modern browsers no longer support any SSL/TLS version prior to 1.2.

[Image: "connection not secure" browser error]

There may be reasons you want to access an old router or firewall: to look at an old configuration, back up the config or check network information.

[Image: enabling TLS 1.0 in the browser settings]

You may need to enable TLS 1.0, TLS 1.1 and, for even older routers, the SSL protocols in order to access the router's web admin portal. Just remember to reverse the process once you are done.

[Image: clicking through the browser error]

You may also need to use Internet Explorer (no longer available in Windows 11), as all newer versions of Chrome, Firefox and Opera do not support the older protocols.

If you insist on not using IE, you may need to look for versions prior to Chrome 84, Edge 84, Firefox 78 and Safari 14 for TLS 1.0 to work.

Malicious Linux Trojan Exploits WordPress Vulnerabilities to Hack Websites

Doctor Web, an anti-virus company, has uncovered a malicious Linux program called Linux.BackDoor.WordPressExploit.1 that targets websites using WordPress CMS. The malware exploits 30 vulnerabilities found in various plugins and themes for WordPress. If websites are using outdated versions of these add-ons without crucial fixes, the malware injects malicious JavaScript into their pages. This results in users being redirected to other websites when they click on any area of the attacked page.

The trojan is remotely controlled by cybercriminals, who can direct it to attack specified websites, switch to standby mode, shut itself down, or pause logging of its actions. It focuses on hacking WordPress-based websites and injecting malicious scripts into their webpages using known vulnerabilities in plugins and themes. The trojan collects statistics on its attacks and reports back to the C&C (command and control) server.

Additionally, Doctor Web discovered an updated version of the trojan called Linux.BackDoor.WordPressExploit.2, which has some differences in C&C server address and the list of exploited vulnerabilities.

To protect against this threat, website owners are advised to keep their WordPress platform and all its components, including third-party add-ons and themes, up-to-date. Strong and unique logins and passwords should also be used for website accounts.

The vulnerable WordPress plugins and themes are unpatched versions of:

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin
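Beyond keeping plugins patched, a site owner can spot the kind of injection described above (JavaScript added to rendered pages) by periodically checking each page's script tags against an allowlist of the hosts the site legitimately loads scripts from. The following is an added example, not code from the original article or from Doctor Web; the sample HTML, the allowlisted hosts and the unexpected host are constructed.

```python
"""Report <script> sources on a page that are not on the site's allowlist,
plus a count of inline scripts, as a quick integrity check for injected
JavaScript after a WordPress compromise.

Added example, not from the original article or Doctor Web. The sample
HTML, allowlist and hostnames are constructed (.test TLD).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: hosts this site legitimately loads scripts from.
PAGE_HOST = "www.example-shop.test"
ALLOWED_SCRIPT_HOSTS = {PAGE_HOST, "cdn.example-shop.test"}

SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example-shop.test/theme.js"></script>
</head><body>
<p>Welcome to the shop.</p>
<script src="https://stats.unknown-host.test/x.js"></script>
<script>window.__demo = 1;</script>
</body></html>"""   # constructed page: one unexpected external script, one inline script


class ScriptCollector(HTMLParser):
    """Collect external script URLs and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def unexpected_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS, page_host=PAGE_HOST):
    """Return the external script URLs whose host is not allowlisted and the
    number of inline scripts (to compare against a known-good baseline)."""
    collector = ScriptCollector()
    collector.feed(html)
    bad = []
    for src in collector.external:
        host = urlparse(src).netloc.lower() or page_host   # relative URL = same site
        if host not in allowed:
            bad.append(src)
    return {"unexpected_external": bad, "inline_scripts": collector.inline}


if __name__ == "__main__":
    report = unexpected_scripts(SAMPLE_HTML)
    print("unexpected external scripts:", report["unexpected_external"])
    print("inline scripts:", report["inline_scripts"])
```

Run against the live HTML of a few key pages (fetched with the usual HTTP client of your choice) and compare the inline-script count with a baseline taken when the site was known clean; a new inline block or an unlisted host is the cue to check the theme and plugin files and restore from backup.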

Worry about insufficient IT security? Protect your corporate network with Dr Web Security Suite now.

Apple released “Rapid Response” patch to fix a second zero-day

Apple released an emergency bug fix, known as the Rapid Response patch, to address a web-browsing security hole used in real-world spyware attacks. The bug, identified as CVE-2023-37450, could lead to arbitrary code execution and had reportedly been actively exploited. The attack involved a look-and-get-pwned technique, where simply viewing a malicious web page could invisibly implant malware on the device without clicking or approving any pop-ups.

The update fixed the WebKit bug and another kernel-level code execution bug, identified as CVE-2023-38606. These updates were released for various Apple operating systems, including iOS, iPadOS, macOS, tvOS, and watchOS.

Users are advised to promptly download and install these updates to protect against known and potential exploits. Additionally, these updates addressed other cybersecurity flaws, including elevation-of-privilege bugs and data leakage flaws. It is crucial to keep Apple devices up to date to safeguard against current and future threats.