The Russian invasion of Ukraine has shocked the world, driving millions from their homes as they seek safety. However, in the internet age, wars aren’t fought in the physical world alone, and cyber warfare has become an increasingly serious threat.
While the Kremlin has denied they are behind the denial of service attacks, the disruption has brought concerns about the threat of cyberconflict into the spotlight. Ilya Vitayuk, the cybersecurity chief of Ukraine’s SBU intelligence agency, has stated that it is still too early to definitively identify the perpetrators behind the attack. This is because, as with most cyberattacks, the perpetrators worked hard to cover their tracks. However, he also added, “The only country that is interested in such … attacks on our state, especially against the backdrop of massive panic about a possible military invasion, the only country that is interested is the Russian Federation.”
Cyberattacks, even those specifically targeting Ukraine, could seriously impact the United States.
In response to the invasion of Ukraine, CISA (Cybersecurity and Infrastructure Security Agency) has issued a statement. Entitled Shields Up, it states (as of the writing of this article):
“While there are no specific or credible cyber threats to the US homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region. Every organization—large and small—must be prepared to respond to disruptive cyber activity. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber-attacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.”
However, as the Shields Up announcement indicates, cyberwarfare concerns are not contained to the national and international stage. Organizations of all sizes and in all verticals need to be taking appropriate steps to proactively safeguard their digital assets.
What Sort of Cyberattacks Should We Anticipate?
While we have no way of knowing exactly what sort of attacks the cyber warfare front of the Ukraine-Russia conflict will bring, we can look to a history of previous international attacks for guidance. According to Forbes, organizations should be prepared to handle:
Advanced Persistent Threats (APTs)
APT is a broad term used to describe any attack campaign where an attacker, or group of attackers, establishes an illicit, long-term presence on a network in order to covertly mine highly sensitive data. Most intrusions of this nature that target private companies tend to focus on the theft of intellectual property, compromising sensitive data (such as employee or private user data), sabotaging critical infrastructure (such as deleting database data), or taking over websites with a goal of illegal financial enrichment. The strategies deployed against private companies can be used against nations and companies alike.
With cyber warfare on our doorstep, now is the time to batten down the hatches and strengthen your cybersecurity posture. By improving your overall security posture, you can proactively guard against APTs by making it difficult for intruders to infiltrate your network in the first place, preventing them from establishing a covert, long-term presence.
Malware refers to any form of malicious software, typically spread by infected email attachments and suspicious website links deployed as part of phishing scams. While most email providers automatically filter out suspicious messages, one of the best steps organizations can take to improve their cybersecurity posture is to invest in employee cybersecurity training.
Cybersecurity is everyone’s responsibility, from the CEO down to the summer intern. Teaching workers to identify and report suspicious activities can stop an attack before it even begins, so all team members should receive robust cybersecurity training as both part of their onboarding process and on an ongoing basis.
Ransomware is a subset of malware, which uses malicious code to encrypt files and prevent legitimate users from accessing data or systems on either their individual machine or the organization’s network.
DDoS (Distributed Denial of Service) attacks are attempts to crash a web server or other online service by flooding the supporting infrastructure with more traffic than the network can reasonably handle.
This type of attack can be instigated by either a large group of attackers working together or a single attacker with a sufficiently large botnet (connected computers performing repetitive tasks as directed by the user in charge). The goal of DDoS attacks is to overload the server, forcing it offline and preventing legitimate users from accessing the organization’s products or services.
Network Security Attacks
Network security attacks is an umbrella term for attacks aimed at disrupting an organization’s network and system for a variety of reasons, including causing service disruptions, stealing data, or corrupting files. While this is often done for financial gain, in the case of the cyberwarfare front of Russia’s attack on Ukraine, it is likely to be for political or military gain.
To help safeguard themselves from these types of attacks, organizations should be taking proactive steps to safeguard their networks from network breaches.
What Steps Should Your Organization Be Taking to Best Safeguard Your Digital Assets
Follow All Current Advice From Your National Cybersecurity Authority
The situation, both on the ground in Ukraine and in the digital sphere, is continually evolving, with new threats always on the horizon. To best safeguard your organization, it is vital to stay up to date on the situation and follow the current advice of your national cybersecurity authority.
In the European Union, organizations should follow the advice of ENISA (the European Union Agency for Cybersecurity).
Establish A Relationship With Local Governments in Jurisdictions Where Your Company Operates
In the United States, InfraGard is responsible for coordinating information sharing between critical infrastructure providers.
Organizations operating in the United Kingdom should review information provided by NCSC’s Critical National Infrastructure hub.
Organizations in the European Union should speak to their local CSIRT (Computer Security Incident Response Team) and CERT (Computer Emergency Response Teams) contacts. A full list of these can be found here.
In Germany, the BSI (Federal Office for Information Security) has released several cybersecurity warnings related to the situation. Current security warnings can be found here.
Even the most comprehensive, best-designed cybersecurity strategy can be easily undermined if your organization lacks interdepartmental trust. A solid relationship between stakeholders and your security team is critical if you want to keep your organization secure.
Clear, concise, focused, and on-point communication is critical, and there is no such thing as too much information. Too many stakeholder-security team conflicts are rooted in a lack of communication, miscommunications, or misunderstandings. Opening the lines of communication, and keeping them open, is an excellent way to build trust.
Honesty & Transparency
When it comes to cybersecurity, honesty is the best policy. When it comes to admitting fault, acknowledging a mistake, or delivering bad news, stakeholders and security teams alike appreciate honesty. By being honest about your organization’s current security posture (including any deficiencies), security and stakeholders can work together to fortify your organization’s cybersecurity posture.
On the other hand, lies, omissions, and misrepresentations cause cracks in your cybersecurity posture and foster inter-organizational distrust, with potentially disastrous consequences. All trusting relationships are built on a foundation of honesty.
Hard work, dedication, and commitment from both your security team and your stakeholders are critical for building organizational trust. Both sides of the table need to know that the other side is working hard to fulfill their obligations and is willing to own up to any mistakes or shortcomings. It’s a lot easier to build trust when you know the rest of the team has your back.
A Willingness to Listen & Accept Feedback
Communication is a two-way street, and both stakeholders and security teams need to be willing to listen and accept honest feedback and not dismiss the other side’s suggestions and concerns out of hand. When one side feels that the other isn’t taking their concerns, expertise, or advice seriously, it undermines the relationship and damages trust, weakening the organization and compromising its security posture.
Talk is great, but only when it is followed by concrete action. When either the security team or the stakeholders promise to do something, the other side needs to see that they will follow through. When we can’t trust our teammates to act on their promises, those promises become meaningless.
That being said, we are only human, and sometimes promises are broken. When this happens, it is critical to acknowledge that the promise was not honored, provide an explanation (budgetary concerns, staffing shortages, etc.), amend the promise so it can be reasonably accomplished, commit to action, and then act to fulfill the promise. A cycle of inaction and broken promises can impact more than your cybersecurity posture; it can poison your organization, driving away good workers and demoralizing those who remain.
Initiate a “Request for Intelligence” From Your Threat Intelligence Partner
You can’t adequately defend yourself if you don’t know what you are defending against. A request for intelligence is a comprehensive report compiled by your threat intelligence partner. When requesting your report, make sure you specify your intended audience (such as your board of directors or security team) and any specific concerns you may have so that your vendor can tailor the report accordingly and ensure all critical and relevant information is included.
A good request for an intelligence report should go beyond the normal overviews your partner is providing and should include specific concerns related to your vertical, industry, and operating locations. It should also provide information on threat actors you should be concerned about, as well as the TTPs (tactics, techniques, and procedures) those threat actors typically use.
Collaborate Closely With Your Security Vendors
Your security vendor needs to take a proactive role when it comes to preparing your organization for cyber conflict and defense.
Vendor account representatives can help ensure your organization receives the correct level of care and attention and help you get the most out of your security products and services.
You should also work closely with your product vendors to confirm turnaround times and automation options for ruleset and patch updates (to ensure your software automatically downloads and installs security patches as soon as they are made available).
A good vendor should be already communicating with you about the situation in Ukraine, but if you have not received any communications, you should reach out directly to your vendor, representative, or support team.
Keep an Eye Out for Disinformation & Misinformation
As such, it is vital to get your news from trustworthy sources and rely on the advice of local and national leaders as well as your security team to ensure you are getting the facts. As the situation continues to evolve, it is also vital that you are keeping your incident response plans up to date and keeping the lines of communication open both across your organization and between your organization and relevant third parties, such as your managed security services provider (MSSP) and relevant government bodies.
Consider Adopting Secure Communications Tools
Organizations that are concerned about the security and privacy of their business communications (including eavesdropping, data loss, communications metadata exposure, or non-compliance) should consider increasing communications security or switching to more secure communications tools. Organizations with employees in and around Ukraine should also be aware that those individuals may face communications disruptions.
Encrypted messaging and calling solutions like Element and Wickr are ideal for low-bandwidth environments and can be used to enhance the security of your everyday communications as well as work as out-of-band communication channels during incident responses. They can also be used to provide traveling executives with improved communications security. If you are concerned about the security of your current in-house communication tools or are looking to replace them with a more secure option, your managed security services provider can help you make the right choice for your organization.
Should an incident occur, your MSSP can help you respond effectively (mitigating, or even eliminating, damage), conduct a thorough investigation into the root cause of the incident, and help you prepare any reports required for relevant legislative bodies (such as GDPR, HIPAA, or CCPA).
Safeguard Your Endpoints & Practice Good Software Hygiene
One of the easiest yet most critical steps any organization can take to improve their security posture is to keep all their software up to date. When software developers discover vulnerabilities in their products, they release patches to address them. Cybercriminals often target recently patched software in the hopes that not all organizations have been as diligent as yours about installing new security patches. Installing patches takes a few minutes, and the process can often be automated and scheduled so that patches are installed during non-business hours to completely eliminate downtime.
Take Proactive, Preventative Steps Before an Incident Occurs
As the old saying goes, the best defense is a good offense. By being proactive and shoring up your cybersecurity defenses before an incident occurs, you stand a better chance of mitigating or even eliminating damage. Regular pen (penetration) testing, which involves hiring an ethical hacker to stress-test your defenses and search for vulnerabilities, can help highlight security deficiencies so they can be addressed before a cyber attacker is able to exploit them.
Investing in ongoing cybersecurity training is also critical: Employees who can’t identify potential threats are more likely to fall for things like phishing scams, and employees who don’t know how to respond to an incident won’t be able to respond effectively. As such, it is critical that you review your incident response plans regularly and make sure all relevant stakeholders are kept up to date.
You may also want to consider running tabletop scenarios. Tabletop scenarios work like cyber incident fire drills: Your team is presented with a hypothetical scenario and asked to respond, allowing them to put their cybersecurity training to use in a no-stakes environment. Tabletop scenarios not only familiarize your employees with potential threats and help them hone their response skills, but they are also a great way to identify and address security gaps before they can be exploited.
Concerned About Your Cybersecurity Stance? VirtualArmour is Here to Help!
The situation in Ukraine has put many organizations on edge, and trying to figure out how to shore up your organization’s cybersecurity defenses against cyber conflict may be overwhelming. Fortunately, the VirtualArmour team is always here to help.
We offer a variety of security solutions, including:
We have extensive experience working with organizations in a variety of highly-specialized industries, including energy, finance, healthcare, and retail, and are well-versed in the unique security and IT challenges faced by service providers. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring and industry-leading response times.
The situation in Ukraine is constantly shifting, and it can be hard to stay up to date and get the facts your team depends on to best inform your cybersecurity posture. To help you get the information you need, we have compiled a list of links to relevant organizations below.
Over the past few years, ransomware has become increasingly sophisticated and remains distressingly common. As such, all organizations need to be taking steps to shore up their cybersecurity defenses in the wake of this common and devastating threat. To help you get the information you need, we sat down with VirtualArmour SOC engineer Kurt Pritchard to discuss what ransomware is, a brief history of recent notable ransomware attacks, and what steps your organization can take to improve your cybersecurity posture.
The National Cyber Security Centre in the United Kingdom defines ransomware as a type of malware that prevents legitimate end-users (such as you or your employees) from accessing a computer, tablet, or smartphone on your network or the data that is stored on the infected device.
A ransomware attack can also spread quickly, locking users out of multiple infected machines and cutting you and your employees off from all the data stored on your local network. Once the device has been seized, and the files have been encrypted, the attacker typically demands payment (the ransom), frequently in cryptocurrencies, before promising to unlock the impacted devices and restore usability.
However, even if the ransom is paid, the attacker may not follow through on their end, leaving many organizations with locked devices and encrypted files even once the ransom has been paid.
Even if You’re Locked Out, The Attacker Isn’t
Users also need to be aware that while the attack prevents them from accessing the impacted device, it remains fully accessible to the attacker. As such, the data stored on it may be stolen, deleted, or encrypted during the attack. Depending on the nature of the data impacted, this can lead to serious legal and regulatory issues, as well as serious reputational damage.
Ransomware & Phishing Attacks Go Hand-in-Hand
Ransomware typically targets users using social engineering, specifically phishing attacks. During a phishing attack, the cybercriminal poses as someone the user trusts (such as their boss or the company’s bank) and then tricks them into handing over sensitive information such as usernames and passwords or granting the attacker administrative privileges.
Doxware: A Subset of Ransomware
Doxware (also called extortionware) is a type of ransomware. However, unlike traditional ransomware, doxware typically involves seizing sensitive files and threatening to release confidential information on the open internet. Such information could include private financial records, sensitive proprietary information, or other data that organizations do not want shared freely. Another major difference between ransomware and doxware is that doxware typically targets individual sensitive files (such as financial reports), while ransomware typically targets the device’s entire hard drive.
Ransomware May Have Peaked in 2017, but Remains a Serious Threat
Though information from Google Trends strongly suggests that ransomware peaked in 2017 with the devastating WannaCry attack, more recent attacks such as those conducted by the cybercriminal group REvil and the supply chain attack that targeted Kaseya software users remind us that ransomware remains a serious threat.
The WannaCry ransomware attack on the NHS ran from May 12th, 2017, to May 19th the same year and left doctors, nurses, and other healthcare professionals scrambling to care for patients while the IT system remained completely inaccessible. As a result of the attack, healthcare professionals were unable to access vital information, such as patients’ electronic documents, and critical life-saving devices such as MRI and CT scanning facilities were knocked offline.
The attackers demanded $300 in Bitcoin per machine in exchange for unencrypting the impacted files. However, the attackers also introduced a time limit: If the payment wasn’t submitted within three days, it would double to $600 in Bitcoin. Unfortunately, some researchers who did pay the ransom were still unable to decrypt their files, and priceless research data was lost forever.
The Kaseya Attack Highlighted a New Trend in Ransomware: Supply Chain Attacks
Though WannaCry may be behind us, ransomware attacks continue to grow in both number and sophistication, with an increasing number of devices being impacted.
One way ransomware is evolving is the recent trend of using ransomware indirectly, like in the case of the Kaseya attack of 2021. The group behind the attack, the Russian cybercrime group REvil, launched a ransomware attack targeting Kaseya (a cybersecurity company well known for their remote monitoring and management software) on July 2nd, 2021. However, unlike most ransomware attacks, the cybercriminals didn’t attack their victims directly but instead used Kaseya as an unknowing intermediary to target organizations that relied on Kaseya’s monitoring software.
Unfortunately for the 200 businesses affected by the attack, Kaseya was the perfect target. According to John Hammond, a senior security researcher at Huntress, the Kaseya attack was “a colossal and devastating supply chain attack”, noting that because Kaseya is plugged into everything from large enterprises to small companies, “it has the potential to spread to any size or scale businesses.” This is because Kaseya’s VSA (virtual system/server administrator) is integrated into desktops, network devices, printers, and servers – leading to a potentially limitless impact. Ransoms varied from user to user, with demands ranging from a few thousand dollars to $5 million or more per organization.
Next, the ransomware program asked users to grant it administrative permissions. Once the ransomware had admin access, the ransomware would begin to run, locking users out of their devices and demanding payment. The message warned that users who failed to pay up would remain locked out (ransomware) and have portions of the private information they had stored on their phone sold on the internet “black market” every 30 minutes (doxware).
Though it is still unclear who was behind the Charger ransomware, researchers noticed that one of the first things Charger did when installed was check the device’s location settings. If the device was located in Ukraine, Russia, or Belarus, the malicious code remained dormant, suggesting the cybercriminals behind the attack may be based in Eastern Europe.
Android’s security team has since removed the EnergyRescue app from the Play Store, and though the malware is thought to have infected only a handful of devices, it remains an important example of how ransomware is evolving and may now include both ransomware and doxware strategies in a single attack. This incident also illustrates why it is important to only download applications and other forms of software from companies and developers that you know and trust and that if something appears too good to be true, it likely is.
Safeguarding Your Business and Its Digital Assets
Ransomware remains a serious threat to organizations of all sizes and in all industries and verticals. However, there are steps you can take to improve your cybersecurity posture and better secure your organization’s data and devices.
Trust is Key: Opt for Reputable (& Verified) App & Software Developers
Make sure you, your employees, and anyone else whose devices have access to your network are only using apps and software from trusted companies such as Microsoft or Adobe rather than unknown, potentially malicious companies.
It also doesn’t hurt to independently verify that the “new Microsoft app” was actually developed by Microsoft and not a suspicious actor looking to catch distracted users unaware.
Everything Has a Price: Don’t Let it Be Your Privacy or Security
Everything has a price, whether the cost is laid out upfront or not. An app that promises to give you access to normally expensive software (such as the Adobe suite or a program that promises the same functionality) for free or at a fraction of the cost should give you pause. If you aren’t paying for it, it usually means you’re the product, not the customer.
It’s always better to opt for a paid program or app from a reputable source than to download the “free version” from an unknown or suspicious entity in the name of saving a bit of money. If the app or program is full of ransomware or other forms of malware, you could end up paying much more than you bargained for.
Read Your Emails Carefully
Before you open that file or download that form, make sure to do your due diligence and check who it is from. If the sender appears to be your boss, your bank, or another trusted entity but they are asking you to do something irregular (such as purchase a large number of gift cards, hand over your login credentials, or provide your banking details), make sure you reach out independently (such as by phone) to verify the request.
You should also look for things like typos in the domain name (such as an email from Your Trusted Bank, not Your Trusted Bank) or variations on the sender’s name. For example, if your boss is Jane Smith and her work email address ends in .com, but this email came from an address ending in .org or hotmail.com, or from jansmith instead of janesmith, you should proceed with extreme caution and reach out to the purported sender independently for verification before you click on any links, download any files, or complete any other actions the sender has asked you to.
If you don’t recognize the sender it’s always safer to leave the attachment unopened or the link unclicked and consider forwarding the email to your security team. Passing the email along will not only help you determine if the request is legitimate, but can help your security team track phishing attacks targeting your organization and its employees and improve security for everyone.
Backup Everything Regularly
Ransomware attacks prey on our fear of losing critical data. By regularly backing up all data stored on your network, you may be able to recover most, if not all, of the data that you can’t currently access without having to pay the ransom. Depending on the nature of your business, and the nature of the data being stored, you may want to consider opting for a cloud system such as iCloud, Google Drive, Microsoft OneDrive, or Dropbox or consider backing up your files locally using an external hard drive.
An Up to Date Operating System is a More Secure Operating System
One of the simplest things you can do to help keep your security posture strong is to keep your operating system and other software up to date. When developers discover vulnerabilities, bugs, or other security issues with their products, they develop and release patches to fix them. However, you can only take advantage of a new security patch if you actually download it, making out-of-date software a security liability.
Because security patches are publicly announced, everyone, including cybercriminals, now knows about the vulnerability the patch is designed to fix. As such, attackers frequently target companies running recently patched software in the hopes that not all organizations are as diligent as yours about keeping their software up to date: It’s always better to invest the 20 minutes it takes to update your software than risk compromising your operational security.
Anti-Virus Software Still Plays a Critical Role
While many people may think antivirus software is outdated, it still plays an important role in your cybersecurity defenses when combined with other security measures. Antivirus software is just one of many tools that, when combined appropriately with other security measures, help keep your organization safe.
It Always Pays to Have a Plan & Invest in Cybersecurity Training
Should your organization fall victim to ransomware or another type of cyberattack, it is critical you have an incident response program in place to help you and your team respond swiftly and effectively. All new employees should undergo cybersecurity training as part of your onboarding process, and all employees, from the CEO downwards, should also undergo regular cybersecurity training to keep their skills and knowledge top of mind and up to date.
Worried About Ransomware? VirtualArmour is Here to Help!
Phishing scams tend to peak during and around the winter holiday season, catching individuals and businesses alike unprepared. To help ensure you and your team have the information you need to identify and avoid these scams, we sat down with one of our VirtualArmour cybersecurity engineers to learn more about this common cybersecurity threat.
Phishing is a type of social engineering typically used to steal user data such as login credentials, personally identifiable information (PII), or payment card information. This type of cyber attack involves a threat actor masquerading as a trusted party (such as your bank) in order to trick you into opening an email, text message, instant message, or other electronic message and inadvertently handing over sensitive information such as personally identifiable information (such as your full name, birth date, or social insurance number) or payment information (such as your credit card number).
Phishing attacks pose a serious threat at both the personal and corporate levels. Though most email spam filters are able to stop the most egregious attempts at phishing, even the best filters and firewalls aren’t able to catch everything. Phishing scams continue to evolve, and the sheer number of phishing emails alone is staggering. Research into the volume of email, spam, and malicious attachments and URLs directed at companies found that a company with 5000 employees will still have an average of 14,400 phishing emails arrive in employee inboxes each year, and those are just the emails that were savvy enough to get past the spam filter.
With so many emails alone slipping past our defenses, employee training on how to spot and report potential phishing scams is key. However, many threat actors are changing tactics and moving away from email and towards other forms of electronic communication.
Phishing Tactics Have Evolved
When many of us think of phishing emails, we likely still picture some scammer pretending to be a fabulously wealthy prince from some faraway land promising riches in return for helping them covertly move money out of their home country (a common ruse referred to as an advance-fee scam).
The advance-fee scam is a classic ruse that involves the threat actor asking you to help them by transferring money to the target (purportedly for “safekeeping” or to evade authorities) while also asking you to pay a fee to help move the money, with the promise that they will both send you money to cover the advanced payment and reward you handsomely for your cooperation.
Though this elaborate ruse has become cliche even outside of cybersecurity circles, unfortunately, many individuals and companies still fall for this and similar advance-fee scams. A recent CNBC article found that these advance-fee scams still net cybercriminals well over $700,000 USD per year.
Why Do Phishing Scams Peak Around the Holiday Season?
Phishing campaigns typically soar in popularity over the holiday season in an attempt to prey on festive (and often frazzled) shoppers using increasingly sophisticated phishing scams.
One common example of a popular business-targeted phishing scam involves sending the target an email with a domain that appears to link to the company website and contain innocuous information (such as a festive meal menu with a .doc file extension, paired with an email asking the employee to please indicate their meal preference and dietary restrictions for the company party). However, though the email appears legitimate at first glance, a red flag such as a misspelled domain (for example, ‘virtaularmour.com’ rather than ‘virtualarmour.com’; note the transposed ‘u’ and ‘a’) indicates that this email is likely malicious and should be both flagged as spam and reported to your company’s IT or cybersecurity team.
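The sender red flags described above (a transposed-letter domain, a swapped top-level domain, a known name on a free-mail domain, a near-miss of a colleague's mailbox name) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original article; example.com, the sender list, the free-mail list and the function names are constructed placeholders, and the edit-distance threshold of 2 is an assumption to tune.

```python
# Added example: flag look-alike sender addresses.
# All domains and addresses below are constructed placeholders.

TRUSTED_DOMAINS = ("example.com",)            # your organization's real mail domains
KNOWN_SENDERS = ("janesmith@example.com",)    # mailboxes staff expect to hear from
FREEMAIL_DOMAINS = ("hotmail.com", "gmail.com", "outlook.com", "yahoo.com")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and swaps of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1,         # delete from a
                         cur[j - 1] + 1,      # insert into a
                         prev[j - 1] + cost)  # substitute or match
            # Adjacent transposition, e.g. "virtaul" vs "virtual".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def check_sender(address, trusted=TRUSTED_DOMAINS, known=KNOWN_SENDERS, max_edits=2):
    """Return a list of (flag, matched_value) tuples; an empty list means
    no look-alike red flag was found for this sender address."""
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return [("malformed", address)]

    flags = []
    known_parts = [k.rpartition("@") for k in known]

    if domain in trusted:
        # Correct domain: look for a near-miss of a known mailbox name
        # (jansmith instead of janesmith).
        if address not in known:
            for k_local, _, k_domain in known_parts:
                if k_domain == domain and 0 < osa_distance(local, k_local) <= max_edits:
                    flags.append(("lookalike-local-part", f"{k_local}@{k_domain}"))
        return flags

    name, _, tld = domain.rpartition(".")
    for t in trusted:
        t_name, _, t_tld = t.rpartition(".")
        # Simplification: treats only the last label as the TLD.
        if name == t_name and tld != t_tld:
            flags.append(("tld-swap", t))              # .org instead of .com
        elif 0 < osa_distance(domain, t) <= max_edits:
            flags.append(("lookalike-domain", t))      # typo or transposition

    # A known colleague's mailbox name arriving from a free-mail provider.
    if domain in FREEMAIL_DOMAINS:
        for k_local, _, k_domain in known_parts:
            if local == k_local:
                flags.append(("freemail-impersonation", f"{k_local}@{k_domain}"))
    return flags


if __name__ == "__main__":
    for sample in ("janesmith@example.com", "janesmith@exmaple.com",
                   "janesmith@example.org", "janesmith@hotmail.com",
                   "jansmith@example.com"):
        print(sample, "->", check_sender(sample) or "no flags")
```

Short domain names produce more near-matches at a threshold of 2, so the flags are best used to route a message for review rather than to block it outright.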
“Smishing” (SMS Phishing) Scams Are On the Rise
Though these types of scams tend to peak around the holiday season, they are still common year-round. The fake delivery text is a new form of this age-old scam that has been making the rounds and is rapidly becoming one of the most common formats for smishing scams.
One theory behind the rise in this particular style of phishing scam is the increase in lockdowns worldwide, prompting a rise in online shopping, particularly during the holiday period. Before clicking on any links in a suspicious text message, it is critical to verify whether the text message is legitimate (such as by calling your local post office or delivery depot to verify if there really is a parcel waiting for you).
How to Recognize (& Avoid Falling Prey To) a Smishing Attack
If you receive a suspicious text that may be part of a smishing scam, there are a few steps you can take to help avoid falling prey:
Never respond to a potentially suspicious text message. If a response appears to be necessary, respond via a verified official channel (such as calling your delivery company or local post office directly).
Never click on any links or phone numbers sent from a user you don’t recognize.
Never share any payment information or personally identifiable information, such as your social security number, birth date, or full name.
Report any messages that appear suspicious to the relevant authority.
In the United Kingdom, reports can be filed with the National Cyber Security Centre here.
In the United States, reports can be filed with the FCC here and FTC here.
A common example of a scam asking for payment information is a scammer posing as your bank and asking you to update your account information (usually under threat of being locked out of your accounts or some other undesirable outcome). In this case, you should contact your bank immediately via an official channel (most banks print a toll-free number on the back of their credit or debit cards or somewhere on your bank statement) and independently verify that your information requires updating. This not only helps you avoid falling victim to a potential phishing scam but also alerts your bank, which can then warn other customers about the scam so they can avoid falling prey as well.
Investing in employee cybersecurity training is vital. When it comes to scams, your employees are one of your first lines of defense, which is why all employees, from the summer intern up to the CEO, should undergo regular cybersecurity training. To help set everyone up for success, you should also include cybersecurity training as part of your company’s onboarding process.
Vulnerability Scanning Offers Total Visibility Into Your Infrastructure
You can’t defend yourself against cybersecurity threats if you don’t know they exist. Vulnerability scanning helps ensure that no threat makes its way past your defenses by providing detailed information on threat intelligence, device health, threat mapping, and support ticketing. Being able to view all traffic on your network at all times is critical for spotting suspicious activities, so you can respond swiftly and effectively to safeguard both your data and your organization should a threat actor sneak past your defenses.
Social Engineering Takes Many Forms
Many of these attacks depend on social engineering. Social engineering involves manipulating potential victims into revealing personally identifiable information and can be used to access either personal or organizational accounts. Social engineering attacks typically rely on consistent communication between the attacker and the target and frequently take the form of text messages, instant messages, or emails.
As COVID-19 continues to force workers to trade their desks at work for their kitchen tables, spare rooms, and home offices, attacks of this nature are becoming more frequent and more effective. This, combined with more mundane but still frustrating events such as a purportedly missed delivery (which you can conveniently reschedule by clicking on this completely legitimate link), has created an ideal environment for threats like phishing scams to flourish.
Worried About Phishing Scams? VirtualArmour is Here to Help
GoDaddy responded swiftly and effectively, working with law enforcement and an IT forensics firm to thoroughly investigate the incident and take appropriate steps to safeguard users.
On November 17, GoDaddy identified suspicious activity inside their Managed WordPress hosting environment, triggering an internal investigation with the help of an IT forensics firm. It was later determined that an unauthorized third party had used a compromised password to access the provisioning system for their Managed WordPress legacy codebase.
In response to this troubling discovery, GoDaddy immediately blocked the unauthorized third party from their system and began alerting affected users.
So far, the investigation reveals that the unauthorized third party had been using these compromised credentials to gain access to the system beginning on September 6, with a goal of obtaining private customer information, including:
The email addresses and customer numbers of as many as 1.2 million active and inactive Managed WordPress customers were accessed, which the company said may increase the chances of phishing attacks.
The original WordPress Admin passwords set on these accounts, which were also exposed. As a preemptive measure, any account still using its original WordPress Admin password was subject to a password reset.
SFTP and database usernames and passwords of active users. Once this was discovered, GoDaddy immediately reset the passwords on these accounts.
The SSL private keys of a subset of active customers. To address this, GoDaddy immediately began issuing and installing new certificates on affected accounts.
The investigation is ongoing, and in addition to the actions outlined above, all impacted customers will be contacted directly by the GoDaddy team and provided with specific details. Customers can also contact the GoDaddy team via their online help center, which also includes country-specific phone numbers.
It Isn’t Just GoDaddy; All Hosting Providers Are Vulnerable
Common web host vulnerabilities fall into three main categories: general web hosting vulnerabilities, shared hosting vulnerabilities, and VPS and cloud hosting vulnerabilities.
General Web Hosting Vulnerabilities
This is when attackers attempt to use publicly available exploits to hijack your web servers and use your infrastructure as part of a botnet (connected computers instructed by a third party to perform repetitive tasks) to attack other organizations.
Less secure web hosting providers are particularly vulnerable. However, once these vulnerabilities are discovered, they are typically patched fairly quickly.
DDoS (distributed denial of service) attacks flood web servers or other online services with traffic in an attempt to crash the system. This can be done either by a large group of cybercriminals or a single criminal commanding a botnet. The goal of DDoS attacks is to overload the server and prevent legitimate users from accessing a company’s services or products.
Web Server Misconfigurations
Many basic website owners, particularly those using low-cost shared hosting, often have no idea whether or not their servers have been correctly configured. This is problematic because misconfigured servers are often left vulnerable and may be running unpatched or outdated applications.
Incorrectly configured servers may also be unable to accurately verify access rights, and hiding restricted functions or the links to them is unlikely, on its own, to deter attackers. This is because attackers are likely technologically savvy enough to guess the probable parameters and typical locations of this sensitive information and then simply use brute-force attacks to gain access.
Shared Hosting Vulnerabilities
If having your own server is like owning a single-family home, shared hosting environments act more like apartment buildings, where each account has its own unit within the larger structure. Unfortunately, that means a single attack can impact all of the accounts on a single server.
Organizations that opt for shared hosting accounts are particularly vulnerable because these types of accounts exist like large pools of data. Though each account is allocated its own select resources, they all exist within a single environment, so all data, content, and other files occupy the same space and are only divided based on the file structure.
Since all of this data is stored in one location, shared hosting sites are intrinsically linked. This means that if an attacker is able to access the main directory, all sites within the pool may be at risk, and a single compromised account could provide the attacker with a way into the supposedly closed system.
All types of hosting accounts can contain software vulnerabilities, but shared servers are typically more at risk. This is because the large number of accounts per server means that each server is likely to host a variety of different applications, each of which will need to be updated regularly to take advantage of security patches and other updated security measures. A single unpatched or out-of-date application may leave the entire server vulnerable.
Malware (Including Ransomware)
Malware, and particularly ransomware, is a growing problem. Though a ransomware attack may target any hosting provider, shared hosting servers are particularly ill-adapted to contain such an attack. Because multiple accounts are hosted on a single server, it is easy for a ransomware attack to spread from one company’s account and infect the rest of the accounts on the same server.
Shared IP Addresses
Shared hosting accounts also share IP addresses, with multiple sites typically being identified by a single IP address, much like all units in a single apartment building share one street address. Unfortunately, this means that if one account is compromised and begins sending out spam or otherwise behaving badly and is blacklisted by a company or service, all other sites sharing that IP address will be blacklisted as well.
This is problematic because getting an IP address removed from a blacklist is typically quite difficult, and organizations are unlikely to cooperate if one of the accounts attached to that IP address continues to behave badly or disregard the organization’s terms of service.
VPS & Cloud Hosting Vulnerabilities
Though virtual private servers (VPS) or cloud hosting options are typically more secure than shared hosting options, they are still vulnerable. Attackers often target these types of hosting accounts because of the advanced interconnected nature of these servers, presenting a lucrative payday for hackers. As such, these types of attacks are also typically carried out by more experienced attackers using advanced methods.
Cross-Site Security Forgery
Cross-site security forgery, also called cross-site request forgery (CSRF), is a flaw that generally affects websites built using unsecured or poorly secured infrastructure. For convenience, many users save their credentials on select platforms, which can be a risky decision if the corresponding website is not secure.
During a CSRF attack, the end-user is forced to execute an unwanted action, such as automatically transferring funds, on a web application in which they are currently authenticated. Using social engineering (such as sending a compromised link via chat or email), an attacker may be able to trick users of a specific web application into doing what the attacker wants without the attacker having to bother trying to determine a username or password.
This works because the attacker has already queued up the action they wish to perform (such as transferring funds). Because the user’s credentials are saved, the unsuspecting user is automatically logged in when they click the link, and the application goes ahead and completes the action before the user is even aware of what happened.
This can be particularly devastating on admin accounts and can compromise the entire web application.
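The standard defense is to require a secret token that the browser does not attach automatically. The following is an added example, not code from the original article: it places a handler that trusts the saved session alone beside one that also demands a per-session CSRF token. The in-memory session store, the request dictionaries and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to clients
SESSIONS = {}                          # session id -> username (toy session store)


def login(username: str) -> str:
    """Create a session; the id is what the browser saves in a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def csrf_token_for(sid: str) -> str:
    """Token bound to one session, embedded only in forms served by the real site."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def session_user(request):
    """Look up the user from the session cookie the browser attached."""
    return SESSIONS.get(request["cookies"].get("session", ""))


def transfer_unprotected(request, ledger) -> bool:
    """Before: the session cookie alone authorizes the action."""
    user = session_user(request)
    if user is None:
        return False
    ledger.append((user, request["form"]["to"], request["form"]["amount"]))
    return True


def transfer_protected(request, ledger) -> bool:
    """After: the request must also carry the token for this session."""
    user = session_user(request)
    if user is None:
        return False
    supplied = request["form"].get("csrf_token", "")
    expected = csrf_token_for(request["cookies"]["session"])
    # Constant-time comparison on bytes; a missing or wrong token is rejected.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    ledger.append((user, request["form"]["to"], request["form"]["amount"]))
    return True


def demo():
    """Replay one genuine and one cross-site request against both handlers."""
    sid = login("alice")
    # Constructed requests. The cross-site one carries the cookie, because the
    # browser adds it automatically, but not the token, which the other site
    # cannot read.
    genuine = {"cookies": {"session": sid},
               "form": {"to": "bob", "amount": 25, "csrf_token": csrf_token_for(sid)}}
    cross_site = {"cookies": {"session": sid},
                  "form": {"to": "unknown-payee", "amount": 5000}}
    return {
        "unprotected_accepts_cross_site": transfer_unprotected(cross_site, []),
        "protected_accepts_cross_site": transfer_protected(cross_site, []),
        "protected_accepts_genuine": transfer_protected(genuine, []),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Setting the SameSite attribute on the session cookie complements the token by stopping the browser from attaching the cookie to most cross-site requests in the first place.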
SQL injections work by extracting data, such as customer information or financial data, from a system as the data is sent to and from your database server. If this route is not secure, attackers can insert SQL scripts into the infrastructure and scan all data queries before they even reach the server.
This attack works like a postal delivery worker opening and reading all of your mail and copying down any private information they discover before delivering your letters and parcels.
Exploiting XSS Flaws
Harmful XSS-based scripts are small programs that can be used to either access confidential information or redirect legitimate users to fraudulent websites.
Though this attack is most commonly used by attackers looking to capture usernames and passwords or trick users into entering their credit card number or other sensitive information into a fraudulent website (such as one that is designed to look almost exactly like your bank’s website), this technique can also be used by organizations to carry out fraudulent business operations.
Cryptography algorithms typically rely on random number generators, but not all random number generators are made equal, and some random number generators may produce easily guessable numbers which attackers can use to their advantage.
Virtual Machine Vulnerabilities
Multiple virtual machines can be run on top of hypervisors in physical servers. However, if there is a vulnerability in the hypervisor, attackers may be able to infiltrate the system remotely and gain access to all virtual machines hosted on a physical server. Though this type of attack is rare, it is still possible, and organizations that use virtual machines should take appropriate steps to safeguard their infrastructure.
Supply Chain Weaknesses
One of the benefits of cloud hosting is resource distribution, but unfortunately, this can also be a source of vulnerabilities. If not all organizations in the cloud supply chain are as studious as your organization about security, they could leave the entire chain vulnerable.
APIs (application programming interfaces) are designed to help streamline cloud computing processes, but they can allow attackers to easily infiltrate your cloud infrastructure if they aren’t secured properly.
Reusable components are incredibly popular, which can make it difficult to safeguard your organization against this type of attack. In an attempt to gain unauthorized access, an attacker can simply try basic access attempts repeatedly until they find a single vulnerability that allows them into the system.
Steps You Can Take to Protect Your Organization & Your Website
In the modern era, it is an unfortunate truth that it isn’t so much if your organization will experience a cybersecurity incident, but when. Luckily, there are steps you can take to safeguard your website and your organization as a whole.
If you have a static site, you should ensure that you have an SSL certificate and keep your software up to date. You should also keep an eye on your website using uptime monitoring programs so that you are alerted any time your site undergoes an unexpected content change.
By keeping an eye on your website, you can quickly learn if an incident has occurred, allowing you to mitigate or even prevent damage if your website is defaced or otherwise compromised.
For WordPress or Other Database Websites (Like Those Impacted by the GoDaddy Attack)
There are a few things you can do to better safeguard your WordPress website. This includes implementing a robust username and password policy and adding multi-factor authentication. If you need to store passwords on your website for any reason, you should ensure that all passwords are encrypted, and you may want to consider using OAuth or another third-party identity management site.
You should also consider implementing rate limiting or limiting user logins based on the number of failed login attempts. This can help safeguard your website from brute-force attacks. You should also strongly consider changing your admin username from the default “Admin” to something harder to guess.
Rate limiting can help safeguard your website from botnets involved in brute force attacks. Rate limiting allows users almost unlimited login attempts but artificially inserts a delay between each attempt. Even a seemingly insignificant delay of a second or two can slow down a brute force attack, buying your organization more time for someone to notice something is amiss and take appropriate action.
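To show how much time even a small delay buys, the following added example (not code from the original article, and not a WordPress plugin) implements a login throttle whose delay doubles after each failed attempt and resets on success. The class, the one-second base delay, the five-minute cap and the choice to key the throttle on the username are all assumptions.

```python
import time


class LoginThrottle:
    """Delay that doubles after each failed login for the same key."""

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._clock = clock
        self._state = {}  # key -> (failure_count, earliest_next_attempt)

    def retry_after(self, key) -> float:
        """Seconds the caller must still wait before the next attempt."""
        _, not_before = self._state.get(key, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def record_failure(self, key) -> float:
        failures, _ = self._state.get(key, (0, 0.0))
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[key] = (failures, self._clock() + delay)
        return delay

    def record_success(self, key) -> None:
        self._state.pop(key, None)


def attempt_login(throttle, key, password_ok):
    """Gate one login attempt; returns (outcome, seconds_to_wait)."""
    wait = throttle.retry_after(key)
    if wait > 0:
        # Rejected without checking the password, so guessing gains nothing.
        return ("throttled", wait)
    if password_ok:
        throttle.record_success(key)
        return ("ok", 0.0)
    return ("denied", throttle.record_failure(key))


class FakeClock:
    """Deterministic clock so the effect can be measured without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def seconds_to_make_guesses(n, base_delay=1.0, max_delay=300.0):
    """Time an automated guesser needs to submit n wrong passwords."""
    clock = FakeClock()
    throttle = LoginThrottle(base_delay, max_delay, clock)
    for _ in range(n):
        clock.advance(throttle.retry_after("admin"))  # wait out the delay
        attempt_login(throttle, "admin", password_ok=False)
    return clock.now


if __name__ == "__main__":
    for n in (5, 10, 100):
        print(f"{n:4} guesses take at least {seconds_to_make_guesses(n):,.0f} s")
```

Keying on the username slows a botnet that spreads its guesses across many IP addresses, at the cost of letting repeated failures delay the real account owner; keying on username plus source address is the usual compromise.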
You should also seriously consider changing your login path from the default URL. WordPress is the most commonly used content management system on Earth, and many WordPress websites continue to use the /wp-admin/ login path. As such, attackers may use this knowledge to quickly locate and access your login page. By making the login page harder to find, you can help dissuade attackers or at least buy your team more time to respond.
Interview Your Hosting Provider & Review Your SLA Carefully
The GoDaddy security incident has demonstrated how much a website’s security depends on the security of its hosting provider. Though life, and cybersecurity, in particular, offer no guarantees, here are a few questions you should ask your hosting provider in light of this recent attack.
Ask your hosting provider how they monitor their network. Suspicious activities can’t be stopped if they aren’t detected, so you want to make sure your hosting provider is carefully monitoring their internal network by asking them how their network is monitored, who is responsible for monitoring, and what sort of red flags they are actively looking for.
Ask about their antivirus and malware scanning and removal processes. Malware continues to be a threat, so you need to know what sort of malware protection your host offers and what steps they take to secure your website. You should also ask if their support team is scanning your account and request a copy of these internal reports. You also need to be clear on what will happen if your account is infected and what steps your hosting provider will take to help you identify and remove malware on your website.
Don’t forget SSL, firewalls, and DDoS prevention. You should also ask your provider what sort of protocols they have in place to prevent cyberattacks like the one experienced by GoDaddy. You should also find out if your hosting provider offers SSL certificates or if that is something your team will need to handle. Most providers don’t handle SSL certificate implementation, but they do need to provide you with the certificate so your team can implement it.
You should be able to find at least some of this information in your SLA (service level agreement), but if the answers to any of these questions are missing, you should reach out to your contact at your hosting provider for more information.
You should also lock down your folders and subdirectories to make it more difficult for unauthorized users to access exploits or vulnerabilities associated with back-end software and upload files containing malware. You should also consider adding bot filters and maintaining an active blacklist to help you filter out bots and prevent brute-force attacks.
Create an Incident Response Plan & Invest in Cybersecurity Training for All Employees
When it comes to cybersecurity, it is always best to be proactive instead of reactive. Having a robust incident response plan in place will allow you to respond to attacks quickly and effectively while helping limit damage and make your recovery smoother.
In their statement, GoDaddy specified that customers whose email addresses were exposed are now more likely than ever to be targeted by phishing attacks. However, all organizations should ensure their employees know what sort of red flags to look for when it comes to phishing scams. To help improve your employee cybersecurity training and educate your team, please consider reviewing our educational article Don’t Let Phishing Scams Catch You Unaware.
Whether your organization has been directly impacted by the GoDaddy security incident or not, now is an excellent time to review your website’s cybersecurity best practices. For more information, or to start improving your cybersecurity stance, please contact our team today.
Cybersecurity is a complex and continually evolving field, so keeping up to date is critical for safeguarding both your website and your broader organization.
To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.
Cyber attacks, and ransomware attacks, in particular, are on the rise, and this troubling trend is likely to continue. Having an effective incident response plan in place is vital for protecting your organization and its digital assets, but even the best plan is only as good as the facts that inform it.
To create a solid incident response plan, you need specific, actionable information about your current cybersecurity posture. A vulnerability scan gives your cybersecurity team invaluable insight into your current cybersecurity posture’s weaknesses or deficiencies so those cracks in your armor can be addressed before cybercriminals are able to use them against you.
What is a Vulnerability Scan?
A vulnerability scan involves having trained cybersecurity experts evaluate your IT infrastructure for software and firmware vulnerabilities, as well as evaluate all devices that connect to your network for configuration issues that pose security gaps. Using this valuable information, your cybersecurity team or partner can develop strategies and solutions to address these shortcomings before cybercriminals are able to leverage them and sneak past your defenses.
Whether you opt for a one-time engagement scan or ongoing vulnerability scanning as part of a larger suite of managed services (such as managed SIEM), a vulnerability scan is a critical component of any robust cybersecurity posture.
What Should All SMBs Look for in their Vulnerability Scans?
What weaknesses your vulnerability scan will look for will vary slightly between organizations, but all comprehensive scans should assess your systems for:
Software vulnerabilities are the most common vulnerability discovered. This type of scan involves checking for known weaknesses in all the third-party hardware and software your system relies on. These known weaknesses are discovered by security researchers and typically only pose an issue in select versions of particular technologies.
When software engineers employed by software companies discover a vulnerability or other issue in their code, they create security patches (small corrective snippets of code) to address the issue. However, you can only take advantage of the security patch if you download it, which is one of the many security reasons you should be keeping your software up to date. Cybercriminals frequently try to exploit known vulnerabilities in recently patched software in the hope that not all organizations are as studious as yours about keeping their software up to date.
Web Application Vulnerabilities
Security gaps in web applications are another common type of vulnerability that cybercriminals often seek to exploit. They can be used to gain unauthorized access to sensitive data, compromise your web server, or attack web application users.
Whether you are using third-party applications designed by other companies or proprietary in-house applications, make sure any vulnerability scan you commission includes web application vulnerability scanning.
Common Misconfigurations & Mistakes
Sometimes the issue isn’t the software or the hardware, but the people using it or configuring it. Incorrectly configured software can inadvertently leave your entire system vulnerable, and you may not even realize it.
Not following established security best practices can also leave your network vulnerable. After all, investing in a high-quality, unbreakable lock is only useful if you don’t leave the key under the mat (or your password written on a sticky note under your keyboard).
Make sure you have security best practices in place and that those practices are effectively communicated to all network users. Investing in employee cybersecurity training can not only help curtail network vulnerabilities but can also help secure your network in other ways by making it less likely employees will fall for phishing scams (or other social engineering based attacks). Security-minded employees are also better able to identify potentially suspicious activities (such as strange network traffic), so they can alert your security team.
Encryption Configuration Weaknesses
A good vulnerability scan will also assess the encryption configurations used to safeguard data in transit between your users and your servers.
An effective strategy for improving your cybersecurity posture is to limit your attack surface area. You should only publicly expose core services or systems if you absolutely have to, and those exposed surfaces should be continuously monitored for suspicious activities. When choosing a vulnerability scanner, make sure you select one that assesses your attack surface area for issues such as unprotected ports and services that are exposed to the wider internet. Examples of vulnerable attack surfaces include exposed databases, exposed administrative interfaces, and sensitive services such as SMB (server message block).
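A quick way to review your own attack surface is to scan hosts you are responsible for and flag only the exposed services named above. The following added example (not part of the original article) reads Nmap's grepable output, as produced with the -oG option, and reports open ports that fall into those categories. The port-to-category map and the scan text are constructed for illustration and should be adapted to your environment.

```python
# Assumption: ports treated as sensitive when reachable from the internet.
SENSITIVE_PORTS = {
    1433: "database",         # Microsoft SQL Server
    3306: "database",         # MySQL / MariaDB
    5432: "database",         # PostgreSQL
    6379: "database",         # Redis
    27017: "database",        # MongoDB
    23: "admin interface",    # Telnet
    3389: "admin interface",  # Remote Desktop
    5900: "admin interface",  # VNC
    139: "smb",               # NetBIOS session service
    445: "smb",               # SMB over TCP
}

# Constructed sample in Nmap grepable (-oG) format; fields are tab-separated.
SAMPLE_SCAN = (
    "# Nmap scan output (constructed sample)\n"
    "Host: 203.0.113.10 (www.example.com)\tStatus: Up\n"
    "Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http///, "
    "443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (997)\n"
    "Host: 203.0.113.20 (files.example.com)\tStatus: Up\n"
    "Host: 203.0.113.20 (files.example.com)\tPorts: 22/open/tcp//ssh///, "
    "139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///\n"
)


def exposed_services(grepable: str, sensitive=SENSITIVE_PORTS):
    """Return sorted (host, port, protocol, category) for open sensitive ports."""
    findings = []
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status:" lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            parts = entry.strip().split("/")
            if len(parts) < 3 or not parts[0].isdigit():
                continue
            port, state, proto = int(parts[0]), parts[1], parts[2]
            # Only "open" counts; filtered or closed ports are not reachable.
            if state == "open" and port in sensitive:
                findings.append((host, port, proto, sensitive[port]))
    return sorted(findings)


def summarize(findings):
    """Count findings per category for a one-line report."""
    summary = {}
    for _, _, _, category in findings:
        summary[category] = summary.get(category, 0) + 1
    return summary


if __name__ == "__main__":
    results = exposed_services(SAMPLE_SCAN)
    for host, port, proto, category in results:
        print(f"{host}:{port}/{proto} exposed ({category})")
    print(summarize(results))
```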
Information leaks involve exposing information to end users when that data should remain private.
In addition to assessing your system, the final report of your vulnerability scan should include both the weaknesses discovered (in plain, accessible language so that even non-technical team members are able to understand what was discovered) as well as concrete, actionable recommendations for remedying the situation. When it comes to cybersecurity, information is only useful if it can be easily understood and acted upon. That’s why it is vital you choose a cybersecurity partner whose goal is to educate and inform your team and help you improve your cybersecurity posture.
Not all vulnerability scans will include checks in all of the above categories, and the quality and number of checks a scan includes will vary between organizations. As such, it is critical to do your research before conducting a scan, particularly if you are opting for a paid option, to ensure the scan will meet your needs.
Free vs Paid Vulnerability Scanning
User Beware: “Free” Doesn’t Always Actually Mean Free
Also, the term “free” can vary from scanner to scanner, with some offering a free trial, a free version for non-commercial use only, or limited functionality at the free tier. As such, make sure you are clear about what the free version does and does not include before you sign up and do your research to ensure the free scan will actually give you the information you need in a format you can actually use to improve your security posture.
Just Because You Aren’t Paying with Money Doesn’t Mean There Isn’t a Cost
When it comes to many “free” vulnerability scans, you may not be paying with money, but there is still a cost. These tools are often limited in scope, so you likely aren’t getting the whole picture. This can lead to a false sense of security as you metaphorically check that the front door is locked while leaving the back door wide open.
As you will soon see, these tools are also frequently not very user friendly (at least for individuals who aren’t already technology experts), which can mean either hiring a tech expert just to perform your free scan or setting time and personnel aside to learn how to use this product, pulling them away from critical tasks. Free software is typically developed on an extremely limited budget, and UX design is often an “extra” that is left out, making it difficult for even the most technically inclined to get useful information out of these tools.
Free vulnerability scans are also not carried out by teams of experts and are frequently just tools you can use to assess select aspects of your infrastructure on your own, so even the most comprehensive versions will still require your team to take the information they have gathered and turn it into actionable suggestions.
Paid options are almost always more user-friendly and typically come with ongoing support and guidance. They are more likely to offer a polished, easy-to-understand report detailing what vulnerabilities were discovered, as well as actionable advice on how to address these issues and improve your security posture.
Top 4 Free Vulnerability Scanning Tools (& What They Can Tell You)
While paid vulnerability scan options typically yield more detailed and in-depth information (and cover a wider range of checks), free scanning tools can help small organizations on a tight budget assess specific areas of their networks (such as their web applications or security patches).
However, these scanning tools tend to be limited in scope, so you may need to run several in order to piece together a full list of all vulnerabilities on your network.
Burp Suite (Owned by PortSwigger)
Burp Suite is a popular web vulnerability scanner used by a variety of organizations and offers a free version (referred to as their Community Edition). However, this free version has limited functionality and does not include automation capabilities. This version contains essential manual tools and is mostly aimed at researchers and hobbyists.
Burp Suite is Java-based and can be used to check for SQL injections, cross-site scripting (XSS), and other web vulnerabilities, as well as for security auditing and compliance purposes.
Nmap bills itself as a pen-testing tool but works more as a port scanner. Nmap scans your network and flags ports that are vulnerable, which can aid in pen-testing. In addition to port scanning, Nmap can also look for other vulnerabilities in your systems and networks, monitor host and service uptime, and map network attacks when they occur. By pointing out potential weaknesses, it has its strengths as an auditing tool, but it isn’t able to actually show users how the vulnerabilities it discovers could be exploited.
Nmap is an open-source tool aimed at ethical hackers looking for network weaknesses. Like all open-source software, Nmap is free, but like other open-source programs, it isn’t particularly easy to use unless you are already familiar with using open-source software.
Wireshark is a well-known open-source network protocol analyzer designed to help with select network vulnerability scanning tasks. It relies on packet sniffing to understand your network traffic patterns, which is useful for network administrators looking to design effective countermeasures.
By detecting suspicious network traffic, Wireshark can help you discover errors and detect if an attack is underway, categorize the attack, and help you implement rules to protect your network. However, like other open-source options, it isn’t particularly easy to use for the non-technically inclined and will need to be carefully managed and configured in order to meet your organization’s needs.
The Open Vulnerability Assessment System (OpenVAS) is a free, open-source platform offering a variety of vulnerability management services. Built as an all-in-one scanner and maintained by Greenbone Networks, it is designed to perform over 50,000 vulnerability tests and is updated daily.
OpenVAS is designed to run in a Linux-based environment and is aimed at experienced open-source users looking to perform pen-tests or targeted scans. However, like the other open-source tools in this list, it isn’t particularly easy to use for the non-technically savvy, and installing and using this tool poses a significant learning curve. Because it is so difficult to install and learn to use correctly, it can take a lot of time to get up and running smoothly, which can eat up employee time and pull them away from other tasks.
What Information Does Your VirtualArmour Vulnerability Scan Contain?
VirtualArmour offers both one-time vulnerability scanning engagements (vulnerability assessment) and ongoing managed security scanning (vulnerability scanning premium).
One-Time Scan: Vulnerability Assessment
Our one-time vulnerability assessments include both an external scan and a certificate scan and can be useful for auditing purposes or to prove compliance.
Our ongoing vulnerability scanning solution (Vulnerability Scanning Premium) is designed to expose and notify you of potential security gaps in your environment before they can be exploited by cybercriminals. As part of this process, our team of experts will identify:
Software and firmware vulnerabilities
Weak security policies and configurations
Outdated software and operating systems that could be used to penetrate your endpoints and infrastructure
Our team will also scan and audit your publicly exposed resources (such as file servers and web applications) with the goal of minimizing your attack surface as much as possible.
Vulnerability Scanning Premium can also be integrated with our managed SIEM option, offering more comprehensive data and additional context for alerts.
Vulnerability Scanning Premium also includes:
Custom vulnerability severity levels
Defined processes and escalation procedures
A record of all vulnerabilities detected across your environment, both on-premises and in the cloud
Threat intelligence feeds
SIEM platform enrichment using vulnerability analytics
This premium option also offers both periodic and on-demand reports, so you always know exactly what is going on, improving your organizational agility by making it easy to respond to issues as they come to light. All asset vulnerabilities are correlated with network configuration and traffic data, allowing us to identify active attack paths across your network. This vital information is used to simulate threat vectors and predict how a theoretical attack could potentially spread across your network. This can help you adjust your incident response plan as necessary and help you take a proactive rather than reactive approach.
In addition to these security benefits, continuous vulnerability scanning can help ensure your organization is complying with relevant legislation, helping you avoid the costly fines associated with noncompliance. Our team of security engineers will continuously analyze the results of your vulnerability scans and use this information to craft concrete, actionable recommendations designed to improve your overall security posture across your organization’s infrastructure, from core to cloud.
For more information about the importance of vulnerability scanning, or to learn more about our vulnerability scanning options, please contact our team today.
Cybersecurity is a complex and continually evolving field. To help keep your knowledge up to date, please visit our articles and resources page and consider reviewing these suggested educational articles and resources.
However, in recent years, a growing number of hackers have been putting their skills to use for a different reason: activism. This trend, dubbed “hacktivism”, is on the rise and can have serious consequences for businesses of all sizes in all verticals and industries.
What is Hacktivism?
Information security researcher Dorothy Denning defines hacktivism as “the marriage of hacking and activism”, more specifically, using computers to achieve a political agenda through legally ambiguous means. As a general rule, hacktivism aims to obstruct normal computer and business activities in some way but, unlike other forms of hacking, does not necessarily aim to cause permanent injury or significant financial loss and is rarely motivated by financial gain.
Hacktivism Can Be a Force for Good…
When most readers think of hacktivism, they think of large-scale political movements and revolutions such as the Arab Spring, which depended at least in part on technology and hacktivism.
In 2011, when young protesters took to the streets in cities across the Middle East to rally against oppressive governments, some who had held power for decades, they were emboldened and assisted by technology. In the eyes of some, WikiLeaks and Anonymous played a key role in creating the social conditions that allowed the Arab Spring to happen by posting damning secret government documents online before the protests began.
Though most believe the Arab Spring to be a positive and necessary step, the hacktivism that accompanied it, particularly the act of disclosing confidential documents and personnel files indiscriminately, could endanger lives. Anonymous and similar hacktivist organizations do not always carefully vet what information they release, which could inadvertently expose innocent individuals to cybersecurity threats.
… But it Frequently Harms Innocent Organizations & Individuals
The goal of most hacktivists is to draw attention to a particular cause using virtual political activism. This can be a noble goal, as demonstrated during the Tunisian uprising, but not all hacktivists are so altruistic. Unfortunately, many hacktivists are also not particularly concerned about avoiding collateral damage while carrying out their activist activities, and innocent parties can be caught in the crossfire.
In a recent article by PC World, a former member of Anonymous called “SparkyBlaze” admitted that he was “fed up with [Anonymous] putting people’s data online and then claiming to be the big heroes.” He also stated that “Getting files and giving them to WikiLeaks, that sort of thing does hurt governments. But putting user names and passwords on a Pastebin doesn’t [affect governments], and posting the info of the people you fight for is just wrong.”
While some hacktivist organizations, like other activist organizations, might be doing real good, too many are using the guise of activism to cause significant harm to innocent organizations and individuals.
As one article published in the Journal of Human Rights Practice puts it, unlike more familiar forms of activism, hacktivism can often be anonymous, allowing it to operate with a kind of impunity afforded by technology. As such, hacktivists are accountable to no one, not even organizations, groups, and individuals they aim to help, which is deeply problematic.
Many hacktivist organizations, including Anonymous and WikiLeaks, engage in highly questionable activities, which they are able to do because of the anonymous nature of hacktivism. Since there is no way to hold individuals accountable, they are incredibly dangerous, both for the problematic organizations and governments they target and for the rest of us.
A Brief History of Hacktivism: Six Infamous Events
While hacking has been around since the 1950s, hacktivism as a concept didn’t really emerge until 1989, when the first “hacktivist” action (referred to as Worms Against Nuclear Killers) took place.
Worms Against Nuclear Killers (1989)
The 1989 attack, which many believe to be the work of Melbourne-based hackers “Electron” and “Phoenix”, used a malware worm to infiltrate computers at both NASA and the US Energy Department. The worm altered the login screen of infected computers to display the message “Worms Against Nuclear Killers” and was fueled by rising anti-nuclear sentiment. A second worm, called OILZ, was also deployed and contained bugs designed to prevent access to accounts and files by changing passwords. The goal of this attack was to attempt to shut down the DECnet computer network in the days before a NASA launch, causing disruption and costing roughly half a million dollars in damages and lost time.
Hacktivism has only grown in both scope and influence. Other influential campaigns include:
Hacktivismo Declaration (2001)
Hacktivismo, an offshoot of the hacker group Cult of the Dead Cow (cDc), emerged when they released their declaration that aimed to elevate freedom of speech. During this event, the group explicitly attempted to both engage in civil disobedience and explain their reasoning behind their actions.
As a result of their declaration, this group aimed to create both moral and legal grounds for future hacktivists to launch their campaigns. The group went on to release a web browser, called Peekabooty, that prevents censorship from nation-states that deny or restrict internet access.
Project Chanology (2008)
When a video of actor Tom Cruise voicing his affiliation with the Church of Scientology appeared on YouTube, the church forced the video hosting platform to remove it. In response to the censorship, Anonymous launched a DDoS (Distributed Denial of Service) attack against the Church of Scientology website, which was also defaced. A series of prank calls and black faxes followed the DDoS attack, and Anonymous also distributed private church documents stolen from Scientology computers during a doxxing attack.
Believed to be associated with Syrian President Bashar al-Assad, the Syrian Electronic Army (SEA) has carried out a number of attacks using both spear-phishing and DDoS attacks designed to compromise and deface government, media, and privately-held organizational websites.
This attack, a joint venture between WikiLeaks and Russia’s foreign military intelligence directorate Glavnoye Razvedyvatel’noye Upravleniye (GRU), focused on emails between then-presidential candidate Hillary Clinton and her campaign manager. The emails were illegally obtained by GRU and released by WikiLeaks, and the goal was to discredit Ms. Clinton in order to further the campaign of her opponent Donald Trump.
While the BLM (Black Lives Matter) movement reaches beyond the realm of hacktivism, the group Anonymous did throw their weight behind this movement protesting police corruption following the death of George Floyd. The group had also voiced similar condemnations in the past following the murders of Michael Brown and 12-year-old Tamir Rice.
In support of the social-justice-focused BLM movement, Anonymous released a video on Twitter that specifically criticized the Minneapolis police department in the wake of the shooting. As a result of the video, Anonymous’ Twitter account gained 3.5 million new followers in the following days, and the campaign has been linked to a series of DDoS attacks that briefly shut down the Minneapolis police department website, its parent website, and the Buffalo, New York government website over the course of a single weekend.
Hackers of all stripes, including some hacktivists, often use open-source hacking tools to penetrate networks with the goal of paralyzing or destroying legitimate businesses. This can be done for a variety of reasons, including retaliatory action in the case of George Hotz.
Sony vs Hotz
In 2010, then-teenage researcher George Hotz (now President at comma.ai) was able to reverse-engineer the Sony private key and published it online. This allowed almost anyone with an internet connection to rewrite Sony’s firmware and classify themselves as a developer on the Sony network, gaining free access to all of Sony’s online games. This action adheres to the philosophy that many hacktivists and other hackers share, which deems that all information, even proprietary information, should be free.
In response to his actions, Sony sued Hotz, which attracted the attention of hacktivists. The company was targeted by several DDoS attacks and a data breach, which exposed the credit card numbers of 12 million innocent customers, as well as 75,000 “music codes” and 3.5 million “music coupons”, resulting in massive financial losses for the company. All in all, Sony estimates they lost about $173 million, including the cost of increased customer support, incentives to woo customers back, legal costs, loss of sales, and the costs to improve their cybersecurity systems.
Ultimately, regardless of the goal of the hacktivist organization, gaining unauthorized access to a company’s network or other digital assets is wrong, and companies need to take steps to ensure their cybersecurity posture is robust enough to thwart attacks and avoid or at least minimize damage.
Cybersecurity is complicated, and the field continues to evolve in response to new threats. Keeping up to date is critical for safeguarding your organization and its digital assets. To help you expand your knowledge and stay up to date, please consider visiting our blog and reviewing these suggested educational articles and resources.