Ransomware as a Service: What It Means for Your Business

“Oh No….”

My insides turned upside down as I looked at the CEO’s machine.  I started panicking a little bit.  This is not good.  The more I looked the worse it got.  So…. Many…. red…. flags…

Spidey Senses Tingling

A few days before, I had gotten a call from the controller at this business.  Not a huge organization, and they didn’t have any IT internally.  Like many small businesses in that situation, IT rolls up under accounting.

He had worked there for a couple of years at this point.  Prior to that, he had worked for a much larger company with an internal IT team and more sophisticated security compliance needs.  That experience made him aware of the many security controls most businesses typically have in place.  His Spidey senses were tingling because he had recently taken note that their business had basically none.  He called me because he felt like they might be at risk.  He wasn’t wrong.

We Have an IT Guy

The thing was, this company had an IT provider.  That provider had been doing their IT for several years at this point.  They were also responsible for IT security and had told the company they were “all good”.  When the controller questioned them about some of the controls he’d seen elsewhere, and why they didn’t have them, he got brushed off.

This company works in the construction industry, and because of that their provider didn’t think that IT security was a priority.  Unfortunately, in the last year a lot of the companies that I’ve seen targeted have been in construction.  For attackers it’s the perfect combination of less sophisticated users and large payments that make them so attractive.

In 2024, there is really no industry that doesn’t need cyber security.  There is also no such thing as security through obscurity anymore.  If you have a small business, it needs to be protected.  Full stop.  If your provider hasn’t talked to you about security lately it’s time to find someone that will.  It’s the number one risk to your business.

The Breach

The CEO had a project he was working on and got into work extra early one morning.  As he walked into his office, he noticed his computer was already on.  Strange…. Then he noticed that his mouse was moving…. Someone was remotely controlling his machine at that very moment.  As soon as he touched the machine the person panicked and disconnected.

There was a piece of software installed on his computer for remote access.  He hadn’t installed it, and it wasn’t the remote support software that their IT provider used either.  Further investigation found that there was also keylogging software installed on his machine, along with a complete list of every login and password he had used for the last 4 months.  The entries were dated, so we could see how far back they went.  The machine also had a scheduled task that emailed any newly captured login info to the bad guys every night.

That means that the bad guys had persistent access to the CEO’s machine for the past 4 months, and now had his logins and passwords to just about everything.  Including his business banking and others.
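The persistence described above (a scheduled task mailing out captured logins, plus a remote-access tool the IT provider never installed) is the kind of thing a quick endpoint triage can surface. The following PowerShell is an added example, not the author's tooling; it assumes a Windows endpoint, a 120-day lookback matching the 4-month window in this story, and a product-name list that you should replace with whatever your own provider actually uses.

```powershell
# Assumed lookback: the incident above spanned roughly 4 months.
$lookbackDays = 120

# 1. Scheduled tasks: flag anything running from a user-writable path, via a
#    script host, with arguments that look like outbound mail/transfer, or that
#    was registered recently.  Legitimate tasks will show up too; the point is
#    to produce a short list a human can compare against what IT put there.
$suspect = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe    = [string]$action.Execute      # empty for COM-handler actions
        $argStr = [string]$action.Arguments
        $cmd    = "$exe $argStr"
        $reasons = @()
        if ($cmd -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\') { $reasons += 'runs from user-writable path' }
        if ($cmd -match 'powershell|wscript|cscript|mshta|cmd\.exe')        { $reasons += 'script host' }
        if ($cmd -match 'smtp|mail|curl|Invoke-WebRequest|ftp')             { $reasons += 'possible outbound transfer' }
        if ($task.Date -and ([datetime]$task.Date) -gt (Get-Date).AddDays(-$lookbackDays)) {
            $reasons += "registered within $lookbackDays days"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                Author     = $task.Author
                Registered = $task.Date
                Command    = $cmd.Trim()
                Why        = ($reasons -join '; ')
            }
        }
    }
}
$suspect | Sort-Object Registered -Descending | Format-Table -AutoSize -Wrap

# 2. Installed software: list anything that looks like remote-access software so
#    it can be checked against the one tool your provider is supposed to use.
#    The name list is an assumption; extend it for your environment.
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'AnyDesk|TeamViewer|Splashtop|ConnectWise|ScreenConnect|RustDesk|VNC|LogMeIn|Atera|GoTo' } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session so HKLM and every user's tasks are visible; a remote-access product that nobody on the IT side recognizes, or a task the provider did not create, is the cue to treat the machine as compromised rather than to clean it up in place.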

How Deep?

Typically, if we see a breach where an attacker has had persistent access to a machine on the network for this period, they’ve been using that machine to gain additional access, elevated permissions, and control of other network resources.  They’re likely in all servers, firewalls, etc.  In this case the short answer is that I’m not sure.

The attack was so severe that I was nervous about engaging this client at that moment.  Since their current IT provider had all logins and access, it would have taken us some time to get in and start work.  Frequently if the bad guys get caught like they did in this case it will force them to immediately move ahead with any attack they had been planning before the users get wise and shut down their access.  Time was of the essence.

I gave them a list of what needed to be done and stressed that they needed to get their current IT team working on it immediately.  Luckily, we were just in time, and managed to get the bad guys locked out before they could launch whatever larger attack they had planned.  There was a lengthy cleanup process, but the client didn’t suffer any significant damage.

Everything is For Sale

One of the scary things we’ve seen evolve in cyber crime over the last few years is an entire marketplace built for fraud.  Stolen credentials can be bought on the dark web.  You can buy access to computer systems gained by other bad actors on the web.  You can even buy a subscription to ransomware software so you can exploit those targets.

Ransomware As a Service

A ransomware attack is easier than ever to perpetrate.  In fact, you don’t even have to be particularly technical to be able to do it.  You can now simply get on the dark web and pay a monthly subscription fee to have access to predeveloped ransomware tools.  The guys at Palo Alto wrote up a pretty good summary.

“Ransomware as a service (RaaS) is a malicious adaptation of the software as a service (SaaS) business model. It is a subscription-based model that sells or rents predeveloped ransomware tools to buyers, called ransomware affiliates, to execute ransomware attacks.

Before introducing the RaaS model, threat actors needed some proficiency in writing or accessing code before attempting a ransomware attack. Ransomware as a service opens these attacks to criminals who lack coding knowledge; however, many RaaS organizations are specific about who is given access. Some high-profile groups even interview potential affiliates or check their background and digital footprint.

The RaaS operations model makes it easy for anyone to execute a ransom campaign, providing threat actors with expert-level software to encrypt and decrypt files as well as 24/7 software support. Once they have access to the ransomware, it is the affiliates’ job to launch a successful attack through phishing or software exploits, for example.

Through its recent success, RaaS has identified itself as a significant cybersecurity threat. Understanding what it is, how it works, and how to safeguard your organization against it is crucial for protecting your valuable data.”

Entry Points

There are a lot of ways that a bad actor could gain access to your network.  I’ll touch on a few of the most common ones.

  • Phishing Emails – This is one of the most common attack vectors in 2024.  Attackers will frequently impersonate trusted entities and leverage some kind of urgency to trick users into providing sensitive info or logins.  Alternatively, they will try to get a user to click on a malicious link that will install malware, keyloggers, etc. on the system.
  • Weak Passwords – The good ol’ password crack is still in vogue.
  • Unpatched Vulnerabilities – If your system is behind on security patches, or you use software that has known security vulnerabilities, you’re probably at risk.
  • Social Engineering – Bad actors leverage humans to get them to tell them sensitive data that will allow access.  Phone calls, emails, and fake websites are all leveraged for this purpose.
  • External Remote Access – If you have a VPN or RDP server that is not secured with multifactor authentication, your remote access is vulnerable.  This is a common entry point if left unsecured.
  • Misconfigurations – Did you know that most routers installed by the ISP have a default password on them that is widely available with a Google search?  If your network hasn’t been configured for security, you could be at risk.

Security solutions should be designed with multiple layers that help to protect you from various attack methods.  In addition, all the humans on your business network need to receive training that will help them avoid phishing and social engineering attacks.

Takeaways

Don’t take it for granted when your IT team says you’re “all good”.  Dig in with them and ask some questions so you can better understand your cyber security posture.  If you need a guide to help direct that conversation, I’ve written about that as well.  Check out 7 Questions CEOs Should Be Asking for a handy guide.

It’s easier than ever to be a cyber-criminal.  New services like Ransomware as a Service make it so that you don’t even have to have technical or coding skills to perpetrate ransomware or other attacks.  Access, passwords and more are available for sale on the dark web.

Act now to ensure that you have the right solutions in place for cybersecurity.  Specifically look for a layered solution that protects all the potential entry points on your network.  Don’t forget to train your humans as well.

We can help.  i.t.NOW has been helping businesses with IT support and cybersecurity for over 30 years.  If this is daunting, we know how to make it easier.  Odds are that you didn’t get into business to manage cybersecurity solutions, and our experts can unburden you and put the layered security solutions you need in place to lower your risk.  Check out our digital cybersecurity map to learn more about the protections available, and feel free to sign up for a complimentary cyber security assessment.

Photo by Glenn Carstens-Peters on Unsplash