Managed Detection and Response: Helping to Fill in Business Security Gaps

Managed detection and response (MDR) is an outsourced service that provides organizations with threat hunting and responds to threats once they are discovered.  What sets it apart from other security services is the human element: the security provider gives the customer access to its own researchers and engineers, who analyze incidents while monitoring the customer's networks.

The challenges MDR can solve

One of the more significant problems MDR can solve for businesses is the lack of security skills within the organization.  Unlike bigger organizations, not all businesses can afford to hire and train dedicated security personnel who can do full-time threat hunting; MDR gives them access to a level of security that would normally be out of their reach.  This benefit is most apparent in medium-sized organizations, which are targeted by cyberattacks while lacking the resources or manpower to defend themselves adequately.  It must be pointed out, however, that even if an organization budgets the cost and manpower for a dedicated team, it might not be able to find the right personnel in the first place.  In 2016, there were 2 million unfilled cybersecurity positions, a number that is expected to rise to 3.5 million by 2021.

[Figure: What an organization stands to gain when MDR comes into play]

Another challenge that businesses often overlook is the sheer number of alerts the security team receives on a daily basis.  Not all alerts are malicious, but they cannot be easily told apart, so each must be checked individually; threats that are found must also be correlated with one another to see whether they are connected to a bigger attack planned for the future, and all of this takes time.  MDR addresses this problem by not only discovering threats but also analyzing the factors and indicators involved in each alert.  Analysis and contextualization are the most important skills in a security professional's arsenal: security technologies can block threats, but knowing the reasons and patterns behind incidents helps you block bigger threats in the future.  MDR tries to close the cybersecurity skills gap that smaller organizations usually cannot afford to close themselves because of their limited resources.

How does Trend Micro’s MDR work?

Trend Micro’s MDR provides a wide array of security services, including alert monitoring, alert prioritization, investigation, and threat hunting. It uses artificial intelligence models and applies them to endpoint, network, and server data in order to correlate and prioritize advanced threats. By investigating prioritized alerts, Trend Micro threat researchers can then work with organizations to provide a detailed remediation plan.

To learn more about Trend Micro’s MDR, you may read the original article or you can contact us at 893-9515 and we will be happy to answer your questions!

New Exploit “Faxploit” affects HP OfficeJet All-in-One Printers

Security researchers recently demonstrated at the security conference DEF CON 2018 a vulnerability that can be exploited via HP OfficeJet All-in-One Printers.  It has been dubbed "Faxploit" by the researchers, Eyal Itkin and Yaniv Balmas.  The attack takes advantage of security flaws in the implementation of the fax protocol used by OfficeJet printers, making many businesses susceptible to it.

The researchers have stated that for this particular exploit, all the attackers need is a fax number, after which they can hijack the network and all systems connected to it.  They can then infect the network with malware or, even worse, outright steal your business' important data.  The researchers have said that the impact of this exploit is not a small one: surveys show that businesses actually increased their fax usage by almost 82% in 2017, so even with many new technologies, fax is still one of the most used ways to move documents.

Faxploit is yet another example of how unsecured devices that businesses use on a daily basis can result in vulnerabilities in their network that cybercriminals can use to steal data or hold them to ransom.  Especially now that Internet-of-Things (IoT) ready devices are becoming more mainstream, attackers are finding more ways to hit businesses where they are least protected, since security for these devices is still more or less in its beginning phases.  These threats can stay longer in the system because of the device's inability to protect itself, making attacks stealthier and more destructive to the organization's network.

However, HP has released patches for the vulnerabilities (CVE-2018-5924 and CVE-2018-5925) and users are recommended to apply the firmware updates to make sure they will not be affected.

For those who are interested in a more proactive approach for these types of attacks, Trend Micro’s managed detection and response service allows customers to investigate security alerts without the need to hire qualified incident response staff. It provides alert monitoring, alert prioritization, investigation, and threat hunting services to Trend Micro customers. By applying artificial intelligence models to customer endpoint data, network data, and server information, the service can correlate and prioritize advanced threats. Trend Micro threat researchers can determine the extent and spread of the attack and work with the customer to provide a detailed remediation plan.

To learn more about “Faxploit” you may read Trend’s original article here, or you may contact us at 893-9515 and we will be happy to answer your inquiries!

Security Tips: Business Email Compromise (BEC) Schemes

Business Email Compromise (BEC) Schemes

In the past few years, millions of dollars have been lost to fraudsters and scammers.  However, not all of it has been lost through malware attacks such as ransomware.  Business email compromise (BEC) schemes are sophisticated attacks focused mostly on companies that make wire transfers frequently.  The FBI has estimated that nearly $750 million was lost to this type of scheme, affecting more than 7,000 people, between October 2013 and August 2015.  Below are a few versions of the scheme:

The Bogus Invoice Scheme

Also referred to as "The Supplier Swindle" and the "Invoice Modification Scheme".  This scam is usually carried out using the name of an established partner of the business: the scammers impersonate an employee of that partner and, using a spoofed email, telephone call, or fax, ask for invoice payments to be wired to their fraudulent account.

CEO Fraud

Also referred to as the "Business Executive Scam", "Masquerading", and "Financial Industry Wire Fraud".  The scammers impersonate high-level executives (CFO, CEO, CTO, etc.), lawyers, or other legal representatives, tell the victim that they are handling confidential and time-sensitive matters, and then pressure the victim into wiring funds to a separate account that the scammers control.

Account Compromise

In this scam, an email account of an employee is hacked and then used to make requests for invoice payments to fraudster-controlled bank accounts. Messages are sent to multiple vendors identified from the employee’s contact list.

Data Theft

This scam usually involves compromising the email account of a role-specific employee (usually in HR) at the victim company, then using that account to gather identifiable information about other employees and executives, which is later used as a jump-off point for more damaging BEC attacks on the company.

Below are some quick prevention tips on how you can avoid these types of attacks:

Prevention tips

  • Carefully scrutinize all emails. Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Review emails that request transfer of funds to determine if the requests are irregular.
  • Educate and train employees. While employees are a company’s biggest asset, they’re also usually its weakest link when it comes to security. Commit to training employees according to the company’s best practices. Remind them that adhering to company policies is one thing, but developing good security habits is another.
  • Verify any changes in vendor payment location by using a secondary sign-off by company personnel.
  • Stay updated on your customers’ habits including the details, and reasons behind payments.
  • Confirm requests for transfer of funds by phone as part of two-factor verification; use known, familiar numbers, not the contact details provided in the email request.

To learn more about BEC attacks, you can read a more in-depth article from our partner Trend Micro here.  If you have inquiries about this topic, you can also contact us at 893-9515 and we will be happy to help!

Malware VPNFilter is on the Rise as Infected Routers Increase

On May 24, security researchers published a report on the discovery of a group that had infected more than 500,000 home and small-enterprise routers in at least 54 countries with their malware, VPNFilter.  Through an infected router, this malware can attack other systems, collect intelligence, steal key credentials, monitor SCADA protocols, and execute a kill command that destroys the device.  These attacks have been happening since 2016; however, there has been a spike in infections in recent weeks, mostly in Ukraine.  This prompted the researchers to publish their report early because of the high threat level to the identified systems involved.

The researchers observed that a VPNFilter infection goes through 3 stages:

Stage 1

The infected router enables the deployment and spread of the malware by locating target servers through downloadable images from Photobucket.com, extracting an IP address from them, and recognizing several types of CPU architectures running on BusyBox and Linux-based firmware.  Redundant command-and-control mechanisms identify and adapt: if the Photobucket download fails, Stage 1 downloads from ToKnowAll.com instead.  It also listens for a trigger packet from the attackers, and it checks its external IP address via api.ipify.org and stores it for later use.  In this stage, the core malware code survives on infected systems even when they are rebooted.

Stage 2

This stage deploys intelligence-collection capabilities such as file collection, command execution, device management, and data exfiltration.  It also deploys self-destruct capabilities.  It can assess the value of the network the device sits on, especially whether the system holds potential interest to the threat actors.  The actors can then decide whether to use the network to continue gathering data or to use the system to propagate through its connections.  The self-destruct function in this stage overwrites critical portions of the device and issues a reboot directive, destroying the firmware once the attackers trigger the built-in kill command and leaving the device unrecoverable.

Stage 3

This stage contains modules that act as plugins for Stage 2.  One plugin acts as a sniffer for collecting data and intercepting traffic, such as stealing website credentials and monitoring the Modbus SCADA protocol, while another plugin allows automated communication over Tor.  Other plugins that have yet to be identified were also observed in this stage.
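The Stage 1 behaviour described above has a network footprint a defender can look for: a device that resolves one of the download/C2 domains named in the article (Photobucket.com, ToKnowAll.com) and, within a few minutes, api.ipify.org. The following script is an added example, not part of the original article or the researchers' report; it runs that correlation over constructed DNS query logs, and the log format and client addresses are assumptions.

```python
"""Flag devices whose DNS activity matches the VPNFilter Stage 1 pattern.

Added example, not from the original article. The log lines are constructed.
The domains are the ones the article names for Stage 1: Photobucket.com
(primary image download), ToKnowAll.com (fallback C2) and api.ipify.org
(the external-IP lookup the malware stores for later use).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1 indicators named in the article, with a label for reporting.
C2_DOMAINS = {"photobucket.com": "stage1-primary",
              "toknowall.com": "stage1-fallback"}
IP_CHECK_DOMAIN = "api.ipify.org"

# Constructed sample log; assumed format: "<ISO time> <client ip> <domain>"
SAMPLE_LOG = """\
2018-05-24T10:00:01 192.168.1.1 photobucket.com
2018-05-24T10:00:04 192.168.1.1 api.ipify.org
2018-05-24T10:02:10 192.168.1.50 photobucket.com
2018-05-24T11:30:00 192.168.1.77 toknowall.com
2018-05-24T11:30:02 192.168.1.77 api.ipify.org
2018-05-24T12:00:00 192.168.1.50 example.com
"""


def parse_line(line):
    """Return (timestamp, client, domain) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].lower().rstrip(".")


def find_stage1_candidates(log_text, window=timedelta(minutes=5)):
    """Return {client: reason} for clients matching the Stage 1 pattern.

    A client is flagged when it resolves one of the C2 domains AND, within
    `window` (either order), also resolves api.ipify.org. A lone Photobucket
    lookup is ordinary user browsing, so it is only reported as 'weak' for an
    analyst to review. ToKnowAll.com is not a site users browse, so a lookup
    of it is reported even without the IP check.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, client, domain = parsed
            events[client].append((ts, domain))

    findings = {}
    for client, evs in events.items():
        evs.sort()
        c2_hits = [(ts, C2_DOMAINS[d]) for ts, d in evs if d in C2_DOMAINS]
        ip_checks = [ts for ts, d in evs if d == IP_CHECK_DOMAIN]
        for ts, label in c2_hits:
            if any(abs(t - ts) <= window for t in ip_checks):
                findings[client] = f"{label} + external IP check within {window}"
                break
        else:
            # No correlated IP check: grade the C2 lookups on their own.
            if any(lbl == "stage1-fallback" for _, lbl in c2_hits):
                findings[client] = "stage1-fallback domain queried"
            elif c2_hits:
                findings[client] = "weak: photobucket only"
    return findings


if __name__ == "__main__":
    for client, reason in sorted(find_stage1_candidates(SAMPLE_LOG).items()):
        print(client, "->", reason)
```

Feed it your resolver's query log in the assumed three-column format; anything reported as a Stage 1 match is a candidate for the reset-and-update steps the researchers recommend.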

According to the researchers, you should take the following steps to help protect your systems from VPNFilter:

  • Reset your routers to restore their factory default settings. Rebooting stops Stages 2 and 3 from running on infected devices, at least until Stage 1 reinstalls both processes
  • Update the router’s firmware immediately once the manufacturers release the patch

Trend Micro Smart Home Network users are protected from this threat by the following rules:

  • 1054456 WEB Linksys Unauthenticated Remote Code Execution -1 (OSVDB-103321)
  • 1054457 WEB Linksys Unauthenticated Remote Code Execution -2 (OSVDB-103321)
  • 1055170 EXPLOIT Generic Arbitrary Command Execution -1
  • 1056614 WEB Cisco Linksys E1500/E2500 apply.cgi Remote Command Injection -1 (BID-57760)
  • 1058664 WEB Cisco Linksys E1500 and E2500 Router Directory Traversal Vulnerability (BID-57760)
  • 1058665 WEB Cisco Linksys E1500 and E2500 Router Password Change Vulnerability (BID-57760)
  • 1058980 WEB Cross-site Scripting -14
  • 1059209 WEB Cisco Linksys E1500 and E2500 Router OS Command Injection Vulnerability (BID-57760)
  • 1059253 WEB Netgear DGN1000 And Netgear DGN2200 Security Bypass Vulnerability (BID-60281)
  • 1059264 WEB QNAP VioStor NVR and QNAP NAS Remote Code Execution Vulnerability (CVE-2013-0143)
  • 1059672 WEB Cisco Linksys E1500/E2500 apply.cgi Remote Command Injection -2 (BID-57760)
  • 1132723 WEB GD Library libgd gd_gd2.c Heap Buffer Overflow -1 (CVE-2016-3074)
  • 1133310 WEB Netgear R7000 Command Injection -1.1 (CVE-2016-6277)
  • 1133463 SSDP Simple Service Discovery Protocol Reflection Denial of Service Vulnerability
  • 1133464 WEB Netgear WNDR1000v4 Router Remote Authentication Bypass
  • 1133572 WEB Shell Spawning Attempt via telnetd -1.b
  • 1133802 WEB Netgear NETGEAR DGN2200 dnslookup.cgi Remote Command Injection (CVE-2017-6334)
  • 1133908 EXPLOIT QNAP Transcode Server Command Execution
  • 1134566 NETBIOS MikroTik RouterOS SMB Buffer Overflow -1 (CVE-2018-7445)
  • 1134567 NETBIOS MikroTik RouterOS SMB Buffer Overflow -2 (CVE-2018-7445)

If you have further inquiries on the above malware, you may contact us at 893-9515 and we will be happy to answer them!

Cryptomalware attacks become more prevalent with the increased popularity of Cryptocurrency

Cryptocurrency has been a hot topic over the last year; you may have heard of plenty of people investing in currencies such as Bitcoin hoping to strike it rich, as their value has been highly volatile.  As revolutionary an idea as it is for the market, there are also those who wish to profit from this new-found trend by unscrupulous means.  This is apparent with the introduction of a new type of malware that specifically targets cryptocurrency users: cryptomalware.

Just as there is variety in ordinary malware, cryptomalware comes in different forms as well, ranging from client-side web scripts to mobile applications.  As of now, the usual modus operandi of cryptomalware is either to use your computer's computing power to mine currency or to directly steal currency by intercepting your purchases and rerouting your payments to the criminal's wallets instead.  Even IoT devices are now being targeted by these attackers as a way to expand their operations, even though the computing power of these devices is far below that of servers or laptops.

Cryptocurrency mining malware, unlike many other kinds of malware, actively uses your computer's computational resources to mine cryptocurrency.  This process puts a great strain on the infected device and can significantly shorten its lifespan.  A recent study from Trend Micro found that the most detected home network event was cryptocurrency mining, showing that it is becoming more prevalent even in the average consumer's home.  To help mitigate the threat, below are a few tips on what you can do to lessen your chances of getting infected:

  • Regularly update devices with their latest firmware to prevent attackers from taking advantage of vulnerabilities to get into systems.
  • Change devices’ default credentials to avoid unauthorized access.
  • Employ intrusion detection and prevention systems to deter malicious attempts.
  • Be wary of known attack vectors, such as socially engineered links, attachments, and files from suspicious websites, dubious third-party applications, and unsolicited emails.

For increased security against these threats, you may also want to consider a proactive security solution such as Trend Micro™ XGen™ security.  With high-fidelity machine learning that secures the gateway and endpoint and protects physical, virtual, and cloud workloads, it gives you a second layer of defense to help secure your endpoints from threats like cryptomalware.

To learn more about cryptomalware you may check this link or you may contact us directly at 893-9515 and we will do our best to answer your inquiries.

Join Our Upcoming Event Pushstart!

Cloud technology is being used by more and more companies because of the operational and economic benefits it provides.  This in turn makes securing your virtualized data centers, cloud deployments and hybrid environments more important.  Leaving any gaps or neglecting any aspect of your security can now expose you and your company to more threats and serious breaches such as ransomware and other malicious attacks.

CT Link Systems, Inc., in partnership with Trend Micro, invites you to attend our upcoming event, Pushstart, to learn more on how you can better secure your company from the growing threats on Cloud platforms such as Microsoft Azure and Amazon Web Services!

Register HERE if you would like to learn more!

About Cisco

Cisco is a multinational technology corporation that specializes in networking and communication technologies. The company is headquartered in San Jose, California, and has offices and operations in over 100 countries worldwide.

Founded in 1984, Cisco has become a leading provider of networking equipment and solutions for businesses and organizations of all sizes. The company’s products and services include routers, switches, wireless access points, security solutions, collaboration tools, and software-defined networking solutions.

Cisco’s networking solutions enable businesses to connect their devices, applications, and data across local and wide-area networks, as well as the internet. The company’s products are designed to provide fast, reliable, and secure connectivity, with features such as Quality of Service (QoS), network segmentation, and advanced security protocols.

In addition to its hardware products, Cisco also offers a range of software solutions for network management, security, and collaboration. The company’s software-defined networking solutions provide a flexible and scalable approach to network management, enabling businesses to easily configure and manage their networks through a centralized dashboard.

Cisco’s collaboration tools enable teams to work together more effectively, with features such as video conferencing, messaging, and file sharing. The company’s security solutions provide protection against cyber threats, with features such as firewalls, intrusion prevention systems, and endpoint protection.

Server Security: Ransomware & Advanced Attacks

Business IT environments are now at greater risk as more and more malware, such as ransomware, becomes more sophisticated.  Malware gaining access to your IT environment can disrupt your business operations: your service, your productivity and, more importantly, your reputation.  Cybercriminals do this through business process compromise (BPC), halting your access to business-critical applications and data, which can last for days if not months.

Contrary to the common belief that cyber threats are an endpoint issue, ransomware and other advanced attacks also target your servers.  Servers are high-value, easy targets for cybercriminals because of the combination of readily available infrastructure in the public cloud and the increased speed of application delivery used to create competitive advantage.  Server and endpoint security differ hugely in that the applications and operating systems that run enterprise workloads in the data center, in the cloud and even in containers can be extremely dynamic.

Fundamentals DO matter – Patching

As servers are the driving force that pushes any business forward, tasked with housing your most valuable data, it is only natural that cybercriminals would start targeting them, whether on premises or in the cloud.  Cybercriminals will take advantage of vulnerabilities found on your servers.  A good example of this is the recent WannaCry ransomware attack a few weeks ago, which leveraged a Microsoft Windows SMB vulnerability to inject itself onto servers and endpoints.  OS patching is the best way to prevent such an attack from executing.  However, there are many reasons why servers are left unpatched, one of which is server downtime.  It is estimated that enterprise firms take an average of 250 days (205 days for retail businesses) to fix the software flaws in their enterprise applications.

Layered Security

Hybrid cloud infrastructures are complex, and these complexities can leave gaps that can be exploited.  So what can be done to prevent situations such as a compromised endpoint accessing a vulnerable file server?  This is where advanced server security solutions such as Trend Micro Deep Security come in.  It is designed to protect workloads across physical, virtual, cloud and container environments with host-based security that shields servers from a wide range of threats.  With its range of cross-generational security techniques, it enables you to easily:

  • Stop network attacks and shield vulnerable applications & servers, leveraging Intrusion Prevention (IDS/IPS) and firewall techniques;
  • Lock down systems and detect suspicious activity on servers, using techniques like application control and integrity monitoring that have been optimized for the hybrid cloud; and
  • Prevent malware and targeted attacks from successfully infiltrating your servers, leveraging proven anti-malware and advance techniques like behavioral analysis & sandboxing

Learn more about Trend Micro Products from our product page here!

An Advisory from CT Link Systems, Inc. for WannaCry Ransomware Attacks

You may have heard over the weekend of the recent attacks of ransomware called WannaCry, which has targeted almost 200,000 computers across 150 countries.  While a killswitch has been found to help lessen the spread of WannaCry, many still believe that a new strain of WannaCry will soon come out which will bypass this quick fix.

Microsoft has released its statement on this issue and has provided its customers with the solution to prevent the malicious software from affecting them: installing the security update MS17-010.  More recently, it also released security patches for older operating systems such as XP, which can be found at this link.  However, for those of our current Trend Micro users who cannot apply the patches as soon as possible, we have workarounds you can apply in the meantime.  Below are the Trend Micro products that can be used to prevent the attacks (please make sure to apply the correct patch or pattern for the product):

For our clients who are not using Trend Micro, we strongly urge you to patch your Windows systems with MS17-010 (for versions such as XP, please refer to this link).  For any questions or inquiries you have about ransomware or how you can protect your system, please contact us at 893 9515 and we will be happy to help!

About CT Link

CT Link Systems, Inc. is a premier IT Solutions provider based in the Philippines. We are dedicated to delivering innovative solutions that meet the evolving needs of our clients. Our goal is to be your “Link to Cloud Technology” for businesses looking to improve their digital capabilities. Our solutions include multilevel security, hybrid cloud, and workspace solutions. Established in 1998, CT Link has built a reputation as a reliable partner for companies seeking a competitive advantage.

We work with leading international vendors to offer the latest and most cost-effective solutions. Our engineers are highly skilled and trained, providing expert planning, implementation, and support services. At CT Link Systems, Inc., we understand the importance of technology and the role it plays in driving business success. That’s why we heavily invest in product training and certification for our engineers, ensuring they have the knowledge and expertise to deliver the best possible outcomes. Whether you need help with security, cloud migration, or other IT challenges, we are confident that we can be your trusted technology partner.

Finding the Next Generation Endpoint Protection

Trend Micro has recently launched XGen™ Endpoint Security, which incorporates predictive machine learning in its endpoint security solutions, effectively enhancing your protection against ransomware attacks, blocking processes associated with unauthorized encryption, and preventing compromised executable files from infecting your network.  It is packaged with Vulnerability Protection (host-based IPS), Application Control (for whitelisting known applications), and Endpoint Encryption (for files, folders, or hard drives), all reporting to a centralized management system.  Trend Micro's endpoint security solutions can help you keep up your security posture against cybercriminals.

Ransomware is malicious software designed to block access to a computer system or files until a sum of money has been paid.  For some time, cybercriminals targeted only individuals; they have now moved on to targeting big organizations as well, racking up millions of dollars in ransom money.  To protect yourself from this kind of cybercrime, an advanced security solution (not just anti-malware) is needed, from anti-exploit protection down to protection against suspicious connections and executions.

We would like to invite you to learn and experience firsthand what CT Link Systems Inc. and Trend Micro can help you with this coming year.  We hope to see you in our event so you can try and see for yourself the new updates of XGen™ Endpoint Security that can help your business stay secure this 2017!

When:

January 31, 2017 from 1:00PM – 5:00PM

Where:

Contis Bakeshop, Greenbelt 2, Makati City

Program Flow:

Time Activity
12:30PM – 1:00PM Registration
1:00PM – 1:15PM Welcoming Remarks
1:15PM – 3:00PM Product Presentation
3:00PM – 3:30PM Break
3:30PM – 4:45PM Product Demo
4:45PM – 5:00PM Closing Remarks

To register, please email your name(s), position, company and contact details to rcruz@www.ctlink.com.ph

Don’t forget to like our Facebook page

Trend Micro Presents Two Major Awards to CT Link Systems for FY15 Champion Performance

September 27, 2016 — Trend Micro, on its Partner Day celebration held at 12 Monkeys Music Hall & Pub in Century City Mall, presented CT Link Systems, Inc. with two major awards:  FY15 User Protection Champion and FY15 Network Defense Champion.

The FY15 User Protection Champion Award is given to CT Link Systems for its major contributions in providing customers Trend Micro Endpoint Security solutions, which include:

  • OfficeScan – Protects physical and virtual desktops against malware
  • Vulnerability Protection – Blocks exploits and zero-day threats thru intelligent virtual patching
  • Data Loss Prevention – Guards private data and intellectual property
  • ServerProtect – Provides Server Security for Windows Server, Linux and Novell Netware
  • EndPoint Application Control – Prevents unwanted and unknown application execution
  • EndPoint Encryption – Protects PCs, USB devices and removable media thru Full Disk and Files/Folders encryption
  • Mobile Security – Fully integrated mobile device management
  • InterScan Messaging Security – On-premise E-Mail Gateway Security
  • ScanMail – Blocks viruses, spam, phishing and other email threats on Microsoft Exchange and IBM Domino mail servers
  • Cloud App Security – Security for Office 365, Dropbox and Box
  • InterScan Web Security – Secure Web Gateway that provides complete visibility and control of web activity
  • PortalProtect for Microsoft Sharepoint – Secures collaborations by blocking malicious links and scans both files and web components of SharePoint

Trend Micro also awarded CT Link Systems the FY15 Network Defense Champion award, acknowledging the major contributions of CT Link Systems in providing Trend Micro Deep Discovery solutions to customers.

Trend Micro Deep Discovery enables users to detect, analyze and respond to today's stealthy ransomware and targeted attacks in real time.  Deep Discovery provides proven protection against ransomware and advanced threats, and it interoperates and integrates with the user's existing security infrastructure.  With Deep Discovery, users have a comprehensive defense tailored to protect their organization against targeted attacks, advanced threats and ransomware.

For more information on Trend Micro solutions and products, please contact CT Link Systems at 893-9515.