
ESET named an Overall Leader in KuppingerCole’s report for its endpoint protection, detection and response capabilities

Bratislava, May 18, 2022 – ESET, a global leader in digital security, announced that it has been named an Overall Leader in the KuppingerCole Leadership Compass Endpoint Protection, Detection & Response (EPDR) 2022 report, where the business’ EPDR solutions were awarded Leader status in all categories of Product Leadership, Innovation Leadership and Market Leadership. KuppingerCole analyzed vendors based on a correlated view of Market and Product Leadership rankings, where ESET was recognized as a Market Champion. Furthermore, based on a correlated view of the Product and Innovation Leadership rankings, ESET came out as a Technology Leader.

KuppingerCole, an international and independent analyst organization, helps IT organizations by defining leaders amongst market vendors and the KuppingerCole Leadership Compass EPDR 2022 report provides a specific overview of vendors’ EPDR solutions. The report covers the trends influencing this segment and the essential capabilities required of EPDR solutions, and also provides ratings on how well the solutions meet expectations.

Analyzed in the report, ESET Inspect is the foundation of ESET’s extended detection and response (XDR) capabilities and works together with ESET PROTECT to offer a complete security solution that is optimized for customers’ ease of use. Furthermore, the latest MITRE Engenuity ATT&CK® Evaluations for Enterprise demonstrate that ESET Inspect is able to provide organizations with excellent visibility and context throughout all attack stages. As an XDR-enabling solution, ESET Inspect is a sophisticated tool with advanced threat hunting and incident response capabilities, and together with ESET PROTECT offers deep network visibility, cloud-based threat defenses, and more. Overall, ESET has continuously been named a top player and a leader in the industry for its balanced protection, detection and response security offering.

“We are honored to be recognized as a Leader in all the categories of KuppingerCole’s report, because at ESET, we believe in taking a multi-layered, high performance approach to our technologies, working closely with our customers for an optimized and complete security solution,” said Ignacio Sbampato, chief business officer at ESET. “Since our inception, we have been a pioneer in developing our machine learning capabilities to fight the toughest digital security challenges of today. And this recognition is testament to our relentless drive for progressive and innovative solutions for our customers.”

For more information on ESET’s results in this report, click here.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET launches a global search for ‘Heroes of Progress’, looking for the most progressive minds of the 21st century

BRATISLAVA — May 11, 2022 — ESET, a global leader in digital security, today announces the launch of a new initiative, ‘Heroes of Progress’, in which it will search for visionary thinkers who have contributed to progress across a variety of industries, with technology at the core of the progress made.

Behind all forms of progress, sits a team of brilliant, often maverick, creators that ensure great things happen. ESET is on a mission to find these progressives and shine a light on the unsung heroes that keep the world turning.

Nominations will open on 11th May and close on 26th June 2022, through the Heroes of Progress website. The entries, made through a 300-word executive summary, must outline examples of best-in-class work by the nominees that have made an impact through technology. This includes any technology invented, adopted or improved that has advanced industries, society or communities. To qualify for the award, nominees must work within at least one of the fields below, be actively involved in the work they are nominated for, and be over the age of 18.

The 15 different categories will include the following industries:

  1. Arts & Creative industries
  2. Business
  3. Digital security
  4. Education
  5. Energy & Sustainability
  6. Financial Services
  7. Food & Agriculture
  8. Healthcare & Life Sciences
  9. Logistics industry
  10. Manufacturing
  11. Research & Development
  12. Science
  13. Sport
  14. Smart Cities, IoT & IT industry
  15. Transport & Travel industries

An expert judging panel, headed up by ESET’s Chief Business Officer, Ignacio Sbampato, will review all applications, and the list of the unsung agents of change across the world will be launched in September 2022.

Ignacio Sbampato, CBO, commented: “If we imagine for a moment what losing the contributions of history’s creative thinkers would mean to today’s technology, it becomes clear why their efforts need to be applauded. That is why ESET places immense importance on the development of science, and the technology, research, and corporate responsibility initiatives that our business pursues with our colleagues, customers, partners, and the communities in which we operate. We are excited to start our search for true Heroes of Progress, so we can celebrate all their amazing achievements across the world and shine a light on the progressive minds helping make our planet a better place.”

All nominations can be submitted on the ESET Heroes of Progress website.

To find out more about ESET’s take on progress, please read here.

ESET participates in joint efforts to strengthen cyber-resilience with NATO’s Locked Shields exercise

BRATISLAVA — May 5, 2022 — From April 19 to April 22, 2022, Locked Shields, the biggest international live-fire cyber defense exercise, took place in Tallinn, Estonia. Since 2010, the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) has been organizing this annual event, putting the cyber capability of NATO member countries to the test. This exercise took more than six months to prepare to ensure its success. It aims to strengthen the collective digital defense across the Alliance and test the skills of Allies. The participants had a unique opportunity to prove their ability to protect national civilian and military IT systems and critical infrastructure.

The Locked Shields 2022 exercise subjected around 5,500 virtualized systems to more than 8,000 live-fire attacks. However, the exercise is not as significant in its size as in its complexity. The involved teams had not only to prove their ability to protect entrusted critical infrastructure of an imaginary country, but also their effectiveness in reporting details about the situation on the digital battlefield, executing strategic decisions and solving forensic, legal and information operations challenges. For the first time, in 2022, the technical exercise also included the simulation of reserve management and financial messaging systems of a central bank. The main focus of the exercise was on the interdependencies of international IT systems.

This year, more than 2,000 participants from 32 nations were involved. Twenty-four were NATO member nations, including the Slovak Republic, which has taken part in the exercise every year and was joined in 2022 by cybersecurity experts from the Czech Republic. Since there was interest from many nations, several nations joined forces to create joint teams, such as the Slovak-Czech, Lithuanian-Polish and Estonian-Georgian ones.

The Slovak-Czech team was formed from experts in the armed forces, government organizations, and the private sector, including ESET. Twenty-nine of ESET’s security experts participated in the exercise, helping the SK-CZ team to fifth place overall, and the top position in two subcategories: forensics and reporting.

ESET is glad to have had the opportunity to join Slovakia in this exercise once more and thus prove itself as a valuable member and partner to the country.

“Once again, the team from ESET demonstrated its technical expertise at Locked Shields 2022 and helped the Slovak-Czech blue team achieve a very good ranking. ESET’s products had high incident detection efficiency and enabled us to proactively respond to emerging threats in a short period of time. A thank you to everyone involved for their participation and high level of professionalism,” says the Director of the Cyber Defence Center of the Slovak Republic.

The need for digital security and locking shields is increasingly evident given current events like the invasion in Ukraine and the COVID-19 pandemic. As the global community becomes increasingly dependent on technology, malicious cyber actors are growing their efforts to attack both public and private sectors. In response, the Locked Shields exercise uses the latest technologies to train national teams within an exercise environment based on realistic scenarios.

Threat Awareness: The Spectre of Ransomware

An extract from GDR The Guide to Data as a Critical Asset – Edition 1. The whole publication is available at https://globaldatareview.com/guide/the-guide-data-critical-asset/edition-1

Introduction[1]

Twenty-first-century businesses rely on data to run their operations; data is their life-blood and any interference can be deadly – a risk identified by criminals.

The task of defending information technology (IT) networks, therefore, is all about the data moving across them; inactive data is a risk or potential threat at worst. The challenge when data is moving is knowing what it is doing.

Ideally a company would want to know what happens to every piece of data in transit on its network and set rules about its use. However, this is a potentially technically challenging solution and an inflexible method requiring significant amounts of data storage.

Furthermore, such a system would present serious problems for the move to home working popularised by the covid-19 pandemic because it would mean that each device would need to authenticate via insecure, public networks to access a corporate network. The virtual private network (VPN) method that most companies currently use to achieve this is designed for flexibility, which means that it is open to all internet protocol addresses, apart from those that are blacklisted.

The freedom this gives to employees reflects the risks to data from a potential attacker. Data can be stolen, it can be put out of reach or it can be destroyed. This means each organisation must decide several security issues, such as the perceived value of data, the capability of tracking its movement and the balance that can be struck between the employees’ freedom and the threats to that data.

There are a number of cybercrime threats to data, ranging from data breaches that focus on the theft of passwords, usernames and financial information to threats to networks, such as distributed denial of service attacks (DDoS), which attempt to overload a network or computer (in most cases, a web server hosting a website) with automated junk traffic to make it unavailable for its intended users for a certain period.

The most reported form of attack is ransomware, which has refined most cybercrime techniques and has become the most effective method of making money using modern developments in technology. Ransomware relies on an attacker gaining access to a company network, encrypting the data on it and denying the company access to either data or devices unless a ransom is paid.

Although not a new threat – in the 1990s there were several cases of disgruntled employees encrypting data and demanding ransoms for access – the advent of cryptocurrencies and the internet have generated a huge increase in the activity. In the 20th century, the ransom had to be picked up either in cash or by bank transfer, which left the extortioner very vulnerable to arrest. That risk no longer exists.

As a result, the sheer scale of the attacks is forcing businesses to factor a response to a ransomware attack into their business models, which could expose a business to legal issues over whether to pay.

What is even more problematic is that, often, even if a ransom is paid, a company may not regain access to all its data.

Another factor is that the payment of a ransom not only confirms to the criminals that their crime pays, it also has reputational issues: first, regarding the business’s cybersecurity and second, regarding the future integrity of the business’s data.

A final factor is the legality of payment as cybercriminals are often either sanctioned or operating from sanctioned states.

This issue received stark emphasis in November 2021 from the US Department of Treasury’s Office of Foreign Asset Control (OFAC), which updated the Sanction List with a number of cryptocurrency wallets specifically concerning individuals associated with cybercrime, who were the alleged perpetrators of ransomware attacks. The update also included for the second time a crypto exchange known as Chatex, which is suspected of facilitating financial transactions for hackers.

The regulatory landscape has also changed. The US Federal Deposit Insurance Corporation, a US regulator of the financial industry, announced on 18 November 2021[2] that banking organisations will be required, from 1 April 2022, to report computer security incidents within 36 hours. The new regulations, which other industry sectors are likely to adopt, mean that organisations will find it more difficult to hide an incident.

The Ransomware Disclosure Act proposed by Senators Elizabeth Warren and Deborah Ross[3] is likely to make payment even more problematic. The Act, if passed, will require companies that are the victims of ransomware attacks to report ransom payment information to the Department of Homeland Security, which will provide the US government with critical data on cybercrime activity. It may also have the effect of reducing a company’s or its insurer’s willingness to pay, knowing that they may face government scrutiny when they disclose the payment, which is likely to include how payment was made, how much was paid and to whom. Similar legislation is being proposed in other parts of the world, such as Australia.[4]

So, perhaps a business’s first step in developing a response should be to seek legal advice regarding a ransomware insurance policy.

Ransomware is big business

Although no exact figures exist for the annual criminal proceeds of ransomware, the activities of law enforcement in arresting gang members and recovering stolen funds do give an indication of the scale of the activity. This policing activity has led to seizures of millions of dollars in cash and expensive assets, as well as the freezing of criminal cryptocurrency accounts.

To gain an insight into the scale of the issue, in one notable event on 14 January 2022, Russian Federal Security Service (FSB) agents arrested 14 members of one of the most notorious ransomware gangs – Sodinokibi (aka REvil)[5] – and confiscated US$6.6 million worth of cash assets, 20 luxury cars and a parcel of cryptocurrency wallets used to run its affiliate business.

Before the Russian raid, law enforcement agencies had already arrested seven affiliates of the gang, and even recovered US$6.1 million from another affiliate still at large.

In a business model often used in computer crime, the Sodinokibi gang runs ransomware-as-a-service (RaaS) affiliate operations, and takes a cut of 30 to 40 per cent from ransom payouts made to their affiliates around the world.

According to the US Department of Justice,[6] in November 2021, the Sodinokibi ransomware operation collected more than US$200 million in ransom payouts and encrypted no fewer than 175,000 computers.

The impact of ransomware on global business and its data has been severe. This trend has been reflected in media headlines, most notably the 2021 attack on the US company Colonial Pipeline.[7] This incident resulted in petrol shortages because of panic buying of fuel and a US$4.4 million ransom demand.

An idea of the scale of the problem can be gauged from analysis carried out by the European Union’s cybersecurity agency ENISA, which in 2019 put the cost of ransomware payouts at €10 billion, and the US Financial Crimes Enforcement Network, which, in the first part of 2021, estimated bitcoin payments it associated with ransomware to be in the region of US$5.2 billion.

These figures also mask one other often overlooked factor, which is that the success of ransomware is only possible because of the criticality of data to run modern businesses. Lose access to your data and you lose your business.

The psychological pressure ransomware generates for critical data

Ransomware generates huge psychological pressure because organisations are conscious of potential reputational damage, service outages and legal and financial penalties, to which is added the obvious knowledge of losing control of core data. It is a mark of the importance of critical data that the ransomware trend has reached such levels, as its specific purpose is to take advantage of how dependent businesses are on their computer networks.

In November 2019, the Maze ransomware gang started a trend called doxing (taking valuable or sensitive data from victims’ systems before encrypting it). The gang then threatens to either publicly release the data or sell it to other malicious actors unless they are paid an additional fee on top of the ransom – a type of double extortion.

To increase the pressure still further on their victims, some ransomware operators take the step of directly contacting business partners or customers of victim organisations that have not paid a ransom demand. They will imply that sensitive data has been accessed in the attack and suggest that the business partners or customers also put pressure on the victim organisation to pay the ransom, or even demand payment directly from the business partners or customers.[8]

What is also particularly interesting about the crime trend is the acute awareness that criminals have developed regarding the value and use of information in the internet age.

In a final brazen twist, they have begun to offer insider information to short the stock of publicly traded companies in tandem with a public announcement of a ransomware attack. The DarkSide ransomware gang used this technique in April 2021[9] when it released a notice on its dark web portal offering information about companies listed on NASDAQ and other stock exchanges that had fallen victim to the gang. The group’s ruse was that the combination of bad publicity, a dip in stock prices and the sale of insider information might put pressure on some companies to pay the ransom.

Gangs have homed in on market pressure in the wake of Verizon’s 2017 acquisition of Yahoo. Following news of two data breaches, Verizon reduced its original offer for Yahoo by US$350 million, which was noted by the cyber gangs. This was a development the US Federal Bureau of Investigation (FBI) highlighted in November 2021[10] when it released a private industry notification warning that ransomware actors now coordinate their attacks with current mergers and acquisitions to maximise extortion bids.

Acutely conscious of the value of the data it is denying to the company, the gangs’ modus operandi is usually to keep ratcheting up the pressure with a range of other attacks. Furthermore, if victims refuse to pay, ransomware gangs will often threaten multiple follow-up disruptions. These range from DDoS attacks on victims’ websites[11] to personal threats against company executives[12] using data found on their devices.

Sometimes, the criminals advertise their presence on a network using shock tactics such as print bombing, in which multiple printers on a network are commanded to print a ransom note – threatening management’s ability to control internal and external communication about an incident.[13] Some gangs have also taken to cold calling executives using data on companies’ databases to further increase the sense of being under siege.

In a 2020 attack, the Ragnar Locker ransomware gang even used funds from a US man’s hacked Facebook account to run a Facebook Ads campaign[14] against Campari, in a bid to coerce it to pay for a ransomware attack. The campaign failed when Facebook detected the advertisements and quickly capped the campaign spend at US$35.

Preamble to a ransomware attack and other threats to data

A corporate ransomware attack is typically preceded by a two-stage preparation process that begins with initial access and is followed by reconnaissance, possibly accompanied by the theft of data. 

Typically, ransomware operators rely on access brokers who specialise in gaining initial access to a network. To gain entry, these attackers probe networks for insecure system configurations, especially in remote access software tools such as remote desktop protocol (RDP, a tool that allows a device to be accessed via a network), or look for vulnerable software to exploit. Other lines of attack involve spearphishing (i.e., targeting individuals with an email they are likely to reply to because it appears to come from someone they trust) or bulk phishing emails. Both types of email contain malicious attachments or links that aim to trick unwary recipients into unwittingly giving up their credentials or allowing malware to be downloaded and installed.

For these access brokers, often hired via the dark net, the coronavirus pandemic was a godsend because of the number of office employees forced to work from home who suddenly became dependent on remote access tools. As a result, RDP became an essential requirement for people working from home. It works both ways, also enabling support staff to remotely manage employees’ machines.

Unfortunately, RDP can be a significant risk, and to expose it to the internet – especially at scale – is a decision that should not be taken without some thought.[15]

Although gaining access from the internet to devices running RDP may require more effort than ransomware delivered via other channels, such as email, RDP does offer attackers significant benefits, such as misuse of legitimate access, the potential to evade protections and the ability to compromise multiple systems, or whole networks within a single organisation, especially if attackers successfully elevate their privileges to ‘admin’ or compromise an administrator’s machine. Since RDP is a legitimate service – unlike malware – attacks via RDP can also fly under the radar of many detection methods, meaning fewer records and less threat awareness.
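The passage above notes that RDP is a legitimate service, so its abuse leaves fewer obvious traces than malware does. One check that still works on the records Windows keeps is to watch for a burst of failed RemoteInteractive logons from one source address followed by a success from the same address. The script below is an added example written for this extract, not code from the guide or from ESET; it assumes Security log events exported to a simplified one-record-per-line `timestamp key=value` text format (the sample records are constructed in `build_sample_events`) and implements that sliding-window check.

```python
"""Flag RDP password-guessing patterns in Windows Security log records.

Added example, not from the GDR guide. Assumes records exported in a
simplified 'timestamp key=value ...' text format (constructed below);
real exports carry the same fields under the same names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"      # An account failed to log on
SUCCESS_LOGON = "4624"     # An account was successfully logged on
RDP_LOGON_TYPE = "10"      # RemoteInteractive: RDP / Terminal Services


def parse_event(line):
    """Parse one record into a dict with a datetime under 'ts'; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = ts
    return fields


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for source addresses with >= threshold RDP failures inside
    the sliding window, and for any RDP success from such an address.

    Records are expected in chronological order, as a log export would be."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    already_alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue            # ignore malformed lines and non-RDP logons
        ip = ev.get("IpAddress", "?")
        recent = failures[ip]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()    # drop failures older than the window
        if ev.get("EventID") == FAILED_LOGON:
            recent.append(ev["ts"])
            if len(recent) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append({"type": "rdp_bruteforce", "ip": ip,
                               "failures": len(recent), "ts": ev["ts"]})
        elif ev.get("EventID") == SUCCESS_LOGON and len(recent) >= threshold:
            # a success right after a burst of failures is the case to escalate
            alerts.append({"type": "rdp_success_after_failures", "ip": ip,
                           "user": ev.get("TargetUserName"), "ts": ev["ts"]})
    return alerts


def build_sample_events():
    """Constructed sample log: one normal RDP logon, eight failures in 70 s
    against 'administrator' from one address, then a success from that address,
    and one non-RDP (network, type 3) failure that must be ignored."""
    base = datetime(2022, 5, 1, 8, 0, 0)
    events = [(30, "4624", "10", "198.51.100.20", "jsmith")]
    events += [(10 * i, "4625", "10", "203.0.113.7", "administrator") for i in range(8)]
    events.append((95, "4624", "10", "203.0.113.7", "administrator"))
    events.append((100, "4625", "3", "203.0.113.7", "svc_backup"))
    events.sort()
    return [f"{(base + timedelta(seconds=s)).isoformat()} EventID={eid} "
            f"LogonType={lt} IpAddress={ip} TargetUserName={user}"
            for s, eid, lt, ip, user in events]


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(build_sample_events()):
        print(alert)
```

Event 4625 with logon type 10 is the failed-RDP signal and 4624 the success; the threshold and window are deliberately parameters, since a help desk that resets passwords will produce legitimate failure bursts and the values need tuning per environment. The second alert type is the one worth paging on: many failures followed by a success from the same address is the pattern the guide describes as going unnoticed when nobody looks.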

Full-on search for vulnerabilities

The quest for vulnerable companies by access brokers is relentless. Once one avenue has been exhausted, they switch to another, taking advantage of unpatched vulnerabilities in legitimate system software both to gain initial access and, once inside, to extend access to additional connected systems. It is a process like that used in the animal world by predators on herds – they search for weaknesses and the target is pursued because of its weakness. It is only afterwards, once identified, that it is examined for its potential exploitation value.

Another method of attack used as part of this pattern of victim identification is the use of ‘zero days’. A vulnerability is a mistake in the coding of some software of which a cyber criminal can take advantage to conduct an attack. A zero-day vulnerability occurs when there is not yet a patch in place to mitigate it, there being ‘zero days’ since a patch has been made available to the public. Discovering zero-day vulnerabilities can be an expensive process that generally involves well-funded and sophisticated threat actors such as advanced persistent threat (APT) groups and nation state-sponsored actors.

In one example in March 2021, a spate of attacks occurred when Microsoft rushed out emergency updates to address a chain of four ‘zero-day’ flaws – subsequently named ProxyLogon[16] – that affected versions of Microsoft Exchange, a server software used by organisations to deliver email via Outlook.

The speed and scale of the attack on Exchange servers around the world by more than 10 APT groups was striking. Companies that were too slow to patch or had not protected their systems sufficiently saw threat actors accessing their Exchange servers and attempting to steal email, download data and compromise machines with stealth malware to obtain long-term access to their networks.[17]

When coupled with ransomware, the automated exploitation of a vulnerability can become devastating. One of the best examples of this was WannaCry ransomware,[18] one of whose victims was the United Kingdom National Health Service in 2017. That attack came about because of the misuse of a high-severity vulnerability in Microsoft’s Server Message Block (SMB) protocol, which is used for file and printer sharing in large company networks. Despite patches having been available for two months before the WannaCry outbreak on 12 May 2017, attackers still found and encrypted more than 200,000 vulnerable machines.[19]

That ransomware gangs do their homework is obvious, as is their attention to detail, aware that some companies have managed to avoid paying them by backing up their data. It is therefore not surprising that the network-attached storage (NAS) devices commonly used to share files and make backups have also attracted their attention. This was confirmed in 2021, when the NAS appliance maker QNAP alerted its customers that a ransomware called eCh0raix was attacking its NAS devices, most successfully those with weak passwords.[20]

In January 2022, the DeadBolt group kicked off a ransomware campaign targeting internet-connected QNAP NAS devices. The attackers claimed to be exploiting a zero-day vulnerability that they would disclose to QNAP in return for US$1.85 million.

If such a device is connected to the internet and vulnerable, the best advice is to disconnect it right away. Considering that NAS devices are commonly used to store backups that can help organisations recover from a ransomware attack, this can be a particularly damaging type of attack.

As mentioned earlier, many criminals still use email attachments to deliver the malign code that installs ransomware. The attachments will either deliver downloaders that install malware on the email recipient’s machine or establish a foothold on a machine within an organisation’s network.

Email is one of the primary routes for botnets (such as Trickbot, Qbot and Dridex), one of the blights of the internet. Botnets are software programs that link a huge number of infected computers to form a usually automated ‘robot network’ – hence ‘botnet’, one of the core criminal internet entities. They are available for hire on a metered basis (often for as little as 15 minutes) to take down websites and online computer systems by sending a stream of automated requests for information that overloads the computers and forces them to crash. They provide the essential delivery mechanism for junk email campaigns, the DDoS attacks discussed earlier, and for ransomware.

The criminals scan the internet looking for vulnerable computers to infest while simultaneously sending out junk email to catch the unwary. Once installed, the software harvests and sends data about the victims’ machines to the attackers’ server. The attackers then take control of the machine and link it with others they have infected to form a botnet, a network of computers that can be used in large-scale attacks, such as malicious email campaigns, DDoS attacks on websites and ransomware. For the owner of the computer, the only sign of the infection may be that it begins to run slowly.

Botnets such as Trickbot commonly attach Microsoft Office documents tainted with malicious code in email campaigns for initial intrusion that can later lead to ransomware as the final payload. In these cases, the botnet operators usually act as initial access brokers who sell or rent their access to compromised networks to the ransomware operators. It is because of this that there are often direct links between botnet and ransomware software.[21]
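The two passages above describe malicious email attachments, and in particular Office documents carrying macro code, as the usual delivery route for the botnets that later hand access to ransomware operators. A mail gateway or SOC triage step can at least separate macro-bearing documents from plain ones by inspecting the bytes rather than trusting the file name. The script below is an added example, not code from the guide or from any vendor: it flags OOXML containers that carry a `vbaProject.bin` part, flags a Windows executable (`MZ` header) presented under a document extension, flags script and executable extensions outright, and applies a labelled heuristic to legacy OLE files. The `build_ooxml` helper constructs minimal sample containers for the demo; they are not real, openable documents.

```python
"""Triage e-mail attachments by content, not by file name.

Added example, not from the GDR guide or any vendor. The OLE check is a
labelled heuristic (substring match on VBA storage names), not a full
parser of the legacy container format.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy .doc/.xls container
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
OOXML_EXTENSIONS = MACRO_EXTENSIONS | {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}
DOCUMENT_EXTENSIONS = OOXML_EXTENSIONS | {".doc", ".xls", ".ppt", ".rtf", ".pdf"}
SCRIPT_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".lnk", ".iso"}
# UTF-16LE storage names legacy Office files use to hold VBA (heuristic only)
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT_CUR")]


def _extension(filename):
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage_attachment(filename, data):
    """Return a list of finding labels for one attachment (empty if nothing found)."""
    findings = []
    ext = _extension(filename)
    if ext in SCRIPT_EXTENSIONS:
        findings.append("executable_or_script_extension")
    if data.startswith(b"MZ") and ext in DOCUMENT_EXTENSIONS:
        findings.append("executable_disguised_as_document")   # PE file under a document name
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return findings + ["corrupt_zip_container"]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("ooxml_vba_project")
            if ext not in MACRO_EXTENSIONS:
                findings.append("extension_hides_macro")   # e.g. a .docx name on a macro file
    elif data.startswith(OLE_MAGIC):
        if any(marker in data for marker in OLE_VBA_MARKERS):
            findings.append("ole_vba_storage_heuristic")
    return findings


def build_ooxml(with_macro):
    """Construct a minimal OOXML-style zip for the demo (not an openable Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments covering each finding.
    samples = {
        "report.docx": build_ooxml(False),
        "invoice.docm": build_ooxml(True),
        "invoice.docx": build_ooxml(True),
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 64,
        "statement.docx": b"MZ\x90\x00" + b"\x00" * 64,
        "old_memo.doc": OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le"),
    }
    for name, blob in samples.items():
        print(f"{name:16} {triage_attachment(name, blob) or 'no findings'}")
```

The point of checking the container rather than the extension is that a macro-enabled file renamed to `.docx` is still opened as a macro document by Office, and a PE file renamed to look like a statement still runs when double-clicked. A finding here is a reason to quarantine or detonate in a sandbox, not proof of malice on its own; the OLE heuristic in particular will miss obfuscated legacy files and should be backed by a proper OLE parser in production.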

Criminals have also managed to pollute the legitimate software supply chain. People commonly acquire software by downloading it from websites and then, over the lifetime of using that software, receiving updates directly from the update servers of the software company. These servers routinely push updates that include bug fixes, security patches and new features.

In 2017, for example, it was found that an accounting software suite named M.E.Doc was being used by criminals to push the DiskCoder.C (aka NotPetya) malware as part of its cyberwar against Ukraine,22 where M.E.Doc is widely used. The attackers penetrated the software company’s update servers and added their own code to legitimate application update files. When users of the accounting software clicked to install program updates, they were also installing a malware backdoor, opening the way for what became the most devastating cyberattack in history.23

Kaseya VSA became another target of a supply-chain attack in July 2021. Kaseya is an IT management software provider whose main clients are managed service providers (MSPs). Its VSA product delivers automated software patching, remote monitoring and other capabilities so that MSPs can manage their customers’ IT infrastructure.

The attackers compromised scores of MSPs using VSA and sent a fake update to the MSPs’ customers that contained Sodinokibi ransomware.

Definitive proof that crime gangs were attempting to suborn employees to obtain access to their employers’ networks came in July 2020 when the FBI arrested a Russian who tried to recruit a Tesla employee into a ransom scheme against the company. The employee was offered US$1 million in return for details about Tesla’s network that would be used to develop custom malware to steal the company’s data, which the employee would install during a diversionary DDoS attack.

The risk of insider threats is a continuing problem. According to a survey of IT firms in the United States conducted in December 2021, 65 per cent of employees revealed that hackers had offered them bribes to hand over access to their corporate networks. These campaigns used email, social media and even phone calls to reach out to employees.

Once inside a network, attackers will move on to the second stage and begin to explore, often with the aim of increasing their level of access. Modern operating systems typically assign a set of privileges to specific processes and users, which allows them to perform certain actions. This increases the security of a system because attackers that compromise systems as low-level users are limited in what they can do – having the highest level of privilege would allow attackers to do almost anything they want on the computer. So the attackers’ first task is to check whether the operating system or any installed applications allow them to elevate their privilege level, ideally to that of administrator. The second objective is to maintain access for future intrusions.

This task becomes easier if the attackers are on a computer storing information about the people using the network, as one option is to look for people who have not used their accounts in a long time and to assume their identities. This is a very good reason for network administrators to disable and remove the accounts of former employees, lest a ghost of them should reappear in the network. Although an attacker could create a new user account, this would likely be noticed by the IT administrator. This is why maintaining an inventory of internet-facing assets, users and software is a basic step in preventing attacks.
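The inventory check described above, as an added example that is not code from the original chapter: it flags enabled accounts belonging to former employees or unused for more than 90 days, and raises an alert when such a ‘ghost’ account, or an account missing from the inventory altogether, logs on. The inventory and audit events are constructed; in practice they would come from the directory service and its logon audit logs.

```python
"""Find dormant and ex-employee ('ghost') accounts, and alert when one is used.

Added example, not code from the original chapter. The inventory and audit
events are constructed; in practice they would be pulled from the directory
service and its logon audit logs.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # unused this long counts as dormant
TODAY = date(2022, 3, 8)             # fixed reference date for the sample

# Constructed account inventory: login -> enabled flag, HR status, last logon.
INVENTORY = {
    "alice": {"enabled": True,  "status": "employed", "last_logon": date(2022, 3, 7)},
    "bob":   {"enabled": True,  "status": "left",     "last_logon": date(2021, 9, 15)},
    "carol": {"enabled": True,  "status": "employed", "last_logon": date(2021, 11, 1)},
    "dave":  {"enabled": False, "status": "left",     "last_logon": date(2021, 6, 30)},
}

# Constructed logon audit events: (date, login, host).
EVENTS = [
    (date(2022, 3, 8), "alice", "WS-ALICE"),
    (date(2022, 3, 8), "bob", "SRV-FILE01"),        # ex-employee's account in use
    (date(2022, 3, 8), "carol", "SRV-FILE01"),      # unused for months, now active
    (date(2022, 3, 8), "svc_backup2", "SRV-DC01"),  # account nobody inventoried
]


def days_idle(record, today):
    """Days since the account's last recorded logon."""
    return (today - record["last_logon"]).days


def stale_accounts(inventory, today=TODAY, dormant_after=DORMANT_AFTER):
    """Enabled accounts that should be disabled before an attacker finds them.

    Returns {login: reason}. Already-disabled accounts are skipped; the
    chapter's advice is to remove those too, but that is a separate clean-up.
    """
    findings = {}
    for login, rec in inventory.items():
        if not rec["enabled"]:
            continue
        if rec["status"] == "left":
            findings[login] = "former employee, account still enabled"
        elif days_idle(rec, today) > dormant_after.days:
            findings[login] = f"dormant for {days_idle(rec, today)} days"
    return findings


def ghost_logons(inventory, events, dormant_after=DORMANT_AFTER):
    """Logon events worth an alert, as (login, host, reason) tuples.

    Three cases from the chapter: a former employee's account comes back to
    life, a long-dormant account suddenly logs on, or an account that is not
    in the inventory at all is used (possibly created by the intruder).
    """
    alerts = []
    for when, login, host in events:
        rec = inventory.get(login)
        if rec is None:
            alerts.append((login, host, "account not in inventory"))
        elif rec["status"] == "left":
            alerts.append((login, host, "former employee's account used"))
        elif (when - rec["last_logon"]).days > dormant_after.days:
            idle = (when - rec["last_logon"]).days
            alerts.append((login, host, f"first logon after {idle} days idle"))
    return alerts


if __name__ == "__main__":
    for login, reason in stale_accounts(INVENTORY).items():
        print(f"disable: {login:<12} {reason}")
    for login, host, reason in ghost_logons(INVENTORY, EVENTS):
        print(f"ALERT:   {login:<12} on {host}: {reason}")
```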

Another approach used by attackers to achieve future access is to introduce ‘backdoor’ software into a system that allows them to come and go at will, but ideally, an attacker will try to introduce as little malicious code as possible to minimise the chances of detection. This is a strategy known as ‘living off the land’ because it uses legitimate software, often used by the system’s actual administrators, and standard tools installed with the base operating system, to extend network penetration. There are valid reasons for these programs to be executed and so detecting abuse by an attacker can be difficult, although not impossible.

If endpoint protection is installed on the system and it can be turned off by a user with administrator privileges, the attacker will want to turn it off; therefore checking that all security solutions are protected with strong, unique passwords should be the first item in a security software audit.

How to protect your critical data

A basic step in defending against RDP attacks is to make an inventory of internet-facing accounts, listing those that have remote access enabled and deciding whether that access is necessary. Those accounts should have long and unique passwords – or passphrases, which are easier to remember.

Knowing you are under attack is useful. Some security products have brute-force attack protection that detects groups of failed external login attempts and blocks further attempts. In a brute-force attack, typically an attacker uses automated software tools to attempt to log in with standard administrator account names, such as ‘admin’, and lists of default or leaked passwords, sometimes making millions of attempts.

This can also be stopped by setting an account login threshold. For example, after three invalid login attempts, further attempts could be blocked for a set period, or they could still be allowed but only after progressively longer intervals, with each failed login flagged.
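The brute-force protection and login threshold described above, as an added example that is not code from the original chapter: it replays login attempts grouped by source address, locks a source out after three failures within ten minutes, and doubles the lockout each time the same source trips the threshold again. The log format is constructed for illustration; real products and operating systems log failed remote logins in their own formats.

```python
"""Brute-force detection with a login threshold and escalating lockouts.

Added example, not code from the original chapter. The log format below
is constructed for illustration; real products and operating systems log
failed remote logins in their own formats.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one remote login attempt per line.
SAMPLE_LOG = """\
2022-03-08T10:00:01 FAIL user=admin src=203.0.113.7
2022-03-08T10:00:02 FAIL user=admin src=203.0.113.7
2022-03-08T10:00:03 FAIL user=administrator src=203.0.113.7
2022-03-08T10:00:04 FAIL user=admin src=203.0.113.7
2022-03-08T10:00:05 OK user=admin src=203.0.113.7
2022-03-08T10:05:00 FAIL user=jsmith src=198.51.100.20
2022-03-08T10:20:00 OK user=jsmith src=198.51.100.20
"""

THRESHOLD = 3                        # failures that trigger a lockout
WINDOW = timedelta(minutes=10)       # failures older than this are forgotten
BASE_LOCKOUT = timedelta(minutes=1)  # first lockout; doubles on each repeat


def parse_line(line):
    """Return (timestamp, succeeded, user, source) for one log line."""
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result == "OK",
            user.split("=", 1)[1], src.split("=", 1)[1])


def evaluate(log_text, threshold=THRESHOLD, window=WINDOW,
             base_lockout=BASE_LOCKOUT):
    """Replay the log in order and decide what to do with each attempt.

    Returns (decisions, lockouts). decisions is a list of
    (timestamp, source, verdict) where verdict is one of:
      'allow'   - successful login, no lockout in force
      'fail'    - failed attempt below the threshold
      'lockout' - this failure tripped the threshold; lockout starts now
      'block'   - attempt made while a lockout is in force (even a correct
                  password is refused, which is the point of the lockout)
    lockouts is a list of (source, start, end); each repeat lockout for the
    same source lasts twice as long as the previous one.
    """
    failures = defaultdict(list)   # source -> timestamps of recent failures
    locked_until = {}              # source -> when its current lockout ends
    strikes = defaultdict(int)     # source -> number of lockouts so far
    decisions, lockouts = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ok, _user, src = parse_line(line)
        if src in locked_until and ts < locked_until[src]:
            decisions.append((ts, src, "block"))
            continue
        if ok:
            failures[src].clear()
            decisions.append((ts, src, "allow"))
            continue
        recent = [t for t in failures[src] if ts - t <= window] + [ts]
        if len(recent) >= threshold:
            strikes[src] += 1
            end = ts + base_lockout * (2 ** (strikes[src] - 1))
            locked_until[src] = end
            lockouts.append((src, ts, end))
            failures[src] = []        # start counting afresh after lockout
            decisions.append((ts, src, "lockout"))
        else:
            failures[src] = recent
            decisions.append((ts, src, "fail"))
    return decisions, lockouts


def blocked_sources(log_text, **policy):
    """Sources that were locked out at least once while replaying the log."""
    _decisions, lockouts = evaluate(log_text, **policy)
    return {src for src, _start, _end in lockouts}


if __name__ == "__main__":
    for ts, src, verdict in evaluate(SAMPLE_LOG)[0]:
        print(f"{ts:%H:%M:%S} {src:<15} {verdict}")
```

Note that the attacker's eventual correct guess at 10:00:05 is still refused because the lockout from the third failure is in force.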

Even better than relying on passwords is to use multi-factor authentication, which requires another piece of information in addition to the usual username and password.

Hardening and patching should be performed for all remotely accessible devices. All non-essential services and components should be removed or disabled and all system settings configured for maximum security.

Companies should adopt an email strategy. Many already have basic spam filtering and phishing detection in place but they can go further and block unused attachment types.

Organisations should protect all their endpoints and servers with endpoint protection software that stops employees going to web pages blacklisted by the software for hosting malware or deemed inappropriate for work use. The software also allows central management and updating and can control access to external devices, such as removable USB sticks, that are connected to a system.

Providing cybersecurity training for employees that reflects the latest trends significantly reduces cybersecurity incidents. Employees should report suspicious messages and attachments to the help desk or security team immediately.

Organisations should also have a comprehensive, properly managed and well thought out backup program. For example, when backup storage is ‘always on’, it can be compromised by ransomware in exactly the same way as local and other network-connected storage. This risk can be prevented by:

• ensuring that backups are not routinely and permanently online;
• protecting backed-up data from automatic and silent modification or overwriting by malware whenever online;
• protecting earlier generations of backed-up data from compromise, to provide a fallback;
• examining the organisation’s legal liability to its customers; and
• carrying out regular testing, validation of readiness and optimisation of the backup process.

Conclusion: To pay or not to pay?

The threat of cybercrime has raised the costs of the internet-enabled computer systems that are essential to modern businesses and forces three choices on organisations: invest in cybersecurity, pay for cyber insurance or foot the cost of an attack – sometimes a combination of the three.

From a technical viewpoint, there are several potential points where a ransom payment made in the hope of receiving a decryption key can go wrong:

• some of the data might have been corrupted in the encryption process and is not recoverable;
• the process for delivering the decryption key fails;
• the decryption tool might be bundled with other malware, might not work properly, or is much slower than backup recovery; or
• if the ransomware has been removed, the encrypted data may no longer be recoverable even with the cooperation of the criminals, because the decryption mechanism is often part of the malware.

Paying a ransom also has its risks: the criminals may not keep their word, although this is not ‘good’ business. It is also an acknowledgement of weakness. According to a survey carried out in 2021, almost half of the organisations that paid ransoms were attacked a second time, apparently by the same gang.

Cyber insurers now play an important part in protecting companies from cyber incidents, but the increase in attacks is driving up premiums. Potentially large payouts also encourage the growth of ransomware: there have already been cases of gangs digging through an attacked company’s files to discover whether it has a cyber insurance policy and how much it is covered for. This suggests that the role of cyber insurers may need to change to insuring against the cost of recovery rather than paying a ransom.

Regulatory attention is also beginning to be focused on ransomware gangs. This has led to a requirement in some jurisdictions to disclose incidents, and to the addition of groups and individuals known to be associated with them to sanctions lists. A pushback is also occurring against the practice of ransom payment. It is possible governments may insist on mandatory disclosure before paying and limit the circumstances in which it can occur. As the FBI makes clear: ‘Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.’24

However, taking the moral high ground by not paying is not always the cheaper option. When WannaCryptor hit the UK’s National Health Service, experts estimated the cost of rebuilding at £92 million.

When critical services such as healthcare are hit, some point out the potential harm to human life by not paying the ransom. There have already been two cases,25 in 2019 and 2020, in which a ransomware attack was named as one of the possible contributory causes of the death of a patient.

Paying ransoms also masks another issue, which is that perhaps companies should legally be obliged to protect their systems, particularly in certain industries.

In fact, the long-term costs of taking the easy path of paying now seem to be sparking new impetus among insurers to push organisations right back to the basic cybersecurity practices and tools in which they should have been investing all along.

 

Endnotes

1 René Holt is a security writer at ESET. The author acknowledges that the main source of the information in this chapter is a white paper, updated by ESET Security Awareness Specialist Ondrej Kubovič in August 2021, that includes contributions by Stephen Cobb, former senior security researcher at ESET, and current ESET colleagues Research Fellow Bruce P Burrell and Chief Security Evangelist Tony Anscombe. See https://www.welivesecurity.com/wp-content/uploads/2021/08/ransomware_paper.pdf (last accessed 10 Mar. 2022).

2 https://www.fdic.gov/news/financial-institution-letters/2021/fil21074.html (last accessed 8 Mar. 2022).

3 https://www.warren.senate.gov/newsroom/press-releases/warren-and-ross-introduce-bill-to-require-disclosures-of-ransomware-payments (last accessed 8 Mar. 2022).

4 ‘New Australian bill would force companies to disclose ransomware payments’, The Record (21 Jun. 2021), https://therecord.media/new-australian-bill-would-force-companies-to-disclose-ransomware-payments/ (last accessed 8 Mar. 2022).

5 ‘Russia arrests REvil ransomware gang members, seize $6.6 million’, Bleeping Computer (14 Jan. 2022), https://www.bleepingcomputer.com/news/security/russia-arrests-revil-ransomware-gang-members-seize-66-million/ (last accessed 8 Mar. 2022).

6 ‘DOJ charges 2 men allegedly behind REvil ransomware attacks’, ABC News (8 Nov. 2021), https://abcnews.go.com/Politics/doj-charges-men-men-allegedly-revil-ransomware-attacks/story?id=81037690 (last accessed 8 Mar. 2022).

7 https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack (last accessed 8 Mar. 2022).

8 ‘Ransomware gang urges victims’ customers to demand a ransom payment’, Bleeping Computer (26 Mar. 2022), https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/ (last accessed 8 Mar. 2022).

9 ‘Ransomware gang wants to short the stock price of their victims’, The Record (22 Apr. 2022), https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/ (last accessed 8 Mar. 2022).

10 ‘Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims’, Federal Bureau of Investigation (1 Nov. 2021), https://www.ic3.gov/Media/News/2021/211101.pdf (last accessed 8 Mar. 2022).

11 ‘Another ransomware now uses DDoS attacks to force victims to pay’, Bleeping Computer (24 Jan. 2021), https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/ (last accessed 8 Mar. 2022).

12 ‘Some ransomware gangs are going after top execs to pressure companies into paying’, ZDNet (9 Jan. 2021), https://www.zdnet.com/article/some-ransomware-gangs-are-going-after-top-execs-to-pressure-companies-into-paying/ (last accessed 8 Mar. 2022).

13 This is highlighted by ESET in its 2020 Q4 Threat Report, at https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf (last accessed 8 Mar. 2022).

14 ‘Ransomware Group Turns to Facebook Ads’, Krebs on Security (10 Nov. 2020), https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/ (last accessed 8 Mar. 2022).

15 Data collected by ESET security products deployed around the world shows that attackers have been making billions of attempts to brute force RDP logins by guessing passwords and usernames. The data revealed 29 billion malicious password guesses in 2020 alone. This number exploded in 2021, closing the year with 288 billion attacks, an almost tenfold increase in absolute numbers (897 per cent increase year-on-year).

16 ‘Exchange servers under siege from at least 10 APT groups’, We Live Security (10 Mar. 2021), https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ (last accessed 8 Mar. 2022).

17 ESET’s detection data for 2021 showed the ProxyLogon vulnerability chain to be the second most frequently used attack avenue, at 14 per cent, beaten only by password guessing at 47 per cent.

18 ‘WannaCryptor remains a global threat three years on’, WeLiveSecurity (12 May 2020), https://www.welivesecurity.com/2020/05/12/wannacryptor-remains-global-threat-three-years-on/ (last accessed 8 Mar. 2022).

19 ‘Microsoft Exchange exploits – step one in ransomware chain’, ESET (29 Mar. 2021), https://www.eset.com/blog/enterprise/microsoft-exchange-exploits-step-one-in-ransomware-chain/ (last accessed 8 Mar. 2022).

20 ESET research from Q4 2020 showed that eCh0raix was the most prominent ransomware targeting NAS devices.

21 Some of the many known relationships between botnet and ransomware families include Emotet with Qbot, and Trickbot and Ryuk.

22 ‘TeleBots are back: Supply-chain attacks against Ukraine’, We Live Security (30 Jun. 2017), https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ (last accessed 8 Mar. 2022).

23 ‘New TeleBots backdoor: First evidence linking Industroyer to NotPetya’, We Live Security (11 Oct. 2018), https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/ (last accessed 8 Mar. 2022).

24 FBI Cyber Division Assistant Director James Trainor quoted in ‘Incidents of Ransomware on the Rise – Protect Yourself and Your Organization’, FBI News (29 Apr. 2016), https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise (last accessed 8 Mar. 2022).

25 The first was in connection with a baby’s death (30 Sep. 2021), https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-11633008116; the second with a woman’s death (17 Sep. 2020), https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/; and a third clarifying the impact of ransomware (12 Nov. 2020), https://www.technologyreview.com/2020/11/12/1012015/ransomware-did-not-kill-a-german-hospital-patient/ (web pages last accessed 8 Mar. 2022).

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Shields up!

If you’re a sci-fi fan, especially if you’re 40 or over, you have heard “shields up” so many times in your reading and viewing career that you might see shields, deflectors, and force fields as lame carryovers from the early days of sci-fi film and TV. While perhaps Buck Rogers’ or Flash Gordon’s ships didn’t have shields, there aren’t too many space adventurers that have gone boldly into the cosmos without them.

Since most of us now stream our sci-fi addictions, perhaps you too simultaneously watch and research strange bits of geekdom and trivia. If that’s the case, while exploring the web for space and sci-fi geekery, let’s not strike out too boldly into the internet galaxy. Why? Because just like our heroes, we too can have chance encounters with hostile alien forces. When that does happen, our anxiety triggers the call to raise shields. The feeling is nearly universal.

Again, just like our heroes, we are also equipped with sophisticated tech. While we may not pilot the Starship Enterprise or the fabled Millennium Falcon, we still need to be observant and assess the risks that may hinder us from keeping our cyberspace vessels in good shape. Of course, many PC users secure their cyberspace ships with digital security solutions, but have you ever wondered about the built-in settings that your “shields” have and how these can meet your needs in different conditions?

Familiar terms
“General quarters, general quarters! All hands man your battle stations!” In US Navy lingo, this announcement is used to alert the crew to prepare the vessel for potential combat. Fandom’s Military Wiki site characterizes general quarters as follows: “Off-duty or sleeping crew members report to their stations and prepare for action, watertight doors and fireproof doors between bulkheads are shut and security is increased around sensitive areas, such as the bridge and engineering rooms.” For IT users armed with digital security products, we can identify the default “balanced” settings as equivalent to general quarters.

The “balanced” settings for ESET’s consumer security products are ideal for practically every scenario; however, they can be modulated to “aggressive.” The differences between these might be comparable to placing a 21st century warship side by side with a 20th century one. In the last century, warships were designed for aggressive protection and could feature hardened steel armor plate upwards of 30 cm thick to repel projectiles. Today, warships are designed with a more balanced approach, relying less on armored plates and more on electronic sensors to be lightweight and fast, and to detect and neutralize missile threats before they strike. This comparison provides a simple analog: balanced protection brings speed, adaptability, and intelligence vs. aggressive protection, which uses hardened protective armor as a shield to withstand attacks head-on.

<image 1. Detection Settings, Aggressive, Balanced, Cautious, Off>

 

Is cyberwar sci-fi? Although long anticipated, the potential emergence of cyberwar is now palpable. Misinformation, cyberespionage, surveillance, and the hacking of critical infrastructure are now on the table. Under such conditions home users might upgrade their digital security solutions, moving from a popular, but basic, product like ESET NOD32 Antivirus to ESET Smart Security Premium. Businesses may feel less flexibility to protect their business continuity as they’ve likely already committed to a particular course of action. Home users faced a similar dilemma with the move to remote work at the height of the COVID-19 pandemic.

But imagine you are in an acutely risky situation. Perhaps you are literally in a war zone or in a digital relationship with a business or individual that is likely to be targeted. What options do you have to beef up your protection?

Suppose you have assessed your risks and come up with the following:
– I work at an organization that is in possession of sensitive data or provides critical services.
– One or more digital relationships I hold have experienced digital disruption and security impacts.
– There is a failure in diplomatic relations with a powerful country.
– There have already been multiple cyberattacks and there is a high likelihood of more to come.

Now, if you were on one of sci-fi’s storied spacecraft, it would be easy: just raise shields to the aggressive setting, buy yourself some time, and think through the problem. But how is that done in cyberspace with your PC?

<image 2. Detection Settings for Firewall, Web and Email, and More>


“General quarters!” “Battle stations!” Or maybe not

There is a reason why you’ve likely never toyed with the advanced settings of your security software: I could screw it up! This is a distinct possibility. Luckily, in the case of ESET products, you can return to the default settings with a few clicks. To lessen any risks when experimenting with your settings, let’s compare the default “balanced” setting to the “aggressive” setting.

The balanced mode allows your PC to engage with the internet without raising overly suspicious alarms that might burden the user experience. The aggressive setting will set off multiple, paranoia-inducing alerts, appearing as:

– A blocked URL
– A warning about an untrustworthy URL
– A parental control warning about forbidden content

You will certainly encounter these alerts if you try to access mature or explicit content, or illegal download or streaming sites. However, in “aggressive” mode, even mundane websites may get flagged.

But back to sci-fi and shields. Clearly, having your shields up has a cost. That cost, among other things, would likely be the deterioration of usability. The right settings – the ability to modulate the shield’s protection – depend on what the shield is trying to block. The comparison with digital security holds up well here. Using the aggressive setting could yield a higher number of suspicious URLs blocked, but some useful resources could also be flagged and blocked too. The involved detections are largely based on longitudinal threat data held by ESET on the behavior of malicious websites and IP addresses, on malware samples, and on potentially unwanted applications, meaning ESET security products adjust in real-time to encountered threats.

Takeaway
Imagine that as an intergalactic explorer, large amounts of your attention and your ship’s energy supply are diverted to security and defensive shields. Logically, this slows down your efforts to discover new quadrants of the universe. Well, the internet is a universe too, and your exploration of it is also affected by how much attention and energy is diverted to your security.

This says a lot about why security software, malware research, and security awareness are all critical to our digital lives. We depend on each of these elements working in concert, and on each other as digital participants, for collective security.

After all, each machine running security software is part of an active sensor network feeding samples to be processed as clean, suspicious, or outright malicious. Once categorized, each machine in this network is updated with new detections and tuned or “modulated” in its defensive capability. Luckily, this journey into the “what if we used…?” aggressive settings was hypothetical. If we were really forced into an “aggressive” defensive posture on the internet, much of the fun and utility would be gone. In that scenario, we lose considerable benefit from digitalization and, instead of sci-fi fun, our user experience would become more akin to a zombie apocalypse.


ESET Research reveals the workings of three teams behind TA410 and a new version of FlowCloud, their complex espionage tool

  • TA410 is an umbrella group made up of three teams that ESET researchers named FlowingFrog, LookingFrog and JollyFrog, each with its own toolset and targets.
  • ESET telemetry shows victims all around the world, mainly in the governmental and education sectors.
  • TA410 had access to the most recent known Microsoft Exchange remote code execution vulnerabilities (e.g., ProxyLogon in March 2021 and ProxyShell in August 2021).
  • ESET researchers found a new version of FlowCloud, a complex and modular C++ RAT used by FlowingFrog with several interesting capabilities, including:
  1. Controlling connected microphones and triggering recording when sound levels above a specified threshold volume are detected.
  2. Monitoring clipboard events to steal clipboard content.
  3. Monitoring file system events to collect new and modified files.
  4. Controlling attached camera devices to take pictures of the compromised computer’s surroundings.

BRATISLAVA, MONTREAL — APRIL 27, 2022 — ESET Research reveals a detailed profile of TA410, a cyberespionage umbrella group loosely linked to APT10, known mostly for targeting US-based organizations in the utilities sector, and diplomatic organizations in the Middle East and Africa. ESET researchers believe this group consists of three different teams using different toolsets, including a new version of FlowCloud discovered by ESET. It is a very complex backdoor with interesting espionage capabilities. ESET will present its latest findings about TA410, including results from ongoing research, during Botconf 2022.

These teams, referred to as FlowingFrog, LookingFrog, and JollyFrog, have overlaps in TTPs, victimology and network infrastructure. ESET researchers also assume that these subgroups operate somewhat independently, but that they may share intelligence requirements, an access team that runs their spearphishing campaigns, and also the team that deploys network infrastructure.

Most TA410 targets are high-profile organizations in the diplomacy and education sectors, but ESET has also identified victims in the military sector, a manufacturing company in Japan, a mining company in India, and a charity in Israel. An element worth mentioning is that TA410 targets foreign individuals in China. According to ESET telemetry, this happened at least twice; for instance, one victim is a French academic, and another is a member of a diplomatic mission of a South Asian country in China.

Since 2018, ESET has seen various targets of TA410, as depicted on the map.

Map of countries and verticals targeted by TA410

Initial access to targets is obtained by exploiting vulnerable internet-facing applications such as Microsoft Exchange, or by sending spearphishing emails with malicious documents. “This indicates to us that their victims are targeted specifically, with the attackers choosing which entry method has the best chance of infiltrating the target,” explains ESET malware researcher Alexandre Côté Cyr. Even though ESET researchers believe that this version of FlowCloud, used by the FlowingFrog team, is still undergoing development and testing, the cyberespionage capabilities of this version include the ability to collect mouse movements, keyboard activity, and clipboard content, along with information about the current foreground window. This information can help attackers understand stolen data by contextualizing it.

FlowCloud can also gather information about things happening around the victim’s computer by taking pictures using connected camera peripherals and recording audio using a computer’s microphone. “This latter function is triggered automatically by any sound over a threshold of 65 decibels, which is in the upper range of normal conversation volume. Typical sound recording functions in cyberespionage malware are triggered either when an action on the affected machine is performed – for instance, when a videoconference app is run – or when a specific command is sent to the malware by its operators,” clarifies Côté Cyr.

TA410 has been active since at least 2018, and was first publicly revealed in August 2019 by Proofpoint in its LookBack blogpost. A year later, the then-new and very complex malware family called FlowCloud was also attributed to TA410.

For detailed technical analysis, read the blogpost “A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity” on WeLiveSecurity, and follow ESET Research on Twitter for the latest news from ESET Research. For YARA and Snort rules, consult ESET’s GitHub account.


Every Moment Secured on Your Android

Our mobile phones are an undeniable part of our lives in the 21st century. We use them to contact our nearest and dearest, check the news, access the internet, make online purchases and even log into accounts, ideally via multi-factor authentication (MFA). Using MFA can block up to 99% of automated attacks. Undeniably, MFA is important for safe mobile use; however, have you ever thought about which types of MFA are riskiest and why?

Many individuals as well as companies are using call- and SMS-based MFA. It may seem like a great way to authenticate the user. Everyone has a mobile phone they can use to take a secure phone call or receive an SMS. Well, it may not be as straightforward as it seems at first glance.

There are many reasons why you should consider replacing SMS-based MFA:

  • SMS and voice calls are not encrypted. Unfortunately, these are transmitted in cleartext, which makes them more vulnerable to attackers.
  • They are vulnerable to phishing attacks via open source and readily available phishing tools, such as Modlishka.
  • Employees of phone network companies may fall prey to a SIM-swapping attack. They can be tricked into transferring phone numbers to a threat actor’s SIM, allowing attackers to receive MFA codes instead of the victim.
  • Phone service failure. Whereas authentication apps and security keys work offline, SMS needs the phone service to be available. Phone network companies are also exposed to changing regulations, which may impact the availability of MFA.
  • It is likely that SMS and voice calls are not getting more secure any time soon.

It is not a surprise, then, that in 2020 Microsoft advised its users to stop using SMS- and voice call-based MFA and instead use an authentication app or a hardware key. This by no means suggests that you should completely abandon SMS MFA; it is still better than no MFA. Microsoft itself has kept the option for its users to continue to use SMS-based MFA, proving that it is more secure than not using any form of multifactor authentication.

Keeping Your Mobile Device Secure
If you choose to keep your SMS-based MFA, make sure your mobile device is as secure as it can be. A great way to start is with ESET Mobile Security on your Android mobile devices. It is a solution that ensures security against a multitude of mobile threats while securing users’ data.

ESET Mobile Security aims to provide a safe environment by leveraging its Anti-Phishing feature. It also aims to protect your device from criminals who manipulate users, a practice known as social engineering, to gain access to sensitive data such as bank account credentials, card numbers, PINs, usernames and passwords.

The feature checks websites against ESET’s malware and phishing database to determine whether a site is safe, helping to make sure you do not fall prey to a phishing attack. The product’s Anti-Phishing feature integrates with the most common web browsers (Chrome and many others) available on Android devices to provide protection for any and all online activities you wish to carry out.

We recommend you keep Anti-Phishing enabled at all times. All malicious websites, listed in the ESET malware and phishing database, will be blocked and a warning notification will be displayed informing you of the attempted attack.

Other features of ESET Mobile Security include:

  • Antivirus – protection against malware: intercepts threats and cleans them from your device
  • Payment protection – lets you shop and bank safely online
  • App lock – requires extra authentication to access sensitive apps; protects content when you’re sharing a device
  • Anti-Theft – a powerful feature to help protect your phone and find it if it goes missing
  • Network inspector – scans your network and all connected devices to identify security gaps
  • Call filter – blocks calls from specified numbers, contacts and unknown numbers
  • Adware detector – identifies and removes apps that display ads unexpectedly
  • Real-time scanning – scans all files and apps for malware
  • Scheduled scans – checks your device every time you charge it, or whenever you want
  • Security audit – checks an app’s permissions
  • Security report – provides an overview of how secure your device is
  • USB on-the-go scanner – checks any connected USB device for threats
  • Up to 5 devices – pay once, protect 5 devices associated with the same Google account

ESET Mobile Security makes your Android phones and devices easy to find and harder to steal, and it helps to protect your valuable data. ESET helps protect the Google Play store, is trusted by millions of users like you around the world, and is dedicated to the online safety and education of children and their parents.

If you want to protect your phone with ESET Mobile Security, you’re in luck! From April 25 to May 1, the premium version of ESET Mobile Security will be 50% off. No need for a promotional code; the discount will automatically be added to your checkout! It couldn’t be easier.


Protecting small businesses with multiple layers of defense

Since Russia unleashed its attack on Ukraine, there’s a high chance that if you’re working in the cybersecurity sector like me, you’re being asked a series of questions like: Do you think Russia will launch a cyberattack? Should I be worried? What can I do to protect my devices?

These questions are justified as the conflict prompted a series of alerts from government agencies and cybersecurity organizations, setting an expectation of a potentially devastating cyberattack on Ukraine and possibly on those supporting Ukraine. The messages keep coming. More recently on March 21, 2022, the White House issued a Statement by President Biden on our Nation’s Cybersecurity, warning that there is the potential of malicious cyberactivity by Russia against the United States in response to the economic sanctions imposed by western governments.

These messages continue to be broadcast and to encourage maintaining vigilance and ensuring that there are no weaknesses in existing cybersecurity operations and practices. Although the advice is especially targeted at organizations and businesses that fall into the critical infrastructure category, where a disruption can potentially cause chaos as witnessed in the case of Colonial Pipeline, all businesses should take heed and prepare accordingly. Malicious attacks can spread well beyond their intended targets, as has been seen with attacks utilizing the EternalBlue exploit, one of the tools chosen to deliver malicious payloads such as WannaCryptor and NotPetya, which caused unprecedented damage, disruption, and financial loss to victims.

The potential of a zero-day vulnerability being exploited as a cyberweapon is, unfortunately, a real risk. A book authored by Nicole Perlroth, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, published in February 2021, documents the thriving underground marketplace where governments are often the main customers of zero-day vulnerabilities and exploits.

Having set the scene with the need for preparedness, what technologies and actions should cybersecurity admins at small businesses consider? First, I refer you to an article I published on WeLiveSecurity regarding cyber-resilience and the US’s Cybersecurity and Infrastructure Security Agency (CISA) Shields Up campaign. The advice mentions ESET Dynamic Threat Defense, now known as ESET LiveGuard Advanced, a technology designed to detect zero-day exploits, which should be a priority given that the conflict in Ukraine is ongoing.

ESET LiveGuard Advanced can detect new and previously unknown threats by running them in a cloud sandbox. Detecting threats the first time they are encountered can sometimes demand more processing power and memory than is readily available on employees’ machines. ESET LiveGuard offloads the task of detecting such threats to more powerful machines in the cloud. Once these samples are in the cloud sandbox, they can be subjected to multiple machine learning models and robust detection techniques to classify them as clean, suspicious, or malicious. It’s a zero-day game changer.

Another area of focus should be the reduction of the attack surface to minimize the risk of a bad actor gaining access to your network and identifying a zero-day vulnerability to be exploited either now or in the future. Employee devices typically account for a significant portion of the attack surface, and with hybrid workforces being the new norm, revisiting the policies and technology used to protect endpoint devices will assist with reducing risk. To address the heightened need to protect corporate endpoints with multiple layers of defense, a combined package of protection, such as ESET PROTECT Complete or ESET PROTECT Advanced, is recommended.

If you’re a small business and believe you’re not in danger because you’re not as interesting to bad actors as large enterprises, consider the following statistics. According to ITRC’s 2021 Business Aftermath Report, 58% of small businesses suffered at least one security or data breach, and 44% paid between $250,000 and $500,000 to cover their breach costs.

Just like large enterprises, small businesses handle sensitive data and can become collateral damage from attacks aimed at other targets. Small businesses can also be seen as stepping-stones to attack large enterprises or critical infrastructure business partners. Indeed, no company is too small to be noticed by criminals and, therefore, no company should feel exempt from basic cybersecurity practices.


When NFT Is the Creative Limit

Imagine this: It’s a nice spring afternoon and you decide to visit an art gallery. You get dressed up, grab your keys and face mask (depending on COVID restrictions in your area) and leave your house. You walk through the city to your favorite gallery, feeling the light breeze on your cheeks. You pay for a ticket and start walking around. You can see the art, almost touch it. You might meet a few people who are also admiring paintings and sculptures. You wave and smile with your eyes.

Now imagine none of it is true. There is no need to physically go to the gallery and view art. We’ve arrived in an era when virtual galleries are becoming a reality. Digital art is gaining popularity, and Non-Fungible Tokens (NFTs) are making it that much more profitable for artists. By now, we’re so used to sharing and viewing content online for free that it is second nature. But what if an art piece was enriched by a unique feature—an NFT?

We have been hearing so much about NFTs over the past few months. But what exactly are they? Non-Fungible Tokens. That’s it. It’s a piece of digital data, embedded in a file, that is unique to that piece and that piece only. Just like a physical piece of art, a digital piece with an NFT is non-replicable. There is only one of its kind, and that is what gives it its value. These pieces cannot be exchanged or substituted with similar items of the same value, just as physical art cannot be swapped for a similar piece with the same value.

NFTs have been around since 2015, but have recently gained in popularity, thanks largely to the National Basketball Association (NBA) in the US, which started selling “NBA Top Shots” in 2020: non-fungible short clips of basketball shots, similar to the once-popular basketball cards. Each is unique, has its own value and cannot be substituted by another. This new development has the potential to revolutionize the art world. NFTs act as a digital certificate of ownership of an art piece.

After an NFT art piece is created, it is tokenized on a blockchain (a cryptocurrency service). This proves the artist’s legal ownership of the piece they created. And since a blockchain is secure and hard to hack, tracking ownership is pretty easy. This helps the artist gain popularity and get their art out into the world. Anyone online can view their piece, even share and copy it. You may think that this kind of defeats the purpose: if you can freely access it, view it and share it, why pay for the ownership? The trick is, unless you purchase the NFT, you can’t fake ownership. Just like with physical art, you can take a photo of it, or even make a copy. But unless you own the original piece with a certificate, your copy or photo is not of the same value as the original.

When you buy an NFT, it becomes your property and you can do with it as you please. However, the buyer does not possess any intellectual property rights, such as the right of adaptation or reproduction. This is an exclusive right of the creator.

Creating digital art breaks the bounds artists have long been bound by. Artists can now work more freely and independently. They have the right to sell their piece at a price they believe it deserves, set conditions before selling and much more. They also have the authority to rent and display their art as they please. It also makes it easier for them to distribute their art globally, without the limitations of their location.

It all sounds great, but every digital advancement comes with its risks. NFTs are sold on digital trading platforms, which operate similarly to online shops. Vulnerabilities in these platforms are often caused by insufficient security considerations during the development phases. These oversights become the criminals’ target once uncovered. They might upload an artwork containing malicious code, steal people’s accounts, or trade NFTs at a low price and resell them for profit.

According to HKCERT, there have been several cases of cybersecurity breaches in the NFT area. One of the latest occurred in February 2022 via a phishing attack on OpenSea (an NFT trading platform). A cybercriminal sent out an email that social-engineered users into signing a contract and sending crypto assets to his wallet. The total amount stolen was $1.7 million. It seems that most of the attacks are of a phishing nature. But a security vulnerability has also been found in one of the trading platforms, OpenSea, one of the biggest and most popular of its kind. The vulnerability allowed NFT art pieces to be sold for less than 1% of the price floor, which caused problems for creators.

There are no limits to innovation and creativity. NFTs and digital art are proving that progress cannot be stopped. And it should not be. Progress is here to stay and develop. But where there is progress there are risks. ESET has been protecting progress and development since its establishment over 30 years ago. Security of digital users is priority number one; this means making sure that the progress we as humans have made is protected so we can safely step into the future. Where technology enables progress, ESET is here to protect it.


ESET Research discovers vulnerabilities in Lenovo laptops exposing users to risk of UEFI malware installation

  • Exploitation of these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware such as LoJax and ESPecter.
  • UEFI threats can be extremely stealthy and dangerous.
  • Discovered vulnerabilities are: CVE-2021-3970, CVE-2021-3971, CVE-2021-3972.
  • ESET Research strongly advises all owners of Lenovo laptops to go through the list of affected devices and update their firmware.

BRATISLAVA — April 19, 2022 — ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo laptop models. Exploitation of these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like our latest discovery ESPecter. ESET reported all discovered vulnerabilities to Lenovo in October 2021. Altogether, the list of affected devices contains more than one hundred different laptop models with millions of users worldwide.

“UEFI threats can be extremely stealthy and dangerous. They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed,” says ESET researcher Martin Smolár, who discovered the vulnerabilities. “Our discovery of these UEFI so-called ‘secure’ backdoors demonstrates that in some cases, deployment of the UEFI threats might not be as difficult as expected, and the larger amount of real-world UEFI threats discovered in the last years suggests that adversaries are aware of this,” he adds.

The first two of these vulnerabilities – CVE-2021-3970, CVE-2021-3971 – are perhaps more accurately called “secure” backdoors built into the UEFI firmware as that is literally the name given to the Lenovo UEFI drivers implementing one of them (CVE-2021-3971): SecureBackDoor and SecureBackDoorPeim. These built-in backdoors can be activated to disable SPI flash protections (BIOS Control Register bits and Protection Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during operating system runtime.

In addition, while investigating the “secure” backdoors’ binaries, we discovered a third vulnerability: SMM memory corruption inside the SW SMI handler function (CVE-2021-3972). This vulnerability allows arbitrary read/write from/into SMRAM, which can lead to the execution of malicious code with SMM privileges and potentially lead to the deployment of an SPI flash implant.

The UEFI boot and runtime services provide the basic functions and data structures necessary for the drivers and applications to do their job, such as installing protocols, locating existing protocols, memory allocation, UEFI variable manipulation, etc. UEFI boot drivers and applications use protocols extensively. UEFI variables are a special firmware storage mechanism used by UEFI modules to store various configuration data, including boot configuration.

SMM, on the other hand, is a highly privileged execution mode of x86 processors. Its code is written within the context of the system firmware and is usually used for various tasks including advanced power management, execution of OEM proprietary code, and secure firmware updates.

“All of the real-world UEFI threats discovered in the last years – LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy – needed to bypass or disable the security mechanisms in some way in order to be deployed and executed,” explains Smolár. ESET Research strongly advises all owners of Lenovo laptops to go through the list of affected devices and update their firmware by following the manufacturer’s instructions.

For those using End Of Development Support devices affected by the UEFI SecureBootBackdoor (CVE-2021-3970), without any fixes available: one way to help protect against unwanted modification of the UEFI Secure Boot state is to use a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes.
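Because the backdoors described above can switch Secure Boot off from the running operating system, a defender's first check is whether the firmware still reports it enabled and whether that has changed since a known-good baseline. The following is an added example, not ESET's or Lenovo's code: it decodes the SecureBoot and SetupMode variables as Linux exposes them under efivarfs (a 4-byte attribute header followed by the one-byte value) and reports findings; the baseline file path and the constructed sample records are assumptions for illustration.

```python
"""Added example (not from ESET or Lenovo): audit the UEFI Secure Boot state
as seen from Linux efivarfs and flag a change against a recorded baseline."""
from __future__ import annotations

import json
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID; the firmware publishes SecureBoot and SetupMode
# under it (variable names and GUID are defined by the UEFI specification).
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")
BASELINE_FILE = Path.home() / ".secureboot-baseline.json"  # assumed location

# Both variables are normally readable by boot services and at OS runtime.
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
EXPECTED_ATTRS = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS

# Constructed sample records (not captured from a real machine): attributes
# 0x00000006 little-endian, then the single data byte.
SAMPLE_SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SECUREBOOT_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SETUPMODE_USER = b"\x06\x00\x00\x00\x00"


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs record into (attribute bits, variable data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs record too short")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """Decode the two records into a small dictionary that can be compared."""
    sb_attrs, sb_data = parse_efivar(secureboot_raw)
    sm_attrs, sm_data = parse_efivar(setupmode_raw)
    if len(sb_data) != 1 or len(sm_data) != 1:
        raise ValueError("SecureBoot and SetupMode are single-byte variables")
    return {
        "secure_boot": sb_data[0] == 1,
        "setup_mode": sm_data[0] == 1,
        # Unexpected attribute bits hint that the variable is not the one the
        # firmware normally exposes, so surface that as well.
        "attrs_ok": all((a & EXPECTED_ATTRS) == EXPECTED_ATTRS
                        for a in (sb_attrs, sm_attrs)),
    }


def audit(state: dict, baseline: dict | None) -> list[str]:
    """Return findings worth alerting on; an empty list means all is well."""
    findings = []
    if not state["secure_boot"]:
        findings.append("UEFI Secure Boot is DISABLED")
    if state["setup_mode"]:
        # In Setup Mode the key databases can be rewritten without
        # authentication, which defeats Secure Boot even if it reads enabled.
        findings.append("firmware is in Setup Mode")
    if not state["attrs_ok"]:
        findings.append("unexpected attribute bits on SecureBoot/SetupMode")
    if baseline is not None:
        for key in ("secure_boot", "setup_mode"):
            if baseline.get(key) != state[key]:
                findings.append(
                    f"{key} changed since baseline: {baseline.get(key)} -> {state[key]}")
    return findings


def read_live_state() -> dict:
    """Read the real variables; requires Linux booted in UEFI mode."""
    sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}").read_bytes()
    sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}").read_bytes()
    return secure_boot_state(sb, sm)


if __name__ == "__main__":
    state = read_live_state()
    baseline = json.loads(BASELINE_FILE.read_text()) if BASELINE_FILE.exists() else None
    for finding in audit(state, baseline) or ["no Secure Boot findings"]:
        print(finding)
    if baseline is None:  # first run: record today's state as the baseline
        BASELINE_FILE.write_text(json.dumps(state))
```

Run it once on a freshly updated machine to record the baseline, then from a scheduled job; any finding is a reason to inspect the firmware configuration before trusting the disk.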

For more technical information, check out the blogpost When “secure” isn’t secure at all: High-impact UEFI vulnerabilities discovered in Lenovo consumer laptops on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
