Monday, September 30, 2019

Intel Server Processors Are Vulnerable To Attack


Researchers at Vrije Universiteit in Amsterdam have discovered a disturbing new side-channel attack. All Intel server-grade processors made since 2012 are vulnerable to what has been dubbed NetCAT.

That stands for Network Cache Attack and it exploits a weakness in Intel's Data Direct I/O (DDIO) feature.

DDIO is specific to Intel's server-grade processors and is enabled by default on the Intel Xeon E5, E7 and SP families from 2012 onwards.  The idea behind DDIO is that it enhances system performance by sharing the CPU's cache with network devices and peripherals.

Unfortunately, a flaw in DDIO's design gives hackers the ability to infer data in the last-level cache of a remote machine's CPU.  Researchers were able to demonstrate that an attacker controlling a machine on the network can use this method to infer confidential data from an SSH session. It does this without running any sort of malware on the target system, which naturally makes it extremely difficult to detect.

The researchers had this to say about their discovery:

"...with NetCAT, we can leak the arrival time of the individual network packets from an SSH session using a remote side channel."

The researchers went on to explain that during an interactive SSH session, a network packet is sent with each keystroke.  Via NetCAT, it is possible for an attacker to deduce what characters are typed inside an encrypted (SSH) session.

"For example, typing 's' right after 'a' is faster than typing 'g' after 's.'  As a result, NetCAT can operate statistical analysis of the inter-arrival timings of packets in what is known as a keystroke timing attack to leak what you type in your private SSH session."

As disturbing as that sounds, it should be noted that this is an incredibly exotic form of attack that has yet to be seen anywhere in the wild.  The day is surely coming when we do see hackers making use of this, but for the moment, it serves more as a dire warning of things to come than anything else.

Instances like this are the very reason you need IT Managed services from SpartanTec, Inc. in Wilmington. We constantly monitor your network and are on top of the latest threats.  Call us today for a complete analysis of your system.

SpartanTec, Inc.
Wilmington, NC 28412
(910) 218-9255

Tuesday, September 24, 2019

New Ransomware Called TFlower Hacks Into Company Networks

Over the last two years, ransomware attacks have become increasingly common against businesses of all shapes and sizes.

While the attack vector saw a dip in popularity last year, this year it has come roaring back to the fore with several new strains of ransomware being developed and enjoying widespread use by hackers around the world.

One of the most recent entrants into the ransomware family is a new strain called "TFlower", which made its first appearance in August of this year (2019).  Since that time, it has begun seeing increasingly widespread use, so if this is the first time you're hearing about it, know that it likely won't be the last.

TFlower is introduced into company networks when hackers take advantage of exposed Remote Desktop services.  Once the hackers have a toehold inside a company's network, they'll use that machine to connect to and infect as many other machines on the network as possible. Like many similar forms of malware, TFlower attempts to distract infected users while it's encrypting their files.  In this case, it will display a PowerShell window that makes it appear that some harmless software is being deployed.

While it's encrypting a victim's files, it connects to its Command and Control server to keep the software owners apprised of its activities. Then it attempts to clear the Shadow Volume Copies and to disable the Windows 10 repair environment. This makes it difficult, if not impossible, to recover files via conventional means.  Note that it also attempts to terminate the Outlook.exe process so its data files can be encrypted.

When the software has done as much damage as it can do, it will litter the infected computer with a file named "!_Notice_!.txt" which explains that the computer's files have been encrypted and in order to get them back, you'll need to contact the malware owners at the email address provided for additional details.
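The behaviour chain described above (shadow copies cleared, the repair environment disabled, Outlook.exe terminated, a "!_Notice_!.txt" note dropped) is exactly the kind of sequence endpoint telemetry can flag. The script below is an added example, not code from the article or from any vendor: it runs simple detection rules over constructed, Sysmon-style process and file events. The ransom-note filename comes from the article; the command-line patterns (vssadmin, wmic, bcdedit, taskkill) are assumptions about how these steps are commonly carried out, not commands quoted from the TFlower sample.

```python
import re
from collections import defaultdict

# Indicators derived from the behaviour described in the article. The
# ransom-note filename is from the article; the command-line patterns are
# assumptions about how the shadow-copy, recovery-environment and Outlook
# steps are commonly carried out, not commands quoted from the TFlower sample.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_env_disabled": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "outlook_terminated": re.compile(r"taskkill(\.exe)?\s+.*\boutlook\.exe", re.I),
}
RANSOM_NOTE = "!_Notice_!.txt"


def classify(event):
    """Return the name of the indicator an event matches, or None."""
    if event["type"] == "process":
        for name, pattern in RULES.items():
            if pattern.search(event["cmdline"]):
                return name
    elif event["type"] == "file" and event["path"].lower().endswith(RANSOM_NOTE.lower()):
        return "ransom_note_dropped"
    return None


def detect(events, min_indicators=2):
    """Group matched indicators by host; a host showing min_indicators or more
    distinct behaviours is flagged as a likely ransomware run (a single
    'vssadmin delete shadows' can be legitimate admin work, the combination rarely is)."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items() if len(tags) >= min_indicators}


# Constructed sample telemetry (not real log data): ws01 shows the full chain,
# ws02 shows benign activity that must not trigger an alert.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "type": "process", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws01", "type": "process", "cmdline": "taskkill /F /IM Outlook.exe"},
    {"host": "ws01", "type": "file", "path": "C:\\Users\\alice\\Documents\\!_Notice_!.txt"},
    {"host": "ws02", "type": "process", "cmdline": "powershell.exe -File backup.ps1"},
    {"host": "ws02", "type": "process", "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for host, tags in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tags)}")
```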

Be sure your IT staff is aware, and given how this one is spread, check the security of your Remote Desktop services.

Call SpartanTec Inc. in Wilmington and let our team of IT experts help in making sure that your business is protected against potentially damaging online threats. 

Tuesday, September 17, 2019

Report Shows 118 Percent Increase In Ransomware Attacks In 2019

Ransomware roared onto the global stage in 2017. Companies and government agencies around the world felt the impact with widespread campaigns like NotPetya and WannaCry.

By 2018, the number of ransomware attacks had begun to fall off while hackers found new tools to attack with, shifting toward cryptojacking, credential theft, and trojan malware.

Granted, ransomware attacks didn't fade completely from the picture in 2018, but they were overshadowed by the emergence of new attack vectors.  Unfortunately, according to data collected by McAfee Labs and published in their August 2019 Threat Report, ransomware is back with a vengeance.

Christopher Beek, a lead scientist at McAfee had this to say about the report:

"After a periodic decrease in new families and developments at the end of 2018, the first quarter of 2019 was game on again for ransomware, with code innovations and a new, much more targeted approach."

The dramatic increase in ransomware attacks is being driven primarily by three families of ransomware:  Ryuk, GandCrab, and Dharma.

Ryuk is a scary bit of code that has been used to lock down entire large corporations and government agencies.  It was originally credited to North Korea, but subsequent research points to the malware as being the work of a highly sophisticated cybercrime syndicate, rather than the product of a nation-state.

GandCrab is a relatively new arrival on the ransomware scene, first emerging in 2018.  Often described as one of the most aggressive families of ransomware, the original authors of the code have leased it out to other hackers around the world in exchange for a cut of the profits.

Dharma is the oldest family of the big three, first emerging on the scene in 2016.  Originally, it was an offshoot of another, even older ransomware family known as Crysis. However, since branching off, it has become a potent threat in its own right, and the hackers who control the code regularly release new updates and continue to enhance its capabilities.

All that to say, it's too soon to breathe a sigh of relief where ransomware is concerned.  It's back in 2019, and it's back with a vengeance.

Lower your risk of a ransomware attack by putting in place safety and security measures for your network and computers. Call SpartanTec, Inc. in Wilmington for effective IT services.

Monday, September 9, 2019

Texas Government Gets Hit With Major Ransomware Attack


This year stands to shatter last year's record in terms of the number of successful hacks against businesses and government agencies. It seems that the hackers have a new favored tool:  The ransomware attack.

According to statistics gathered by Malwarebytes, attacks against government and business are up by a whopping 365 percent.

IBM's consumer statistics aren't much better, reporting a 116 percent increase in ransomware attacks targeting individuals.

Set against this backdrop, the fact that Texas local government offices have recently been paralyzed by a ransomware attack is unsurprising.  What is more surprising, however, is the scope, scale and highly coordinated nature of the attacks. In all, a total of 22 local government agencies were affected, stopping local services in towns across the state.

The incident is being managed by the Texas Department of Information Resources (TDIR). To date, they have not revealed the names of the local agencies that were impacted, nor been forthcoming with any details beyond the following statement:

"At this time, the evidence gathered indicates the attacks came from one single threat actor.  Investigations into the origins of this attack are ongoing; however, responses and recovery are the priority at this time."

Give yourself a moment to let that sink in.

A single threat actor coordinated a successful state-wide attack that brought down services in 22 different local agencies.  It's no secret that hackers around the world are learning from each other, creating "hacking best practices," and congregating into larger and more organized groups.

As they do so, they're able to tackle increasingly larger and more robust targets.  If these groups can impact a significant portion of a state like Texas today, what will they be capable of by next year?  This has all the earmarks of a trial run for an even larger attack, and that should unsettle everyone.

It is imperative in today's business climate that you protect your company's data, and the data you store for your customers, from outside attack. SpartanTec, Inc. can help you create a plan that prevents ransomware attacks and alerts you to potential threats. Call us today for a complete in-depth analysis of your network.

Monday, September 2, 2019

Choice Hotels Data Breach Affects Up To 700,000 Customers

Recently, an independent researcher named Bob Diachenko worked collaboratively with Comparitech. They discovered an unsecured database containing nearly 700,000 hotel records belonging to Choice Hotels.  Unfortunately, although Diachenko reported his finding to the company, hackers had beaten him to the punch and had already downloaded the file. They are now demanding a ransom for its return.

An investigation into the matter is ongoing. A spokesman for Choice Hotels reported that the bulk of the file consisted of test information, including dummy payment card numbers, passwords and populated reservation fields.  They did confirm, however, the presence of some 700,000 genuine guest records, which included names, addresses and phone numbers.

The hackers left a ransom note in the database, demanding 0.4 Bitcoin for the safe return of the data.  Based on recent prices, that amounts to about $4,000. Assuming the company decides to pay and assuming the hackers keep their word, that is a small price to pay given the number of compromised records.

Choice Hotels reported that the database was exposed when a third-party vendor accessed it as part of a proposal to provide a tool.  Due to the lapse in security, Choice Hotels has decided not to work with that vendor again.

Their announcement about the incident reads, in part, as follows:

"We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature... We are also establishing a Responsible Disclosure Program and we welcome Mr. Diachenko's assistance in helping us identify any gaps."

This lukewarm response to the incident has done little to ease the concerns of Choice Hotels' customers. To this point, no notifications have been sent out to customers whose data has been compromised.  If you stay at Choice Hotels when you travel, be mindful that you may be receiving targeted phishing emails and that your payment card information may have been compromised.

Don't wait for a data breach to happen before you realize the importance of information security. Call SpartanTec, Inc. in Wilmington for a thorough review of your network. Our team will help identify potential vulnerabilities and help put in place security measures to protect your network and your clients' information.
