Weekly CyberTip: Spot the signs of potential malware infection
Despite safeguards and best practices, malware can still slip through onto your computer. Would you know the signs of potential infection? Watch for any of the following behaviours on your system – they may be an indication that a problem is brewing, and that you should bring the matter to the attention of a system administrator as soon as possible:
– Unfamiliar desktop shortcuts or icons
– Sluggish performance of the browser or the computer overall
– Unexplained lack of storage space
– Constant CPU or disk activity even when the computer should be idle
– Unexpected toolbars, plug-ins, pop-ups, or new home page in browsers
– Unexpected pop-up ads or upgrade offers on the computer
– Unusual error messages or frequent program/computer crashes
– Mouse icon appears to move on its own
NCC to lead Canadian cyber innovation network
On February 17, the National Cybersecurity Consortium (NCC) announced that it has been appointed to lead the Government of Canada’s new Cyber Security Innovation Network (CSIN). The NCC will receive up to $80 million (all figures CDN$) over four years towards a potential total project well above $160 million.
According to the statement, the NCC-led CSIN “will be an innovative and highly collaborative national network that will enhance research and development, increase commercialization, and develop skilled cybersecurity talent across Canada. CSIN will fund high-impact projects in these domains, to be delivered by collaborations between universities and colleges, private sector firms of all sizes, and public sector and not-for-profit organizations, from all regions of Canada”.
Leveraging extensive collaboration among researchers, post-secondary institutions across Canada, and a variety of public and private sector concerns, the CSIN is intended to bring its stakeholders together to advance Canadian leadership and diversity in cybersecurity.
The NCC is a federally incorporated not-for-profit corporation established in 2020 with a mandate to keep Canada’s cyber and critical infrastructures and citizens safe while ensuring Canada’s global competitiveness and leadership in cybersecurity.
Researchers develop Hive ransomware decryption algorithm
In a February 17 paper, researchers from South Korea’s Kookmin University detailed what they call the “first successful attempt” at decrypting data encrypted by Hive ransomware without relying on the private key used to lock access to the content.
According to the report, the researchers “were able to recover the master key for generating the file encryption key without the attacker’s private key, by using a cryptographic vulnerability identified through analysis”. The researchers exploited the bug to devise a method that reliably recovers a significant quantity of compromised data.
“The master key recovered 92% succeeded in decrypting approximately 72% of the files, the master key restored 96% succeeded in decrypting approximately 82% of the files, and the master key restored 98% succeeded in decrypting approximately 98% of the files,” the researchers detailed in the report.
The Hive ransomware gang first appeared on the scene in June 2021 with an attack on real estate software company Altus Group. Since then, hundreds of victims have been reported, highlighted by Ohio’s Memorial Health System in August 2021 and European consumer electronics retailer MediaMarkt in November. Hive operates a ransomware-as-a-service that compromises business networks, exfiltrates data, and encrypts network data in support of its “double extortion” attack strategy. If ransom demands aren’t met, Hive publishes the stolen data on its HiveLeaks portal on the dark web.
FBI, Check Point issue warnings about virtual meeting abuse
This week saw two new warnings of emerging trends in hackers’ abuse of teleconferencing and virtual meeting platforms. On February 16, the FBI issued a PSA warning about increased activity among hackers using virtual meetings as central parts of their ploys to trick employees into sending money or disclosing financial information. According to the alert, three key trends were identified: the use of still photos and deep fake audio to masquerade as a senior executive; skulking on virtual meetings to gather corporate information; and using teleconferences as a ruse for spear phishing campaigns and business email compromise (BEC).
The second bulletin came from researchers at Check Point subsidiary Avanan on February 17, who reported seeing a significant increase in the use of Microsoft Teams to distribute malware. Threat actors, after gaining access to a company’s meeting platform, are embedding “.exe” files in the application’s chat streams. Assuming that the virtual space is a safe one, unsuspecting users are clicking on the malware programs, leading to compromise. Currently, the malware is often called “UserCentric.exe” but other variants are appearing regularly, with thousands of threats spotted this year alone.
Threat actors see virtual meeting spaces as easy targets due to the huge growth in remote access during the COVID-19 pandemic. In a January 25, 2022 tweet, Frank X. Shaw – Corporate Vice President, Communications at Microsoft – indicated that Teams on its own has in excess of 270 million monthly active users.
Users should be vigilant about any links in virtual meeting threads, just as they should be cautious about regular email communications. Unexpected meeting invitations, especially those on unfamiliar platforms, should be double-checked independently. And any request for financial assistance should be verified and validated independently, backed by multi-factor authentication.