Category Archives: tips

The danger of stolen data: credential stuffing attacks


When we talk about cyberattacks, for companies, there is one word that normally comes to mind: malware, every computer’s nightmare, that can infect their systems and take with it not just the company’s most sensitive information, but also that of their users, clients, providers, employees, and so on.

However, malware isn’t always a cybercriminal’s tool of choice; in fact, in 2017 it started to give way to other kinds of attack, which are having similar levels of success at achieving the same goal: breaking through their victims’ corporate cybersecurity.

What is credential stuffing?

A credential stuffing attack is a kind of cyberattack in which the perpetrator uses login details gathered from a data breach to access user accounts on another platform, replaying those credentials in bulk until a username and password pair is accepted.

To carry out an attack of this kind, the cybercriminal must first get, steal, or buy a database made up of user accounts, with their login names and passwords. Their next step is to try to log in to the affected platform using these login details. As it is not always guaranteed that the details will coincide, the strategy is to launch multiple automatic logins until the details match up. What’s more, the identification processes are carried out by specialized botnets so that the platform believes them to be authentic. If it is possible to log in, the credential stuffing attack will have been a success.
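The pattern just described has a detectable shape on the defender's side: each source tries many different accounts, most attempts fail, and the spray is often spread across many addresses. The following detector is an added example, not code from the post; it assumes a hypothetical log line format (ISO timestamp, source IP, username, result), uses constructed sample lines, and also lists the accounts that were successfully entered from a flagged source so they can be forced to reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO timestamp, source IP,
# username, result). Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-01-03T10:00:01Z 192.0.2.5 alice FAIL
2019-01-03T10:00:09Z 192.0.2.5 alice OK
2019-01-03T10:00:02Z 203.0.113.10 bob FAIL
2019-01-03T10:00:03Z 203.0.113.10 carol FAIL
2019-01-03T10:00:04Z 203.0.113.10 dave OK
2019-01-03T10:00:05Z 203.0.113.10 erin FAIL
2019-01-03T10:00:06Z 203.0.113.10 frank FAIL
2019-01-03T10:00:07Z 203.0.113.11 grace FAIL
2019-01-03T10:00:08Z 203.0.113.11 heidi FAIL
2019-01-03T10:00:09Z 203.0.113.11 ivan FAIL
2019-01-03T10:00:10Z 203.0.113.11 judy FAIL
2019-01-03T10:00:11Z 203.0.113.11 mallory FAIL
2019-01-03T10:00:12Z 198.51.100.7 oscar FAIL
2019-01-03T10:00:13Z 198.51.100.7 peggy FAIL
"""

EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def window_start(when, window):
    """Fixed time bucket (epoch seconds, UTC) that `when` falls into."""
    seconds = int((when - EPOCH).total_seconds())
    return seconds - seconds % window


def _iso(bucket):
    return (EPOCH + timedelta(seconds=bucket)).isoformat()


def detect_credential_stuffing(lines, window=60, min_attempts=5, min_users=4,
                               max_success_rate=0.3, min_sources=3):
    """Return alerts for per-source and aggregate stuffing patterns."""
    per_source = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set()})
    per_window = defaultdict(lambda: {"ips": set(), "users": set(), "fails": 0})
    for line in lines:
        if not line.strip():
            continue
        when, ip, user, result = parse_line(line)
        bucket = window_start(when, window)
        src, agg = per_source[(bucket, ip)], per_window[bucket]
        src["attempts"] += 1
        src["users"].add(user)
        agg["ips"].add(ip)
        agg["users"].add(user)
        if result == "OK":
            src["hits"].add(user)   # a leaked pair that still works
        else:
            agg["fails"] += 1

    alerts = []
    # Per-source view: one IP spraying many different accounts, mostly failing.
    # A brute force on a single account fails the distinct-users test on purpose.
    for (bucket, ip), src in sorted(per_source.items()):
        rate = len(src["hits"]) / src["attempts"]
        if (src["attempts"] >= min_attempts and len(src["users"]) >= min_users
                and rate <= max_success_rate):
            alerts.append({"type": "source", "ip": ip, "window": _iso(bucket),
                           "attempts": src["attempts"],
                           "distinct_users": len(src["users"]),
                           "hits": sorted(src["hits"])})
    # Aggregate view: a botnet spreads the spray over many IPs, so each one
    # may stay under the per-source threshold while the total does not.
    for bucket, agg in sorted(per_window.items()):
        if (len(agg["ips"]) >= min_sources and len(agg["users"]) >= min_users
                and agg["fails"] >= min_attempts):
            alerts.append({"type": "aggregate", "window": _iso(bucket),
                           "distinct_sources": len(agg["ips"]),
                           "distinct_users": len(agg["users"]),
                           "failures": agg["fails"]})
    return alerts


def accounts_to_reset(alerts):
    """Accounts successfully entered from a flagged source: force a reset."""
    return sorted({u for a in alerts if a["type"] == "source" for u in a["hits"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print("force reset:", accounts_to_reset(found))
```

On the sample, the two 203.0.113.x sources are flagged individually, 198.51.100.7 stays under the per-source threshold but contributes to the aggregate alert, and alice's own typo-then-success is left alone.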

The victims: Dunkin Donuts, Yahoo…

These cyberattacks are affecting an increasing number of companies. The latest victim was Dunkin Donuts. In November, the company detected the theft of credentials and their subsequent use in an attack on the users of DD Perks, its loyalty and rewards program. The credentials stemmed from a data breach, although Dunkin Donuts stated that this breach didn’t happen on their system, rather on the system of a supplier, which gave access to third parties. Specifically, the user information came from a previous leak, and so the cybercriminals used this information both to access DD Perks accounts and to log in to other platforms that used the same credentials.

But there is, unfortunately, one incident that takes the crown for credential stuffing attacks: in 2016, around 500 million Yahoo accounts were seriously compromised by the prior leaking of a vast amount of information after another data breach. In this case, the breach had one more outcome: when Yahoo went public with the incident, many users received emails from people claiming to belong to the company, which contained a link to resolve the breach. These emails, however, were a phishing attempt by another group of cybercriminals.

Success rate and how to avoid them

When it comes to evaluating the potential damage of credential stuffing, it is important to get some perspective. According to a Shape Security study carried out in 2018, their success rate is usually, at best, 1%, a figure that may make this attack seem insignificant.


However, we must bear in mind the fact that these cyberattacks usually use databases that can contain credentials of several million users. This means their success rate, though modest in relative terms, is large enough in absolute terms for the affected company’s reputation to be seriously damaged by the exposure of its corporate cybersecurity.

Companies must therefore take appropriate steps to avoid both data breaches and possible credential stuffing attacks.

1.- Two-factor authentication. Two-factor authentication (2FA) is one of the most commonly used methods for companies and platforms that want to ensure a secure login for their users. However, as we have already seen, two-factor authentication is not infallible, since it can be bypassed by tricking users into entering their details on fake portals.

2.- Cybersecurity solutions. A company’s security cannot rely 100% on users correctly managing their passwords, especially since the attack very often comes first: i.e., data breaches are often a consequence of poor corporate cybersecurity management, rather than as a result of poor password management by users. This is where Panda Adaptive Defense comes in: it has a data protection module, Panda Data Control, that is able to monitor data in all its states, including when it is at rest, helping the solution to know at all times what processes are being run and what data is being used.

3.- Employee awareness. Companies must also instill in their employees a series of prevention measures, as they are often the easiest point of entry for cybercrime. Employees must remain alert, must not give out their credentials via email (to avoid phishing, tech support scams or BEC scams) and, if they come across any problems, must report the incident to the company’s head of IT.

The post The danger of stolen data: credential stuffing attacks appeared first on Panda Security Mediacenter.

Beware the man in the cloud: How to protect against a new breed of cyberattack

One malicious tactic that has become quite prevalent in recent years is known as a ‘man in the cloud’ (MitC) attack. This attack aims to access victims’ accounts without the need to obtain compromised user credentials beforehand. Below, this article explains the anatomy of MitC attacks and offers practical advice about what can be done to defend against them. What is an MitC attack? To gain access to cloud accounts, MitC attacks take advantage of the … More

The post Beware the man in the cloud: How to protect against a new breed of cyberattack appeared first on Help Net Security.

Ten corporate cybersecurity New Year’s resolutions


New Year is a moment when many of us set ourselves a series of resolutions to try to improve some part of our lives. And one resolution that should be on everyone’s list is an improvement in cybersecurity habits. With this in mind, we’re sharing these 10 tips for online security that will help you to protect your digital life, as well as that of your company.

In our PandaLabs Annual Report 2018, we compiled many cases where cybersecurity went wrong. And the fact is that many of these incidents — and the serious consequences they entailed — could have been avoided by following some basic security tips.


Good practices for 2019

  • One good habit to bear in mind is the use of firewalls to block unwanted access to our devices. In many cases, this solution is the first line of defense against cyberattacks. The most dramatic example of what can happen if we do away with firewalls is the case of Exactis. This US data broker left around 350 million records exposed in June last year. Anyone could have accessed details about hundreds of millions of US citizens. The cause? A lack of firewalls to protect this information.
  • Multifactor authentication. This method of confirming a user’s identity when logging in adds another layer of protection by asking for a code received on a mobile phone or on a computer. It means that, even if someone gets their hands on our password, accessing our account is more complicated. In July last year, the app Timehop gave us an example of what can happen if we don’t use multifactor authentication: the company blamed a data breach that affected 21 million users on a lack of multifactor authentication on a cloud account.
  • Updating operating systems and installing patches helps to minimize the threats of malware and vulnerabilities. This is especially important if we consider one of the predictions found in our PandaLabs Report: in 2019, new catastrophic vulnerabilities will be discovered, similar to Meltdown and Spectre, which were discovered at the start of last year. Installing all necessary updates and patches is the only way to protect yourself against the vulnerabilities that may threaten corporate cybersecurity, and thus reduce the attack surface.
  • It is very important to be selective when it comes to sharing personal information on the Internet. This information could be used to guess passwords and logins. Discretion is particularly relevant for another of our predictions for 2019. The massive analysis of data, through readily available Big Data tools, allows detailed profiles of personal preferences and trends in many areas to be extracted. Personal information spread over different social networks (Facebook, Twitter, LinkedIn, etc.), correctly analyzed and correlated, can allow the development of highly sophisticated and personalized social engineering attacks with malicious intentions.

Discover the 10 corporate cybersecurity resolutions for 2019 in our infographic, and stay protected this year.


The post Ten corporate cybersecurity New Year’s resolutions appeared first on Panda Security Mediacenter.

Three cybersecurity tips to help train your employees


It’s typically believed that the most sophisticated and complex cyberattacks are the biggest threat to a business.

In reality, however, the biggest cybersecurity threat for many businesses is their own employees. In fact, four of the five top causes of data breaches are down to human or process error. This includes loss or theft of paperwork, data emailed to the wrong recipient and insecure web pages.

In an ever-changing digital-first landscape, where cyberattacks are becoming more and more sophisticated, keeping up with the methods used by cybercriminals and making sure employees are aware of the dangers have become significant challenges.

In this blog, we list three cybersecurity training tips for businesses looking to get employees up to speed and in turn keep business information protected.

Update cybersecurity policies and procedures and educate employees

Employees who aren’t aware of their cybersecurity obligations are more likely to ignore relevant policies and procedures, which could lead to unintentional disclosures of data or successful cyberattacks.

The fundamental issue here is that policies and procedures are never actively taught, shown or provided in context. Instead of showing how these policies and procedures protect the business in a real-life scenario, employees are instead handed the business’s cybersecurity handbook or tip sheet and told to remember it, often alongside the rest of the company’s policies (working hours, holiday protocol, dress-code, benefits, etc.) during induction. The policies and procedures can often be complex and confusing, may not have been updated properly, and could be difficult to apply.

Taking this into account, businesses need to carefully review their cybersecurity policies and procedures to make sure they are not only easy to understand and apply, but also up to date. For example, if a BYOD culture exists within the organisation and the cybersecurity policies have not been updated to take this into account, security holes are inevitable.

Similarly, if those policies have no information to govern how business devices are used – i.e. if the devices are specifically for business only – employees will naturally use them for personal activities and potentially expose crucial business information to cybercriminals.

The last thing businesses need to do to ensure employees are up to scratch is to run regular cybersecurity training courses. Show employees how these policies and procedures work to protect the business and get senior members of staff to champion and emphasise them to employees. This will ensure that a culture of cybersecurity is developed at every level within the business.

Underline the importance of password management

According to a study carried out by OneLogin in 2017, less than a third (31%) of IT decision makers require employees to rotate passwords monthly. Another report by OpenVPN revealed that 25% of employees admit that they use the same password for every enterprise system they access.

Evidently, password management is a major issue and challenge for businesses when it comes to cybersecurity. With employees disregarding basic password management and IT decision makers failing to remind those employees, there needs to be a drastic change in attitude if businesses are to improve cybersecurity practices.

Businesses need to take a more positive approach to the password management process. Not only should they implement more advanced password management tools – multifactor authentication or even PKI authentication – but they should also reward employees that follow the password procedures outlined in their cybersecurity policies.

At the same time, employees also need to realise their responsibility in the process – and this starts with senior business members and C-suite executives teaching the importance of this to the rest of the employees. At every stage they should sit down with employees and explain the business benefits of comprehensive password security in a way those employees can understand. Providing real-world examples such as identity theft and data theft, for instance, can help to get employees on board.

Help employees to understand phishing

Phishing is on the rise, and cybercriminals are getting better and better at it. More than 2,500 complaints were recently made about fake TV licence emails, while a US university was breached after two students fell for a phishing scam.

Cybercriminals have recognised the futility of targeting other attack vectors due to the sophistication of current solutions. Instead of attacking software, cybercriminals are going after the individuals and targeting endpoints – such as mobile phones and laptops – to get access to a business’s wider network.

The challenge is educating employees on phishing so that they can identify a phishing email – particularly if they are using an endpoint device such as a mobile phone or laptop – and follow through with reporting it.

On that basis, IT departments should run employees through the basics of spotting a phishing email; some of the things to look out for are:

  • Email address

Cybercriminals have methods to disguise fake emails and know how to trick victims into thinking a sender is legitimate. Businesses should have a process or solution in place to highlight unknown senders and block known fraudulent email correspondence. If employees spot a rogue email address, they should flag it with their IT department before proceeding.

  • Greetings in the email

Phishing emails are often automated and lack personal greetings. These emails have generic terms like “customer”, “employee” or “dear sir/madam” with no recognition of the recipient’s name. Employees should be cautious of these emails, especially if they are asking for personal information.

  • Grammar and style

Many phishing attacks come from other countries, so these emails are often written by non-native English speakers. These emails typically include grammar and stylistic issues. If an email comes from a supposedly reputable brand or company but includes spelling and grammar mistakes, it’s probably a scam.

  • Link destination

Before clicking on links in emails, employees should hover over them to check the link destination. If the website URL looks suspicious, or is different from the sender’s supposed brand or company, employees should be cautious and check it online or flag it.

  • Calls to action

Emails demanding immediate action or response (and that show a number of the issues mentioned above) are most likely scams. These emails are designed to scare people into taking action and/or giving up confidential information.

  • Images and logos

Don’t trust images and logos. They can easily be downloaded and replicated. Cybercriminals can insert any kind of visual content into emails to persuade victims that their emails are legitimate. Take them with a pinch of salt.

Getting employees to look at all of the above will help businesses to keep employees and data safe and secure. A good rule of thumb is if unsure of the legitimacy of an email – flag it.
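Several of the tells above can also be checked mechanically before a message reaches the reader, which is useful for triage and for building training material. The helper below is an added example, not code from the post: it assumes a hypothetical table of brands and their legitimate domains, uses two constructed messages, and scores the sender address, greeting, call to action and link destination; grammar, images and logos are left to the human reader.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed brand -> legitimate domain table (hypothetical, for the demo).
BRAND_DOMAINS = {"example bank": "example-bank.com"}

GENERIC_GREETING = re.compile(
    r"\bdear\s+(customer|user|employee|member|sir/madam|valued\s+\w+)\b", re.I)
URGENCY = re.compile(
    r"\b(immediately|within\s+\d+\s+hours|will\s+be\s+suspended|verify\s+now|"
    r"act\s+now|urgent)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                    re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"^\s*(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)

# Constructed messages: one with the classic tells, one legitimate.
PHISHING_SAMPLE = """\
From: "Example Bank Support" <alerts@example-bank-secure.net>
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended unless you verify it immediately.</p>
<p><a href="http://203.0.113.77/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

BENIGN_SAMPLE = """\
From: "Example Bank" <notices@example-bank.com>
Subject: Your January statement is ready
Content-Type: text/html

<html><body>
<p>Hi Alice,</p>
<p>Your statement is available whenever convenient.</p>
<p><a href="https://www.example-bank.com/statements">View statement</a></p>
</body></html>
"""


def host_of(url):
    """Hostname of a URL; a bare domain is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def claimed_brand(display_name):
    """Legitimate domain of any brand the display name claims to be."""
    for brand, domain in BRAND_DOMAINS.items():
        if brand in display_name.lower():
            return domain
    return None


def analyze_email(raw):
    """Return the mechanical phishing indicators found and a simple score."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    found = []
    # Email address: the display name claims a brand the sender domain is not.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = claimed_brand(name)
    if expected and not same_site(sender_domain, expected):
        found.append("sender_domain_mismatch")
    # Greeting: automated mail that addresses nobody in particular.
    if GENERIC_GREETING.search(body):
        found.append("generic_greeting")
    # Call to action: pressure to act right now.
    if URGENCY.search(msg.get("Subject", "")) or URGENCY.search(body):
        found.append("urgent_call_to_action")
    # Link destination: what the text shows vs. where the href really goes.
    for href, text in ANCHOR.findall(body):
        real = host_of(href)
        shown = LOOKS_LIKE_URL.match(re.sub(r"<[^>]+>", "", text))
        if shown and not same_site(real, shown.group(1).lower()):
            found.append("link_text_mismatch")
        elif expected and not same_site(real, expected):
            found.append("link_off_brand")
    found = list(dict.fromkeys(found))  # keep order, drop duplicates
    return {"indicators": found, "score": len(found)}
```

A score of zero does not make a message safe; the helper only removes the obvious cases so that the "if unsure, flag it" rule is applied to the rest.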

Regular cybersecurity training and review of policies and procedures will help to build a culture of cybersecurity within a business. As employees come to appreciate the importance of it, they will follow process in everything they do – and teach the same to new employees.

The post Three cybersecurity tips to help train your employees appeared first on Panda Security Mediacenter.

Ryuk ransomware attacks businesses over the holidays

While families gathered for food and merriment on Christmas Eve, most businesses slumbered. Nothing was stirring, not even a mouse—or so they thought.

For those at Tribune Publishing and Data Resolution, however, a silent attack was slowly spreading through their networks, encrypting data and halting operations. And this attack was from a fairly new ransomware family called Ryuk.

Ryuk, which made its debut in August 2018, is different from many other ransomware families we’ve analyzed, not because of its capabilities, but because of the novel way it infects systems.

So let’s take a look at this elusive new threat. What is Ryuk? What makes it different from other ransomware attacks? And how can businesses stop it and similar threats in the future?

What is Ryuk?

Ryuk first appeared in August 2018, and while not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts.

Despite a successful infection run, Ryuk itself possesses functionality that you would see in a few other modern ransomware families. This includes the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. By doing this, the attackers could disable the Windows System Restore option for users, and therefore make it impossible to recover from the attack without external backups.

Ryuk “polite” ransom note

One interesting aspect of this ransomware is that it drops more than one note on the system. The second note is written in a polite tone, similar to notes dropped by BitPaymer ransomware, which adds to the mystery.

Ryuk “not-so-polite” ransom note

Similarities with Hermes

Researchers at Checkpoint have already conducted deep analysis of this threat, and one of their findings was that Ryuk shares many similarities with another ransomware family: Hermes.

Inside of both Ryuk and Hermes, there are numerous instances of similar or identical code segments. In addition, several strings within Ryuk have been discovered that refer to Hermes—in two separate cases.

When launched, Ryuk will first look for the Hermes marker that is inserted into each encrypted file. This is a means to identify if the file or system has already been attacked and/or encrypted.

The other case involves whitelisted folders, and while not as damning as the first, the fact that both ransomware families whitelist certain folder names is another clue that the two families might share originators. For example, both Ryuk and Hermes whitelist a folder named “Ahnlab”, which is the name of a popular South Korean security software vendor.

If you know your malware, you might remember that Hermes was attributed to the Lazarus group, who are associated with suspected North Korean nation-state operations. This has led many analysts and journalists to speculate that North Korea was behind this attack.

We’re not so sure about that.

Notable attacks

Multiple notable Ryuk attacks have occurred over the last few months primarily in the United States, in which the ransomware infected large numbers of endpoints and demanded higher ransoms than what we typically see (15 to 50 Bitcoins).

One such attack was on the Onslow Water and Sewer Authority (OWASA) on October 15, 2018, which kept the organization from being able to use their computers for a time. While water and sewage services, as well as customer data, were untouched by the ransomware attack, it still caused significant damage to the organization’s network and resulted in numerous databases and systems being rebuilt from the ground up.

Infection method

According to Checkpoint and multiple other analysts and researchers, Ryuk is spread as a secondary payload through botnets, such as TrickBot and Emotet.

Here is the running theory: Emotet makes the initial infection on the endpoint. It has its own abilities to spread laterally throughout the network, as well as launch its own malspam campaign from the infected endpoint, sending additional malware to other users on the same or different networks.

From there, the most common payload that we have seen Emotet drop over the last six months has been TrickBot. This malware has the capability to steal credentials, and also to move around the network laterally and spread in other ways.

Both TrickBot and Emotet have been used as information stealers, downloaders, and even worms based on their most recent functionality.

At some point, for reasons we will explore later in this post, TrickBot will download and drop Ryuk ransomware on the system, assuming that the infected network is something that the attackers want to ransom. Since we don’t see even a fraction of the number of Ryuk detections as we see of Emotet and TrickBot through our product telemetry, we can assume that it’s not the default standard operation to infect systems with Ryuk after a time, but rather something that is triggered by a human attacker behind the scenes.


Let’s take a look at the stats for Emotet, Ryuk, and TrickBot from August until present-day and see if we can’t identify a trend.

Malwarebytes’ detections from August 1, 2018 – January 2, 2019

The blue line represents Emotet, 2018’s biggest information-stealing Trojan. While this chart only shows us August onward, rest assured that for much of the year, Emotet was on the map. However, as we sailed into Q4 2018, it became a much bigger problem.

The orange line represents TrickBot. These detections are expected to be lower than Emotet, since Emotet is usually the primary payload. This means that in order for TrickBot to be detected, it must have either been delivered directly to an endpoint or dropped by an Emotet infection that was undetected by security software or deployed on a system without it. In addition, TrickBot hasn’t been the default payload for Emotet for the entire year, as the Trojan has continuously swapped payloads, depending on time of year and opportunity.

Based on this, to get hit with Ryuk (at least until we figure out the real intention here) you would need to have either disabled, not installed, or not updated your security software. You would need to refrain from conducting regular scans to identify TrickBot or Emotet. You would need to either have unpatched endpoints or weak credentials for TrickBot and Emotet to move laterally throughout the network and then, finally, you would need to be a target.

That being said, while our detections of Ryuk are small compared to the other families on this chart, that’s likely because we caught the infection during an earlier stage of the attack, and the circumstances for a Ryuk attack need to be just right—like Goldilocks’ porridge. Surprisingly enough, organizations have created the perfect environment for these threats to thrive. This may also be the reason behind the huge ransom payment, as fewer infections lead to fewer payouts.

Christmas campaign

While active earlier in the year, Ryuk didn’t make as many headlines as when it launched its “holiday campaign,” or rather the two largest sets of Ryuk infections, which happened around Christmastime.

The chart below shows our detection stats for Ryuk from the beginning of December until now, with the two infection spikes noted with stars.

Malwarebytes’ Ryuk detections December 5, 2018 – January 2, 2019

These spikes show that significant attacks occurred on December 24 and December 27.

Data Resolution attack

The first attack was on Data Resolution, a cloud hosting provider, on Christmas Eve. As you can see from above, it was the most Ryuk we had detected in a single day over the last month.

According to Data Resolution, Ryuk was able to infect systems by using a compromised login account. From there, the malware gave control of the organization’s data center domain to the attackers until the whole network was shut down by Data Resolution.

The company assures customers that no user data was compromised, and the intent of the attack was to hijack, not steal. Although, knowing how this malware finds its way onto an endpoint in the first place is a good sign that they’ve probably lost at least some information.

Tribune Publishing attack

Our second star represents the December 27 attack, when multiple newspaper organizations under the Tribune Publishing umbrella (now or in the recent past) were hit with Ryuk ransomware, essentially disabling these organizations’ ability to print their own papers.

The attack was discovered late Thursday night, when one of the editors at the San Diego Union-Tribune was unable to send finished pages to the printing press. These issues have since been resolved.


We believe Ryuk is infecting systems using Emotet and TrickBot to distribute the ransomware. However, what’s unclear is why criminals would use this ransomware after an already-successful infection.

In this case, we can actually take a page from the Hermes playbook. We witnessed Hermes being used in Taiwan as a means to cover the tracks of another malware family already on the network. Is Ryuk being used in the same way?

Since Emotet and TrickBot are not state-sponsored malware, and they are usually automatically launched to a blanket of would-be victims (rather than identifying a target and being launched manually), it seems odd that Ryuk would be used in only a few cases to hide the infection. So perhaps we can rule this theory out.

A second, more probable theory is that the purpose of Ryuk is as a last ditch effort to extort more value from an already-juicy target.

Let’s say that the attackers behind Emotet and TrickBot have their bots map out networks to identify a target organization. If the target has a large enough infection spread of Emotet/TrickBot, and/or if its operations are critical or valuable enough that disruption would trigger an inclination to pay the ransom, then that might make them the perfect target for a Ryuk infection.

The true intention for using this malware can only be speculated at this point. However, whether it’s hiding the tracks of other malware or simply looking for ways to make more cash after stealing all the relevant data they could, businesses should be wary of writing this one off.

The fact remains that there are thousands of active Emotet and TrickBot infections all over the world right now. Any of the organizations that are dealing with these threats need to take them seriously, because an information stealer might turn into nasty ransomware at any time. This is the truth of our modern threat landscape.


As mentioned earlier, many analysts and journalists have decided that North Korea is the most likely attacker to be distributing Ryuk. While we can’t completely rule this out, we aren’t entirely sure it’s accurate.

Ryuk does match Hermes in many ways. Based on the strings found, it was likely built on top of, or is a modified version of Hermes. How the attackers got the source code is unknown, however, we have observed instances where criminals were selling versions of Hermes on hacker forums.

This introduces another potential reason the source code got into the hands of a different actor.

Identifying the attribution of this attack based on similarities between two families, one of which is associated with a known nation-state attack group (Lazarus) is a logical fallacy, as described by Robert M. Lee in a recent article, “Attribution is not Transitive – Tribute Publishing Cyber Attack as a Case Study.” The article takes a deeper dive into the errors of attribution based on flimsy evidence. We caution readers, journalists, and other analysts on drawing conclusions from correlations.


Now that we know how and potentially why Ryuk attacks businesses, how can we protect against this malware and others like it?

Let’s focus on specific technologies and operations that are proven effective against this threat.

Anti-exploit technology

The use of exploits for both infection and lateral movement has been increasing for years. The primary method of infection for Emotet at the moment is through spam with attached Office documents loaded with malicious scripts.

These malicious scripts are macros that, once the user clicks on “Enable content” (usually through some kind of social engineering trick), will launch additional scripts to cause havoc. We most commonly see scripts for JavaScript and PowerShell, with PowerShell quickly becoming the de-facto scripting language for infecting users.

While you can stop these threats by training users to recognize social engineering attempts or use an email protection platform that recognizes malicious spam, using anti-exploit technology can also block those malicious scripts from trying to install malware on the system.

In addition, using protection technologies such as anti-ransomware adds a great deal of protection against ransomware infections, stopping them before they can do serious damage.

Regular, updated malware scans

This is a general rule that has been ignored enough times to be worth mentioning here. In order to have effective security solutions, they need to be used and updated frequently so they can recognize and block the latest threats.

In one case, the IT team of an organization didn’t even know they were lousy with Emotet infections until they had updated their security software. They had false confidence in a security solution that wasn’t fully armed with the tools to stop the threats. And because of that, they had a serious problem on their hands.


Network segmentation

This is a tactic that we have been recommending for years, especially when it comes to protecting against ransomware. To ensure that you don’t lose your mapped or networked drives and resources if a single endpoint gets infected, it’s a good idea to segment access to certain servers and files.

There are two ways to segment your network and reduce the damage from a ransomware attack. First, restrict access to certain mapped drives based on role requirements. Second, use a separate or third-party system for storing shared files and folders, such as Box or Dropbox.

Evolving threats

This last year has brought with it some novel approaches to causing disruption and devastation in the workplace. While ransomware was the deadliest malware for businesses in 2017, 2018 and beyond look to bring us multiple malware deployed in a single attack chain.

What’s more, families like Emotet and TrickBot continue to evolve their tactics, techniques, and capabilities, making them more dangerous with each new generation. While today, we might be worried about Emotet dropping Ryuk, tomorrow Emotet could simply act as ransomware itself. It’s up to businesses and security professionals to stay on top of emerging threats, however minor they may appear, as they often signal a change in the shape of things to come.

Thanks for reading and safe surfing!

The post Ryuk ransomware attacks businesses over the holidays appeared first on Malwarebytes Labs.