Agencies step up countermeasures as private, public entities lose billions to cybercriminals
Cybercriminals used an Internet protocol (IP) address based in Jamaica last Thursday to distribute some 1,160 malware attacks per hour to devices here and overseas, the agency that monitors the country’s cybersecurity space has disclosed.
This revelation by Jamaica Cyber-Incident Response Team (JaCIRT) comes amid worrying signs of an explosion in cyberattack incidents in the last two years that have cost Jamaican citizens as well as public and private sector entities billions of dollars.
The IP address in Thursday’s incident was the most active of 206 IP addresses used that day to distribute thousands of “infected connections” – including the notorious dorkbot malware – to other IP addresses locally, in the United States (US) and other countries, according to JaCIRT.
An IP address is a unique set of numbers that identifies a device on the Internet or a local network.
“This IP address ending in [numbers redacted] is pushing the dorkbot malware,” head of JaCIRT, retired Colonel Godphey Sterling, revealed during a Sunday Gleaner interview on Thursday.
Dorkbot is a family of malware worms that is used by cybercriminals to steal confidential data such as user-account credentials, disable security protections and distribute variants to victims’ computers, according to the US Cybersecurity and Infrastructure Security Agency.
Between Monday and Friday last week, a total of 1,013 IP addresses were found to be actively distributing thousands of malware connections, according to data compiled by JaCIRT.
Sterling declined to discuss the monitoring tools available to JaCIRT.
He said a second IP address was used on Monday to distribute 877 “infected connections” per hour, while a third was used to spread 590 suspected or confirmed malware attacks per hour on Wednesday.
“So, when we talk about 24 hours at 550 [per hour], you can see the number of times it is attempting to infect another IP address,” Sterling said.
“We see this sort of thing every day. It’s a precursor to a more sophisticated attack. All they are seeking to do is to compromise the system so they can get into it to do something else,” the JaCIRT head explained.
“It’s like preparing to plant.”
He cautioned that if the use of these IP addresses is inadvertent, “it means a lot of persons are out there with unprotected systems”.
ATTACKS MORE THAN DOUBLED
Between October 2021 and October this year, 86 cyberattack incidents were reported to JaCIRT across the 10 categories it monitors, according to statistics compiled by the agency.
This is twice the 42 reported cases between October 2020 and October 2021.
Fifty-eight cases were reported by individuals; 15 by private sector firms; and 13 by public sector companies.
However, experts believe the actual figures are significantly higher, saying a majority of cyberattack incidents are not reported. Phishing, malware and ransomware-type attacks are among the most prevalent in Jamaica.
A ransomware attack occurs when hackers take control of their victim’s data and demand monetary payments, ranging from US$4,000 to US$4 million, to return it, according to experts.
“They are easy and they generate the most revenues,” said Trevor Forrest, chief executive officer of 876 Technology Solutions Limited, explaining the increased use of ransomware attacks.
Ransomware attacks accounted for six of the cases reported to JaCIRT in the last year, up from two for the previous 12 months. They were evenly split between private and public sector companies.
“There were two agencies and one department of Government. The private entities were one financial institution, one educational institution and one in the construction industry,” the JaCIRT head revealed.
The state-run National Land Agency and Massy Jamaica Distribution Limited, the largest private distributor of pharmaceutical goods locally, are believed to be among the latest victims of cyberattacks in Jamaica.
PRIVATE SECTOR ‘HAS BEEN HIT PRETTY HARD’
While acknowledging that a number of government agencies have come under cyberattack in recent times, Minister of National Security Dr Horace Chang disclosed that the private sector “has been hit pretty hard”.
Sterling said private sector entities, particularly financial institutions, often opt to keep fraud-related cases in-house, possibly out of concern for the reputational damage that could follow.
“When you check with law enforcement agencies … what you will find is that unless it gets into the public domain, they are not contacted to assist with the remediation. And one can understand there is the concern about image,” he said.
One cybersecurity expert said he was aware of at least four private sector companies in the financial, health and manufacturing sectors that have made ransomware payments over the last three years.
“Some have gotten back their data, some have not, which is why we always advise people not to pay,” the expert said.
The Private Sector Organisation of Jamaica did not respond to several questions submitted by The Sunday Gleaner last Tuesday about the issue.
Chang, who is also deputy prime minister, disclosed that a five-year, $4 billion contract with the Israeli firm Elta Systems Limited to “harden” key government entities is proceeding “smoothly” and should be completed soon.
The ministries of national security and science and technology as well as the police, the army and the Major Organised Crime and Anti-Corruption Agency (MOCA) are the five state entities being given priority at this time.
Chang noted, too, that a malware laboratory, to be operated by MOCA, is also being established.
“Cyberattack incidents are of increasing concern to the Government,” said the minister.
“It’s a matter we treat as very sensitive because if you convey the wrong impression, people will think that your systems are falling apart when they are not. And it also leads to confidence in institutions.”
Forrest believes under-investment in data security – particularly by smaller companies – and a lack of awareness of its significance are among the main reasons entities, large and small, as well as citizens fall victim to hackers.
“Yes, you are small, but you have a lot of information that is valuable. Small businesses also have big clients,” he reasoned.
“So, what hackers do is instead of going against the big companies that have all the investments in security, they go for the weak link like a small company and use that as a backdoor into the larger system.”
CYBERSECURITY INCIDENTS REPORTED TO JACIRT
Incident type: October 2021-2022 / October 2020-2021
• Ransomware: 6 / 2
• Unauthorised modification of content*: 10 / 7
• Abusive content: 12 / 5
• Fraud*: 19 / 12
• Identity theft: 13 / 7
• Phishing: 7 / 6
• Spam: 6 / 2
• Vulnerable systems: 6 / 1
• Denial of service: 1 / 0
• Defacement: 1 / 0
* Modification of content refers to the cloning of social media accounts; the creation of profiles for social media and other online content using data obtained through identity theft; and the use of fake or intercepted emails to change the monetary value of invoices or accounts for payments.
* The fraud cases were reported by 13 people, a majority of whom made purchases online (Instagram was the main source of complaints).
NUMBER OF IP ADDRESSES THAT DISTRIBUTED INFECTED MALWARE LAST WEEK
• Monday: 243, including one that distributed 877 connections per hour
• Tuesday: 202, including one that distributed 376 connections per hour
• Wednesday: 214, including one that distributed 590 connections per hour
• Thursday: 206, including one that distributed 1,160 connections per hour
• Friday: 148 (up to midday), including one that was distributing 407 connections per hour
IMPORTANT CYBER SECURITY RECOMMENDATIONS
• BE AWARE, BE VERY AWARE
Train all users and train them often on data security, email attacks and your policies and procedures.
• TAKE STOCK
Document all the IT hardware and software you own, where they are and who has access to them. Ensure that all the software that you use is legally yours to use.
• LOCK SHOP
Enable the most secure configuration of the software and devices that you have. Remove all default passwords from the hardware and software you own. Implement multifactor authentication for access to sensitive data. Encrypt your data while at rest and in transit. Secure your internet and wi-fi with the aid of VPNs and firewalls.
• USE PLENTY PROTECTION
Anti-malware software should be installed to protect your computers, important data and to protect the privacy of your customers’ data. Have at least three backups of important data (local and one remote).
• PATCH IT
Operating systems, IT appliances and other important IT assets should be regularly updated to fix known vulnerabilities.
• Be very aware of the threats that exist. There are many free (or for a small fee) cybersecurity awareness training videos available online.
• Enable multifactor authentication on all your banking, payment, email, etc.
• Never ever give out ANY password or security code or PIN to anyone over the phone or via texts.
• When you receive an email from a person or organisation you have no dealings with requesting payment, DELETE IT. If you are expecting some communication on a similar matter, make a phone call and verify.
• Think seriously before you click links, especially on a mobile device.
SOURCE: Chris Reckord, outgoing president of information technology firm, tTech Limited.