The global scale of the recent Exchange server attacks deserves the designation “saga.” The fallout, resulting in data theft and further malware deployment, has likely led to intensive changes in security protocols at thousands of institutions, and will surely be felt for a long time.

In an update to ESET’s original research piece detailing the global impact of the attacks, ESET’s telemetry picked up almost 27,000 attack attempts via web shells against around 5,500 unique servers:

Along with our well-received research into advanced persistent threat groups leveraging the Exchange vulnerabilities, ESET has set out to provide proactive advice via its Knowledgebase and a Customer Advisory. As the saga moves forward and we continue to compile and analyze data from the networks we protect, we would like to share how our cloud sandbox technology, ESET Dynamic Threat Defense (EDTD), and our endpoint detection and response solution, ESET Enterprise Inspector (EEI), offer protection to our clients.

With respect to malicious files, EDTD not only handles executables (as is the case with ESET LiveGrid®) but also documents, scripts, installers and other file types commonly used to deliver threats. As such, the technology gives greater visibility into, and protection against, various threat types. Leveraging EDTD in combination with endpoint security—both of which are backed by our core detection technologies—brings a multilayered approach to the table that significantly increases the likelihood an attack is automatically detected.

Looking closely at the samples related to the exploitation of Exchange servers, ESET has seen that some of the post-compromise attack components, for example, the loaders for the PlugX RAT (also known as Korplug), are being detected by EDTD when the most sensitive detection threshold – Suspicious – is applied. The same applies to the CobaltStrike-related components.

These kinds of detections also trigger alerts in the ESET Lab, where our researchers are actively monitoring EDTD detection data. The knowledge gained from malware analysis of these samples can then be applied further as we investigate possible intrusion vectors and remediation. With respect to post-compromise investigation and monitoring of servers, security operations center teams can use ESET Enterprise Inspector to address what amounts to a global challenge.

From the point of view of EEI’s rule set, the current modus operandi of the attackers can be fairly generic, meaning that creating a rule that detects such generic activity—even though possibly malicious—might cause a high number of false positives. For example, it is quite normal for w3wp.exe, the IIS worker process, to execute cmd.exe and powershell.exe, meaning that a rule monitoring this event would flood EEI’s dashboard with false positives.

However, ESET security teams have investigated how EEI faces up against malicious activity following the exploitation of Exchange. Our findings suggest that EEI deployed on exploited servers can cut investigation time by at least 80%.

EEI can not only shorten the time for investigation, but also show the path of attack. Critically, the security admin at EEI’s dashboard would have data at hand to see what was happening, when and where, which is a significant help in identifying and cleaning up malware, as well as providing for the overall security of compromised email servers.

Please follow our blog where ESET will share additional information to help customers return to normal operations following the extensive global exploitation of Exchange.

Did you know that in 2018, Singapore suffered its largest-ever data breach in history when 1.5 million patients of SingHealth’s specialist outpatient clinics had their personal information stolen? This included names, NRIC numbers, dates of birth, and even addresses. However, a couple of years after this event, cyber attacks have not gone away. In fact, not long since its occurrence, the Cyber Security Agency of Singapore (CSA) reported a 51.7% increase in cyber attacks.

With more frequent data breaches expected in the near future, CSA has underscored the need for consumers to exercise constant vigilance and improve data security to keep increasingly sophisticated threats at bay. Here are five ways you can enhance data security at home.

1. Encrypt Your Data

The safest way to secure your private data is to utilise encryption to make it indecipherable for people other than those that are authorised to access it. Encryption takes your data and then converts it into an unreadable form, thus maintaining the privacy of your records.

You can begin by activating an encryption tool and enabling it across all your connected devices. This way, your data will be secure even in the event that the devices are stolen or lost. In addition, ensure that you only visit websites that have SSL encryption. SSL encrypted websites are visibly distinguished as their URL starts with “https://” and has a padlock icon that precedes the name of the domain in the address bar of your web browser.

2. Update Your Software

In today’s environment of hyperconnected and multi-platform devices, manufacturers go to great lengths to ensure connected devices are as user-friendly as possible. One adverse result of this is that software changes sometimes take place in the background, making it easy to lose track of their status.

An overwhelming bulk of hardware-related cyber attacks take place due to unpatched software vulnerabilities that cybercriminals use to obtain backdoor access to your system. If you ignore software updates, you are practically opening doors to hackers to infiltrate your system.

For this purpose, you should keep all software on your device as updated as possible. Alternatively, you can allow automatic updates to ensure your devices are protected at all times. These updates include fixes for newly found security vulnerabilities that could be exploited by malicious actors.

3. Backup Your Data Regularly

In light of persistent risks to your private information, it is likely that no protection will be 100% safe. This is particularly true in the face of the recent exponential increase in ransomware attacks in Singapore. They provide evidence that cybercriminals can pose just as much a challenge by refusing you access to your private data as they can by hacking and stealing it for themselves.

This is why it’s important to back up all your critical data regularly so that you can easily recover from data breaches should they happen. You can do this by backing up your local data to cloud-based backup services. In addition, you can also run an antivirus software on your PC to keep it infection-free. This will decrease the probability of experiencing a ransomware attack and also alert you to issues before they can be replicated in your backup data.

4. Create Strong Passwords and Change Them Often

Singaporeans are lax when it comes to password security, as reported in a study conducted by the CSA. The report stated that 33% of respondents store their passwords in their computer and use the same password for multiple accounts. Moreover, between 50-70% of respondents don’t change their passwords until prompted by their online service providers.

With cybercriminals getting smarter, it’s best to not leave internet security to chance and create strong passwords while ensuring you change them frequently. This allows you to sidestep brute-force attacks, where malicious actors use a number of password variations in the hope of guessing a combination correctly. If you feel password management is a hassle, you can use a password manager to store your passwords and access them with one master password whenever you want.

5. Invest in Antivirus Software

An antivirus software solution is a crucial component of your broader system security plan and is the best way to enhance data protection. It discovers hidden viruses, points you to possible risks in your system, and then deletes them before they can corrupt your data. This ensures that almost all threats are stopped before they can deal any damage to your systems.

A powerful antivirus software solution like ESET NOD32 Antivirus also protects you against malicious websites and ads, which are the most popular gateways through which viruses infect your systems. This eliminates the risk of a data breach due to a ransomware attack by restricting its immediate access to your computer network.