
How to Secure Building Management Systems

As infrastructure modernizes, building management systems (BMS) are becoming increasingly sophisticated. They provide automation, control and management of the physical environment of buildings, and to operate reliably, you need to ensure their security. This can be crucial in some buildings, such as hospitals. What can you do to make buildings safer?

An Introduction to BMS

BMS stands for Building Management System. It is a computer-based system that controls and monitors a building’s mechanical and electrical equipment, such as heating, ventilation, and air conditioning (HVAC), lighting, and other building systems. Several BMSs are in common use in buildings today, each with its own specific features and capabilities. These include:
  • Siemens Desigo
  • Johnson Controls Metasys
  • Honeywell WEBs
  • Schneider Electric Andover Continuum
  • Trane Tracer
  • Delta Controls
There are many more systems, and the choice of BMS depends on the specific requirements of the building and the needs of the building owner or operator. However, they have one thing in common – the BACnet protocol is frequently used between these systems and HVAC endpoints.

BACnet Protocol: Essential for Building Management Systems Security

The Building Automation and Control Network (BACnet) protocol is a communication protocol that is widely used in building automation and control systems for HVAC, lighting, and other building systems. BACnet was designed to provide a standard way for different building systems to communicate and share data, and is now used in thousands of buildings worldwide. One of the key features of BACnet is its support for security. BACnet includes several security features to protect against unauthorized access, tampering, and other types of attacks. These features include:
  • Authentication: BACnet supports the use of passwords and other forms of authentication to ensure that only authorized users can access the building automation and control systems.
  • Encryption: BACnet supports the use of encryption to protect the confidentiality and integrity of data as it is transmitted between different devices and systems.
  • Access control: BACnet includes features to restrict access to specific objects and properties within the building automation and control systems. This allows building operators to control who can access and control different systems within the building.
  • Auditing: BACnet includes the capability to record and log all access to the building automation and control systems. This allows building operators to detect and investigate any unauthorized access or tampering.
Despite these security features, the BACnet protocol has some security weaknesses. For example, some security experts have raised concerns about the use of static passwords for authentication, which can be easily guessed or cracked by attackers. Additionally, BACnet does not include support for security certificates or other forms of digital authentication, which can make it more difficult to ensure that devices are communicating with the correct systems. Another concern is that BACnet’s security features are not widely implemented: many building automation and control systems using BACnet do not have them enabled, or have them configured in an insecure way. This leaves those systems vulnerable to attacks and can make it easy for unauthorized users to gain access to sensitive systems and data.
BACnet is a communication protocol that is widely used in building automation and control systems, and provides several security features to protect against unauthorized access and tampering. However, there are some concerns about the security of the protocol, particularly regarding the use of static passwords and the lack of wide implementation of security features. It is important for building operators to be aware of these security risks and to take steps to secure their building automation and control systems, such as regularly changing passwords, enabling encryption, and monitoring for suspicious activities.

Risk Mitigation in BMS Security

One of the most important aspects of risk mitigation is the visualization of the flows to and from a BMS, whether they are carried over BACnet or a different OT protocol. This allows a user to optimize their network configuration, mitigating the risks of:
  • Static passwords
  • Lack of certificates
  • Disabled security features on various BACnet-enabled assets
One tool you can use for the flow visualization is GREYCORTEX Mendel, which has protocol parsers and BMS-asset identification built into its core.
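As an added example (not part of the original article, and not code from any vendor product mentioned here), the script below parses the BVLC, NPDU and APDU headers of BACnet/IP request datagrams, builds the kind of flow inventory the section above describes, and flags write/control services coming from hosts outside a BMS allow-list. The IP addresses and datagrams are constructed, and the service-number tables cover only the services a reviewer most often looks for.

```python
"""Inventory BACnet/IP flows from raw UDP payloads and flag control-plane writes.

Parses the BVLC, NPDU and APDU headers of BACnet/IP datagrams (UDP 47808),
records (source, destination, service) flows and reports state-changing
services issued by hosts that are not the expected BMS front-ends.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# The APDU type lives in the high nibble of the first APDU octet.
CONFIRMED_REQUEST, UNCONFIRMED_REQUEST = 0, 1

CONFIRMED_SERVICES = {
    0: "acknowledgeAlarm", 1: "confirmedCOVNotification", 5: "subscribeCOV",
    6: "atomicReadFile", 7: "atomicWriteFile", 12: "readProperty",
    14: "readPropertyMultiple", 15: "writeProperty", 16: "writePropertyMultiple",
    17: "deviceCommunicationControl", 20: "reinitializeDevice",
}
UNCONFIRMED_SERVICES = {
    0: "i-Am", 1: "i-Have", 2: "unconfirmedCOVNotification",
    6: "timeSynchronization", 7: "who-Has", 8: "who-Is",
}
# Services that change device state; only known BMS hosts should issue them.
WRITE_SERVICES = {"writeProperty", "writePropertyMultiple", "atomicWriteFile",
                  "deviceCommunicationControl", "reinitializeDevice"}

Flow = Tuple[str, str, str]  # (source IP, destination IP, service name)


def parse_bacnet_ip(payload: bytes) -> Tuple[str, Optional[int]]:
    """Return (service name, invoke ID) for a request APDU carried in BACnet/IP."""
    # BVLC header: type 0x81, function code, 16-bit total length.
    if len(payload) < 4 or payload[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC) datagram")
    if int.from_bytes(payload[2:4], "big") != len(payload):
        raise ValueError("BVLC length field does not match datagram length")
    if payload[1] not in (0x0A, 0x0B):  # Original-Unicast-NPDU / Original-Broadcast-NPDU
        raise ValueError(f"unsupported BVLC function 0x{payload[1]:02x}")
    # NPDU: version, control octet, optional DNET/DLEN/DADR, SNET/SLEN/SADR, hop count.
    i = 4
    if payload[i] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = payload[i + 1]
    if control & 0x80:
        raise ValueError("network-layer message carries no APDU")
    i += 2
    if control & 0x20:            # destination specifier present (DLEN 0 = broadcast)
        i += 3 + payload[i + 2]
    if control & 0x08:            # source specifier present
        i += 3 + payload[i + 2]
    if control & 0x20:
        i += 1                    # hop count follows the source specifier
    apdu = payload[i:]
    pdu_type = apdu[0] >> 4
    if pdu_type == CONFIRMED_REQUEST:
        # Octet 1 = max segments/max APDU, octet 2 = invoke ID; a segmented
        # request (SEG bit 0x08) adds sequence number and window size.
        svc_at = 5 if apdu[0] & 0x08 else 3
        return CONFIRMED_SERVICES.get(apdu[svc_at], f"confirmed-{apdu[svc_at]}"), apdu[2]
    if pdu_type == UNCONFIRMED_REQUEST:
        return UNCONFIRMED_SERVICES.get(apdu[1], f"unconfirmed-{apdu[1]}"), None
    raise ValueError(f"APDU type {pdu_type} is a reply/error, not a request")


def build_flow_inventory(records: List[Tuple[str, str, bytes]]) -> Dict[Flow, int]:
    """Count (src, dst, service) flows; malformed datagrams are counted as 'unparsed'."""
    flows: Counter = Counter()
    for src, dst, payload in records:
        try:
            service, _ = parse_bacnet_ip(payload)
        except (ValueError, IndexError):
            service = "unparsed"
        flows[(src, dst, service)] += 1
    return dict(flows)


def unexpected_writes(records, allowed_writers: Set[str]) -> List[Flow]:
    """Flows issuing state-changing services from hosts outside the allow-list."""
    return sorted(flow for flow in build_flow_inventory(records)
                  if flow[2] in WRITE_SERVICES and flow[0] not in allowed_writers)


# Constructed sample datagrams (not captured traffic), given as raw UDP payloads.
WHO_IS = bytes.fromhex("810b0008" "0100" "1008")           # broadcast Who-Is
READ_PV = bytes.fromhex("810a0011" "0104"                   # ReadProperty, invoke ID 1
                        "0005010c" "0c00800001" "1955")     # analog-value 1, present-value
WRITE_PV = bytes.fromhex("810a001a" "0104"                  # WriteProperty, invoke ID 2
                         "0005020f" "0c00800001" "1955"
                         "3e4442c800003f" "4908")           # REAL 100.0 at priority 8
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "10.0.0.255", WHO_IS),     # workstation discovering devices
    ("10.0.0.10", "10.0.0.20", READ_PV),    # BMS front-end polling a controller
    ("10.0.0.10", "10.0.0.20", WRITE_PV),   # BMS front-end issuing a setpoint
    ("10.0.0.99", "10.0.0.20", WRITE_PV),   # unknown host issuing the same write
]

if __name__ == "__main__":
    for flow, n in sorted(build_flow_inventory(SAMPLE_TRAFFIC).items()):
        print(f"{flow[0]:>10} -> {flow[1]:<10} {flow[2]:<22} x{n}")
    print("writes from non-BMS hosts:", unexpected_writes(SAMPLE_TRAFFIC, {"10.0.0.10"}))
```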

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

Azure security best practices

Microsoft Azure is a dominant cloud hosting platform, serving around 70 percent of organizations worldwide. A popular hosting environment for SQL databases, Azure also provides a flexible way to run up to 200 cloud applications.

This flexibility is a game-changer for many businesses. But there’s a catch. For Azure to function properly, it’s essential to create a secure environment. Otherwise, cloud apps and databases can leak sensitive data. Credentials may be at risk, and companies can suffer huge compliance penalties.

Fortunately, solutions exist. This blog will explain how to secure your cloud environment with Azure security best practices. And we will look at how to create a layered security strategy that goes beyond Microsoft’s controls.

Why is securing access to Azure so important?

Azure security matters because Microsoft’s cloud platform hosts a range of critical assets. Companies use Azure to host .Net apps for web applications or gaming DevOps. Azure storage accounts host SQL databases containing client data, while Kubernetes clusters support private cloud infrastructure.

Whatever Azure services companies rely on, security is a priority. Insecure Azure apps can leak data and provide an entry point for cyber attackers. And you cannot rely on Microsoft to cover every security challenge.

Azure clients have wide areas of responsibility to secure their cloud configuration. Clients need to restrict access to sensitive data. Users must manage access and exclude malicious actors. They also have to manage how data flows between cloud apps. The need for an Azure security policy is obvious when you put these tasks together.

Microsoft Azure security best practices

Any companies that rely on Microsoft’s cloud services should get to know Azure security best practices.

The best approach is adopting a layered strategy. Users should exploit security tools provided by Microsoft. But they should add additional security controls where necessary. These Azure security best practices will explain how the layered security approach works.

1. Map Azure assets and create a compliance strategy

The first step in layering Azure security is understanding the cloud environment. Before applying any of the best practices below, you must understand what assets need to be protected.

Map the cloud assets on your Azure platform. Include all apps and data stores, and classify data according to importance. You should know exactly where client data is stored and who has access to that data.

It is also advisable to create a clear compliance strategy for Azure environments. Define your core goals, including HIPAA, PCI DSS, or GDPR compliance. Use these data security frameworks as a baseline to improve Azure security and meet regulatory requirements.

Track your compliance progress with the scoring tools in the Azure Security Center. The compliance dashboard provides detailed information about security levels and required actions.

2. Encrypt critical data

Data security on Azure apps is the responsibility of clients, not Microsoft. So take action to encrypt data and hide it from malicious actors.

Encrypt sensitive data at rest using Microsoft’s server-side symmetric key encryption tools. You can use these tools to segment data by importance. This ensures that operational data is available to employees, while financial or personal information is only accessible to users holding the specific encryption keys.

Azure Disk Encryption works alongside Microsoft’s SSE. It creates another layer of data security for virtual machines and data containers. This reduces the risk of attackers exploiting Virtual Hard Disk (VHD) files: attackers who obtain them will find it much harder to use them to create virtual machines within Azure environments.

When you apply Azure encryption, key storage is your responsibility. Secure encryption keys with IAM controls to prevent unauthorized access. Azure Key Vault is a good key management solution and integrates well with Azure app environments.

Users should also encrypt sensitive data in transit. Data constantly flows between Azure apps, remote devices, and on-premises workstations. VPN encryption provides a solution, adding another layer of protection above Azure security controls.

3. Create a backup and disaster recovery plan

A strong Azure security posture features a fall-back plan when systems fail, or attackers succeed. Microsoft offers an end-to-end DR service via Azure Site Recovery (ASR). Combine this with Azure Backup to create tailored data backup plans.

With an ASR failover plan, you can recover application states with minimal information loss. You might also add Azure Storage Replication, which regularly generates multiple copies of important files.

4. Secure sensitive data with robust controls

Encryption is not the only data security control for Azure users. Consider a range of additional tools and find a mix that secures sensitive data without compromising user experience. Options to think about include:

  • Activate auditing tools. Users can instruct Azure to audit databases. This creates a data stream that tracks database changes. Data visibility makes it easier for security teams to detect anomalies and unsafe user activity.

  • Add Azure SQL threat detection. Many Azure apps rely on SQL, but SQL presents critical security threats. If you use SQL databases, turn on SQL threat detection to isolate security weaknesses and secure the threat surface.

  • Use Azure Firewall. Azure Firewall adds another layer of data security protection for Azure-hosted apps. You can manage firewall settings centrally, and coverage can increase as new apps come online. Cloud-native TLS inspection provides valuable protection against malware attacks.

  • Enable Azure Monitor alerts. Gain additional awareness by engaging Azure Monitor alerts. Users can target alerts at single resources and use many metrics to identify vulnerabilities. Azure Monitor Action Groups make it easy to automate alerts and deliver precise information when threats arise.

  • Implement Azure Defender. Defender is a subscription-based security service that leverages extended threat detection and response (XDR) and contextual security. It covers hybrid and multi-cloud environments, delivering threat protection and remediation advice. Azure Defender may well be a sensible addition when securing complex cloud environments.

  • Use Shared Access Signatures. Created via Active Directory, Shared Access Signatures (SAS) let you grant third parties and employees access to Azure resources for limited periods. Best practices include creating a SAS for all short-term network users, as it allows admins to set granular controls.

5. Manage access with IAM

Preventing illegitimate access to cloud infrastructure is one of the most important Azure security best practices. The best way to manage user access is by adding Identity and Access Management (IAM) to your security arsenal.

Microsoft provides a cloud-native IAM system called Azure Active Directory (AAD). AAD authenticates logins and compares user credentials to a secure Active Directory database.

IAM best practices for Azure include using AAD to set role-based access controls (RBAC). With RBAC, admins can put the Zero Trust ‘principle of least privilege’ into action. Every user has very limited privileges. Privileges only apply after users supply multiple credentials.

Role-based privileges have big practical benefits. Developers will not retain access to resources when their project involvement ends. Attackers obtaining their credentials will be relatively powerless. They will struggle to achieve Virtual Machine access. Breaching Azure SQL databases will be much harder.

Add another layer to your security posture by combining AAD with Single-Sign-On (SSO). SSO combines all cloud and on-premises assets. Remote workers can log in to the apps they need via a single sign-on portal.

Users can apply Multi-Factor Authentication (MFA) at this stage. This requests an extra authentication factor for each login, such as biometric data or one-time codes delivered to smartphones.

IP allowlisting also features in recommended Azure security best practices. Allowlisting lets you specify trusted IP addresses. You can add remote work devices or employee smartphones and exclude every other device until it passes MFA and IAM controls.

6. Add workload and VM protection

Azure security best practices include securing virtual machines via specialist controls. For instance, Azure includes the option of applying just-in-time controls for VMs. These Azure security controls allow users to access VMs for limited periods, removing the possibility of accessing assets after sessions expire.

VM controls also allow administrators to lock vulnerable ports and limit access to authorized users. Restrict access to RDP, WinRM, and SSH ports commonly used by VMs. Access should only be available when absolutely required.

You can apply controls easily by assigning workloads and VMs to Network Security Groups (NSGs). These groups define security procedures for each asset and add another protective layer via the Azure Firewall.
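As an added example (not part of the original post, and not Microsoft tooling), the check below walks an NSG’s inbound rules in priority order, the way the platform evaluates them, and reports which management ports (RDP 3389, SSH 22, WinRM 5985/5986) are left open to the whole Internet, shown against a weak rule set and a corrected one. The rule dictionaries are constructed to follow the flattened key names of `az network nsg show` output (an assumption), and Azure’s default DenyAllInBound is assumed to apply when no custom rule matches.

```python
"""Check Azure NSG inbound rules for management ports reachable from the Internet.

Rules are evaluated lowest priority number first; the first matching rule
decides, and the default DenyAllInBound rule applies when nothing matches.
Only Internet-wide sources count as exposure, so an Allow from a specific
corporate prefix is not flagged.
"""
from typing import Dict, List

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def _port_matches(port: int, spec: str) -> bool:
    """Match a port against an NSG port spec: '*', '3389' or '5985-5986'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _values(rule: dict, single: str, plural: str) -> List[str]:
    """Combine the single-valued and list-valued forms of an NSG field."""
    one = rule.get(single)
    return ([one] if one else []) + list(rule.get(plural) or [])


def internet_reachable(rules: List[dict], port: int, protocol: str = "Tcp") -> bool:
    """True if traffic from any Internet source to `port` is allowed by these rules."""
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        if rule.get("protocol", "*").lower() not in ("*", protocol.lower()):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(s in INTERNET_SOURCES for s in sources):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if not any(_port_matches(port, p) for p in ports):
            continue
        return rule.get("access") == "Allow"   # first matching rule wins
    return False  # assumed default rule DenyAllInBound (priority 65500)


def exposed_management_ports(rules: List[dict]) -> Dict[str, int]:
    """Management ports that the rule set leaves open to the whole Internet."""
    return {name: port for port, name in MANAGEMENT_PORTS.items()
            if internet_reachable(rules, port)}


def _rule(name, priority, access, source, ports, protocol="Tcp") -> dict:
    """Build a rule dict in the flattened shape `az network nsg show` prints (assumed)."""
    rule = {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol, "sourceAddressPrefix": source}
    if len(ports) == 1:
        rule["destinationPortRange"] = ports[0]
    else:
        rule["destinationPortRanges"] = list(ports)
    return rule


# Constructed example: the weak configuration the section above warns against.
WEAK_RULES = [
    _rule("allow-rdp", 100, "Allow", "*", ["3389"]),
    _rule("allow-mgmt", 110, "Allow", "Internet", ["22", "5985-5986"]),
    _rule("allow-https", 120, "Allow", "*", ["443"]),
]

# Constructed example: the same workload with management ports limited to a
# corporate prefix (203.0.113.0/24 is documentation address space).
HARDENED_RULES = [
    _rule("deny-mgmt-internet", 100, "Deny", "Internet", ["22", "3389", "5985-5986"]),
    _rule("allow-mgmt-corp", 110, "Allow", "203.0.113.0/24", ["22", "3389", "5985-5986"]),
    _rule("allow-https", 120, "Allow", "*", ["443"]),
]

if __name__ == "__main__":
    print("weak NSG exposes:", exposed_management_ports(WEAK_RULES))
    print("hardened NSG exposes:", exposed_management_ports(HARDENED_RULES))
```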

Additionally, remember to keep workload patches up to date. Unpatched Azure apps can be vulnerable to exploits. Automate software updates where possible and audit unpatched tools to minimize your exploit vulnerability.

7. Control the cloud perimeter with network security

Internal Azure cloud security works alongside general network security. Attackers can steal credentials from devices outside the cloud or launch attacks via internet-facing endpoints. This is why Azure’s best practices include measures to harden on-premises security. These measures can protect the whole network perimeter:

  • Track internet-facing cloud endpoints and minimize the contact between the wider web and company resources.

  • Use a Security Information and Event Management solution. SIEM tracks network traffic and identifies potential threats. Integrate it with Azure Defender to cover external and cloud-based vulnerabilities.

  • Apply network segmentation. Separate cloud endpoints from data centers and workstations with internet access.

  • Install a VPN or similar security tool to encrypt data and conceal user identities.

8. Audit user identities and access policies

Your Azure cloud security posture can weaken over time. What works now may degrade and create new vulnerabilities.

Azure security teams must audit every cloud security control and ensure continuing app and data protection. Audit app ownership regularly to ensure only active users have administrative privileges. Clean up Azure platforms by removing obsolete services, groups, and users.

Use the Azure Security Center to improve auditing procedures. The ASC includes machine learning analysis tools that provide feedback and suggest security posture improvements. Real-time monitoring and audit logs provide evidence to fine-tune your security setup.

How can NordLayer secure your access to Microsoft Azure?

Microsoft Azure cloud security requires a layered mix of internal cloud-based controls and solid external security. Users must protect data at the app level, followed by workgroups, platforms, and the entire company network.

The best practices listed above provide a roadmap to achieve security at the cloud level. Encrypt data and manage Active Directory identities. Leverage the Security Center to track user activity and run regular audits. And target virtual machines and apps with specific protection.

But that’s not enough. Add an extra security layer for rock-solid SaaS access control by safeguarding the network edge and protecting credentials outside the cloud.

NordLayer will help you achieve this. Encrypt in-transit data, apply SSO, and screen access with IP allowlisting. Limit access to trusted IP addresses and exclude everything else – an important step towards a Zero Trust security posture.

Prevent data leaks by blending NordLayer’s network security tools with Microsoft Azure’s internal controls. To find out more, get in touch with our team today.


These days, cybercrime is rampant. It’s no longer a matter of “if” you’re going to suffer an attack but “when” it will happen. All companies want to be ready for any crisis. And this is where a business continuity plan comes into play.

But what is a business continuity plan exactly? Why is it important? What should one include? Today, we’re exploring all these questions in-depth.

What is a business continuity plan?

A business continuity plan (BCP) is a document that sets guidelines for how an organization will continue its operations in the event of a disruption, whether it’s a fire, flood, other natural disaster or a cybersecurity incident. A BCP aims to help organizations resume operations without significant downtime.

Unfortunately, according to a 2020 Mercer survey, 51% of businesses across the globe don’t have a business continuity plan in place.

What’s the difference between business continuity and disaster recovery plans?

We often confuse the terms business continuity plan and disaster recovery plan. The two overlap and often work together, but the disaster recovery plan focuses on containing, examining, and restoring operations after a cyber incident. On the other hand, BCP is a broader concept that considers the whole organization. A business continuity plan helps organizations stay prepared for dealing with a potential crisis and usually encompasses a disaster recovery plan.

Importance of business continuity planning

The number of news headlines announcing data breaches has numbed us to the fact that cybercrime is very real and frequent and poses an existential risk to companies of all sizes and industries.

Consider that in 2021, approximately 37% of global organizations fell victim to a ransomware attack. Then consider that business interruption and restoration costs account for 50% of cyberattack-related losses. Finally, take into account that most cyberattacks are financially motivated and the global cost of cybercrime topped $6 trillion last year. The picture is quite clear — cybercrime is a lucrative venture for bad actors and potentially disastrous for those on the receiving end.

To thrive in these unpredictable times, organizations go beyond conventional security measures. Many companies develop a business continuity plan in parallel with securing their infrastructure and consider the plan a critical part of the security ecosystem. The purpose of a business continuity plan is to significantly reduce the downtime in an emergency and, in turn, reduce the potential reputational damage and — of course — revenue losses.

Business continuity plan template


Business Continuity Plan Example

[Company Name]

[Date]

I. Introduction

  • Purpose of the Plan

  • Scope of the Plan

  • Budget

  • Timeline

The initial stage of developing a business continuity plan starts with a statement of the plan’s purpose, which explains the main objective of the plan, such as ensuring the organization’s ability to continue its operations during and after a disruptive event.

The Scope of the Plan outlines the areas or functions that the plan will cover, including business processes, personnel, equipment, and technology.

The Budget specifies the estimated financial resources required to implement and maintain the BCP. It includes costs related to technology, personnel, equipment, training, and other necessary expenses.

The Timeline provides a detailed schedule for developing, implementing, testing, and updating the BCP.

II. Risk Assessment

  • Identification of Risks

  • Prioritization of Risks

  • Mitigation Strategies

The Risk Assessment section of a Business Continuity Plan (BCP) is an essential part of the plan that identifies potential risks that could disrupt an organization’s critical functions.

The Identification of Risks involves identifying potential threats to the organization, such as cybersecurity breaches, supply chain disruptions, power outages, and other potential risks. This step is critical to understanding the risks and their potential impact on the organization.

Once the risks have been identified, the Prioritization of Risks follows, which helps determine which risks require the most attention and resources.

The final step in the Risk Assessment section is developing Mitigation Strategies to minimize the impact of identified risks. Mitigation strategies may include preventative measures, such as system redundancies, data backups, cybersecurity measures, as well as response and recovery measures, such as emergency protocols and employee training.

III. Emergency Response

  • Emergency Response Team

  • Communication Plan

  • Emergency Procedures

This section of the plan focuses on immediate actions that should be taken to ensure the safety and well-being of employees and minimize the impact of the event on the organization’s operations.

The Emergency Response Team is responsible for managing the response to an emergency or disaster situation. This team should be composed of individuals who are trained in emergency response procedures and can act quickly and decisively during an emergency. The team should also include a designated leader who is responsible for coordinating the emergency response efforts.

The Communication Plan outlines how information will be disseminated during an emergency situation. It includes contact information for employees, stakeholders, and emergency response personnel, as well as protocols for communicating with these individuals.

The Emergency Procedures detail the steps that should be taken during an emergency or disaster situation. The emergency procedures should be developed based on the potential risks identified in the Risk Assessment section and should be tested regularly to ensure that they are effective.

IV. Business Impact Analysis

The Business Impact Analysis (BIA) section of a Business Continuity Plan (BCP) is a critical step in identifying the potential impact of a disruption to an organization’s critical operations.

The Business Impact Analysis is typically conducted by a team of individuals who understand the organization’s critical functions and can assess the potential impact of a disruption to those functions. The team may include representatives from various departments, including finance, operations, IT, and human resources.

V. Recovery and Restoration

  • Procedures for recovery and restoration of critical processes

  • Prioritization of recovery efforts

  • Establishment of recovery time objectives

The Recovery and Restoration section of a Business Continuity Plan (BCP) outlines the procedures for recovering and restoring critical processes and functions following a disruption.

The Procedures for recovery and restoration of critical processes describe the steps required to restore critical processes and functions following a disruption. This may include steps such as relocating to alternate facilities, restoring data and systems, and re-establishing key business relationships.

The Prioritization section of the plan identifies the order in which critical processes will be restored, based on their importance to the organization’s operations and overall mission.

Recovery time objectives (RTOs) define the maximum amount of time that critical processes and functions can be unavailable following a disruption. Establishing RTOs ensures that recovery efforts are focused on restoring critical functions within a specific timeframe.

VI. Plan Activation

  • Plan Activation Procedures

The Plan Activation section is critical in ensuring that an organization can quickly and effectively activate the plan and respond to a potential emergency.

The Plan Activation Procedures describe the steps required to activate the BCP in response to a disruption. The procedures should be clear and concise, with specific instructions for each step to ensure a prompt and effective response.

VII. Testing and Maintenance

  • Testing Procedures

  • Maintenance Procedures

  • Review and Update Procedures

This section of the plan is critical to ensure that an organization can effectively respond to disruptions and quickly resume its essential functions.

Testing procedures may include scenarios such as natural disasters, cyber-attacks, and other potential risks. The testing procedures should include clear objectives, testing scenarios, roles and responsibilities, and evaluation criteria to assess the effectiveness of the plan.

The Maintenance Procedures detail the steps necessary to keep the BCP up-to-date and relevant.

The Review and Update Procedures describe how the BCP will be reviewed and updated regularly to ensure its continued effectiveness. This may involve conducting a review of the plan on a regular basis or after significant changes to the organization’s operations or threats.

What should a business continuity plan checklist include?

Organizations looking to develop a BCP have more than a few things to think through and consider. Variables such as the size of the organization, its IT infrastructure, personnel, and resources all play a significant role in developing a continuity plan. Remember, each crisis is different, and each organization will have a view on handling it according to all the variables in play. However, all business continuity plans will include a few elements in one way or another.

  • Clearly defined areas of responsibility

    A BCP should define specific roles and responsibilities for cases of emergency. Detail who is responsible for what tasks and clarify what course of action a person in a specific position should take. Clearly defined roles and responsibilities in an emergency event allow you to act quickly and decisively and minimize potential damage.

  • Crisis communication plan

    In an emergency, communication is vital. It is the determining factor when it comes to crisis handling. For communication to be effective, it is critical to establish clear communication pipelines. Furthermore, alternative communication channels should not be overlooked and should be outlined in the business continuity plan.

  • Recovery teams

    A recovery team is a collective of different professionals who ensure that business operations are restored as soon as possible after the organization confronts a crisis.

  • Alternative site of operations

    Today, when we think of an incident in a business environment, we usually think of something related to cybersecurity. However, as discussed earlier, a BCP covers many possible disasters. In a natural disaster, determine potential alternate sites where the company could continue to operate.

  • Backup power and data backups

    Whether a cyber event or a real-life physical event, ensuring that you have access to power is crucial if you wish to continue operations. In a BCP, you can often come across lists of alternative power sources such as generators, where such tools are located, and who should oversee them. The same applies to data. Regularly scheduled data backups can significantly reduce potential losses incurred by a crisis event.

  • Recovery guidelines

    If a crisis is significant, a comprehensive business continuity plan usually includes detailed guidelines on how the recovery process will be carried out.

Business continuity planning steps

Here are some general guidelines that an organization looking to develop a BCP should consider:

Analysis

A business continuity plan should include an in-depth analysis of everything that could negatively affect the overall organizational infrastructure and operations. Assessing different levels of risk should also be a part of the analysis phase.

Design and development

Once you have a clear overview of potential risks your company could face, start developing a plan. Create a draft and reassess it to see if it takes into account even the smallest of details.

Implementation

Implement BCP within the organization by providing training sessions for the staff to get familiar with the plan. Getting everyone on the same page regarding crisis management is critical.

Testing

Rigorously test the plan. Play out a variety of scenarios in training sessions to learn the overall effectiveness of the continuity plan. By doing so, everyone on the team will be closely familiar with the business continuity plan’s guidelines.

Maintenance and updating

Because the threat landscape constantly changes and evolves, you should regularly reassess your BCP and take steps to update it. By making your continuity plan in tune with the times, you will be able to stay a step ahead of a crisis.

Level up your company’s security with NordPass Business

A comprehensive business continuity plan is vital for the entire organization’s security posture. However, in a perfect world, you wouldn’t have to use it. This is where NordPass Business can help.

Remember, weak, reused, or compromised passwords are often cited as one of the top contributing factors in data breaches. It’s not surprising, considering that an average user has around 100 passwords. Password fatigue is real and significantly affects how people treat their credentials. NordPass Business counters these issues.

With NordPass Business, your team will have a single secure place to store all work-related passwords, credit cards, and other sensitive information. Accessing all the data stored in NordPass is quick and easy, which allows your employees not to be distracted by the task of finding the correct passwords for the correct account.

In cyber incidents, NordPass Business ensures that company credentials remain secure at all times. Everything stored in the NordPass vault is secured with advanced encryption algorithms, which would take hundreds of years to brute force.

If you are interested in learning more about NordPass Business and how it can fortify corporate security, do not hesitate to book a demo with our representative.


About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Fake installers for popular apps targeting Southeast and East Asia with dangerous Trojan, ESET Research discovers

  • ESET researchers discovered a malware campaign that targets Chinese-speaking people in Southeast and East Asia.
  • The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results. ESET reported these ads to Google and they were promptly removed.
  • The websites and installers downloaded from them are mostly in Chinese and, in some cases, falsely offer Chinese-language versions of software that is not available in China.
  • We observed victims mostly in Southeast and East Asia, suggesting that the advertisements were targeting that region.
  • The malware delivered by this campaign is FatalRAT, a remote access Trojan that provides a set of functionalities to perform various malicious activities on a victim’s computer.

BRATISLAVA, MONTREAL — February 16, 2023 — ESET researchers discovered a malware campaign that targets Chinese-speaking people in Southeast and East Asia by buying misleading advertisements to appear in Google search results that lead to downloading Trojanized installers. The unknown attackers created fake websites that look identical to those of popular applications such as Firefox, WhatsApp, Signal, Skype, and Telegram, but in addition to providing the legitimate software, also deliver FatalRAT, a remote access Trojan that grants the attacker control of the victimized computer. The attacks affected users mostly in mainland China, Hong Kong, and Taiwan, but also in Southeast Asia and Japan.

FatalRAT provides a set of functionalities to perform various malicious activities on a victim’s computer. Among other capabilities, the malware can capture keystrokes, steal or delete data stored by some browsers, and download and execute files. ESET Research observed these attacks between August 2022 and January 2023, but according to our telemetry, previous versions of the installers have been used since at least May 2022.

The attackers registered various domain names that all pointed to the same IP address: a server hosting multiple websites that download Trojanized software. Most of these websites look identical to their legitimate counterparts but deliver malicious installers instead. The other websites, possibly translated by the attackers, offer Chinese-language versions of software that is not available in China, such as Telegram. While, in theory, there are many possible ways that potential victims can be directed to these fake websites, a Chinese-language news site reported that they were being shown an advertisement that led to one of these malicious websites when searching for the Firefox browser in Google. The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results; we reported these ads to Google and they were promptly removed.

“Although we couldn’t reproduce such search results, we believe that the ads were only served to users in the targeted region,” explains Matías Porolli, the ESET researcher who discovered the campaign. “Since many of the domain names that the attackers registered for their websites are very similar to the legitimate domains, it is also possible that the attackers rely on URL hijacking to attract potential victims to their websites,” he adds.

“It is possible that the attackers are solely interested in the theft of information like web credentials to sell them on underground forums, or to use them for another type of crimeware campaign, but for now, specific attribution of this campaign to a known or new threat actor is not possible,” elaborates Porolli. “Finally, it is important to check the URL that we are visiting before we download software. Even better, type it into your browser’s address bar after checking that it is the actual vendor site,” advises Porolli.

For more technical information about this malware campaign, check out the blogpost “These aren’t the apps you’re looking for: Fake installers targeting Southeast and East Asia” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Countries where ESET detected the attacks between August 2022 and January 2023

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

How Do You Choose the Best Cybersecurity Project For Your Company?

The IBM Cost of a Data Breach 2022 report brought a lot of information that shows the importance of choosing a good cybersecurity project for your organization.

According to this report, which drew on interviews with more than 3,600 people working in companies that had suffered a data breach, the conclusions are alarming.

First, 83% of the organizations surveyed suffered some kind of breach between March 2021 and March 2022. Also, 60% of these attacks increased prices for customers.

It was also found that 79% of critical infrastructure organizations have not implemented a zero-trust plan to prevent cyber threats, and that 19% of breaches occur because a business partner was compromised.

Faced with so many digital security gaps, it can be difficult to know where to start deploying a cybersecurity project. Therefore, we address this issue here. To facilitate your reading, we divided our text into topics. These are:

  • About Cybersecurity
  • Importance of Cybersecurity
  • Cybersecurity Project: What Is It, and What Is Its Importance?
  • What Are the Five Types of Cybersecurity?
  • People, Processes, and Technologies: Crucial Elements for the Success of Every Cybersecurity Project
  • Guidelines for Prioritizing Cybersecurity Projects within a Company
  • Key Cyber Threats Faced by Companies
  • About senhasegura
  • Conclusion

Enjoy the read!

About Cybersecurity

When we talk about cybersecurity, we refer to the set of technologies, procedures, and methods used to prevent attacks on devices, programs, data, and networks. Its aim is to stop hacker activity and ensure the privacy of a company’s data, which must be protected from insider and external threats as well as natural disasters.

However, accelerated by the Covid-19 pandemic, digital transformation has brought several vulnerabilities, such as those related to remote work. As a result, there was a significant increase in data leaks, phishing emails, and account invasions.

Importance of Cybersecurity

Currently, company processes are migrating to the online world as part of digital transformation, which can make it easier to lose information that is critical to the business.

Thus, organizations need to invest in cybersecurity in order to ensure their operations and prevent threats, such as malware, viruses, and phishing.

One should also be aware that attackers have been improving their techniques over time, so maintaining data security and avoiding a compromised business is increasingly challenging.

Another new factor is data protection laws, which hold organizations accountable for exposing sensitive information about their customers, employees, and business partners, with sanctions that can run into millions of dollars.

In practice, these laws impose several requirements that must be met in order to avoid accidental or intentional data loss.

In other words, investing in a good cybersecurity project is the recommended way to avoid inconvenience, financial losses, loss of credibility, and even the closure of a company.

Cybersecurity Project: What Is It, and What Is Its Importance?

Cybersecurity projects aim to promote digital security within a company. Their importance lies in preventing cyber threats such as hacker intrusions. They also ensure that errors, whether deliberate or not and whether made by employees or third parties, have less impact on the organization, reducing the chance of losses such as loss of data, loss of credibility, and multi-million sanctions imposed under data protection laws, which can even bring a business to an end. For small companies this is even more crucial: according to a Cisco study, 60% of organizations affected by a cyberattack shut down operations within 6 months of the incident.

What Are the Five Types of Cybersecurity?

There are five types of cybersecurity. These are:

  • Critical Infrastructure Security;
  • Application Security;
  • Network Security;
  • Cloud Security; and
  • Internet of Things (IoT) Security.

Check out each of them in detail below:

Critical Infrastructure Security

What Is It?
When talking about critical infrastructure security, we refer to the area that contemplates the security of systems, networks, and assets in industries that are essential to ensure the security of a country’s economy, health, and public services. These sectors include the chemical, communications, utilities, energy, and financial industries.

What Are the Challenges?
A major challenge for critical infrastructure is the gap between the security issues its systems present and the limited protection features available to them.

Application Security

What Is It?
Application security is essential because applications have increasingly become targets for hackers. It consists of the practices adopted to make them more secure, both during development and after deployment.

What Are the Challenges?
Ensuring application security requires keeping track of all the tools developed for these applications. It is also important to anticipate the company’s future needs, which may require software designed for a more complex infrastructure.

Network Security

What Is It?
Network security is a term that refers to hardware and software solutions, as well as procedures aimed at protecting the network and data against cyberattacks. In practice, this concept includes network analysis, application security, access control, and antivirus software, among other factors.

What Are the Challenges?
The main challenge of network security is to maintain protection in increasingly complex structures, with a large volume of cyber threats and several functionalities used in corporations, which also represent new problems.

Cloud Security

What Is It?
As companies suffer the impact of digital transformation, they become more dependent on cloud solutions and need to adopt measures that ensure digital security in this context.

This is because outsourced providers may be responsible for managing the infrastructure, but accountability for any exposed data still rests with the organization.

What Are the Challenges?
The challenges for companies adopting cloud solutions relate to meeting security criteria in a dynamic environment, which can lead to a lack of visibility into how data is accessed and used.

Internet of Things (IoT) Security

What Is It?
Internet of Things security is concerned with protecting devices that connect directly to the cloud, such as surveillance cameras. Its role is to protect devices that were designed without taking cybersecurity and data protection into account.

What Are the Challenges?
The greatest challenge in Internet of Things security relates to human activity. In practice, as these devices become more connected, users must be instructed to change default passwords and to apply updates, for example.

On the other hand, many users do not see these devices as attack targets and end up ignoring security best practices during their development and use.

People, Processes, and Technologies: Crucial Elements for the Success of Every Cybersecurity Project

An efficient cybersecurity project does not only involve the five types of digital security covered in the previous topic. It is also important to take other essential elements into account. They are: people, processes, and technology.

Here’s what you need to know about these aspects:

People

When it comes to cybersecurity projects, investing in cutting-edge technology is not enough. It is essential to train users to respect security protocols and ensure the protection of company data.

In practice, your employees increase security risks in a variety of ways. Among them, we can highlight:

Clicking on URLs and Opening Suspicious Emails

Employees need to be made aware of the risks involved in this practice and encouraged to delete emails from fake addresses in order to protect sensitive data.

Keeping the Same Password for a Long Period

To ensure the security of your company, employees’ passwords must be changed regularly. In addition, strong combinations should be used, and it is not recommended to reuse the same password in different services.

Because so many passwords are difficult to memorize, we also recommend the use of a password vault, so that only a single master password needs to be remembered.

Personal Browsing

Many people use the devices of their companies for personal purposes, such as accessing social media, shopping, or paying bills. The big problem is that this behavior facilitates the work of malicious agents who want to collect information. Therefore, ask your employees to use their own devices, not corporate ones, for personal browsing.

Lack of Backups

Many people still fail to perform backups when finishing their tasks. Yet backing up system files is of paramount importance, so employees should understand that they can rely on the IT team for these tasks.

Unattended Devices

Leaving devices unattended on desks without locking them is a fairly common practice that can also harm a company’s security. For this reason, it is essential to make employees aware of the importance of preserving the data held on these devices and keeping control of them.

Processes

Information security professionals use numerous processes to protect sensitive data. In practice, they need to identify and combat cyber threats, protect information, and respond to incidents. Besides being implemented, these processes must be documented to save time and money and to preserve customer confidence in the event of a cyberattack.

To counter cybersecurity-related risks, we recommend using the Cybersecurity Framework, developed by the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce, after former U.S. President Barack Obama signed an executive order in 2014.

Technology

After the deployment of security processes, it is indispensable to assess the tools available to avoid cyber threats.

For this, you must consider two types of technology: those that will help you prevent and combat attacks, such as antivirus, DNS filtering, and malware protection; and those that need protection, including computers, routers, and the cloud.

Previously, we could rely on security perimeters. Now, migration to cloud environments, remote work, and policies like Bring Your Own Device (BYOD) have made attackers’ work easier.

Guidelines for Prioritizing Cybersecurity Projects within a Company

A cybersecurity project is essential to not overwhelm IT staff with unnecessary work and to ensure the company’s ability to deal with a cyberattack.

However, to create and run your cybersecurity project, you must take the following actions:

Understanding Your Company’s Goals

Each organization has its strategic goals, which should guide the creation of the cybersecurity project. Therefore, it is important to evaluate the company’s vision and its business and cybersecurity strategies.

This information will provide a basis for the development of the project and will be a guide to gradually know if it is, in fact, efficient.

To understand the strategic goals of the company, read documents related to the subject and talk to top management to know their priorities.

Discovering the Reason Behind the Project

Cybersecurity projects can be motivated by several reasons, although they all share the goal of preventing and combating cyber incidents.

In practice, the project can be an awareness and training campaign on cybersecurity, the implementation or updating of a security system, compliance with new laws and regulations, etc.

Understanding the project’s motivation will certainly help establish priorities, which directly affect the company’s operations.

Determining the Value of the Project

Here, when we talk about value, we are referring to the importance of a cybersecurity project for an organization. That is, it is convenient to analyze how it will impact stakeholders and what its real importance is to the business. A project that adds great value must necessarily be prioritized.

Analyzing the Urgency

It is important to assess the urgency of the cybersecurity project to determine whether it should be prioritized or can wait. But remember that priorities can and should be modified as changes occur.

Detailing the Aspects that Affect the Project’s Success

A successful cybersecurity project depends on a number of factors, including budgets, deadlines, and return on investment (ROI), among other things.

On the other hand, it is often impossible to execute a project due to unfavorable circumstances. Therefore, it is advisable to know what can affect the project’s success in advance.

Ranking the Cybersecurity Project According to the Priority

With the information on goals, objectives, and possibilities of success in hand, it is time to establish an order of priorities through an overall classification, which can be score-based.

Defining How Many Projects Can Be Executed at a Time

The organization will probably not be able to take on all priority projects at once. The solution is therefore to work on them in phases, creating a queue of plans to execute.

Another recommendation is to run the fastest ones first and then the ones that require more time and effort.

Sharing Findings with Top Management

Before starting the cybersecurity project, it is essential to meet with leaders and share the information gathered. This is because the findings can serve as insights to change the order of priorities of the projects, requiring top management to be on board.

Working Flexibly

Working with cybersecurity projects requires flexibility, since priorities can change with the context. This happened in most companies after the start of Covid-19, which accelerated the mass adoption of remote work and brought new demands to security teams.

Key Cyber Threats Faced by Companies

The following are the main cyber threats that should be considered by a cybersecurity project:

  • Ransomware;
  • Phishing;
  • Attacks on Mobile Devices;
  • Attacks Using QR Codes;
  • Denial-of-Service (DDoS) Attacks; and
  • LotL and AVT Attacks.

See the detailed explanation of each of them below:

Ransomware

This type of cybercrime works like this: the attacker locks a network or system and demands large sums in exchange for releasing the information, which may not be returned at all but sold to other criminals instead. Because many companies lack efficient cybersecurity mechanisms, this tactic is very common.

Phishing

Another common crime in the virtual environment is phishing, which consists of sending counterfeit emails while pretending to be a legitimate organization. In this way, malicious agents convince their victims to share personal information or take actions that benefit the attacker.

There are also very sophisticated types of phishing attacks, such as highly realistic audio recordings produced with artificial intelligence.

Attacks on Mobile Devices

With many people working remotely, the use of personal devices for corporate purposes and of corporate devices for personal purposes tends to occur more often. This increases security vulnerabilities, especially in the face of malware attacks on devices.

Attacks Using QR Codes

Currently, cybercriminals use QR codes to deploy malware applications, infecting their victims’ phones and stealing their bank details. For this reason, it is advisable to verify that a code was actually provided by the company before scanning it.

Denial-of-Service (DDoS) Attacks

This type of attack occurs when the hacker overloads a machine with traffic, disrupting its normal operation and making a service unavailable to users. In practice, the attack is performed through a single computer.

LotL and AVT Attacks

Less well known, Living off the Land (LotL) attacks do not need to create malicious files to access a company’s systems, because they use gateways that already exist. Advanced Volatile Threat (AVT) attacks aim to access an organization’s data as quickly as possible.

About senhasegura

We, from senhasegura, are part of MT4 Tecnologia, a group of companies specializing in digital security, founded in 2001 and operating in more than 50 countries.

Our main objective is to ensure digital sovereignty and security for our clients, granting control over privileged actions and data and avoiding theft and leaks of information.

For this, we follow the lifecycle of privileged access management through machine automation, before, during, and after accesses.

These are also our commitments:

  • Avoid interruptions in the activities of companies, which may impair their performance;
  • Automatically audit the use of privileges;
  • Automatically audit privileged changes to identify privilege abuses;
  • Provide advanced PAM solutions;
  • Reduce cyber risks;
  • Bring organizations into compliance with audit criteria and standards such as HIPAA, PCI DSS, ISO 27001, and Sarbanes-Oxley.

Conclusion

In this article, you saw that:

  • Cybersecurity is a set of technologies, procedures, and methods used to prevent cyberattacks;
  • Digital transformation has brought new vulnerabilities to IT structures;
  • Companies should invest in cybersecurity to prevent threats, such as malware, viruses, and phishing;
  • Data protection laws hold organizations accountable for the exposure of sensitive information of their customers, employees, and business partners;
  • Cybersecurity projects are aimed at promoting digital security within any company;
  • There are five types of cybersecurity: critical infrastructure security, application security, network security, cloud security, and Internet of Things (IoT) security;
  • People, processes, and technology stand out among the crucial elements for the success of a cybersecurity project;
  • To define the priorities of cybersecurity projects within a company, one needs to understand the organization’s objectives, find out the reason for each project, determine its value, assess its urgency, detail aspects that interfere with its success, rank projects in order of priority, define how many projects it is possible to execute at a time, share the findings with top management, and work flexibly;
  • The main threats faced by companies are ransomware, phishing, mobile device attacks, attacks using QR Codes, denial-of-service (DDoS) attacks, and LotL and AVT attacks.

About Segura®
Segura® strives to ensure the sovereignty of companies over privileged actions and information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

Finding OpenSSH servers

The OpenSSH team surfaced a security issue earlier this month that specifically affects OpenSSH server version 9.1p1 (a.k.a. version 9.1). This version contains a memory double-free vulnerability (tracked as CVE-2023-25136) that can be reached pre-authentication by a remote attacker. Researchers, including JFrog and Qualys, have been investigating and providing proof-of-concepts of a denial-of-service scenario and remote code execution for the attacker.

What is the impact?

OpenSSH is a popular open source implementation of the SSH protocol and is available on many operating systems. While the installation base for OpenSSH is quite large (Shodan currently reports ~48k public-facing instances of OpenSSH servers running version 9.1), the potential impacts of this vulnerability are not yet fully understood and are still being investigated.

The denial-of-service attack vector may be successful against a number of operating systems running OpenSSH 9.1. However, it yields limited results because it only crashes the forked daemon instance that was spun up to handle the attacker’s SSH connection (leaving the parent ssh daemon still running to handle other incoming connections).

Exploitation of this vulnerability for remote code execution (RCE) is more complex; the current proof-of-concept only targets OpenBSD 7.2 without memory protections in place (such as ASLR, NX, or ROP defenses), and code execution remains contained within the ssh daemon’s sandbox. As researchers continue investigating RCE exploitation, other operating systems whose malloc and double-free protections can be bypassed by an attacker may be discovered, so the ability to fully execute attacker-controlled code outside the ssh daemon sandbox, even with memory protections in place, may yet be achieved.

Are updates available?

OpenSSH version 9.2p1 (a.k.a. version 9.2) was released earlier this month and patches this vulnerability (CVE-2023-25136). For systems currently running OpenSSH 9.1, admins are encouraged to update to OpenSSH 9.2 or later.

How do I find vulnerable OpenSSH services with runZero?

To locate OpenSSH servers running the vulnerable 9.1/9.1p1 version in your network, use the following prebuilt query in your Service Inventory:

_asset.protocol:ssh AND protocol:ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")

To locate all OpenSSH servers in your network, use the following prebuilt query in your Asset Inventory:

product:"OpenSSH"

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.
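To complement the inventory queries above, here is an added example (not runZero’s code and not part of the original post) that parses SSH identification banners and flags the single version the advisory covers, OpenSSH 9.1 / 9.1p1, so hosts can be queued for the 9.2 update. The hostnames and banners in the sample inventory are constructed; `grab_banner` is only needed for live hosts and reads the identification line without attempting key exchange or authentication.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Only OpenSSH 9.1 (portable build 9.1p1) is affected by CVE-2023-25136; 9.2 fixes it.
AFFECTED_VERSIONS = {(9, 1)}

# SSH identification line, e.g. "SSH-2.0-OpenSSH_9.1p1 Debian-2" (RFC 4253 section 4.2):
# "SSH-" protoversion "-" softwareversion [SP comments]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:p(?P<portable>\d+))?(?:\s+(?P<comment>.*))?$"
)


def parse_openssh_banner(banner: str) -> Optional[Dict[str, object]]:
    """Split an OpenSSH identification line into its parts; None for non-OpenSSH servers."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "version": (int(m.group("major")), int(m.group("minor"))),
        "portable": int(m.group("portable")) if m.group("portable") else None,
        "comment": m.group("comment") or "",
    }


def assess_banner(banner: str) -> str:
    """Classify a banner as 'affected', 'not-affected' or 'unknown' (not OpenSSH / unparseable).

    Caveat: a distribution build that backports the fix while keeping the 9.1 banner is
    still reported as 'affected'; treat the result as a lead to confirm against package data.
    """
    parsed = parse_openssh_banner(banner)
    if parsed is None:
        return "unknown"
    return "affected" if parsed["version"] in AFFECTED_VERSIONS else "not-affected"


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server identification line only; no key exchange or authentication happens."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        reader = sock.makefile("rb")
        # A server MAY send a few informational lines before the SSH- line (RFC 4253 4.2).
        for _ in range(20):
            line = reader.readline(255).decode("ascii", errors="replace").strip()
            if not line or line.startswith("SSH-"):
                return line
    return ""


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (host, banner) pairs by assessment so affected hosts can be scheduled for patching."""
    groups: Dict[str, List[str]] = {"affected": [], "not-affected": [], "unknown": []}
    for host, banner in inventory:
        groups[assess_banner(banner)].append(host)
    return groups


# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = [
    ("bastion.example.test", "SSH-2.0-OpenSSH_9.1p1 Debian-2"),
    ("build.example.test", "SSH-2.0-OpenSSH_9.1"),
    ("jump.example.test", "SSH-2.0-OpenSSH_9.2p1"),
    ("legacy.example.test", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1"),
    ("switch.example.test", "SSH-2.0-dropbear_2022.83"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Running it lists the two constructed 9.1 hosts under "affected", the 9.2 and 8.9 hosts under "not-affected", and the dropbear device under "unknown".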

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
