I.T., Blog Deidre Frith

Hurricane Technology Checklist

As Hurricane Helene travels toward the Florida Coast, and into Alabama and Georgia, now is the time to take action and be prepared to protect your computers, printers, files and data.

Image courtesy of Florida Division of Emergency Management


1. ENSURE YOU HAVE A BACKUP

  • Back up your files! It's good practice to back up your data files frequently. We recommend a hybrid-cloud, image-based backup that can restore both data and applications even if your server is destroyed, and that can restore data from different points in time.

  • Print a copy of your important/emergency contacts and take them with you. If you lose access to your phone or computer, you'll still have them available to use via a landline.

  • RealTime clients on our Business Continuity Service: your servers are backed up and replicated offsite daily. If there is a problem, we correct it as part of the service. As the hurricane approaches, RealTime will confirm that your local servers are backed up and replicated to offsite data centers.

2. SECURE YOUR EQUIPMENT

  • COMPUTERS

    • Shut down the operating system.

    • If connected to a surge protector or UPS, unplug it from the wall outlet (or unplug the power cables from the surge protector or UPS if the wall outlet isn't accessible).

    • Unplug the Ethernet cable from the back of the computer or docking station.

  • PRINTERS

    • Power off the printer.

    • If connected to a surge protector - unplug as described above.

    • Unplug the Ethernet cable from the back of the printer.

    • Unplug the phone cable from the back of the printer (if a fax line is connected).

  • SERVERS AND NETWORK EQUIPMENT

    • Perform a normal shutdown of the servers. RealTime clients: please coordinate with the RealTime service desk.

    • Unplug all connections. Take photos first to document how everything was connected prior to the event.

    • Firewalls, Switches, Access Points - unplug them from power. Unplug the firewall from the internet connection as well. Ideally, unplug all the network connections (surges can travel through the network cabling).

    • Battery backups - power these off and then unplug them.

    • Phone systems - Check with your vendor to see what steps you can take to protect it.

3. COVER POWERED OFF EQUIPMENT WITH PLASTIC

When a major storm is predicted, elevate your CPUs, printers, servers, and other network devices, as well as other electrical appliances like space heaters, off the floor. For high winds, move computers away from windows. If there is a possibility of water leakage, cover computer equipment with plastic.

4. CONTINUING OPERATIONS AFTER THE STORM

  • If you are in the path, power and internet connectivity may be hard to come by for a few days. Generators can provide enough power to run your critical computer equipment – just be sure you are connecting to something that can deal with the power fluctuations many generators have. Please ask RealTime before connecting equipment to a generator, as generators can damage sensitive equipment. Modern battery backups may be able to condition the power coming off a generator – check with the manufacturer to confirm before trying this.

  • 4G/5G USB modems or MiFi hotspots can get you connected in an emergency. Not everything you normally do will work, but basic web browsing should.

  • Forward your phones – If the office is expected to be out for a few days, most phone service providers have a way to forward your business calls to a cell phone or alternate number. Get the steps now, before you need them.

5. BE PREPARED

Knowing what steps to take ahead of time will help you be prepared in the worst-case scenario. RealTime is committed to ensuring our clients are prepared with the proper technology to meet their current/future needs as well as advising them about safeguarding their business from weather-related, cyber and other disasters. 

If you would like further information about RealTime managing Information Technology for your business, contact us at info@realtime-it.com.

Deidre Frith

FOUR MINUTES OR LESS…

Four minutes is all the time it took for a bad actor to infiltrate an email account through a phishing attempt. Read how we were able to catch the bad actor and steps you can take to protect yourself.


WHAT HAPPENED?

We just had a case where our monitoring system alerted us to suspicious activity in someone’s Microsoft 365 mailbox. We disabled access and reset sessions and credentials, but a quick look through the audit trail showed that the bad actor had used stolen credentials obtained through a malicious shortcut in a phishing email. Within 4 minutes of obtaining the credentials, the bad guy created an inbox rule to redirect specific messages to an alternate inbox folder, in hopes of hiding future activity from the mailbox owner.

DID THIS EMAIL ACCOUNT USE MULTI-FACTOR AUTHENTICATION?

Yes! The attack was what is known as an AiTM (attacker-in-the-middle) attack, also called MITM (man-in-the-middle). In an MITM attack, a threat actor puts themselves between two parties, typically a user and an application, to intercept their communications and data exchanges. For example, if you look at the diagram below you will see that the phishing attempt led the user to a realistic-looking website that was a fake. The attackers make the webpage look identical to a legitimate website, like your bank, get you to input your credentials, and harvest your data that way.

Below is a simplified diagram of what happened:

FINAL THOUGHT

Thankfully we were able to shut this attack down within minutes of it starting, well before anything bad could happen. However, the reality is that most small businesses using MS Office 365 do not have the capability to detect and respond to this sort of suspicious activity. To protect yourself and your business, be proactive in verifying the validity of the emails in your inbox to be sure they are not phishing attempts, and make sure all methods of protection, such as MFA, are enabled. When in doubt, don’t click the links in the email; type the known URL into a separate window and check it out for yourself. It may take a few extra steps, but in the long run it can save you from a potential financial disaster.
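The inbox-rule trick described above is exactly the kind of event a mailbox audit trail records, and the "four minutes" detail suggests one way to triage it: flag new inbox rules that hide or divert mail, and note how soon after a sign-in by the same account they were created. The script below is an added example, not RealTime's monitoring system; the audit records are constructed, and the field names (Operation, Parameters as Name/Value pairs) are assumed to follow the Microsoft 365 Exchange admin audit format.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft 365 Unified Audit Log entries (Exchange
# admin audit: an Operation plus a Parameters list of Name/Value pairs). Every time, account,
# IP address and rule setting below is invented for this example.
SAMPLE_LOG = [
    {"CreationTime": "2024-09-23T14:02:00", "Operation": "UserLoggedIn",
     "UserId": "user@example.com", "ClientIP": "203.0.113.45"},
    {"CreationTime": "2024-09-23T14:06:02", "Operation": "New-InboxRule",
     "UserId": "user@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;password"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-09-23T16:30:00", "Operation": "New-InboxRule",
     "UserId": "other@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
# Rule actions that move, delete, hide or forward mail away from the owner's view.
HIDING_ACTIONS = ("MoveToFolder", "DeleteMessage", "MarkAsRead",
                  "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
LOGIN_WINDOW = timedelta(minutes=10)  # a rule created this soon after a sign-in gets a note

def find_suspicious_rules(records, window=LOGIN_WINDOW):
    """One alert per inbox rule that hides or diverts mail; minutes_since_login is None
    when no sign-in by that account precedes the rule in the log."""
    last_login, alerts = {}, []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        when = datetime.fromisoformat(rec["CreationTime"])
        if rec["Operation"] == "UserLoggedIn":
            last_login[rec["UserId"]] = when
            continue
        if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = [a for a in HIDING_ACTIONS if a in params]
        if len(params.get("Name", "")) <= 2:  # tiny or punctuation-only names are easy to miss
            reasons.append("unusual rule name")
        if not reasons:
            continue
        login = last_login.get(rec["UserId"])
        minutes = int((when - login).total_seconds() // 60) if login else None
        if login and when - login <= window:
            reasons.append(f"created {minutes} min after sign-in from {rec['ClientIP']}")
        alerts.append({"user": rec["UserId"], "rule": params.get("Name"),
                       "reasons": reasons, "minutes_since_login": minutes})
    return alerts
```

Run against the sample, the first rule is flagged for moving and marking mail read, for its one-character name, and for appearing 4 minutes after a sign-in; the newsletter rule is listed only because it moves mail, with no recent sign-in to correlate.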

Deidre Frith

HEALTHCARE PROVIDER hacked after employee downloaded a malicious file


If you needed a good object lesson to continue promoting regular security awareness training within your organization, here it is:

Ascension hacked after employee downloaded a malicious file.

The employee thought it was something legitimate, downloaded it, and opened it. This gave the attackers access to a portion of Ascension’s network and subsequently to a few of their servers, prompting Ascension to enact its incident response plans and take some systems offline on May 8th, 2024 to contain the "cyber security event" – their words.

QUICK DETECTION IS KEY

To their credit, Ascension appears to have identified the issue quickly, which points to an effective managed security service capable of detecting unusual behavior. That capability is a crucial part of a comprehensive approach to mitigating cybersecurity threats. Initial findings suggest that the intruders accessed files from a limited set of file servers. An Ascension representative stated that the ongoing investigation indicates some of the compromised files likely include Protected Health Information (PHI) and Personally Identifiable Information (PII) belonging to specific individuals, with the types of data exposed varying from person to person.

This incident shows how different cybersecurity layers work together to limit the impact of an attack. Ascension evidently trains its employees in security awareness, a fundamental practice for minimizing cyber threats. Despite such training, human error remains possible, so additional proactive measures are needed to strengthen the organization's defenses.

Other notable points:

  • They had systems in place to detect and investigate unusual activity. Attackers now commonly use built-in system tools to stay unnoticed for a while, but many current EDR and MDR systems can spot anomalous user behavior to some extent.

  • Logging showed whether information was viewed and taken from their systems. That visibility helps you understand the scope of an incident, and it's something many small businesses lack.

  • They had an incident response plan telling them what to do. It's better to have a simple plan than to figure it out on the spot. It helps to know what to do, who to call, and what to avoid.

  • They did a fairly good job with the message they conveyed to customers. On the internal front, though, there appears to have been some confusion and disarray.

Their systems were mostly down for about two weeks, probably because of the investigation and the need to make sure the hackers were gone. A good Business Continuity Plan includes instructions for backup methods to use when computer systems are down, so you can keep running your business with some limitations, depending on what you need.

Ascension statement: https://about.ascension.org/en/cybersecurity-event

Deidre Frith

DELL Data Breach, May 2024


Dell began warning customers via email on May 8th of a data breach that may have exposed the purchase related information of approximately 49 million customers.

The breached data includes customer names, physical addresses, and order related information such as service tags, order dates, item descriptions and warranty information. However, Dell has stated that no email addresses or phone numbers or any financial information was involved in this breach.

OWN A DELL? What this means for you…

If you have purchased a Dell, you can expect to see a lot of phishing and social engineering attempts revolving around this information. Even though this particular data theft didn’t include your email address and phone number, it’s very simple for bad actors to associate those pieces of information (from prior breaches) with what was stolen from Dell this time. Keep in mind that with 49 million possible targets, the bad actors will just blast out phishing emails and hope the recipients were impacted by this breach, which is not an unrealistic expectation.

Be on the lookout for scams!

The scams could be similar to any of the following scenarios:

  • Dell warranty renewal emails and/or calls. We get these all the time legitimately. What we don’t know is how many more we will receive that are scams.
    BEST ADVICE: Know what legitimate emails/calls look like AND, if it’s over the phone, call Dell back on a previously known phone number. Do not ask the caller for the number, as they could provide a fake one.

  • Urgent notices! These could be about security vulnerabilities and requests to call some number or click a link to fix the issue. Still a scam, don’t click the link!

  • Ironically, notices of this very data breach. These will include a link for "more information" that leads to problems. Still a scam, don’t click the link!

  • Class action lawsuit notices. This may include calls to action like call or email the “attorney”. Once again, don’t do either of those items. It’s probably a scam.

DOUBLE-CHECK WITH REALTIME

If you’re a RealTime customer, you can always give us a call if you have any questionable emails, texts, or even phone calls related to this matter. Additionally, if you’re a RealTime customer, you probably bought your Dell equipment through us, and we manage it on your behalf. We should already be handling anything related to this, which is another reason it should raise a red flag if Dell contacts you directly.

THE BEST PROTECTION

The best protection from these sorts of scams is to confirm legitimacy through previously known contact methods. Call a number you have for Dell instead of giving any credibility to someone over the phone, don’t click on links in emails, or lastly, call RealTime if you’re a client.


https://www.securityweek.com/dell-says-customer-names-addresses-stolen-in-database-breach/

Todd Swartzman

SHOULD YOU PAY IF YOU’RE HIT WITH RANSOMWARE?

Paying a ransomware ransom is not a Get Out of Jail Free card as Change Healthcare is slowly learning! The Ransomware that has impacted the customers of the United Health Care subsidiary, Change Healthcare, has lasting impacts beyond just not being able to confirm insurance coverage or delayed filing/reimbursements, which are already pushing many medical practices to their financial limits.

Image courtesy of my old Monopoly Board game.

CHANGE HEALTHCARE LEARNS THE HARD WAY


Stories like this one abound: an Ohio urgent care may not be able to pay rent, and its doctors are slashing expenses to try to stay afloat. Read more about this story in the NY Times: https://www.nytimes.com/2024/03/05/health/cyberattack-healthcare-cash.html

CRIMINALS LIE?? NO WAY!

Let’s just talk about how much the criminals are actually making off these ransoms. It looks like the criminals who got paid the $22 million in Bitcoin took the money and ran! They closed up shop and even stiffed their partners in crime, who have come out and stated that they didn’t get paid! The worst part is that the criminals still have all the data from this event!

The story above reinforces that paying the ransom doesn’t guarantee the criminals will delete their copies of the data they stole from you, despite their promises. LockBit, a ransomware gang that was taken down by law enforcement agencies last month, admitted to lying to its victims in its extortion notes. They were essentially guaranteeing they would release the data, but never did. Obviously we are learning that criminals lie on all fronts, shocker!

“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.” – Extortion notes by LockBit to victims.

Britain’s National Crime Agency also reinforced that you shouldn’t trust ransomware gangs to do what they say in their extortion notes. The NCA has a lot of evidence that paying a ransom does not guarantee the data will be deleted, despite what the criminals have promised. The NCA led the takedown of the LockBit ransomware gang and has since discovered data still in LockBit’s systems from victims who had already paid the threat actors.

REPORT THE CRIMES TO THE FBI TO SAVE US ALL!

LockBit’s demise (for now) also showed that the vast majority of cybercrime goes unreported. Most of the identified victims did not report these crimes to the relevant federal agencies. The Federal Bureau of Investigation’s (FBI) website has a place where victims can report crimes. Reporting helps the FBI better understand what the criminals are up to and correlate the data to learn how they operate. That way the FBI can keep all of us updated on how to spot these crimes and how to respond. If you have had an incident related to cybercrime, please report it! FBI website: IC3.gov
