Businesses – INDIA NEWS (https://www.indiavpn.org), News Blog, Sat, 17 Feb 2024 09:38:55 +0000

How Businesses Can Safeguard Their Communication Channels Against Hackers
https://www.indiavpn.org/2024/02/17/how-businesses-can-safeguard-their-communication-channels-against-hackers/
Sat, 17 Feb 2024 09:38:55 +0000

Efficient communication is a cornerstone of business success. Internally, making sure your team communicates seamlessly helps you avoid friction losses, misunderstandings, delays, and overlaps. Externally, frustration-free customer communication is directly correlated to a positive customer experience and higher satisfaction.

However, business communication channels are also a major target for cybercriminals. In recent years, especially since the pandemic, the number of cyberattacks has skyrocketed. Statistics show that last year alone, the number of hacks shot up by 38%. Worse, it still takes a business 277 days on average to identify a breach, causing a loss of $4.35 on average.

So, how can businesses safeguard their communication channels against hackers, while still providing the best possible experience for customers and maintaining team productivity? Here’s everything you need to know – and which mistakes you need to avoid.

Use Secure Platforms

To begin with, there is your choice of communication channels. In order to meet customers’ communication demands, you’ll need to offer a variety of channels, from texting, email and live chat to voice and video calls. On top of that come the channels for internal business communication, with messaging and team collaboration tools foremost among them.

In the choice of all these channels, you need to prioritize security. When comparing communication platforms, whether UCaaS providers or contact center software, it’s crucial to take their security standards into account.

Have they been breached before? What server infrastructure and encryption do they rely on? What cybersecurity protocols do they implement? Do they comply with international data security regulations? Do they offer additional security measures such as two-factor authentication?

All these are questions you should find the answers to before settling for any communication platform for your business.

Audit Your Passwords and Permissions

Next up, your business needs to audit its passwords and review which team members have which permissions.

Incredible as it may sound, statistics show that a vast majority of data breaches (fully 80%!) are due to compromised login credentials. They also reveal that 75% of people do not adhere to password best practices, despite knowing better.

In fact, “123456”, “password”, and “admin” still remain on the list of the most frequently used passwords in 2024.

Increasing password complexity dramatically reduces the risk of successful cyber breaches. That’s why a thorough password review and the implementation of strict password standards should be high up on your list of priorities to safeguard your business communications.

As for the review of permissions, the more people have access to a system, the more likely it is that someone will make a mistake that could result in a breach. Make sure that only those people who really need it have access to sensitive information.

Invest in Cybersecurity Protection

Another strategy to protect your business communications against hackers is to invest in cybersecurity tools.

With the skyrocketing rates of cybercrime and the adoption of technologies such as AI by hackers, cybersecurity companies have ratcheted up their efforts to provide tools to fend them off.

Review what cybersecurity tools your company uses. A solid antivirus system, a Virtual Private Network (VPN) solution and a (team) password manager or vault combined with a strong password policy should be the absolute minimum.

Going further, you can invest in financial fraud monitoring, identity theft monitoring for your team members, as well as spam call protection.

Cybersecurity monitoring tools, especially, are underutilized by businesses – a major reason for the often months-long delay in detecting a breach. In the event of a hack, it is crucial that you detect it as soon as possible in order to be able to limit the damage and loss of customer trust.

Brush Up Your Team’s Cybersecurity Skills

The vast majority of successful cyber breaches are due to human error and not just the choice of weak passwords.

Phishing attacks in particular have become more sophisticated in recent years. Long gone are the days in which a Nigerian prince stuck at an airport reached out for a loan.

Instead, you get an email from your supervisor towards the end of the business day because he needs your login credentials for a high-level operation.

Or you get a message on Slack from a colleague two departments over with a link to sign the virtual birthday card for Sarah from accounting.

If hackers really go above and beyond, you might even get a call from your company’s CEO asking for your help with a technical issue.

In all these cases, many wouldn’t think twice about handing over information or clicking the link they’re sent, without thinking about spear or voice phishing. And today, that’s all it takes to throw the door wide open for cybercriminals to make their way quietly into your communication systems.

To prevent any of these scenarios from happening, you need to brush up your team’s cybersecurity skills – and their capacities to detect and flag fraud. Having regular cybersecurity training is crucial, as is doing spot checks to make sure everyone adheres to best practices.

Develop SOPs and a Cybersecurity Routine

Finally, to protect your business’s communication channels from hackers, it’s essential to develop standard operating procedures (SOPs) and a fixed cybersecurity routine.

Your SOPs should cover not only how to protect your systems, but also what to do in the event of a breach, or the suspicion of one. All your team members should be able to spot suspicious activity and know exactly who to reach out to in the event that they do.

Who do they need to alert if they get a spear phishing message to their work phone?

What’s the procedure if databases are behaving oddly?

Which systems need to be shut down first to contain a potential breach?

All these are questions that need to be clarified and communicated to your team.

Similarly, uncomfortable as it is, you also need to develop backup plans for the worst-case scenario of a successful breach. What’s your strategy to recover your website if it has been taken hostage? And how do you alert customers to a potential threat?

Finally, you need to incorporate cybersecurity into your routines on a daily, weekly, quarterly, and annual basis. Cybercriminals constantly evolve their tactics, and you need to keep up to speed to protect your communications.

This means staying up to date on cybersecurity news, new threats, and scams. It also involves regular changes to your passwords, system reviews, and updates to your SOPs.

Conclusion

Protecting your business communications against hackers is a complex task. It starts with your choice of platforms and cybersecurity tools, but requires constant vigilance. It’s crucial to regularly audit your passwords and permissions, educate yourself and your team, and develop cybersecurity SOPs and routines.

While all of this takes a considerable amount of time, effort, and resources, it is well worth it. The alternative is to leave yourself wide open and vulnerable to attacks that can have serious financial consequences and result in a total loss of customer trust. In that scenario, the question is when – rather than if – you get breached.

Only with the best tools and team members sticking to cybersecurity best practices, and being capable of spotting phishing attacks, will you be able to defend your communication channels.

Note: This expert piece is contributed by Hasan Saleem, a successful serial entrepreneur, investor, and founder of multiple technology and e-commerce startups. He now manages a marketing agency that helps small businesses and startups establish a robust online presence.

Bumblebee Malware Returns with New Tricks, Targeting U.S. Businesses
https://www.indiavpn.org/2024/02/14/bumblebee-malware-returns-with-new-tricks-targeting-u-s-businesses/
Wed, 14 Feb 2024 19:02:24 +0000

Feb 14, 2024 | Newsroom | Malware / Cybercrime

The infamous malware loader and initial access broker known as Bumblebee has resurfaced after a four-month absence as part of a new phishing campaign observed in February 2024.

Enterprise security firm Proofpoint said the activity targets organizations in the U.S. with voicemail-themed lures containing links to OneDrive URLs.

“The URLs led to a Word file with names such as “ReleaseEvans#96.docm” (the digits before the file extension varied),” the company said in a Tuesday report. “The Word document spoofed the consumer electronics company Humane.”

Opening the document leverages VBA macros to launch a PowerShell command to download and execute another PowerShell script from a remote server that, in turn, retrieves and runs the Bumblebee loader.


Bumblebee, first spotted in March 2022, is mainly designed to download and execute follow-on payloads such as ransomware. It has been put to use by multiple crimeware threat actors that were previously observed delivering BazaLoader (aka BazarLoader) and IcedID.

It’s also suspected to have been developed by threat actors associated with the Conti and TrickBot cybercrime syndicate as a replacement for BazarLoader. In September 2023, Intel 471 disclosed a Bumblebee distribution campaign that employed Web Distributed Authoring and Versioning (WebDAV) servers to disseminate the loader.

The attack chain is notable for its reliance on macro-enabled documents, especially considering that Microsoft began blocking macros in Office files downloaded from the internet by default starting July 2022, prompting threat actors to modify and diversify their approaches.

The return of Bumblebee also coincides with the reappearance of new variants of QakBot, ZLoader, and PikaBot, with samples of QakBot distributed in the form of Microsoft Software Installer (MSI) files.

“The .MSI drops a Windows .cab (Cabinet) archive, which in turn contains a DLL,” cybersecurity firm Sophos said on Mastodon. “The .MSI extracts the DLL from the .cab, and executes it using shellcode. The shellcode causes the DLL to spawn a second copy of itself and inject the bot code into the second instance’s memory space.”

The latest QakBot artifacts have been found to harden the encryption used to conceal strings and other information, including employing a crypter malware called DaveCrypter, making it more challenging to analyze. The new generation also reinstates the ability to detect whether the malware was running inside a virtual machine or sandbox.


Another crucial modification includes encrypting all communications between the malware and the command-and-control (C2) server using AES-256, a stronger method than was used in versions prior to the dismantling of QakBot’s infrastructure in late August 2023.

“The takedown of the QakBot botnet infrastructure was a victory, but the bot’s creators remain free, and someone who has access to QakBot’s original source code has been experimenting with new builds and testing the waters with these latest variants,” Andrew Brandt, principal researcher at Sophos X-Ops, said.

“One of the most notable changes involves a change to the encryption algorithm the bot uses to conceal default configurations hardcoded into the bot, making it more difficult for analysts to see how the malware operates; the attackers are also restoring previously deprecated features, such as virtual machine (VM) awareness, and testing them out in these new versions.”

QakBot has also emerged as the second most prevalent malware for January 2024, trailing behind FakeUpdates (aka SocGholish) but ahead of other families like Formbook, Nanocore, AsyncRAT, Remcos RAT, and Agent Tesla.

The development comes as Malwarebytes revealed a new campaign in which phishing sites mimicking financial institutions like Barclays trick potential targets into downloading legitimate remote desktop software like AnyDesk to purportedly resolve non-existent issues and ultimately allow threat actors to gain control of the machine.

Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware
https://www.indiavpn.org/2024/01/31/italian-businesses-hit-by-weaponized-usbs-spreading-cryptojacking-malware/
Wed, 31 Jan 2024 11:51:28 +0000

Jan 31, 2024 | Newsroom | Cryptocurrency / Cybersecurity

A financially motivated threat actor known as UNC4990 is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy.

Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics.

“UNC4990 operations generally involve widespread USB infection followed by the deployment of the EMPTYSPACE downloader,” the company said in a Tuesday report.

“During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages, which it downloads and decodes via PowerShell early in the execution chain.”


UNC4990, active since late 2020, is assessed to be operating out of Italy based on the extensive use of Italian infrastructure for command-and-control (C2) purposes.

It’s currently not known if UNC4990 functions only as an initial access facilitator for other actors. The end goal of the threat actor is not clear, although in one instance an open-source cryptocurrency miner is said to have been deployed after months of beaconing activity.

Details of the campaign were previously documented by Fortgale and Yoroi in early December 2023, with the former tracking the adversary under the name Nebula Broker.

The infection begins when a victim double-clicks on a malicious LNK shortcut file on a removable USB device, leading to the execution of a PowerShell script that’s responsible for downloading EMPTYSPACE (aka BrokerLoader or Vetta Loader) from a remote server via another intermediate PowerShell script hosted on Vimeo.

Yoroi said it identified four different variants of EMPTYSPACE written in Golang, .NET, Node.js, and Python, which subsequently act as a conduit for fetching next-stage payloads over HTTP from the C2 server, including a backdoor dubbed QUIETBOARD.

A notable aspect of this phase is the use of popular sites like Ars Technica, GitHub, GitLab, and Vimeo for hosting the malicious payload.

“The content hosted on these services posed no direct risk for the everyday users of these services, as the content hosted in isolation was completely benign,” Mandiant researchers said. “Anyone who may have inadvertently clicked or viewed this content in the past was not at risk of being compromised.”


QUIETBOARD, on the other hand, is a Python-based backdoor with a wide range of features that allow it to execute arbitrary commands, alter crypto wallet addresses copied to the clipboard to redirect fund transfers to wallets under the attackers’ control, propagate the malware to removable drives, take screenshots, and gather system information.

Additionally, the backdoor is capable of modular expansion and running independent Python modules like coin miners as well as dynamically fetching and executing Python code from the C2 server.

“The analysis of both EMPTYSPACE and QUIETBOARD suggests how the threat actors took a modular approach in developing their toolset,” Mandiant said.

“The use of multiple programming languages to create different versions of the EMPTYSPACE downloader and the URL change when the Vimeo video was taken down show a predisposition for experimentation and adaptability on the threat actors’ side.”

Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack
https://www.indiavpn.org/2023/12/27/critical-zero-day-in-apache-ofbiz-erp-system-exposes-businesses-to-attack/
Wed, 27 Dec 2023 16:57:11 +0000

Dec 27, 2023 | Newsroom | Zero-Day / Vulnerability

A new zero-day security flaw has been discovered in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, that could be exploited to bypass authentication protections.

The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month.

“The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present,” the SonicWall Capture Labs threat research team, which discovered the bug, said in a statement shared with The Hacker News.

CVE-2023-49070 refers to a pre-authenticated remote code execution flaw impacting versions prior to 18.12.10 that, when successfully exploited, could allow threat actors to gain full control over the server and siphon sensitive data. It stems from a deprecated XML-RPC component within Apache OFBiz.

According to SonicWall, CVE-2023-51467 could be triggered using empty and invalid USERNAME and PASSWORD parameters in an HTTP request to return an authentication success message, effectively circumventing the protection and enabling a threat actor to access otherwise unauthorized internal resources.


The attack hinges on the fact that the parameter “requirePasswordChange” is set to “Y” (i.e., yes) in the URL, causing the authentication to be trivially bypassed regardless of the values passed in the username and password fields.

“The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF),” according to a description of the flaw on the NIST National Vulnerability Database (NVD).

Users who rely on Apache OFBiz are advised to update to version 18.12.11 or later as soon as possible to mitigate any potential threats.
