TORONTO, ON – February 21, 2023 – SSC Security Services Corp. (“SSC”) (TSXV: SECU) (OTCQX: SECUF) is pleased to announce that it has been named as one of the top performers on the TSX Venture Exchange.

The 2023 TSX Venture 50 celebrates the strongest performances on the TSX Venture Exchange (the “TSXV” or “the Exchange”) over the last year. Comprised of 10 companies from each of five industry sectors, the ranking recognizes the strongest performance on the Exchange based on market capitalization growth, share price appreciation and trading volume. More details on the 2023 TSX Venture 50 and a video highlighting SSC can be found at https://money.tmx.com/en/venture50.

REGINA, SASKATCHEWAN – March 30, 2022 – SSC Security Services Corp. (“SSC”) (TSXV: SECU) (OTCQX: SECUF), is pleased to announce that it has entered into a definitive share purchase agreement (“Share Purchase Agreement”) to acquire Logixx Security Inc. (“Logixx”), a Toronto-based provider of premium security protection for leading enterprise and commercial clients across Canada, from its corporate owner, Avante Logixx Inc. (“Avante”) (TSXV: XX) (OTC: ALXXF).

The arrangement agreement (the “Arrangement”) between SSC and Avante previously announced on February 9, 2022 has been terminated by mutual agreement (the “Termination Agreement”) of both parties in order to enter into the Share Purchase Agreement. In lieu of the expense reimbursement fee payable to SSC on termination of the Arrangement, the parties have agreed to apply an amount equal to $750,000 (the “Arrangement Expense Reimbursement”) to payment of the purchase price under the Share Purchase Agreement.

Pursuant to the terms of the Share Purchase Agreement, SSC has agreed to acquire all of the issued and outstanding common shares of Logixx (“Logixx Shares”) (the “Transaction”). Under the terms of the Transaction, SSC will pay Avante $23.95 million in cash for the Logixx Shares, less the Arrangement Expense Reimbursement, and subject to working capital, debt and other closing adjustments standard for transactions of this nature. On closing, SSC will take ownership of Logixx on a debt-free basis and with $7.5 million of net working capital. Completion of the Transaction is subject to the satisfaction of certain conditions precedent, including, but not limited to, receipt of all necessary regulatory approvals, including approval of the TSX Venture Exchange. Avante and SSC have provided representations, warranties and indemnities customary for a transaction of this nature, as well as customary interim period covenants regarding the operation of the Logixx businesses in the ordinary course. The parties have also made customary non-competition and non-solicitation arrangements.

Copies of the Termination Agreement and the Share Purchase Agreement will be filed with the securities regulators and available on the SEDAR profile of Avante at www.sedar.com.

On closing of the Transaction, SSC will be the largest publicly-traded security company in Canada, be debt-free, and have approximately 2,100 employees from coast to coast. As a result of the transaction, SSC will approximately quadruple its pro forma annual revenue and Adjusted EBITDA*. The Transaction is expected to close within the next 60 days and will be funded by SSC with cash on hand and without any dilution to SSC shareholders.

SSC plans to maintain its quarterly dividend at the current level of $0.03 per SSC Share (which equates to $0.12 annualized). On a pro forma basis, SSC’s dividend payout ratio as a percentage of estimated annual Adjusted EBITDA* will improve from approximately 80% to under 35%.

CHIEF EXECUTIVE OFFICER COMMENTS ON THE TRANSACTION

Doug Emsley, Chairman, President & Chief Executive Officer of SSC, commented: “We believe this is a better deal for SSC and its shareholders than the one we announced on February 9. It allows us to acquire the part of Avante’s business that is the most similar to our existing business, do it at a lower EV/EBITDA multiple than we would have had to pay for all of Avante’s business, do it with cash on hand and no dilution to shareholders, and end up with a debt-free well-funded national physical and cyber security company.”

HIGHLIGHTS & KEY BENEFITS OF THE TRANSACTION

  • By approximately quadrupling SSC’s pro forma annual revenue and adjusted EBITDA*, the Transaction creates the largest publicly-traded security company in Canada
  • Brings together two highly-experienced and complementary management teams with minimal geographic overlap to leverage SSC’s large, liquid balance sheet and Logixx’s well-established revenue and EBITDA profile
  • On closing, the combined company will be an extremely well-capitalized and profitable, physical and cyber security company with critical mass and over 2,100 employees across Canada
  • Together, the companies will serve some of the largest corporate and public sector enterprises in Canada, and it is expected that the combination will enable significant growth and cross-selling opportunities for both SSC’s cyber security platform, which is housed in SRG Security Resource Group Inc. (acquired by SSC in 2021), as well as for Logixx’s tech-enabled monitoring and security platforms
  • On a pro forma basis, the combined company would have generated almost $100 million in annual revenue and a substantial amount of EBITDA over the trailing twelve-month period ended December 31, 2021
  • SSC plans to maintain its quarterly dividend at the current level of $0.03 per SSC Share (which equates to $0.12 annualized). On a pro forma basis, SSC’s dividend payout ratio as a percentage of estimated annual Adjusted EBITDA* will improve from approximately 80% to under 35%.
  • The Transaction will be entirely funded by SSC’s cash on hand with no dilution to shareholders
  • Cost synergies are expected to be realized by eliminating duplicate overhead costs
  • The board of directors of SSC unanimously approved the Transaction

ADVISOR

McKercher LLP acted as legal advisor to SSC.

ABOUT SSC

SSC Security Services Corp. (TSXV: SECU) (OTCQX: SECUF) is a leading provider of physical and cyber security services to corporate and public sector clients across Canada. For more information, please visit www.securityservicescorp.ca.

For further information, please contact:

Doug Emsley

President & CEO

SSC Security Services Corp.

(306) 347-1024

doug@securityservicescorp.ca

Brad Farquhar

Executive VP & Chief Financial Officer

SSC Security Services Corp.

(306) 347-7202

brad@securityservicescorp.ca

NEITHER TSX VENTURE EXCHANGE NOR ITS REGULATION SERVICES PROVIDER (AS THAT TERM IS DEFINED IN POLICIES OF THE TSX VENTURE EXCHANGE) ACCEPTS RESPONSIBILITY FOR THE ADEQUACY OR ACCURACY OF THIS RELEASE.

Forward Looking Information

This press release contains forward looking statements and forward-looking information within the meaning of applicable Canadian securities legislation. Such forward-looking statements are not representative of historical facts or information or current condition, but instead represent only SSC’s beliefs regarding future events, plans or objectives, many of which, by their nature, are inherently uncertain and outside of SSC’s control. Such statements are based on the current expectations and views of future events of SSC’s management. In some cases, the forward-looking statements can be identified by words or phrases such as “may”, “will”, “expect”, “plan”, “anticipate”, “intend”, “potential”, “estimate”, “believe” or the negative of these terms, or other similar expressions intended to identify forward-looking statements. The forward-looking events and circumstances discussed in this press release may not occur and could differ materially as a result of known and unknown risk factors and uncertainties affecting SSC, including risks regarding the security industry, economic factors and the equity markets generally, risks relating to the Transaction, including the ability of SSC and Logixx to implement business strategies and combined synergies, timing of the Transaction, the price of SSC Shares, the dividend payout ratio, as well regulatory approvals, and many other factors beyond the control of SSC. Additional risks are discussed under “Risk Factors” in SSC’s management’s discussion and analysis filed on SEDAR. No forward-looking statement can be guaranteed. Forward-looking statements and information by their nature are based on assumptions and involve known and unknown risks, uncertainties and other factors which may cause actual results, performance or achievements, or industry results, to be materially different from any future results, performance or achievements expressed or implied by such forward-looking statement or information. 
Accordingly, readers should not place undue reliance on any forward-looking statements or information. Except as required by applicable securities laws, forward-looking statements speak only as of the date on which they are made and SSC undertakes no obligation to publicly update or revise any forward-looking statement, whether as a result of new information, future events, or otherwise.

*Non-IFRS Measures

SSC measures key performance metrics established by management as being key indicators of the company’s strength, using certain non-IFRS performance measures, including: EBITDA, EBITDA per share, Adjusted EBITDA, and Adjusted EBITDA per share.

SSC uses these non-IFRS measures for its own internal purposes. These non-IFRS measures do not have any standardized meaning prescribed by IFRS, and these measures may be calculated differently by other companies. The presentation of these non-IFRS measures is intended to provide additional information and should not be considered in isolation or as a substitute for measures of performance prepared in accordance with IFRS. SSC provides these non-IFRS measures to enable investors and analysts to understand the underlying operating and financial performance of the company in the same way as it is frequently evaluated by SSC’s management. SSC’s management will periodically assess these non-IFRS measures and the components thereof to ensure continued use is beneficial to the evaluation of the underlying operating and financial performance of the company. For more detailed information, please refer to pages 20 and 21 of the Company’s Management Discussion and Analysis dated February 16, 2022 available on the Company’s website at www.securityservicescorp.ca and on SEDAR at www.sedar.com.

REGINA, SK, Feb. 1, 2021 /CNW/ – Input Capital Corp. (TSX Venture: INP) (US: INPCF) (“Input” or the “Company”) is pleased to announce that it has completed the acquisition (the “Acquisition”) of all of the common shares (“SRG Shares”) of SRG Security Resource Group Inc. (“SRG”) on the terms and subject to the conditions set out in the Share Purchase Agreement (“Purchase Agreement”).

“We plan to put our very strong balance sheet to work backing the growth of SRG in the cyber and physical security business in Canada,” said President & CEO Doug Emsley. “SRG is a well-established and profitable business with an experienced management team, and we look forward to enabling the growth of SRG organically and via acquisition in the months and years to come.”

Pursuant to the Purchase Agreement, Input acquired all the SRG Shares for a total purchase price of approximately C$19,900,000 (the “Purchase Price”), as adjusted on a dollar-for-dollar basis for positive or negative net working capital of SRG. Half of the Purchase Price was satisfied by the issuance of 8,883,930 common shares of Input (“Input Shares”) at a deemed value of C$1.12 per Input Share for an approximate total value of C$9,950,000. The remaining 50% of the Purchase Price was paid in cash. The full text of the Purchase Agreement may be found under Input’s issuer profile at www.sedar.com.

The new Input Shares issued to SRG shareholders pursuant to the Acquisition are subject to a statutory hold period expiring 4 months and 1 day from the date of issuance. In addition, the SRG shareholders have agreed to lock-up terms in favour of the Company restricting their ability to transfer their Input Shares until the date that is 6 months following the closing of the Acquisition.

As previously announced, Input will continue to operate its existing agriculture operations in order to serve many farm clients who have 2-3 years left on their streaming contracts. With canola prices nearing all-time highs, Input believes that it has an excellent opportunity to maximize the value of its assets as the Company repatriates capital from the agriculture sector over the remaining life of these contracts. This will grow Input’s already excellent financial capacity to back SRG’s anticipated growth strategy in the security sector.

ABOUT INPUT

Input is primarily an agriculture commodity streaming company providing several flexible and competitive forms of financing which help western Canadian farmers solve working capital, mortgage finance and canola marketing challenges and improve the financial position of their farms. On February 1, 2021, Input acquired SRG Security Resource Group Inc. as a platform for growth in the cyber and physical security business in Canada.  For more information, please visit www.inputcapital.com.

ABOUT SRG

SRG is a market-leading Canadian provider of world-class Cyber Security and physical Protective Security Services. Founded in 1996, most of SRG’s employees are located in Western Canada, but solutions and services are provided to organizations across the country. SRG clients include federal and provincial governments, Crown corporations, and many high profile corporate and public sector clients such as hospitals, airports, utility companies and police forces. Previously privately held, SRG now operates as a wholly-owned subsidiary of Input. More information is available on SRG’s website at https://securityresourcegroup.com.

Forward Looking Statements

This release includes forward-looking statements regarding Input, SRG and their respective businesses. Such statements are based on the current expectations and views of future events of Input’s and SRG’s management. In some cases the forward-looking statements can be identified by words or phrases such as “may”, “will”, “expect”, “plan”, “anticipate”, “intend”, “potential”, “estimate”, “believe” or the negative of these terms, or other similar expressions intended to identify forward-looking statements. The forward-looking events and circumstances discussed in this release may not occur and could differ materially as a result of known and unknown risk factors and uncertainties affecting Input and SRG, including risks regarding their respective industries, economic factors and the equity markets generally, uncertainties concerning the Company’s or SRG’s future plans and intentions with respect to their businesses, risks and uncertainties relating to Input’s and SRG’s businesses, and many other factors beyond the control of Input or SRG (including the ongoing COVID-19 pandemic). No forward-looking statement can be guaranteed. Forward-looking statements and information by their nature are based on assumptions and involve known and unknown risks, uncertainties and other factors which may cause our actual results, performance or achievements, or industry results, to be materially different from any future results, performance or achievements expressed or implied by such forward-looking statement or information. Accordingly, readers should not place undue reliance on any forward-looking statements or information. Except as required by applicable securities laws, forward-looking statements speak only as of the date on which they are made and Input undertakes no obligation to publicly update or revise any forward-looking statement, whether as a result of new information, future events, or otherwise.

NEITHER TSX VENTURE EXCHANGE NOR ITS REGULATION SERVICES PROVIDER (AS THAT TERM IS DEFINED IN POLICIES OF THE TSX VENTURE EXCHANGE) ACCEPTS RESPONSIBILITY FOR THE ADEQUACY OR ACCURACY OF THIS RELEASE.

SOURCE Input Capital Corp.

This notice is sent as an update on the recent Microsoft Exchange security issues. Microsoft has issued several security patches to address them. Information on business systems shows that unpatched Exchange servers continue to exist internationally, including within Canada, and some of these Canadian systems have been further compromised with malware. Malicious actors are actively scanning with automated tools to identify unpatched servers.

On 11 March 2021, Microsoft Security Intelligence issued a Tweet stating that a new family of ransomware, known as DearCry, is being leveraged by actors exploiting the recently disclosed Exchange vulnerabilities. In addition to DearCry, multiple proofs of concept leveraging the Exchange vulnerabilities to achieve remote code execution have been made publicly available. These vulnerabilities are being used to gain a foothold within an organization’s network for malicious activity which includes, but is not limited to, ransomware and the exfiltration of data.

It is strongly recommended that organizations with unpatched external facing servers perform the following:

  1. Immediately disconnect the server from external interfaces
  2. Follow Microsoft guidance to determine compromise
  3. If no compromise has been identified follow the below patching recommendations:
    • Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
    • Exchange Server 2013 (update requires CU 23)
    • Exchange Server 2016 (update requires CU 19 or CU 18)
    • Exchange Server 2019 (update requires CU 8 or CU 7)

Note: All updates (CU and the security update) must be run as administrator and Microsoft has noted that multiple reboots may be required. Additional information on patching is available through Microsoft’s tech community blog.

Organizations are encouraged to confirm that no signs of malicious activity have been detected and that both the CU and security update are successful prior to returning the server to service.

Microsoft has published out-of-band Security Updates to address critical vulnerabilities in multiple Exchange products:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Volexity has also published a blog detailing observed activity of actors remotely exploiting a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855)[2]. This method of exploitation does not require authentication and can be accomplished through remote access to a vulnerable external facing Exchange server over HTTPS.

Microsoft has reported the following vulnerabilities were used by actors to gain access to victim systems:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the actor to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave actors the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If actors could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If an actor could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

After exploiting these vulnerabilities to gain initial access, malicious actors deploy web shells on the compromised server. Web shells potentially allow actors to steal data and perform additional malicious actions that lead to further compromise.
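The following script is an added example written for this page; it is not part of the original notice and not Microsoft's own tooling. It automates two of the "determine compromise" checks for the vulnerabilities above: it reads the Exchange HttpProxy CSV logs (kept under the Exchange install path in Logging\HttpProxy) for rows where AuthenticatedUser is empty and AnchorMailbox begins with "ServerInfo~", which is the CVE-2021-26855 indicator Microsoft published, and it lists .aspx files in the usual web shell drop directories that are not on a caller-supplied allowlist of files from a known-clean install. The log excerpt carries only the columns the check needs, and both the excerpt and the directory tree are constructed for the example; the paths, IP addresses and file names in them are invented.

```python
"""Check an Exchange server for the compromise indicators described above.

Added example. The HttpProxy indicator (empty AuthenticatedUser plus an
AnchorMailbox starting with "ServerInfo~") is the one Microsoft published for
CVE-2021-26855; everything below that is sample data is constructed here.
"""
import csv
import io
import os
import tempfile
from typing import Dict, Iterable, List

# Constructed HttpProxy excerpt: real column names, invented values. Real logs
# have many more columns, but the parser only relies on the three named below.
SAMPLE_HTTPPROXY_LOG = """DateTime,ClientIpAddress,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-03T04:12:09.114Z,203.0.113.10,,ServerInfo~localhost:444/autodiscover/autodiscover.xml,/autodiscover/autodiscover.xml
2021-03-03T04:12:11.402Z,203.0.113.10,,ServerInfo~localhost:444/ecp/,/ecp/
2021-03-03T08:01:00.000Z,10.0.0.25,CORP\\jdoe,jdoe@corp.example,/owa/
2021-03-03T08:02:15.000Z,10.0.0.31,CORP\\asmith,asmith@corp.example,/mapi/emsmdb/
2021-03-03T08:05:44.000Z,10.0.0.31,,asmith@corp.example,/autodiscover/autodiscover.xml
"""


def find_ssrf_indicators(log_text: str) -> List[Dict[str, str]]:
    """Return HttpProxy rows matching the published CVE-2021-26855 indicator.

    An empty AuthenticatedUser on its own is normal (row 5 above); it is the
    combination with a ServerInfo~ anchor mailbox that marks the SSRF.
    """
    hits: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        unauthenticated = (row.get("AuthenticatedUser") or "").strip() == ""
        proxied = (row.get("AnchorMailbox") or "").startswith("ServerInfo~")
        if unauthenticated and proxied:
            hits.append(row)
    return hits


def suspicious_sources(hits: Iterable[Dict[str, str]]) -> List[str]:
    """Distinct client addresses behind the matching rows, for blocking and pivoting."""
    return sorted({row["ClientIpAddress"] for row in hits})


def find_unexpected_aspx(roots: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """List .aspx files under the given roots whose basename is not allowlisted.

    Exchange ships legitimate .aspx pages in its web directories, so the
    allowlist must come from a known-clean server of the same build.
    """
    allowed = {name.lower() for name in allowlist}
    found: List[str] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().endswith(".aspx") and name.lower() not in allowed:
                    found.append(os.path.join(dirpath, name))
    return sorted(found)


def demo_aspx_scan() -> List[str]:
    """Build a throwaway tree (constructed) and return the unexpected .aspx basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        auth_dir = os.path.join(tmp, "FrontEnd", "HttpProxy", "owa", "auth")
        client_dir = os.path.join(tmp, "aspnet_client")
        os.makedirs(auth_dir)
        os.makedirs(client_dir)
        for path in (os.path.join(auth_dir, "logon.aspx"),
                     os.path.join(auth_dir, "errorFE.aspx"),
                     os.path.join(client_dir, "unknown.aspx")):
            with open(path, "w") as fh:
                fh.write("<%@ Page %>")  # contents are irrelevant to the name check
        allow = ["logon.aspx", "errorFE.aspx"]  # assumed clean-install list
        return [os.path.basename(p) for p in find_unexpected_aspx([tmp], allow)]


if __name__ == "__main__":
    hits = find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG)
    for row in hits:
        print(f"{row['DateTime']} {row['ClientIpAddress']} -> {row['AnchorMailbox']}")
    print("sources to investigate:", suspicious_sources(hits))
    print("unexpected .aspx files (constructed tree):", demo_aspx_scan())
```

Run it against the real log directory by reading each CSV file into find_ssrf_indicators; a hit does not by itself prove a web shell was dropped, so follow the source address into the ECP and OABGen logs and the file scan before returning the server to service.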

Reminder: for your protection, please ensure you follow Microsoft’s instructions on the recent Microsoft Security Updates.

Please reach out to us with your concerns or for more information on how to protect yourself and your business.

On 13 December, 2020 SolarWinds disclosed a security advisory outlining recent malicious activity impacting SolarWinds Orion Platform resulting from a supply chain compromise. The SolarWinds technology is used by many businesses to manage their network environments including mapping and capacity planning. This is a widespread campaign by a “highly evasive” actor gaining access to numerous public and private organizations around the world.

By trojanizing SolarWinds Orion Platform software updates, the actors were able to distribute malware to customers through the vendor’s own update channel. This campaign may have begun as early as Spring 2020 and is reported as currently ongoing. Post-compromise activity leverages multiple techniques to evade detection and obscure the actors’ activity, which includes lateral movement and data theft.

SolarWinds has provided guidance on how to identify the version of Orion Platform organizations are using and to check which hotfixes organizations have applied. If an organization cannot upgrade immediately, please follow the guidelines securing an Orion Platform instance.

An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. SolarWinds recommends that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.

In addition to the fixes being posted by SolarWinds, the following recommendations are mitigation techniques that could be deployed as first steps to address the risk of trojanized SolarWinds software in an environment. SRG encourages organizations to review the recommendations below and action them based on the organization’s own risk-based assessment:

  • Ensure that SolarWinds servers are isolated / contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.
  • If SolarWinds infrastructure is not isolated, consider taking the following steps:
    • Restrict scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets
    • Restrict the scope of accounts that have local administrator privileges on SolarWinds servers.
    • Block Internet egress from servers or other endpoints with SolarWinds software.
  • Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure. Based upon further review / investigation, additional remediation measures may be required.
  • If SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected / unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.

If malicious activity is discovered in an environment, SRG recommends conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment.

Please reach out to us with your concerns or for more information on how to protect yourself and your business.

This Cyber Security alert is intended for organizations that use FireEye technology as part of their cyber security protection program.

On December 8, 2020, cyber security firm FireEye disclosed that it was recently a victim of a targeted security breach by a threat actor.

The threat actors were successful in infiltrating the internal network and acquiring red team security assessment tools. FireEye is currently investigating; initial findings show no evidence of customer data exfiltration, and FireEye cannot at this time state confidently whether these tools will be used or publicly disclosed by the threat actors.

These FireEye tools are used by customers to simulate real-world cyber attacks and test themselves in a near-real environment. Users of these technologies should review the detection methods FireEye has released for the red team tools, in the event the threat actors use them for attack purposes.

Further actions for Consideration:

  • Review the CSE Top 10 Security Actions (https://cyber.gc.ca/en/top-10-it-security-actions)
  • Review the signatures shared by FireEye and consider them for inclusion within security appliances. Organizations are encouraged to contact vendors if tailored signatures are required for specific products.
  • Limit the amount of sensitive information that malicious actors can collect about your networks by performing security assessments on network systems for unnecessary, inadequately secured or unpatched services.
  • Assess networks for the presence of vulnerable software, particularly where it is installed on devices exposed to the internet, and update as soon as possible to the latest version.
  • Implement two-factor authentication (2FA) on all internet-facing remote access services, starting with perimeter security devices such as firewalls and remote access gateways for teleworkers and administrators.

Please reach out to us with your concerns or for more information on how to protect yourself and your business.

A new attack vector has been identified specific to those organizations that use Microsoft Teams for collaboration with internal teams as well as with your customers. The phishing campaign pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials.

Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic. This particular campaign was sent to between 15,000 and 50,000 Office 365 users, and additional campaigns are expected to follow. Because Microsoft Teams is an instant-messaging service, recipients of this notification may be more apt to click on it so that they can respond quickly to whatever message they think they may have missed.

The initial phishing email displays the name “There’s new activity in Teams,” making it appear like an automated notification from Microsoft Teams. Within the body of the email there are three links, appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’ and ‘Reply in Teams’, according to researchers. Clicking on any of these leads to a fake website that impersonates the Microsoft login page. The phishing page asks the recipient to enter their email and password.

Further, the phishing landing page also looks convincingly like a Microsoft login page, with the start of the URL containing “microsftteams.” If recipients are convinced to input their Microsoft credentials into the page, they are unwittingly handing them over to attackers, who can then use them for an array of malicious purposes, including account takeover. See one sample of the phishing email below.

In May, a similar convincing campaign that impersonated notifications from Microsoft Teams in order to steal the Office 365 credentials of employees circulated, with two separate attacks that targeted as many as 50,000 different Teams users.

Users are warned to read all such notifications carefully and, when in doubt, to delete the email without clicking on any of the links or display areas.
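As an added example for the lure described above (not part of the original notice), the script below applies the checks a mail filter would run on the links in such a message: a domain label that contains, or is one edit away from, a brand name while the registrable domain is not one the brand actually uses (this is how “microsftteams” is caught); brand words such as “Teams” in the link text with an off-brand destination; a visible URL that differs from the real href; and plain http. The brand allowlist is a short assumption, the sample HTML is constructed, and the registrable-domain logic (last two labels) is a simplification that a production filter would replace with a public-suffix lookup.

```python
"""Flag phishing traits in the links of an HTML e-mail body.

Added example. BRAND_DOMAINS and BRAND_WORDS are assumptions kept deliberately
short; SAMPLE_HTML is constructed to mirror the lure described in the text.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

BRAND_DOMAINS: Dict[str, set] = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
}
BRAND_WORDS: Dict[str, Tuple[str, ...]] = {
    "microsoft": ("microsoft", "teams", "office 365", "office365"),
}

SAMPLE_HTML = """
<p>There's new activity in Teams</p>
<a href="https://microsftteams.example/login">Microsoft Teams</a>
<a href="http://teams-notify.example/reply">Reply in Teams</a>
<a href="https://microsoftteams-login.example/">https://teams.microsoft.com/</a>
<a href="https://teams.microsoft.com/">teams.microsoft.com</a>
<a href="https://login.microsoftonline.com/">https://login.microsoftonline.com/</a>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(label: str, brand: str) -> bool:
    """True if the brand appears in the label verbatim or within one edit."""
    if brand in label:
        return True
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for i in range(max(1, len(label) - width + 1)):
            if levenshtein(label[i:i + width], brand) <= 1:
                return True
    return False


def registrable(host: str) -> str:
    """Last two labels; a simplification, not a public-suffix-aware lookup."""
    return ".".join(host.split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def analyze_links(html: str) -> List[Tuple[str, str]]:
    """Return (href, reason) pairs for links that show a phishing trait."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings: List[Tuple[str, str]] = []
    for text, href in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        lowered = text.lower()
        for brand, domains in BRAND_DOMAINS.items():
            if registrable(host) in domains:
                continue  # genuine brand domain: nothing to flag for this brand
            if any(looks_like(label, brand) for label in host.split(".")):
                findings.append((href, f"lookalike of {brand} in {host}"))
            elif any(word in lowered for word in BRAND_WORDS[brand]):
                findings.append((href, f"{brand} named in link text, destination is {host}"))
        if url.scheme == "http":
            findings.append((href, "link is plain http"))
        if lowered.startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                findings.append((href, f"visible URL {shown} differs from destination {host}"))
    return findings


def flagged_hosts(html: str) -> List[str]:
    """Distinct destination hosts with at least one finding."""
    return sorted({(urlparse(h).hostname or "").lower() for h, _ in analyze_links(html)})


if __name__ == "__main__":
    for href, reason in analyze_links(SAMPLE_HTML):
        print(f"{href}: {reason}")
```

The two genuine Microsoft links in the sample produce no findings, which is the property to preserve when the allowlist is extended: the lookalike check is only applied to hosts outside it, so adding a legitimate domain never weakens detection of typosquats.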

Please reach out to us with your concerns or for more information on how to protect yourself and your business.

Since July 2020 there has been an increase in malicious activity associated with Emotet malware campaigns. Emotet has been frequently observed working in tandem with Trickbot and Ryuk malware in a persistent attempt to compromise computer systems within Canada. These threats have been successfully used to attack many Canadian companies since 2019.

Emotet is an advanced, modular malware family operated as a botnet and distributed primarily through email. Once a system is infected by Emotet, additional malware, including Trickbot and Ryuk, may be implanted on the system, resulting in data exfiltration or attempts to extort the victim.

Emotet malware can be spread through untargeted bulk spam emails (such as shipping notifications, or “past-due” invoices), as well as what appear to be targeted malicious emails (spear phishing). Targeted emails are particularly effective as they appear to come from a trusted source, often from someone with whom the email recipient has recently been in communication.

Furthermore, Emotet email campaigns have been observed leveraging both ‘thread hijacking’, a technique where malicious emails are inserted into existing email threads, and password-protected zip files to avoid detection by network defenses. These techniques result in convincing messages that an unaware recipient may believe to be trustworthy, and may be persuaded to download malware by opening an attachment (a macro-enabled Microsoft Word document or PDF) or clicking a malicious link.

SUGGESTED ACTIONS

  • Scan all incoming and outgoing e-mails to detect threats and prevent executable files or macro enabled documents from reaching end users.
  • Always exercise caution when receiving an unexpected email or email reply containing an attachment or URL, even when from a trusted source. If the email seems unusual, contact the sender to confirm the authenticity of the attachment.
  • Avoid enabling macros within a document received via email.
  • Use anti-virus protection and ensure that it is diligently kept up to date.
  • Implement architectural controls for network segregation and protection.
  • Perform daily backups of all critical systems, maintain offline and offsite copies of backup media and periodically test data restoration processes from backups, including key databases to ensure integrity of existing backups and processes.
  • Ensure operating systems receive the latest patches.
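The first suggested action, scanning mail for executables and macro-enabled documents, is shown below as an added example written for this page (it is not part of the original alert and not any vendor's gateway code). It parses a message, and for each attachment flags executables, macro-enabled Office extensions, a vbaProject.bin part inside an OOXML zip (a macro document renamed to hide its extension), archives whose entries carry the ZIP encryption flag (the password-protected zips the text describes), and archives that contain executables or macro documents. The message and its attachments are constructed inline; the "encrypted" zip only has the flag bit set, since a gateway decides on that flag without knowing the password.

```python
"""Triage e-mail attachments for the Emotet delivery patterns listed above.

Added example. The sample message, file names and attachment contents are all
constructed here; the encrypted zip declares encryption via flag bit 0 but its
payload is plaintext, which is enough to exercise the check offline.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

EXECUTABLE_EXT = {".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
OOXML_EXT = {".docx", ".dotx", ".xlsx", ".pptx"}
ZIP_ENCRYPTED = 0x1  # general-purpose flag bit 0 in the ZIP format


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(name: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should be held, in the order found."""
    reasons: List[str] = []
    ext = _ext(name)
    if ext in EXECUTABLE_EXT:
        reasons.append("executable attachment")
    if ext in MACRO_EXT:
        reasons.append("macro-enabled extension")
    if ext in OOXML_EXT | MACRO_EXT | {".zip"}:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()  # central directory only; no decryption needed
                if any(i.filename.lower().endswith("vbaproject.bin") for i in infos):
                    reasons.append("contains VBA project")
                if any(i.flag_bits & ZIP_ENCRYPTED for i in infos):
                    reasons.append("password-protected archive")
                if ext == ".zip" and {_ext(i.filename) for i in infos} & (EXECUTABLE_EXT | MACRO_EXT):
                    reasons.append("archive holds executable or macro document")
        except zipfile.BadZipFile:
            reasons.append("unreadable archive")
    return reasons


def triage_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 5322 message and return (attachment name, reason) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings.extend((name, reason) for reason in inspect_attachment(name, data))
    return findings


def _zip_bytes(entries, encrypted: bool = False) -> bytes:
    """Build a small stored zip; optionally set the encryption flag on every entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for arcname, content in entries:
            zf.writestr(arcname, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag bit 0 sits at offset 6 of each local header and offset 8 of each
        # central-directory entry; the payload itself is left in the clear.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= ZIP_ENCRYPTED
                pos = data.find(sig, pos + 4)
    return bytes(data)


def build_sample_message() -> bytes:
    """Constructed lure in the 'past-due invoice' thread-hijack style."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "payables@corp.example"
    msg["Subject"] = "RE: RE: past-due invoice 4471"
    msg.set_content("Please see the attached documents and remit payment today.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(_zip_bytes([("word/document.xml", b"<w:document/>"),
                                   ("word/vbaProject.bin", b"\x00")]),
                       maintype="application", subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(_zip_bytes([("word/vbaProject.bin", b"\x00")]),
                       maintype="application", subtype="octet-stream", filename="statement.docm")
    msg.add_attachment(_zip_bytes([("invoice.docm", b"placeholder")], encrypted=True),
                       maintype="application", subtype="zip", filename="documents.zip")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in triage_message(build_sample_message()):
        print(f"hold {name}: {reason}")
```

The plain PDF passes, the renamed .docx is caught by its VBA part rather than its extension, and the password-protected zip is held on the flag alone, which is the point: a gateway that only inspects what it can open lets exactly the attachments the text warns about through.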

Please reach out to us with your concerns or for more information on how to protect yourself or your business.

While bad actors continue their denial-of-service for ransom activities, SRG would like to remind all clients and businesses to continue your due diligence as you work to protect your company assets:

Actors claiming to be various Advanced Persistent Threat (APT) groups have been threatening to carry out large-scale distributed denial-of-service attacks for ransom, commonly known as Ransom DoS (RDoS). Recent reported threats were against the financial sector, globally and in Canada, but other sectors are expected to be subject to the same activities. The threats are typically accompanied by short Distributed Denial of Service attacks (DDoS) that are intended to demonstrate the actor’s capability.

Details vary from case to case but the core elements are as follows:

  • An organization is approached via e-mail by an actor identifying explicitly as a well-known APT, indicating an intent to demonstrate the capability to disrupt the organization’s infrastructure, and demanding a specific payment in Bitcoin be made. In return for payment, the actor undertakes to refrain from further activity.
  • A short time after the e-mail is sent, the targeted organization’s infrastructure is subjected to a relatively short DDoS, as threatened in the e-mail.

There are reports across Canada of such activity where the subject line of the ransom email is: “DDoS Attack on <organization name>’s network”. The email specifies a date on which the organization’s network will be subjected to a DDoS attack and states that a small-scale attack on a specific IP address range will be carried out immediately to prove the message is not a hoax. The email demands a ransom amount, to be paid in Bitcoin, to avoid a larger and sustained attack, and the demanded amount escalates daily while it goes unpaid.

The following denial-of-service techniques have been reported:

  • UDP flooding;
  • DNS amplification;
  • NTP amplification;
  • CLDAP amplification;
  • IP Fragmentation; and possibly others.

Recommended Protection Activities are as follows:

  • Work with your cloud and Internet service providers to implement service-level agreements that include DoS defence provisions. Your service providers may use multiple tools and techniques to help your organization protect itself against DoS attacks.
  • Ensure your system administrators are familiar with DoS protection services. Familiarity with these services can help them rate-limit abusive traffic or allow-list legitimate sources effectively.
  • Monitor network and systems. Configure monitoring tools to alert you when there is an increase in traffic (outside of your baseline) or any suspicious traffic overloading a site.
  • Install and configure firewalls and intrusion prevention systems. You can use these tools to monitor traffic and block known-malicious and illegitimate traffic.
  • Update and patch operating systems and applications. Update and patch systems and applications, including your firewalls, to ensure that security issues are addressed and prevent threat actors from taking advantage of vulnerabilities.
  • Defend your network perimeter. To protect your network, use a layered approach to security by implementing multiple controls and techniques.
  • Plan for an attack. Have a recovery plan that prioritizes systems and processes based on their tolerable downtime. You should also identify points of contact and an incident response team.
  • Monitor for inbound e-mails to publicly available addresses where addressing and subject line is similar to that provided above.
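The monitoring item above, alerting when traffic rises outside your baseline, is shown as an added example below; it is written for this page and is not from the original bulletin or any vendor's product. It aggregates flow records into fixed intervals, builds a baseline from the quiet intervals the caller designates, raises an alert when an interval exceeds mean plus k standard deviations (with the deviation floored at a tenth of the mean so a perfectly flat baseline does not alert on noise), and attributes the excess to the vectors listed above by UDP source port (53 DNS, 123 NTP, 389 CLDAP) or to IP fragmentation. The flow records are constructed, including the burst in the last minute; the Flow fields are a simplification of what NetFlow or a firewall log would provide.

```python
"""Baseline-and-threshold detector for the DDoS vectors named above.

Added example. Flow records below are constructed; the demonstration burst in
the sixth minute is the kind of short capability proof the text describes.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List

AMPLIFIER_PORTS = {53: "DNS amplification", 123: "NTP amplification", 389: "CLDAP amplification"}


@dataclass(frozen=True)
class Flow:
    ts: int           # seconds since epoch
    proto: str        # "udp" or "tcp"
    src_port: int     # remote source port; amplifiers answer from their service port
    dst_ip: str       # our address
    size: int         # inbound bytes
    fragment: bool = False


def volume_by_interval(flows: List[Flow], interval: int) -> Dict[int, int]:
    """Total inbound bytes per interval, keyed by the interval start time."""
    totals: Dict[int, int] = defaultdict(int)
    for f in flows:
        totals[f.ts - f.ts % interval] += f.size
    return dict(totals)


def attribute(flows: List[Flow]) -> Dict[str, int]:
    """Bytes per vector. Fragments are checked first, then UDP source port."""
    by_vector: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.fragment:
            label = "IP fragmentation"
        elif f.proto == "udp":
            label = AMPLIFIER_PORTS.get(f.src_port, "UDP flooding")
        else:
            label = "other"
        by_vector[label] += f.size
    return dict(by_vector)


def detect(flows: List[Flow], baseline_intervals: int, interval: int = 60,
           k: float = 3.0, share: float = 0.05) -> List[dict]:
    """Alert on intervals above the baseline threshold and name the dominant vectors."""
    totals = volume_by_interval(flows, interval)
    starts = sorted(totals)
    if len(starts) <= baseline_intervals:
        raise ValueError("not enough intervals to form a baseline")
    base = [totals[s] for s in starts[:baseline_intervals]]
    mu, sigma = mean(base), pstdev(base)
    threshold = mu + k * max(sigma, 0.1 * mu)  # floor sigma so a flat baseline still behaves
    alerts: List[dict] = []
    for s in starts[baseline_intervals:]:
        if totals[s] <= threshold:
            continue
        window = [f for f in flows if s <= f.ts < s + interval]
        vectors = attribute(window)
        dominant = sorted((v for v, b in vectors.items() if b >= share * totals[s]),
                          key=lambda v: -vectors[v])
        alerts.append({"start": s, "bytes": totals[s], "threshold": threshold, "vectors": dominant})
    return alerts


def sample_flows() -> List[Flow]:
    """Five quiet minutes (~1 MB each, some normal DNS) then a demonstration burst."""
    base = 1_600_000_020  # divisible by 60 so each minute lands in one interval
    flows: List[Flow] = []
    for m in range(5):
        t = base + 60 * m
        flows += [Flow(t + 5, "tcp", 443, "198.51.100.10", 600_000),
                  Flow(t + 20, "tcp", 25, "198.51.100.11", 300_000 + 20_000 * m),
                  Flow(t + 40, "udp", 53, "198.51.100.12", 40_000)]
    t = base + 300
    flows += [Flow(t + 1, "udp", 53, "198.51.100.10", 30_000_000),
              Flow(t + 2, "udp", 123, "198.51.100.10", 25_000_000),
              Flow(t + 3, "udp", 389, "198.51.100.10", 4_000_000),
              Flow(t + 4, "udp", 0, "198.51.100.10", 6_000_000, fragment=True),
              Flow(t + 30, "tcp", 443, "198.51.100.10", 600_000)]
    return flows


if __name__ == "__main__":
    for alert in detect(sample_flows(), baseline_intervals=5):
        print(f"{alert['start']}: {alert['bytes']} bytes > {alert['threshold']:.0f}; vectors: {alert['vectors']}")
```

The baseline minutes carry ordinary DNS responses from port 53, and none of them alerts; it is the volume against the baseline that triggers, and the source-port attribution only runs on the anomalous interval, so the vector list tells the upstream provider which amplification protocols to filter.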

Reach out to us with your concerns or for more information on how to protect yourself or your business.