ABOUT ACCUME PARTNERS

Accume Partners is a trusted advisor that serves clients by delivering integrated Risk, Regulatory, and Cybersecurity solutions to help manage uncertainty and drive business value.

Bob Gaines, Director, Cybersecurity & Privacy
425-518-1914
[email protected]

March 2019

Table of Contents: ACCUMULATE KNOWLEDGE, VALUE, RESOURCES

Perspective: State of the Marketplace 02
1. Security News 03
2. Regulatory and Privacy News 05
3. Social Engineering 07
4. Internal Threats 09
5. Web / Internet Threats 11
6. Data Breach 13
Vulnerabilities & Indicators of Compromise 15
Infographic of the Week 16
Recommended Actions to Take 17
Contact Us 18

Perspective: State of the Marketplace

California is proposing an update to its data breach notification law. When California State Bill 1386 went into effect in 2003, it was the country's first data breach notification legislation. California's data breach notification rules continue to be among the strongest in the U.S. The proposed changes will include notification if passport numbers were exposed, as well as government-issued identification numbers and biometric data. The bill would update California state's definition of personal information as constituting "an individual's first name or first initial and last name" in combination with any of the following, when either the name or these data elements have not been encrypted

Milwaukee-based email provider VFEmail suffered a catastrophic loss last week, in which a hacker wiped out all of its US-based email storage, including backups. From their Twitter feed: "At this time, the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost." Their Netherlands servers avoided a similar fate because the attack was detected in progress and averted. Ensure that your vendors have appropriate protections in place and that your institution has a contingency plan: what would you do if VFEmail was your provider?

A disturbing new survey indicates that 57% of IT workers who get phished don't change their password behaviors. This should be a wake-up call for management. Employee behavior is very difficult to change. Where possible, technical solutions need to be in place to fill the necessary gaps. An effective incident response program should be able to track incident types and the users involved. From there, you can either change your policies, procedures and technical settings, or you can find other technical solutions to assist, such as password managers, tokens or other forms of authentication.

~Stay Secure

Security News

‘Nearly all’ American networks will be susceptible to cyberattacks - When it comes to cybersecurity, the four-year prognosis laid out by the United States intelligence community is stark. “Nearly all information, communication networks, and systems will be at risk for years to come,” the 2019 national intelligence strategy reads. The strategy, which was released Jan. 22 by the Office of the Director of National Intelligence, is a four-year roadmap for the American intelligence community. While the strategy touches on other topics, such as counter-terrorism and counter-proliferation, cybersecurity is listed as a top priority.

Source: https://www.fifthdomain.com/dod/2019/01/23/nearly-all-american-networks-will-be-susceptible-to-cyberattacks/

VFEmail suffers ‘catastrophic’ attack, as hacker wipes email service’s primary and backup data - VFEmail, a Milwaukee-based email provider for businesses and end-users since 2001, has revealed that it has suffered a ‘catastrophic’ attack after a hacker breached its systems and wiped out all of the data it was storing on its US-based servers. According to VFEmail, it actually spotted the hacker as they were trying to cause even more damage - formatting other mail servers run by the company in the Netherlands. US-based users are currently being urged not to try to connect their email clients to VFEmail’s servers, for fear that they might accidentally wipe out the only remaining copy of their email archive on their own computers.

Source: https://www.grahamcluley.com/vfemail-suffers-catastrophic-attack-as-hacker-wipes-email-services-primary-and-backup-data/

Supply Chain Attacks Spiked 78 Percent in 2018, Cyber Researchers Found - Hackers are shifting their tactics away from traditional phishing and ransomware attacks, and moving toward stealthier intrusions via websites and the software supply chain, according to a recent report. In its annual report on internet security threats, the cybersecurity firm Symantec said online bad actors are increasingly exploiting vulnerabilities in commercial software and operating systems to launch cyberattacks. Supply chain attacks, which use loopholes in third-party services to strike a target, increased 78 percent between 2017 and 2018.

Source: https://www.nextgov.com/cybersecurity/2019/02/supply-chain-attacks-spiked-78-percent-2018-cyber-researchers-found/154996/

Regulatory and Privacy News

Google faces ICO investigation over GDPR violation claims - The Information Commissioner's Office (ICO) is to investigate claims that internet giant Google has violated the EU General Data Protection Regulation (GDPR). It follows a series of complaints filed with the ICO over the company's data collection practices. The company has faced similar complaints and investigations in jurisdictions across the European Union, many of them filed by privacy activists. While Google claimed that it reworked its ‘transparency tools' to better comply with the EU data protection regulation when it came into force in May 2018, it still offers consumers no option to opt out of data collection, other than to close all their accounts and request that their data is deleted.

Source: https://www.computing.co.uk/ctg/news/3070459/google-faces-ico-investigation-over-gdpr-violation-claims

Duke fined $10M for cybersecurity lapses since 2015 - Duke Energy was fined $10 million by the North American Electric Reliability Corporation (NERC) for security violations between 2015 and 2018 regarding critical infrastructure assets, multiple news organizations reported last week. The 127 security violations, including critical cyber assets, were largely self-reported by the utility and caused by lack of managerial oversight, process deficiencies, inadequate training and lack of internal controls. While the safety violations "posed a serious risk to the security and reliability" of the bulk power system, it is not clear if hackers ever gained access to the utility's power system.

Source: https://www.utilitydive.com/news/duke-fined-10m-for-cybersecurity-lapses-since-2015/547528/

European regulators log more than 59K data breaches since GDPR's passage - European regulators have logged more than 59,000 personal data breach notifications since the enactment of GDPR last May, according to a survey by the DLA Piper cybersecurity team. The incidents range from emails sent to the wrong person to cyberattacks that impact millions. The Netherlands, Germany and United Kingdom reported the most data breaches with 15,400, 12,600 and 10,600, respectively. The law firm found that regulators have handed down 91 fines under GDPR, though not all related to data breaches.

Source: https://www.ciodive.com/news/european-regulators-log-more-than-59k-data-breaches-since-gdprs-passage/548009/

Social Engineering

Employees report 23,000 phishing incidents annually, costing $4.3 million to investigate - In a survey of more than 300 businesses in the U.S. and U.K., Agari determined that employees at the average company report 23,053 phishing incident reports per year—yet 50 percent are false positive reports. Responding to a phishing incident takes an average of 353 minutes (almost six hours); and even false positives take an average of 238 minutes (four hours). All of these reports and hours add up—at a cost of $253 per phishing incident—or more than $4.3 million per year in SOC costs required to triage, investigate and remediate phishing incidents.

Source: https://www.helpnetsecurity.com/2019/02/01/phishing-incidents-investigation/

57% of IT workers who get phished don't change their password behaviors - Despite being part and parcel of computing for decades, everyone—including IT workers—continues to fall short on proper password hygiene, according to a Yubico/Ponemon Institute study released Monday. The report finds that 57% of IT workers who have experienced a phishing attack have not changed their password behaviors, according to a survey of over 1,750 such professionals in the US, UK, Germany and France. Of the respondents who said they did change their password behavior, 47% reported using stronger passwords, 43% reported changing passwords more frequently, and 41% added two/multi-factor authentication when possible, though only 17% reported using unique passwords for every account.

Source: https://www.techrepublic.com/article/57-of-it-workers-who-get-phished-dont-change-their-password-behaviors/

Business Email Compromise Attacks See Almost 500% Increase - Business email compromise (BEC) attacks have seen an explosive 476% growth between Q4 2017 and Q4 2018, while the number of email fraud attempts against companies increased 226% QoQ. BEC attacks use social engineering to target specific company employees, regularly from the firm’s Finance department, and try to persuade them into wiring large sums of money to third-party banking accounts controlled by the attackers. Threat actors do not use malicious URLs or attachments with their BEC campaigns, therefore this type of attack can be a lot harder to spot by the targeted employees, especially when they do not have the training to detect them.

Source: https://www.bleepingcomputer.com/news/security/business-email-compromise-attacks-see-almost-500-percent-increase/

Internal Threats

Symantec’s Annual Threat Report Reveals More Ambitious and Destructive Attacks - This year's report notably reveals formjacking—where infected web servers skim off consumers' payment information—has emerged as the breakthrough threat of 2018. This threat showed explosive growth—and potentially big profits—at the end of the year, ensuring that it's likely to draw plenty of flies in 2019 and beyond. Often using third-party apps to infiltrate websites, formjacking also further illustrates the dangers of supply chain attacks, a growing weakness we first warned of in last year's report. Requiring only a few simple lines of code loaded onto a website, formjacking represents a significant threat to online retailers, or anyone who collects personally identifiable information from their customers via their website.

Source: https://www.symantec.com/blogs/threat-intelligence/istr-24-cyber-security-threat-landscape

Spectre bugs likely to 'haunt us for a long time' as software alone can't fix all of them, warn Google researchers - Software alone can't fix all Spectre bugs, and the CPU manufacturers need to find new microarchitecture designs to eliminate the risks associated with these vulnerabilities, according to a new study by Google security researchers. In the study, Google researchers showed that it is possible to create a universal 'gadget' to exploit the speculative-execution bugs present in multiple CPU families, enabling malicious code running in a thread to read the entire memory in the same address space. Researchers found that despite operating system patches developed to prevent specific Spectre exploits, the underlying threat is always there for an application that interprets attacker-supplied code.

Source: https://www.computing.co.uk/ctg/news/3071231/spectre-bugs-likely-to-haunt-us-for-a-long-time-as-software-alone-cant-fix-all-of-them-warn-google-researchers

8-Character Windows NTLM Passwords Can Be Cracked In Under 2.5 Hours - "Current password cracking benchmarks show that the minimum eight character password, no matter how complex, can be cracked in less than 2.5 hours" using a hardware rig that utilizes eight NVidia GTX 2080Ti GPUs, explained a hacker who goes by the pseudonym Tinker on Twitter. "The eight character password is dead." From the report: It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory.

Source: https://blog.knowbe4.com/8-character-windows-ntlm-passwords-can-be-cracked-in-under-2.5-hours

Web / Internet Threats

Remote Access Credentials Are the Latest Malware Attack Target - The latest iteration of the notable banking trojan Trickbot now includes a password-grabbing module designed to provide cybercriminals with remote access to internal systems. One of the goals of any attacker intent on moving laterally within your network is to first gain access to an endpoint. A new variant of Trickbot is making this easier for cybercriminals by automatically grabbing credentials from three well-known remote access solutions. It should be noted this is an update to the password grabber that has been seen in the wild in Trickbot, which has been known to grab passwords from Microsoft Outlook and a slew of popular web browsers.

Source: https://blog.knowbe4.com/remote-access-credentials-are-the-latest-malware-attack-target

Flaws in Popular RDP Clients Allow Malicious Servers to Reverse Hack PCs - You've always been warned not to share remote access to your computer with any untrusted people for many reasons—it's basic cyber security advice, and common sense, right? But what if I said you should not even trust anyone who invites or offers you full remote access to their computers? Security researchers at cybersecurity firm Check Point have discovered more than two dozen vulnerabilities in both open-source RDP clients and Microsoft's own proprietary client that could allow a malicious RDP server to compromise a client computer, in reverse.

Source: https://thehackernews.com/2019/02/remote-desktop-hacking.html

Windows Servers Vulnerable to IIS Resource Exhaustion DoS Attacks - Microsoft published a security advisory on its Security Response Center which discloses that Windows Server and Windows 10 servers running Internet Information Services (IIS) are vulnerable to denial of service (DoS) attacks. To be more exact, all IIS servers running Windows Server 2016, Windows Server Version 1709, Windows Server Version 1803, as well as Windows 10 (versions 1607, 1703, 1709, and 1803) are affected by this DoS issue. The vulnerability described in Microsoft's ADV190005 security advisory makes it possible for a potential remote attacker to trigger a DoS condition by taking advantage of an IIS resource exhaustion bug that "could temporarily cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS."

Source: https://www.bleepingcomputer.com/news/security/windows-servers-vulnerable-to-iis-resource-exhaustion-dos-attacks/

Data Breach

Wendy’s to pay $50M in data breach settlement - Wendy’s has agreed to pay $50 million to settle negligence claims following its 2015-2016 data breach that affected more than 1,000 of the burger chain’s locations. Payment card data was stolen from victims who purchased food at these locations, then used fraudulently at other merchants, after malware was installed through a third-party vendor. The settlement includes attorney’s fees and costs. Wendy’s said it would end up paying roughly $27.5 million of its own funds after exhausting insurance, according to the press release.

Source: https://www.scmagazine.com/home/security-news/wendys-has-agreed-to-pay-50-million-to-settle-negligence-claims-following-its-2015-2016-data-breach-that-affected-more-than-1000-of-the-burger-chains-locations/

Palisades Park officials say nearly $500,000 is missing from its accounts in bank breach - Officials in Palisades Park were notified last week that nearly half a million dollars had been drained from its accounts at Mariner's Bank, the borough's mayor and business administrator said Wednesday. Mariner's Bank, which is based in Edgewater and has seven locations in Bergen County, told the officials that $460,000 was missing from the borough's accounts as a result of a fraudulent wire transfer, said Dave Lorenzo, the borough administrator.

Source: https://www.northjersey.com/story/news/bergen/palisades-park/2019/01/30/palisades-park-nj-officials-nearly-500-000-missing-bank-breach/2726275002/

Power Company Has Security Breach Due to Downloaded Game - South African energy supplier Eskom Group has been hit with a double security breach consisting of an unsecured database containing customer information and a corporate computer infected with the Azorult information-stealing Trojan. According to Eskom's web site, they are an energy company based out of Johannesburg in South Africa that supplies 95% of the electricity used in South Africa and approximately 45% of the electricity used in Africa. Based on information provided to BleepingComputer, these breaches exposed Eskom's network credentials, customer information, redacted customer credit card information, and sensitive business information.

Source: https://www.bleepingcomputer.com/news/security/power-company-has-security-breach-due-to-downloaded-game/

Vulnerabilities and Indicators of Compromise

• Weekly Vulnerability Summary from US-CERT

• Talos Threat Roundup: (1) (2) (3) (4)

• GandCrab Ransomware Helps Shady Data Recovery Firms Hide Ransom Costs

• ExileRAT shares C2 with LuckyCat, targets Tibet

• Flaw in SS7 Lets Attackers Empty Bank Accounts

• Hacker talks to baby through Nest security cam, jacks up thermostat

• APT 32/OCEANLOTUS – Sample:D592B06F9D112C8650091166C19EA05A

• Remote Hardware Takeover via Vulnerable Admin Software

• Info-Stealing FormBook Returns in New Campaign

• Many popular iPhone apps secretly record your screen without asking

• DanaBot updated with new C&C communication

• "Lucky Draw" Smishing Campaign Asks Money to Deliver Car Prize

• APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign

• The Muncy malware is on the rise

• Breach at PoS Firm Hits Hundreds of U.S. Restaurants, Hotels

• Ransomware attack on MSPs exploits popular PSA/RMM Tool

• New macOS Malware Variant of Shlayer (OSX) Discovered

• Siemens Warns of Critical Remote-Code Execution ICS Flaw

• New Unpatched macOS Flaw Lets Apps Spy On Your Safari Browsing History

• New Offensive USB Cable Allows Remote Attacks over WiFi

• Malspam Exploits WinRAR ACE Vulnerability to Install a Backdoor

• Hackers Can Plant Backdoors on Bare Metal Cloud Servers: Researchers

• New browser attack lets hackers run bad code even after users leave a web page

• ICANN warns of large-scale attacks on Internet infrastructure

• Exploit Code Published for Recent Container Escape Vulnerability

• Tor traffic from individual Android apps detected with 97 percent accuracy

“For every lock, there is someone out there trying to pick it or break in” - David Bernstein

Infographic of the Month

Anatomy of a Typical Business Email Compromise (BEC) Attack

Source: https://www.helpnetsecurity.com/2018/02/22/bec-scammers-target-fortune-500/

Recommended Actions to Take

➢ Review the vulnerabilities and determine if any actions need to take place

➢ Inform staff as needed about new phishing and social engineering campaigns

➢ Audit your firewalls, routers, switches and wireless networks annually

➢ Ensure that you have protections in place for mobile users

➢ Update the firmware on your routers as necessary

➢ Investigate blocking IP blocks from countries your institution does not do business with as an additional form of protection

➢ Ensure that your SIEM can detect when PowerShell scripts are running and alert you accordingly

➢ Keep systems patched and up to date

➢ Consider the implementation of annual threat hunting exercises
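The PowerShell detection recommended above, as an added example that is not part of the newsletter: it scans a constructed JSON-lines export of Windows Security event 4688 (process creation) and PowerShell event 4104 (script block logging), flags PowerShell launches, raises severity for encoded command lines and decodes them for the analyst. The field names follow the Windows event schema, but the export format itself and the sample hosts and users are assumptions.

```python
"""Added example (not the newsletter's own material): turn Windows 4688 and
4104 events into SIEM-style alerts for PowerShell execution."""
import base64
import binascii
import json
import ntpath
import re
from typing import Dict, Iterable, List, Optional

PS_BINARIES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# powershell.exe accepts -EncodedCommand by any prefix (-e, -enc, ...) and also
# -ec, so match all of them rather than only the full switch name.
_PREFIXES = ["ec"] + ["encodedcommand"[:i] for i in range(1, 15)]
ENCODED_FLAG = re.compile(r"(?<!\S)-(?:" + "|".join(_PREFIXES) + r")\s+(\S+)",
                          re.IGNORECASE)


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries base64 of a UTF-16LE string; return it or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def inspect_event(event: Dict) -> Optional[Dict]:
    """Return an alert for PowerShell activity in one parsed event, else None."""
    if event.get("EventID") == 4688:
        # Process creation. CommandLine is only populated when the audit policy
        # "Include command line in process creation events" is enabled.
        exe = ntpath.basename(event.get("NewProcessName", "")).lower()
        if exe not in PS_BINARIES:
            return None
        cmd = event.get("CommandLine", "")
        alert = {"rule": "powershell_process", "host": event.get("Computer"),
                 "user": event.get("SubjectUserName"), "command": cmd,
                 "severity": "low"}
        match = ENCODED_FLAG.search(cmd)
        if match:  # encoded payloads hide intent from the command line, escalate
            alert["severity"] = "high"
            alert["decoded"] = decode_encoded_command(match.group(1))
        return alert
    if event.get("EventID") == 4104:
        # Script Block Logging records the script text already decoded, which is
        # why it is worth enabling alongside 4688.
        return {"rule": "powershell_scriptblock", "host": event.get("Computer"),
                "user": event.get("SubjectUserName"),
                "command": event.get("ScriptBlockText", "")[:200],
                "severity": "medium"}
    return None


def scan_events(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines events and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = inspect_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (hosts, users and paths are made up). The encoded
# command is generated here from a harmless script so the base64 is correct.
ENCODED_SCRIPT = r"Get-Process | Out-File C:\temp\procs.txt"
ENCODED_BLOB = base64.b64encode(ENCODED_SCRIPT.encode("utf-16le")).decode()
_PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": _PS_PATH,
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "svc-build",
     "NewProcessName": _PS_PATH,
     "CommandLine": "powershell.exe -NoProfile -enc " + ENCODED_BLOB},
    {"EventID": 4104, "Computer": "WS02", "SubjectUserName": "svc-build",
     "ScriptBlockText": ENCODED_SCRIPT},
]] + ["not json at all"]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(a)
```

The sample run yields three alerts: a low-severity PowerShell launch, a high-severity encoded launch with the decoded script attached, and the matching 4104 script block.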

Contact Us

Accume Partners
12 East 49th Street – 5th Floor, New York, NY 10017
P: 888-696-1515
E: [email protected]
www.accumepartners.com

Gabrielle Bass, Executive Coordinator
516-456-2028
[email protected]

Trusted Advisor | Specialized Resources: Big 4, Industry | Cost-Effective | Agile