
Accume Partners is a trusted advisor that serves clients by delivering integrated Risk, Regulatory, and Cybersecurity solutions to help manage uncertainty and drive business value.

March 20th, 2019

Bob Gaines, Director, Cybersecurity & Privacy
425-518-1914
[email protected]

ABOUT ACCUME PARTNERS

Accume Partners is a trusted advisor that serves clients by delivering integrated Risk, Regulatory, and Cybersecurity solutions to help manage uncertainty and drive business value.

May 16th, 2019


www.accumepartners.com


Table of Contents

ACCUMULATE KNOWLEDGE, VALUE, RESOURCES

Perspective: State of the Marketplace 03

1. Security News 04

2. Regulatory and Privacy News 06

3. Social Engineering 08

4. Internal Threats 10

5. Web / Internet Threats 12

6. Data Breach 14

Data Leakage Detection 16

Tools of the Month 18

Recommended Actions to take 19

Contact Us 20

Perspective: State of the Marketplace

Dropbox disclosed that 264 vulnerabilities were found during a live bug-hunting event it sponsored specifically to find and remediate security flaws in its own products. Fortunately the company was paying for the findings rather than learning of them from an attacker. The number should make anyone running a vendor-management program pay attention: what other web services does your company depend on, and how secure are they really?

In a related story, half of cyber-attacks involve the supply chain. This kind of supply chain attack can happen in several different ways. Most common is a network-based attack which sometimes occurs via a compromised managed security services provider (MSSP). However, watering hole attacks on partner sites are also popular. A relatively new tactic highlighted by Carbon Black is the “reverse BEC” in which attackers compromise the mail server of an organization and use this to spread fileless malware attacks to trusted partners.

In an excellent example of why physical security matters, an article this month describes a man who wandered onto the campus of the College of Saint Rose in Albany, New York. He had been a student in 2017, but had graduated and no longer had permission to be on campus. He walked the campus plugging a "USB Killer" device into 59 Windows PCs, seven iMacs and multiple peripherals, destroying them. This is an expensive reminder that a motivated individual can cause a lot of harm if they want to, and that an exposed USB port is part of your physical attack surface. Make sure that you have physical security controls in place, including prompt removal of access for departed staff and students, to prevent rogue (or terminated) employees from doing something similar.

A lot of stories are making the rounds about attackers bypassing multi-factor authentication to get into mail servers and other web-based applications. It is important to put this into context. In the cases Proofpoint studied (see Web / Internet Threats below), the bypass worked because of a configuration or architecture element that cannot challenge for a second factor: legacy email protocols, chiefly IMAP, which was the most commonly abused legacy protocol in their data. IMAP itself is a mailbox-access protocol, not an authentication protocol; the weakness is that IMAP clients log in with basic (username and password) authentication, so a valid password alone, typically taken from a credential dump or a password-spraying run, is enough, and service accounts and shared mailboxes that were never enrolled in MFA are the usual victims. MFA is not being broken; it is being routed around where it was never enforced. Be prepared, but ensure that you are not falling for the hype.

~Stay Secure

Security News

71% of Ransomware Attacks Targeted Small Businesses in 2018 - About 70 percent of ransomware attacks in 2018 targeted small businesses, with an average ransom demand of $116,000, according to a recent report from Beazley Breach Response Services. Beazley researchers analyzed 3,300 ransomware attacks against their clients last year and found the highest ransom demand was $8.5 million. The highest demand paid by one of their clients was $935,000. The healthcare sector was the hardest hit by ransomware, according to the report. And small to medium sized organizations were primary targets, as they typically spend less on security than their larger counterparts.

Source: https://healthitsecurity.com/news/71-of-ransomware-attacks-targeted-small-businesses-in-2018

South-east Asian banks most used to receive funds from fraudulent transactions: SWIFT - Hackers used South-east Asian banks to receive funds from 83 per cent of all studied fraudulent transactions in 2018 and 2019, according to global payments network SWIFT. The remaining 17 per cent were spread across Europe, North America and the Middle East, SWIFT said in a recent report. Called beneficiary or “mule” accounts, these bank accounts are typically used by hackers to materialise funds extracted from financial systems. South-east Asian financial institutions were also named as one of the major targets by cyber attackers over the last 15 months, with other regions targeted including Africa, Central Asia and Latin America. In all cases, targeted institutions were banks with smaller cross-border transactions per day.

Source: https://www.businesstimes.com.sg/banking-finance/south-east-asian-banks-most-used-to-receive-funds-from-fraudulent-transactions-swift

Almost a Quarter of Orgs Don’t Run Security Checks on Products - A new study from Outpost24 has discovered that almost one in four (23%) organizations do not carry out any form of security testing on their products before they are launched into the market. The cyber-assessment firm surveyed 121 security professionals at RSA Conference 2019, unearthing a worrying trend whereby application security appears to be taking a back seat in a number of product-producing companies. In fact, Outpost24 found that 31% of respondents admitted that their organization had knowingly marketed a product with security vulnerabilities just to beat competition, and that 44% of organizations do not introduce security into the app development cycle from the beginning. Only 56% of respondents were sure their company carried out security testing on products before going to market.

Source: https://www.infosecurity-magazine.com/news/quarter-orgs-security-checks-1-1-1-1/

Regulatory and Privacy News

Giovanni Buttarelli on state of GDPR adoption: ‘Even ticking a box does not necessarily mean consent is freely given’ - It’s been a year since the roll-out of the General Data Protection Regulation, yet big questions still linger around what the right consent strategy looks like, if legitimate interest is enough to cover a business and whether more fines are coming. Digiday spoke to Giovanni Buttarelli, European data protection supervisor, to hear whether media and advertising businesses have done enough to comply.

Source: https://digiday.com/media/european-commissions-giovanni-buttarelli-state-gdpr-adoption-even-ticking-box-not-necessarily-mean-consent-freely-given/

Office Depot fined millions for tricking customers into believing their PCs were infected with malware - Since at least 2012, consumers have complained that Office Depot and its partner Support.com used the PC Health Check tune-up service to trick people into buying unnecessary computer repair and technical services. In 2016, an undercover TV news team took freshly purchased computers, never connected to the internet and verified as malware-free by security experts, to Office Depot, which determined that the computers required up to $180 worth of repairs due to malware infections.

Source: https://hotforsecurity.bitdefender.com/blog/office-depot-fined-millions-for-tricking-customers-into-believing-their-pcs-were-infected-with-malware-21021.html

Elizabeth Warren proposes holding execs criminally liable for scams and data breaches - A new bill from Senator Elizabeth Warren proposes personal, criminal liability for top executives of companies turning over more than $1B/year when those companies experience data breaches and scams due to negligence (many of the recent high-profile breaches would qualify, including the Equifax giga-breach, as well as many of Wells Fargo's string of scams and scandals).

Source: https://boingboing.net/2019/04/03/the-buck-stops-here.html

Chrome, Safari and Opera criticised for removing privacy setting - It's a browser feature few users will have heard of, but forthcoming versions of Chrome, Safari and Opera are removing the ability to disable a long-ignored tracking feature called hyperlink auditing pings. This is a long-established HTML feature set as an attribute, "ping", on a link; it lets website owners or advertisers record what users click on. When a user follows a link carrying the attribute, the browser sends an HTTP POST to the URL (or URLs) named in the ping attribute, recording the interaction without revealing to the user that this has happened. It is only one of several ways users can be tracked, of course, but it has long bothered privacy experts, which is why third-party adblockers often block it by default.

Source: https://nakedsecurity.sophos.com/2019/04/09/chrome-safari-and-opera-criticised-for-removing-privacy-setting/
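The ping mechanism described above, as an added example that is not part of the original newsletter or the cited article: a short Python script that lists every link on a page carrying a ping attribute and separates the ping targets that go to a different host from the page itself (the ones an adblocker would normally block) from first-party ones. The page URL, host names and HTML are constructed for the example; run it against your own site's pages to see what your links report and to whom.

```python
"""List hyperlink-auditing pings in an HTML page (added example).

An <a ping="..."> attribute holds one or more space-separated URLs; when the
link is followed the browser sends an HTTP POST to each of them with no
visible sign to the user.  The HTML and URLs below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin


class PingCollector(HTMLParser):
    """Collect (href, [ping urls]) for every <a> or <area> with a ping attribute."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attrs = dict(attrs)
        if not attrs.get("ping"):
            return
        # Resolve relative hrefs and ping URLs against the page URL, as a browser would.
        href = urljoin(self.base_url, attrs.get("href", ""))
        pings = [urljoin(self.base_url, p) for p in attrs["ping"].split()]
        self.links.append((href, pings))


def find_ping_links(html, base_url):
    """Every link in the page that carries a ping attribute."""
    parser = PingCollector(base_url)
    parser.feed(html)
    return parser.links


def third_party_pings(html, base_url):
    """Ping targets whose host differs from the page's own host."""
    page_host = urlsplit(base_url).hostname
    return sorted({p for _, pings in find_ping_links(html, base_url)
                   for p in pings if urlsplit(p).hostname != page_host})


# Constructed page: one plain link, one link pinging its own site, one link
# pinging both its own site and an advertising host.
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a>
<a href="/pricing" ping="/track/click">Pricing</a>
<a href="https://partner.example/offer"
   ping="/track/click https://ads.tracker.example/p?id=42">Offer</a>
</body></html>
"""

if __name__ == "__main__":
    base = "https://shop.example/"
    for href, pings in find_ping_links(SAMPLE_HTML, base):
        print(href, "->", pings)
    print("third-party:", third_party_pings(SAMPLE_HTML, base))
```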

Social Engineering

These Employees Are Most Likely to Be in Cybercriminals' Crosshairs - Lower-level workers and contributors are the employees most at risk for cyberattacks, according to digital marketing agency Reboot. To understand who is most at risk, Reboot checked enterprise security firm Proofpoint's latest quarterly analysis of highly-targeted cyberattacks. They found that 67 percent of all highly-targeted attacks are carried out against "lower-level employees" such as customer service representatives. "However, given that upper management accounts for a smaller proportion of businesses, it suggests that those in C-level positions, directors, and department managers may be targeted disproportionately more often," Reboot wrote in a news release. Interestingly, nearly 20 percent of all phishing and malware attacks target employees in public relations, marketing, and human resource positions, Reboot found.

Source: https://www.pcmag.com/news/367368/these-employees-are-most-likely-to-be-in-cybercriminals-cro

Over 80% of All Phishing Attacks Targeted U.S. Organizations - U.S. entities remained the most attractive targets of phishing attacks throughout 2018, with an estimated 84% of the total volume of millions of incidents analyzed during the last year by threat intelligence company PhishLabs. "After being displaced by email/online services in 2017, financial institutions are back on top as the single most targeted industry. While the financial industry’s share of global volume has fluctuated each year, the volume of attacks has consistently risen," says the report.

Source: https://www.bleepingcomputer.com/news/security/over-80-percent-of-all-phishing-attacks-targeted-us-organizations/

BEC Scam Gang London Blue Evolves Tactics, Targets - Prolific business email compromise group London Blue has been spotted in a recent campaign that demonstrates the group’s evolved tactics and improved targeting via an updated database. London Blue has been around since 2011 – but researchers spotted the business email compromise (BEC) group again in January in a fresh campaign, now using new tactics, including trickier, less traditional scams in their emails and spoofing target domains; as well as focusing on new targets in Asia.

Source: https://threatpost.com/bec-scam-gang-london-blue-evolves-tactics-targets/143440/

90% of large tech companies vulnerable to email spoofing - Businesses and consumers see more than 1.2 million phishing attacks each year. Widely-accepted open standards exist for authenticating email and preventing phishers from spoofing domains with fake emails, but a majority of companies across industries have not made full use of them. The vast majority—90%—of large tech companies remain unprotected from impersonation attacks, the report found.

Source: https://www.techrepublic.com/article/90-of-large-tech-companies-vulnerable-to-email-spoofing/
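The open standards the report refers to are SPF and DMARC (together with DKIM), and the usual reason they do not protect a domain is not that they are absent but that they are published at a setting that only monitors. The following is an added example, not from the newsletter or any of the cited reports: a Python check of SPF and DMARC record strength. It works on TXT records you pass in; the domain names, addresses and records here are constructed, and in practice you would fetch the domain's TXT record and the _dmarc.<domain> TXT record from DNS. It also gives a concrete test for the "ensure that you have DMARC implemented" item on the Recommended Actions page.

```python
"""Offline check of SPF and DMARC policy strength (added example).

The TXT records below are constructed; in production fetch <domain> TXT and
_dmarc.<domain> TXT from DNS and pass them to assess().
"""
import re

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Split a v=spf1 record into its mechanisms and the qualifier on 'all'."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in txt.split()[1:]:
        qualifier = "+"                      # '+' (pass) is the implicit default
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    if not txt or not txt.lower().replace(" ", "").startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means spoofed mail is rejected."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append(f"{domain}: no SPF record, any host may send as this domain")
    else:
        if spf["all"] is None:
            findings.append(f"{domain}: SPF has no 'all' term, unlisted senders get a neutral result")
        elif spf["all"] in "+?":
            findings.append(f"{domain}: SPF ends in {spf['all']}all, unlisted senders pass")
        elif spf["all"] == "~":
            findings.append(f"{domain}: SPF uses ~all (softfail), receivers may still deliver spoofed mail")
        lookups = sum(1 for _, m in spf["mechanisms"]
                      if re.split(r"[:=/]", m, 1)[0].lower() in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"{domain}: SPF needs {lookups} DNS lookups (limit 10), evaluates to permerror")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append(f"{domain}: no DMARC record, SPF/DKIM results are never enforced")
    else:
        policy = dmarc.get("p", "")
        if policy == "none":
            findings.append(f"{domain}: DMARC p=none, failures are only reported")
        elif policy == "quarantine":
            findings.append(f"{domain}: DMARC p=quarantine, spoofed mail lands in spam rather than being rejected")
        elif policy != "reject":
            findings.append(f"{domain}: DMARC policy '{policy}' is missing or invalid")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"{domain}: DMARC pct={dmarc['pct']}, policy applies to only part of failing mail")
        if "rua" not in dmarc:
            findings.append(f"{domain}: no rua= address, you receive no aggregate reports")
    return findings


# Constructed records for the example; these are not real DNS answers.
SAMPLE_RECORDS = {
    "weak.example": ("v=spf1 include:_spf.mail.example ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "strong.example": ("v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
                       "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"),
    "bare.example": (None, None),
}

if __name__ == "__main__":
    for name, (spf_txt, dmarc_txt) in SAMPLE_RECORDS.items():
        for line in assess(name, spf_txt, dmarc_txt) or [f"{name}: SPF and DMARC enforce rejection"]:
            print(line)
```

A domain that comes back clean here still needs DKIM signing on every legitimate sending service, otherwise moving to p=reject will bounce your own mail; the usual path is p=none with reports, then p=quarantine, then p=reject.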

Internal Threats

61% of CIOs believe employees leak data maliciously - There is a perception gap between IT leaders and employees over the likelihood of insider breaches. It is a major challenge for businesses: insider data breaches are viewed as frequent and damaging occurrences, of concern to 95% of IT leaders, yet the vectors for those breaches – employees – are either unaware of, or unwilling to admit, their responsibility.

Source: https://www.helpnetsecurity.com/2019/03/27/employees-leak-data-maliciously/

Half of Cyber-Attacks Involve the Supply Chain - Half of cyber-attacks today use so-called “island hopping” techniques to infect a supply chain partner en route to a higher value target, according to a new report from Carbon Black. The security vendor’s Quarterly Incident Response Threat Report features qualitative and quantitative input from 40 Carbon Black incident response partners. It revealed the financial sector (47%) as most likely to encounter island hopping, followed by manufacturing (42%) and retail (32%). The largest number of respondents (44%) cited a lack of visibility as their key barrier to combating such attacks, up from just 10% in the previous quarter.

Source: https://www.infosecurity-magazine.com/news/half-of-cyberattacks-involve-1-1/

Most IT Bosses Hold Off Critical Patches To Keep Business Operational – Study - New research from endpoint security specialist Tanium has revealed the worrying security compromises that most IT bosses make to keep business systems operational. The ‘Resilience Gap Study’ from Tanium found that the vast majority of IT teams opt to hold off installing important security updates or patches. This is despite repeated advice from security experts that consumers and businesses need to apply fixes and patches to their systems and devices as soon as possible.

Source: https://www.silicon.co.uk/security/cyberwar/most-it-bosses-hold-off-critical-patches-to-keep-business-operational-study-243679

Man fried over 50 college computers with weaponized USB stick - On Valentine’s Day, February 14th, 2019, Vishwanath Akuthota walked around the campus of the College of Saint Rose in Albany, New York, plugging a USB stick into 59 Windows PCs and seven Apple iMacs owned by the college. The former student also plugged his device into the USB ports of multiple other devices, including monitors and digital podiums. Akuthota’s intention wasn’t to steal data from the computers, as you might expect, or to plant malware. What he held in his hand was a “USB Killer,” a device that rapidly draws charge from a USB port and then discharges a high voltage (around -200 volts) back through the signal lines, overloading and destroying the hardware: $58,000 worth of college equipment in this case.

Source: https://www.tripwire.com/state-of-security/security-data-protection/man-fried-over-50-college-computers-with-weaponized-usb-stick/

Web / Internet Threats

Internet Explorer exploit lets hackers steal your data even if you never use it - Finally stopped using Internet Explorer? Good. But now it may be time to remove it from your computer too. Security researcher John Page has disclosed a flaw that lets attackers steal Windows users’ data through Internet Explorer without the victim ever opening the now-obsolete browser: Windows hands .MHT web-archive files to Internet Explorer by default, so a user only needs to open a crafted file for the browser to process it. “Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally,” writes Page. “This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.”

Source: https://mashable.com/article/internet-explorer-hacker-windows-pc-exploit/
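An .MHT file is a MIME multipart bundle, the same format as an e-mail with attachments, so it can be inspected with ordinary mail-parsing tools before anyone opens it. The following is an added example, not part of the newsletter or the researcher's published proof of concept: a Python scanner that walks every part of an MHT archive and reports XML external entity declarations (SYSTEM or PUBLIC), which is the generic XXE indicator behind the flaw described above. The archive it scans is constructed for the example; the detector does not reproduce the actual exploit file.

```python
"""Flag MHT/MHTML archives that declare XML external entities (added example).

The archive below is constructed: a harmless HTML part plus an XML part whose
DOCTYPE tries to pull a local file in through an external entity.
"""
import email
import re
from email import policy

# <!ENTITY name SYSTEM "uri"> or <!ENTITY % name PUBLIC "id" "uri">
EXTERNAL_ENTITY = re.compile(
    r"<!ENTITY\s+(%\s*)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+"
    r"(?P<rest>[^>]*)>", re.IGNORECASE)


def external_entities(text):
    """Return [(entity name, kind, target uri)] for every external entity declared."""
    found = []
    for m in EXTERNAL_ENTITY.finditer(text):
        # The system identifier (the URI) is the last quoted string in the declaration.
        uris = re.findall(r'["\']([^"\']*)["\']', m.group("rest"))
        found.append((m.group("name"), m.group("kind").upper(), uris[-1] if uris else ""))
    return found


def scan_mht(raw_bytes):
    """Return one finding per MIME part that declares an external entity."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for name, kind, uri in external_entities(text):
            findings.append({
                "part": part.get("Content-Location", "(no Content-Location)"),
                "content_type": part.get_content_type(),
                "entity": name, "kind": kind, "target": uri,
            })
    return findings


SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Example_Boundary"

------=_Example_Boundary
Content-Type: text/html; charset="utf-8"
Content-Location: file:///C:/Users/victim/page.html

<html><body><p>Quarterly report</p></body></html>

------=_Example_Boundary
Content-Type: text/xml; charset="utf-8"
Content-Location: file:///C:/Users/victim/data.xml

<?xml version="1.0"?>
<!DOCTYPE report [ <!ENTITY leak SYSTEM "file:///C:/Windows/system.ini"> ]>
<report>&leak;</report>

------=_Example_Boundary--
"""

if __name__ == "__main__":
    for f in scan_mht(SAMPLE_MHT):
        print(f"{f['part']} ({f['content_type']}): entity {f['entity']} "
              f"{f['kind']} -> {f['target']}")
```

Any hit is reason to quarantine the file: a legitimate web archive has no business declaring entities that read from file:// or call out to a remote DTD.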

Threat actors leverage credential dumps, phishing, and legacy email protocols to bypass MFA and breach cloud accounts worldwide - In a recent six-month study of major cloud service tenants, Proofpoint researchers observed massive attacks leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute force account compromises at scale. Attacks against Office 365 and G Suite cloud accounts using IMAP may be difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable. At the same time, targeted, intelligent brute force attacks brought a new approach to traditional password-spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts. Moreover, sophisticated phishing campaigns tricked recipients into revealing authentication credentials, providing attackers with additional avenues into corporate accounts.

Source: https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols
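Before you can act on this (or on the "remove IMAP support" item on the Recommended Actions page) you need to know which accounts are still signing in over legacy protocols and whether any of them are already being sprayed. The following is an added example, not from the newsletter or the Proofpoint report: a Python script that inventories legacy-protocol sign-ins per user from identity-provider sign-in events and flags source IPs that failed against several accounts and then succeeded on one. The events are constructed and modelled on the field names of an Azure AD sign-in log export (userPrincipalName, ipAddress, clientAppUsed, status.errorCode); adjust the field names and the client-app values for your own provider.

```python
"""Inventory legacy-protocol sign-ins and spot password spraying (added example).

The events below are constructed, modelled on Azure AD sign-in export fields.
errorCode 0 is success; 50126 is "invalid username or password".
"""
from collections import defaultdict

# Client types that log in with a plain password and cannot be challenged for
# a second factor.  Extend for your provider's naming.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

# Constructed sample: one legitimate IMAP user, one IP that fails against three
# people and then succeeds on a service mailbox, and one ordinary browser login.
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@corp.example", "ipAddress": "198.51.100.7",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@corp.example", "ipAddress": "203.0.113.9",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@corp.example", "ipAddress": "203.0.113.9",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@corp.example", "ipAddress": "203.0.113.9",
     "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
    {"userPrincipalName": "svc-scanner@corp.example", "ipAddress": "203.0.113.9",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "erin@corp.example", "ipAddress": "198.51.100.20",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
]


def is_legacy(event):
    return event.get("clientAppUsed") in LEGACY_CLIENT_APPS


def succeeded(event):
    return event.get("status", {}).get("errorCode", 0) == 0


def legacy_auth_inventory(events):
    """Per user: legacy-protocol sign-in attempts, successes and source IPs.

    This is the list to work through before basic auth is switched off: every
    user on it will either break or is already being abused.
    """
    inventory = defaultdict(lambda: {"attempts": 0, "successes": 0, "ips": set()})
    for e in filter(is_legacy, events):
        row = inventory[e["userPrincipalName"]]
        row["attempts"] += 1
        row["successes"] += succeeded(e)
        row["ips"].add(e["ipAddress"])
    return dict(inventory)


def spray_sources(events, min_users=3):
    """IPs whose legacy-protocol failures hit at least min_users distinct accounts."""
    failed_users = defaultdict(set)
    for e in filter(is_legacy, events):
        if not succeeded(e):
            failed_users[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip for ip, users in failed_users.items() if len(users) >= min_users}


def likely_compromised(events, min_users=3):
    """Accounts with a successful legacy sign-in from an IP that was spraying."""
    sprayers = spray_sources(events, min_users)
    return {e["userPrincipalName"] for e in events
            if is_legacy(e) and succeeded(e) and e["ipAddress"] in sprayers}


if __name__ == "__main__":
    for user, row in sorted(legacy_auth_inventory(SAMPLE_EVENTS).items()):
        print(f"{user}: {row['successes']}/{row['attempts']} legacy sign-ins from {sorted(row['ips'])}")
    print("spray sources:", spray_sources(SAMPLE_EVENTS))
    print("likely compromised:", likely_compromised(SAMPLE_EVENTS))
```

Once the inventory is empty (or the remaining users have been moved to a modern client), disable the protocols rather than relying on MFA alone; in Exchange Online that is Set-CASMailbox with -ImapEnabled $false and -PopEnabled $false per mailbox, backed by a tenant policy that blocks basic authentication.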

Gustuff Android Malware Targets 100+ Banking and 32 Cryptocurrency Apps - A previously unreported advanced banking trojan named Gustuff can steal funds from accounts at over 100 banks across the world and rob users of 32 cryptocurrency Android apps. The malware includes code to target top international banks such as Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, and PNC Bank. The malware relies on a relatively rare tactic to access and automatically change text fields in targeted apps. On compromised devices, Gustuff uses Android Accessibility services to interact with screens from other apps.

Source: https://www.bleepingcomputer.com/news/security/gustuff-android-malware-targets-100-banking-and-32-cryptocurrency-apps/

Data Breach

Third-Party Vendors Behind 20% of Healthcare Data Breaches in 2018 - Third-party vendors working with healthcare provider organizations accounted for more than 20 percent of breaches in the healthcare sector last year, according to a new CynergisTek report. In fact, vendors are responsible for some of the largest health data breaches to date. The researchers noted that the risk is rapidly increasing, as many providers don’t proactively assess their vendors’ security before the contracting process, or at the onset of services.

Source: https://healthitsecurity.com/news/third-party-vendors-behind-20-of-healthcare-data-breaches-in-2018

Microsoft Reveals Email Breach, Says Hackers Accessed User Data - In an email sent to impacted users and obtained by TechCrunch, Microsoft explains that a malicious actor managed to compromise the credentials of a Microsoft support agent. This allowed individuals not working for Microsoft to access information stored in Microsoft email accounts (@outlook.com, @hotmail.com, @msn.com), and according to the cited source, businesses weren’t affected.

Source: https://news.softpedia.com/news/microsoft-reveals-email-breach-says-hackers-accessed-user-data-525664.shtml

Over 100 Million JustDial Users' Personal Data Found Exposed On the Internet - An unprotected database belonging to JustDial, India's largest local search service, was leaking in real time the personally identifiable information of every customer who accessed the service via its website, mobile app, or even by calling its "88888 88888" customer care number, The Hacker News learned and independently verified. The leaked data includes JustDial users' name, email, mobile number, address, gender, date of birth, photo, occupation and company name, basically whatever profile information a customer ever provided to the company. Though the unprotected APIs have existed since at least mid-2015, it is not clear whether anyone has misused them to gather personal information on JustDial users.

Source: https://thehackernews.com/2019/04/justdial-hacked-data-breach.html

Verity Reports Third Data Breach Caused by Employee Email Hack - Verity Health System and its Medical Foundation are again notifying patients of a potential data breach, after a third hack on its employee email system. The latest security incident occurred on January 16, just two weeks before Verity officials announced the prior email compromise. Officials said the Microsoft 365 web email account of one employee was compromised for several hours. During the incident, the hacker sent emails to a wide range of internal and external accounts without authorization. Those emails contained malicious links. Officials said it appears the hacker was attempting to obtain user names and passwords from email recipients, much like the initial two hacks.

Source: https://healthitsecurity.com/news/verity-reports-third-data-breach-caused-by-employee-email-hack

Data Leakage Detection

Vulnerabilities & IOCs

➢ Weekly Vulnerability Summary from US-CERT

➢ Talos Threat Roundup: (1) (2) (3) (4)

➢ A One Two Punch Emotet Trickbot and Ryuk Steal Then Ransom Data

➢ vxCrypter Is the First Ransomware to Delete Duplicate Files

➢ Malware Actors Using New File Hosting Service to Launch Attacks

➢ ASUS Admits Its Live Update Utility Was Backdoored by APT Group

➢ Dissecting BokBot’s “Man in the Browser”

➢ Mysterious Hackers Hid Their Swiss Army Spyware for 5 Years

➢ PoC exploit for Carpe Diem Apache bug released

➢ Project TajMahal – a sophisticated new APT framework

➢ Grab-and-go Baldr malware enters the black market

➢ Group-IB report: JS-sniffers infected 2440 websites around the world

➢ Advantech addressed code execution and DoS flaws in WebAccess software

➢ Mimikatz v2.2.0 - A Post-Exploitation Tool to Extract Plaintext Passwords, Hashes and PIN Codes from Memory

➢ Major Bug in EA’s Origin Client Gives Hackers the Keys to Your PC

➢ Oracle security warning: Customers told to patch ASAP to swat 297 bugs

➢ A new variant of HawkEye stealer emerges in the threat landscape

➢ Malvertising Campaign Abused Chrome to Hijack 500 Million iOS User Sessions

➢ Virobot Ransomware Is A Multi-Tasking Menace

➢ ShadowHammer Targets Multiple Companies, ASUS Just One of Them

➢ Hotspot finder app blabs 2 million Wi-Fi network passwords

➢ FINTEAM: Trojanized TeamViewer Against Government Targets

➢ OilRig APT uses Karkoff malware along with DNSpionage in recent attacks

➢ DLL Cryptomix Ransomware Variant Installed Via Remote Desktop

“Practice isn't the thing you do once you're

good. It's the thing you do that makes you

good."

- Malcolm Gladwell

Tools of the Month

Below is a list of free security tools that you and your employees may find very useful:

1. have i been pwned? A searchable website that allows users to find out if their email address has turned up on the almost daily list of security breaches. It provides details around each breach, and some additional information on exposure. https://haveibeenpwned.com/

2. Pwned Passwords. From the makers of “have I been pwned?”, this site helps to determine if your past passwords have been exposed in data breaches. It’s a great reference to check any intended passwords before they are used, as credential stuffing (an attack that uses captured usernames and passwords) is becoming a common (and very successful) attack. https://haveibeenpwned.com/Passwords

3. CheckShortURL. Allows you to retrieve the original URL from a shortened link before clicking on it and visiting the destination. Perfect for ensuring that you don’t fall for a phishing email. http://www.checkshorturl.com/

4. Virustotal. Allows you to upload files or enter in URLs to determine if they are malicious. A great tool for those occasions when you don’t trust the attachment or link in your email. https://www.virustotal.com

5. WiGLE. WiGLE (Wireless Geographic Logging Engine) is an interactive map of wireless access points collected by "wardriving" and uploaded by volunteers; it shows SSIDs, BSSIDs, approximate locations and the encryption type in use, though not passwords. Check to see whether your home or business network is listed, and whether it is shown as open or using weak encryption. https://wigle.net/
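Pwned Passwords can be built into your own password-change or onboarding flow, not just used by hand, because its range API never needs the password: the client sends only the first five hex characters of the password's SHA-1 and gets back every known suffix in that range with a breach count (k-anonymity). The following is an added example, not from the newsletter or from the Have I Been Pwned project: a Python check that does the hashing and range lookup. The range response it uses is constructed so the script runs offline; fetch_range() shows the real call.

```python
"""Check a candidate password against Pwned Passwords without sending it
(added example).  The range response below is constructed for offline use.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Return (first 5 hex chars, remaining 35) of SHA-1(password), upper case."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, timeout=10):
    """Live lookup of one hash range (network); not used by the offline demo."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix, range_body):
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix (0 if absent)."""
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def breach_count(password, fetch=fetch_range):
    """How many times the password appeared in breaches; 0 means not seen."""
    prefix, suffix = sha1_prefix_suffix(password)   # only the prefix leaves the machine
    return count_in_range(suffix, fetch(prefix))


# Constructed range response for prefix 5BAA6 (SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).  The counts and the other
# suffixes are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1",
    ]),
}


def offline_fetch(prefix):
    """Stand-in for fetch_range() that answers from the constructed table."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-42"):
        n = breach_count(candidate, fetch=offline_fetch)
        verdict = f"seen {n} times, do not use" if n else "not in the sample ranges"
        print(f"{candidate!r}: {verdict}")
```

Reject any candidate with a non-zero count at password-set time; that is the cheapest single defence against the credential-stuffing attacks described in the tool list above.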


Recommended Actions to Take

➢ Review the advisories and determine if any actions need to take place

➢ Inform staff as needed about new phishing and social engineering campaigns

➢ Audit your firewalls, routers, switches and wireless networks annually

➢ Ensure that you have protections in place for mobile users

➢ Update the firmware on your routers as necessary

➢ Investigate blocking IP ranges from countries your institution does not do business with as an additional form of protection

➢ Keep systems patched and up to date

➢ Consider the implementation of annual threat hunting exercises

➢ Ensure that you have DMARC implemented

➢ Remove IMAP support for your mail system

➢ Revise your incident response plan to address supply-chain attacks


Contact Us

Accume Partners

Trusted Advisor · Specialized Resources: Big 4, Industry · Cost-Effective · Agile

Gabrielle Bass, Executive Coordinator

[email protected]

P: 888-696-1515

E: [email protected]

12 East 49th Street – 5th Floor,
New York, NY 10017