The monthly security awareness summary is intended to keep staff informed of recent threats
so that they can be properly prepared to defend themselves against the never-ending variety of
attacks that they will encounter on a regular basis.
Perspective: A New Year, A New Set of Threats
Automation is constantly evolving, and recent advancements in attack tools and methods demonstrate that malicious automation can be expected to have significant ramifications. Researchers have proven that automated tools can successfully predict a user's new password by analyzing older stolen passwords, which makes a data breach far more likely. A recent test had a malicious bot infiltrate a network, scan all systems and exfiltrate all of the available data within 15 seconds. There is a good chance that 2019 will be the year that these types of attacks become real. Make sure that your protections are in place.
The success of Office 365 has made it a large target for phishing attacks. Phishing as a
service has finally hit its stride in 2018, and many of the available “kits” for rental are
designed to spoof the Office 365 platform. The kits are highly sophisticated, ensuring
that a normal user probably would not be able to recognize the falsified landing page.
Ensure that your staff is trained on how to detect phishing attacks and that they are
vigilant about opening unsolicited emails.
Two-factor authentication has received a lot of press recently as a solution for account takeover attacks, but the bad guys have already figured out ways to phish second-factor authentication codes sent via SMS. While the process involves phishing and a large amount of redirection, it has been proven successful in many parts of the world. It may be of value to consider tokens or other alternate methods of authentication for high-risk accounts.
15 Senators have introduced a Federal data privacy bill which would require companies that collect personal data from users to take reasonable steps to safeguard the information. The bill also has additional consumer protections, providing a unified approach to data privacy across the nation instead of the patchwork of protections provided at the state level. The bill would let states pursue their own legal actions against companies for privacy violations, but would "allow the FTC to intervene" in those enforcement efforts.
~Stay Secure
If you found this information valuable, we recommend taking a look at our
weekly threat intelligence brief. For more information, contact us here.
Bob Gaines
Director
646.375.9500 x114
rgaines@accumepartners.com
AccumeView: Executive Cybersecurity Pulse January 2019
accumepartners.com
Security News
Backdoors Up 44%, Ransomware Up 43% from 2017 - Nearly one in three computers was hit with a malware attack this year, and ransomware and backdoors continue to pose a risk. Backdoor and ransomware detections increased 44% and 43%, respectively, in 2018, the same year nearly 30% of computers faced at least one malicious threat online, researchers report. The Kaspersky Security Bulletin 2018 found malware should be among everyone's top concerns as we head into the new year. Kaspersky Labs handled 346,000 new malicious files each day in the first 10 months of 2018 and detected 21,643,946 unique malicious objects this year. Backdoor detections made up 3.7% of all new malicious files analyzed by Kaspersky Lab researchers in the first 10 months of 2018, increasing from 2.27 million to 3.26 million year over year. Ransomware (Trojan-ransom) detections made up 3.5%, up from 2.2 million detections to 3.13 million. Source: https://www.darkreading.com/threat-intelligence/backdoors-up-44--ransomware-up-43--from-2017/d/d-id/1333399
Automated Cyber Attacks Are the Next Big Threat. Ever Hear of ‘Review Bombing’? – If you think hacks are bad now, just wait a few more years, because "the machines" are coming. In the next few years, artificial intelligence, machine learning and advanced software processes will enable cyber-attacks to reach an unprecedented new scale, wreaking untold damage on companies, critical systems and individuals. As dramatic as Atlanta’s March 2018 cyber “hijacking” by ransomware was, this was nothing compared to what is coming down the pike once ransomware and other malware can essentially "think" on their own. This is not a theoretical risk, either. It is already happening. Recent incidents involving Dunkin Donuts' DD Perks program, CheapAir and even the security firm CyberReason's honeypot test showed just a few of the ways automated attacks are emerging “in the wild” and affecting businesses. Source: https://www.entrepreneur.com/article/325142
Most Organizations Suffered a Business-Disrupting Cyber Event - A study conducted by Ponemon Institute found that 60 percent of organizations globally had suffered two or more business-disrupting cyber events — defined as cyber attacks causing data breaches or significant disruption and downtime to business operations, plant and operational equipment — in the last 24 months. Further, 91 percent of respondents had suffered at least one such cyber event in the same time period. Despite this documented history of damaging attacks, the study found that 54 percent of organizations are not measuring, and therefore don’t understand, the business costs of cyber risk. The report concludes that organizations are unable to make risk-based business decisions backed by accurate and quantifiable metrics, resulting in a lack of actionable insight for the C-suite and board of directors. Source: https://www.helpnetsecurity.com/2018/12/14/business-disrupting-cyber-event/
Regulatory News
Twelve States File First Multistate Healthcare Data Breach Lawsuit - State Attorneys General from a dozen states filed a lawsuit Monday against several health IT companies, and their subsidiaries, alleging that poor security practices led to theft of protected health information (PHI) of 3.9 million individuals during a data security incident in 2015. The 66-page complaint, filed in the U.S. District Court for the Northern District of Indiana, names four companies or subsidiaries, including Fort Wayne, Ind.-based Medical Informatics Engineering and NoMoreClipboard LLC. In the lawsuit, the state AGs allege that the companies failed to take “adequate and reasonable measures” to ensure their computer systems were protected. Over several weeks in May, hackers infiltrated and accessed the “inadequately protected computer systems” of the companies and were able to access and exfiltrate the electronic PHI of 3.9 million individuals, whose PHI was contained in an electronic medical record stored in the companies’ computer systems. The personal information obtained by the hackers included names, addresses and Social Security numbers, as well as health information such as lab results, health insurance policy information, diagnosis and medical conditions. Source: https://www.healthcare-informatics.com/news-item/cybersecurity/twelve-states-file-first-multistate-healthcare-data-breach-lawsuit
Federal Data Privacy Bill Introduced by 15 US Senators - The US doesn't have a single data privacy law that applies to all fifty states. On Wednesday, a group of 15 US senators indicated it wanted to change the status quo, introducing the Data Care Act. The bill would require companies that collect personal data from users to take reasonable steps to safeguard the information. The act also has provisions to prevent them from using the data in ways that could harm consumers. If the bill becomes law, the US Federal Trade Commission would be in charge of implementing it. "People have a basic expectation that the personal information they provide to websites and apps is well-protected and won't be used against them," Sen. Brian Schatz, a Democrat from Hawaii who is sponsoring the bill, said in a press release. Source: https://www.cnet.com/news/federal-data-privacy-law-introduced-by-15-us-senators/#ftag=CAD590a51e
German Regulator Fines Firm for GDPR Failings - A German privacy regulator has issued its first GDPR fine after a hacker stole unencrypted data on hundreds of thousands of customers of a local chat app. The Baden-Württemberg Data Protection Authority (LfDI) fined Knuddels just €20,000 ($22,700) despite the firm having stored user passwords and emails in plain text. As a result, hackers were able to make off with 330,000 legitimate credentials, publishing them in September 2018 on Pastebin and Mega. The breach itself is thought to have been much bigger, with over 800,000 email addresses and over 1.8 million passwords stolen, although only 330,000 have been confirmed. Source: https://www.infosecurity-magazine.com/news/german-regulator-fines-firm-for/
Social Engineering
Office 365 Top Brand Targeted by Phishing Kits in 2018 - Criminals are nothing if not financial opportunists, and the boom in phishing has been like a cybercrime gold rush: While some are panning for gold, others are selling the tools and equipment. In 2018, the underground phishing economy has come of age, with the evolution of phishing kits offering spoofed web pages – basic ‘equipment’ for any phishing attack – a prime example. “Phishing-as-a-Service” as a broader phenomenon has ushered in a new era of sophistication and access for the low-level cybercriminal – democratizing phishing attacks. What used to take a team of skilled designers, developers, and hackers to architect, build and deploy can now be purchased on the internet for as little as fifty bucks, or rented as a turn-key service for roughly the same amount a month. Source: https://www.cyren.com/blog/articles/phishing-as-a-service-comes-of-age
Old-School Bagle Worm Still Ready for Modern Spam Campaigns - Bagle.A and Bagle.B date back to 2004. The long-running Bagle worm, affecting Microsoft Windows machines, is still out there, a throwback to an earlier time. Also referred to as Beagle, Bagle contains a backdoor that listens on TCP port 6777, which is hardcoded in the worm’s body. This backdoor component provides remote access to the infected computer and can be used to download and execute other malware from the internet. The bad code was first seen in January 2004, and since then has morphed to spawn plenty of different variants. Despite the many variants to choose from, Comodo, writing in a posting on Monday, noted that the very first two variants of the worm, Bagle.A and Bagle.B, arrive in people’s inboxes in password-protected .zip files; the password is given to the victim in the body of the email. It’s a more simplistic approach than what’s been seen with some later Bagle variants that eschew the attachment tactic. Source: https://threatpost.com/old-school-bagle-worm-spotted-in-modern-spam-campaigns/139746/
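Because the Bagle backdoor port is hardcoded, a listener on TCP/6777 is a cheap host-level indicator to check. The following is an added example, not code from the brief or from Comodo: it parses constructed Windows `netstat -ano` output and flags any process bound to that port, plus any peer already connected to it.

```python
import re

# Hardcoded Bagle backdoor port reported in the article above.
BAGLE_BACKDOOR_PORT = 6777

# Constructed sample of Windows "netstat -ano" output (not a real capture):
# PID 4120 listens on 6777 and already has one inbound session on it.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:6777           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.20:49700     40.97.160.2:443        ESTABLISHED     3008
  TCP    192.168.1.20:6777      203.0.113.9:51234      ESTABLISHED     4120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1764
"""

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, [IPv6] or *:*) into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -ano text into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["local_host"], row["local_port"] = split_endpoint(row["local"])
        row["remote_host"], row["remote_port"] = split_endpoint(row["remote"])
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def find_backdoor_port_activity(rows, port=BAGLE_BACKDOOR_PORT):
    """Flag TCP rows whose local port is the backdoor port. A LISTENING row is
    the indicator itself; any other state on that local port means a peer has
    already reached the backdoor, so its address is kept for the IR timeline."""
    findings = []
    for r in rows:
        if r["proto"] != "TCP" or r["local_port"] != port:
            continue
        kind = "listener" if r["state"] == "LISTENING" else "session"
        peer = r["remote_host"] if kind == "session" else None
        findings.append({"pid": r["pid"], "kind": kind, "peer": peer})
    return findings


def suspect_pids(findings):
    """PIDs to examine (image path, parent, persistence) before any cleanup."""
    return sorted({f["pid"] for f in findings})


if __name__ == "__main__":
    hits = find_backdoor_port_activity(parse_netstat(SAMPLE_NETSTAT))
    for h in hits:
        print(f"PID {h['pid']}: {h['kind']}", f"from {h['peer']}" if h["peer"] else "")
    print("investigate PIDs:", suspect_pids(hits))
```

A port match alone is not proof of Bagle, so the flagged PIDs are a starting point for checking the process image and the attachment it came from, not a verdict.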
DanaBot Banking Trojan Gets into Spam Business - Authors of the DanaBot banking trojan updated the malware with new features that enable it to harvest email addresses and send out spam straight from the victim's mailbox. The latest variant of the malware achieves this by injecting JavaScript code into the pages of specific web-based email services. Among the targets are all email solutions based on Roundcube, Horde, and Open-Xchange. Recently, DanaBot authors turned their attention to Europe, targeting Italy, Germany, and Austria. Source: https://www.bleepingcomputer.com/news/security/danabot-banking-trojan-gets-into-spam-business/
Internet Threats
Mitigating the Risk of Office 365 Account Hijacking - Office 365 – the online, subscription-based version of Microsoft’s Office application suite – is one of the most widely used enterprise cloud applications/services, which makes it the preferred target of attackers looking to gain access to sensitive business information. “Once an actor has obtained credentials for an O365 account, not only can the account access be used to access documents across a user’s O365 surface (SharePoint, OneNote etc.) but it can also be used as a launchpad to carry out further compromises within an organization,” the UK’s National Cyber Security Centre warns. Source: https://www.helpnetsecurity.com/2018/12/10/office-365-compromise-prevention/
Malware Targeting IoT Devices Grew 72% in Q3 Alone - Cybercriminals continue to develop sophisticated tactics for exploiting victims, according to a new report from McAfee Labs. An average of 480 new threats per minute appeared in Q3 2018, with new malware samples rising by 53%, the report found. Malware attacks increasingly target Internet of Things (IoT) devices, which are rife with security issues. New malware targeting IoT devices grew 72% in Q3, and 203% in the last year overall, the report found. Cryptojacking has also massively grown in popularity among hackers, according to the report: New coinmining malware grew nearly 55% in Q3, and more than 4,467% in the last year. Fileless malware also remains a top concern, as new JavaScript malware grew 45% in Q3, while new PowerShell malware grew 24%, the report found. Source: https://www.techrepublic.com/article/malware-targeting-iot-devices-grew-72-in-q3-alone/
Hackers Bypass Gmail, Yahoo 2FA at Scale – A new Amnesty International report explains how cyberattackers are phishing second-factor authentication codes sent via SMS. Amnesty International this week released a report detailing how hackers can automatically bypass multifactor authentication (MFA) when the second factor is a text message, and they're using this tactic to break into Gmail and Yahoo accounts at scale. MFA is generally recommended; however, its security varies depending on the chosen factor. Consumers prefer second-factor codes sent via text messages because they're easy to access. Unfortunately for some, cybercriminals like them for the same reason. Source: https://www.darkreading.com/threat-intelligence/hackers-bypass-gmail-yahoo-2fa-at-scale/d/d-id/1333534
Fileless Backdoored Trojan Spreads Using Worm Living in Removable Drives - A Windows worm propagating through removable drives has been observed by Trend Micro spreading the BLADABINDI Trojan with backdoor, DDoS and RAT capabilities. The BLADABINDI Trojan has been used in multiple cyberespionage campaigns because of its high adaptability, which allows bad actors to tailor it for specific targets, seeing that it can be used as a backdoor, for performing DDoS attacks when using it as a botnet, and for exfiltrating user info using its keylogger module. Trend Micro spotted a new malware campaign which supposedly uses a Windows worm strain the security company dubbed Worm.Win32.BLADABINDI.AA to install a fileless version of the BLADABINDI backdoor. Source: https://news.softpedia.com/news/fileless-backdoored-trojan-spreads-using-worm-living-in-removable-drives-524010.shtml
Internal Threats
Windows Zero-Day PoC Lets You Read Any File with System Level Access – For a third time in four months, a security researcher announces a zero-day vulnerability in Microsoft Windows and provides exploit code that allows reading into unauthorized locations. Known by the moniker SandboxEscaper, the researcher released details about a security vulnerability affecting ReadFile.exe, which, as its name indicates, allows reading data from specific locations. The glitch is in the "MsiAdvertiseProduct" function, which Microsoft describes as being able to "generate an advertise script or advertise a product to the computer" and that it "enables the installer to write to a script the registry and shortcut information used to assign or publish a product." Calling this function leads to an arbitrary file copy by the installer service, which is controllable by the attacker, the researcher explains. SandboxEscaper explains that despite a check being done, the protection can be bypassed via a time-of-check to time-of-use (TOCTOU) race condition. Source: https://www.bleepingcomputer.com/news/security/windows-zero-day-poc-lets-you-read-any-file-with-system-level-access/
For the Fourth Month in a Row, Microsoft Patches Windows Zero-day Used in the Wild - Today, Microsoft released its monthly security patches, known as the Patch Tuesday updates. This month the Redmond-based company fixed 38 vulnerabilities across a large set of products. For the fourth month in a row, Microsoft patched a Windows OS zero-day vulnerability that was being exploited in the wild. Just like in the last two months, and for the third month in a row, this zero-day was being (ab)used in nation-state cyber-espionage operations. Just like last month, there were two cyber-espionage groups abusing this zero-day, and not just one, suggesting some sort of infrastructure sharing, or common leadership. Source: https://www.zdnet.com/article/for-the-fourth-month-in-a-row-microsoft-patches-windows-zero-day-used-in-the-wild/
Researchers Discover SplitSpectre, a New Spectre-like CPU Attack – Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code. The research team says this new CPU vulnerability is also a design flaw in the microarchitecture of modern processors that can be exploited by attacking the process of "speculative execution," an optimization technique used to improve CPU performance. The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last year and which became public in January 2018. The difference in SplitSpectre is not in what parts of a CPU's microarchitecture the flaw targets, but how the attack is carried out. Source: https://www.zdnet.com/article/researchers-discover-splitspectre-a-new-spectre-like-cpu-attack/
DarkVishnya: Banks Attacked Through Direct Connection to Local Network - While novice attackers,
imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying around parking lots in
the hope that an employee from the target company picks one up and plugs it in at the workplace, more
experienced cybercriminals prefer not to rely on chance. In 2017-2018, Kaspersky Lab specialists were
invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown
device directly connected to the company’s local network. In some cases, it was the central office, in
others a regional office, sometimes located in another country. At least eight banks in Eastern Europe
were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in
the tens of millions of dollars. Source: https://securelist.com/darkvishnya/89169/
Vulnerabilities and Indicators of Compromise
• AA18-337A: SamSam Ransomware
• TA18-331A: 3ve – Major Online Ad Fraud Operation
• New online service will hack printers to spew out spam
• Kubernetes Vulnerability Allowed Malicious Control of Nodes
• Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems
• Malicious Chrome extension which sloppily spied on academics believed to originate from North Korea
• Government Hackers Assault Hundreds Of 'Secure' Google Accounts With Evil Phishes
• Russia-linked Sofacy APT developed a new ‘Go’ variant of Zebrocy tool
• Talos published IOCs for December (1) (2) (3)
Recommended Actions to Take
The following set of recommendations is based on the information provided above in the brief. For a more detailed set of recommendations, as well as vulnerabilities and indicators of compromise, please refer to Accume’s weekly threat intelligence briefings.
• Never trust an unsolicited email
• Never open an attachment from a source that is unknown.
o If it is from a known user, but unsolicited, call the user to verify the nature of the attachment
• Be vigilant when responding to or opening an attachment within a text message
• Don’t install software from untrusted sources
• Pay attention to the URL of the web pages that you are visiting.
o Don’t trust popups or any automatic redirection to another page
• Never click a link within an email or web page where the URL has been shortened or hidden (e.g., tinyurl and other services).
• Be careful when using social media
• Make sure that your incident response playbook is updated regularly to address the latest threats.
• Ensure that your systems are patched and free from configuration-based vulnerabilities
• Make sure that your layered defenses (IDS, Firewall, Web-Filtering) are dynamically updating
• If you see or suspect any suspicious activity when using the internet or email, report it immediately.
• Keep current with emerging state privacy and incident response laws (California and Colorado are mentioned in this issue of AccumeView) to ensure your organization is ready for tightening regulatory requirements.
If you have questions about any of the above recommendations, or about their implementation, feel free to reach out to Accume for additional information.
If you found this information valuable, we recommend our weekly threat
intelligence brief, which has additional operational details for you and
your staff. For more information, contact us here.