AccumeView: Executive Cybersecurity Pulse January 2019 · accumepartners.com · 2019-01-16

The monthly security awareness summary is intended to keep staff informed of recent threats so that they can be properly prepared to defend themselves against the never-ending variety of attacks that they will encounter on a regular basis.

Perspective: A New Year, A New Set of Threats

Automation is constantly evolving, and recent advancements in attack tools and methods are demonstrating that malicious automation can be expected to have significant ramifications. Researchers have proven that automated tools can successfully predict a user’s new password by analyzing older stolen passwords, which makes the probability of a data breach dramatically higher. A recent test had a malicious bot infiltrate a network, scan all systems and exfiltrate all of the available data within 15 seconds. There is a good chance that 2019 will be the year that these types of attacks become real. Make sure that your protections are in place.

The success of Office 365 has made it a large target for phishing attacks. Phishing as a service has finally hit its stride in 2018, and many of the available “kits” for rental are designed to spoof the Office 365 platform. The kits are highly sophisticated, ensuring that a normal user probably would not be able to recognize the falsified landing page. Ensure that your staff is trained on how to detect phishing attacks and that they are vigilant about opening unsolicited emails.

Two-factor authentication has received a lot of press recently as a solution for account takeover attacks, but the bad guys have already figured out ways to phish second-factor authentication codes sent via SMS. While the process involves phishing and a large amount of redirection, it has been proven successful in many parts of the world. It may be of value to consider tokens or other alternate authentication methods for high-risk accounts.

15 Senators have introduced a federal data privacy bill which would require companies that collect personal data from users to take reasonable steps to safeguard the information. The bill also has additional consumer protections, providing a unified approach to data privacy across the nation instead of the patchwork of protections provided at the state level. The bill would let states pursue their own legal actions against companies for privacy violations, but would "allow the FTC to intervene" in those enforcement efforts.

~Stay Secure

If you found this information valuable, we recommend taking a look at our weekly threat intelligence brief. For more information, contact us here.

Bob Gaines
Director
646.375.9500 x114
rgaines@accumepartners.com
AccumeView: Executive Cybersecurity Pulse


Security News

Backdoors Up 44%, Ransomware Up 43% from 2017 - Nearly one in three computers was hit with a malware attack this year, and ransomware and backdoors continue to pose a risk. Backdoor and ransomware detections increased 44% and 43%, respectively, in 2018, the same year nearly 30% of computers faced at least one malicious threat online, researchers report. The Kaspersky Security Bulletin 2018 found malware should be among everyone's top concerns as we head into the new year. Kaspersky Labs handled 346,000 new malicious files each day in the first 10 months of 2018 and detected 21,643,946 unique malicious objects this year. Backdoor detections made up 3.7% of all new malicious files analyzed by Kaspersky Lab researchers in the first 10 months of 2018, increasing from 2.27 million to 3.26 million year over year. Ransomware (Trojan-ransom) detections made up 3.5%, up from 2.2 million detections to 3.13 million. Source: https://www.darkreading.com/threat-intelligence/backdoors-up-44--ransomware-up-43--from-2017/d/d-id/1333399

Automated Cyber Attacks Are the Next Big Threat. Ever Hear of ‘Review Bombing’? – If you think hacks are bad now, just wait a few more years, because "the machines" are coming. In the next few years, artificial intelligence, machine learning and advanced software processes will enable cyber-attacks to reach an unprecedented new scale, wreaking untold damage on companies, critical systems and individuals. As dramatic as Atlanta’s March 2018 cyber “hijacking” by ransomware was, this was nothing compared to what is coming down the pike once ransomware and other malware can essentially "think" on their own. This is not a theoretical risk, either. It is already happening. Recent incidents involving Dunkin Donuts' DD Perks program, CheapAir and even the security firm CyberReason's honeypot test showed just a few of the ways automated attacks are emerging “in the wild” and affecting businesses. Source: https://www.entrepreneur.com/article/325142

Most Organizations Suffered a Business-Disrupting Cyber Event - A study conducted by Ponemon Institute found that 60 percent of organizations globally had suffered two or more business-disrupting cyber events (defined as cyber attacks causing data breaches or significant disruption and downtime to business operations, plant and operational equipment) in the last 24 months. Further, 91 percent of respondents had suffered at least one such cyber event in the same time period. Despite this documented history of damaging attacks, the study found that 54 percent of organizations are not measuring, and therefore don’t understand, the business costs of cyber risk. The report concludes that organizations are unable to make risk-based business decisions backed by accurate and quantifiable metrics, resulting in a lack of actionable insight for the C-suite and board of directors. Source: https://www.helpnetsecurity.com/2018/12/14/business-disrupting-cyber-event/


Regulatory News

Twelve States File First Multistate Healthcare Data Breach Lawsuit - State Attorneys General from a dozen states filed a lawsuit Monday against several health IT companies, and their subsidiaries, alleging that poor security practices led to theft of protected health information (PHI) of 3.9 million individuals during a data security incident in 2015. The 66-page complaint, filed in the U.S. District Court for the Northern District of Indiana, names four companies or subsidiaries, including Fort Wayne, Ind.-based Medical Informatics Engineering and NoMoreClipboard LLC. In the lawsuit, the state AGs allege that the companies failed to take “adequate and reasonable measures” to ensure their computer systems were protected. Over several weeks in May, hackers infiltrated and accessed the “inadequately protected computer systems” of the companies and were able to access and exfiltrate the electronic PHI of 3.9 million individuals, whose PHI was contained in electronic medical records stored in the companies’ computer systems. The personal information obtained by the hackers included names, addresses and Social Security numbers, as well as health information such as lab results, health insurance policy information, diagnosis and medical conditions. Source: https://www.healthcare-informatics.com/news-item/cybersecurity/twelve-states-file-first-multistate-healthcare-data-breach-lawsuit

Federal Data Privacy Bill Introduced by 15 US Senators - The US doesn't have a single data privacy law that applies to all fifty states. On Wednesday, a group of 15 US senators indicated it wanted to change the status quo, introducing the Data Care Act. The bill would require companies that collect personal data from users to take reasonable steps to safeguard the information. The act also has provisions to prevent them from using the data in ways that could harm consumers. If the bill becomes law, the US Federal Trade Commission would be in charge of implementing it. "People have a basic expectation that the personal information they provide to websites and apps is well-protected and won't be used against them," Sen. Brian Schatz, a Democrat from Hawaii who is sponsoring the bill, said in a press release. Source: https://www.cnet.com/news/federal-data-privacy-law-introduced-by-15-us-senators/#ftag=CAD590a51e

German Regulator Fines Firm for GDPR Failings - A German privacy regulator has issued its first GDPR fine after a hacker stole unencrypted data on hundreds of thousands of customers of a local chat app. The Baden-Württemberg Data Protection Authority (LfDI) fined Knuddels just €20,000 ($22,700) despite the firm having stored user passwords and emails in plain text. As a result, hackers were able to make off with 330,000 legitimate credentials, publishing them in September 2018 on Pastebin and Mega. The breach itself is thought to have been much bigger, with over 800,000 email addresses and over 1.8 million passwords stolen, although only 330,000 have been confirmed. Source: https://www.infosecurity-magazine.com/news/german-regulator-fines-firm-for/


Social Engineering

Office 365 Top Brand Targeted by Phishing Kits in 2018 - Criminals are nothing if not financial opportunists, and the boom in phishing has been like a cybercrime gold rush: While some are panning for gold, others are selling the tools and equipment. In 2018, the underground phishing economy has come of age, with the evolution of phishing kits offering spoofed web pages – basic ‘equipment’ for any phishing attack – a prime example. “Phishing-as-a-Service” as a broader phenomenon has ushered in a new era of sophistication and access for the low-level cybercriminal – democratizing phishing attacks. What used to take a team of skilled designers, developers, and hackers to architect, build and deploy can now be purchased on the internet for as little as fifty bucks, or rented as a turn-key service for roughly the same amount a month. Source: https://www.cyren.com/blog/articles/phishing-as-a-service-comes-of-age

Old-School Bagle Worm Still Ready for Modern Spam Campaigns - Bagle.A and Bagle.B date back to 2004. The long-running Bagle worm, affecting Microsoft Windows machines, is still out there, a throwback to an earlier time. Also referred to as Beagle, Bagle contains a backdoor that listens on TCP port 6777, which is hardcoded in the worm’s body. This backdoor component provides remote access to the infected computer and can be used to download and execute other malware from the internet. The bad code was first seen in January 2004, and since then has morphed to spawn plenty of different variants. Despite having so many malware options to choose from, Comodo, writing in a posting on Monday, noted that the very first two variants of the worm, Bagle.A and Bagle.B, arrive in peoples’ inboxes in password-protected .zip files; the password is given to the victim in the body of the email. It’s a more simplistic approach than what’s been seen with some later Bagle variants that eschew the attachment tactic. Source: https://threatpost.com/old-school-bagle-worm-spotted-in-modern-spam-campaigns/139746/

DanaBot Banking Trojan Gets into Spam Business - Authors of the DanaBot banking trojan updated the malware with new features that enable it to harvest email addresses and send out spam straight from the victim's mailbox. The latest variant of the malware achieves this by injecting JavaScript code into the pages of specific web-based email services. Among the targets are all email solutions based on Roundcube, Horde, and Open-Xchange. Recently, DanaBot's authors turned their attention to Europe, targeting Italy, Germany, and Austria. Source: https://www.bleepingcomputer.com/news/security/danabot-banking-trojan-gets-into-spam-business/


Internet Threats

Mitigating the Risk of Office 365 Account Hijacking - Office 365 – the online, subscription-based version of Microsoft’s Office application suite – is one of the most widely used enterprise cloud applications/services, which makes it the preferred target of attackers looking to gain access to sensitive business information. “Once an actor has obtained credentials for an O365 account, not only can the account access be used to access documents across a user’s O365 surface (SharePoint, OneNote etc.) but it can also be used as a launchpad to carry out further compromises within an organization,” the UK’s National Cyber Security Centre warns. Source: https://www.helpnetsecurity.com/2018/12/10/office-365-compromise-prevention/

Malware Targeting IoT Devices Grew 72% in Q3 Alone - Cybercriminals continue to develop sophisticated tactics for exploiting victims, according to a new report from McAfee Labs. An average of 480 new threats per minute appeared in Q3 2018, with new malware samples rising by 53%, the report found. Malware attacks increasingly target Internet of Things (IoT) devices, which are rife with security issues. New malware targeting IoT devices grew 72% in Q3, and 203% in the last year overall, the report found. Cryptojacking has also massively grown in popularity among hackers, according to the report: New coinmining malware grew nearly 55% in Q3, and more than 4,467% in the last year. Fileless malware also remains a top concern, as new JavaScript malware grew 45% in Q3, while new PowerShell malware grew 24%, the report found. Source: https://www.techrepublic.com/article/malware-targeting-iot-devices-grew-72-in-q3-alone/

Hackers Bypass Gmail, Yahoo 2FA at Scale – A new Amnesty International report explains how cyberattackers are phishing second-factor authentication codes sent via SMS. Amnesty International this week released a report detailing how hackers can automatically bypass multifactor authentication (MFA) when the second factor is a text message, and they're using this tactic to break into Gmail and Yahoo accounts at scale. MFA is generally recommended; however, its security varies depending on the chosen factor. Consumers prefer second-factor codes sent via text messages because they're easy to access. Unfortunately for some, cybercriminals like them for the same reason. Source: https://www.darkreading.com/threat-intelligence/hackers-bypass-gmail-yahoo-2fa-at-scale/d/d-id/1333534

Fileless Backdoored Trojan Spreads Using Worm Living in Removable Drives - A Windows worm propagating through removable drives has been observed by Trend Micro spreading the BLADABINDI Trojan with backdoor, DDoS and RAT capabilities. The BLADABINDI Trojan has been used in multiple cyberespionage campaigns because of high adaptability which allows bad actors to tailor it for specific targets, seeing that it can be used as a backdoor, for performing DDoS attacks when using it as a botnet, and for exfiltrating user info using its keylogger module. Trend Micro spotted a new malware campaign which supposedly uses a Windows worm strain the security company dubbed Worm.Win32.BLADABINDI.AA to install a fileless version of the BLADABINDI backdoor. Source: https://news.softpedia.com/news/fileless-backdoored-trojan-spreads-using-worm-living-in-removable-drives-524010.shtml


Internal Threats

Windows Zero-Day PoC Lets You Read Any File with System Level Access – For a third time in four months, a security researcher announces a zero-day vulnerability in Microsoft Windows and provides exploit code that allows reading from unauthorized locations. Known by the moniker SandboxEscaper, the researcher released details about a security vulnerability affecting ReadFile.exe, which, as its name indicates, allows reading data from specific locations. The glitch is in the "MsiAdvertiseProduct" function, which Microsoft describes as being able to "generate an advertise script or advertises a product to the computer" and that it "enables the installer to write to a script the registry and shortcut information used to assign or publish a product." Calling this function leads to an arbitrary file copy by the installer service, which is controllable by the attacker, the researcher explains. SandboxEscaper explains that despite a check being done, the protection can be bypassed via a time-of-check to time-of-use (TOCTOU) race condition. Source: https://www.bleepingcomputer.com/news/security/windows-zero-day-poc-lets-you-read-any-file-with-system-level-access/
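The item above hinges on a time-of-check to time-of-use race: the installer service validates a path and then acts on it, and the object behind the path is swapped in between. As an added illustration that is not part of the AccumeView newsletter and has nothing to do with the researcher's proof of concept, the following C program shows the general shape of that bug on a POSIX system next to the standard fix. The vulnerable opener checks the path with lstat() and then opens the path; the hardened opener opens first (refusing to follow symlinks) and validates the descriptor it actually obtained with fstat(). The temp directory, the public.txt/secret.txt files and the race_hook_t callback that stands in for a concurrent attacker are all constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hook simulating a concurrent actor acting between the check and the use.
 * NULL means nobody interferes. (Constructed for this demo.) */
typedef void (*race_hook_t)(const char *path);

/* Vulnerable shape: lstat() checks the *path*, then open() uses the *path*.
 * The object the path refers to can be replaced in between. */
int unsafe_check_then_open(const char *path, race_hook_t during_window)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                      /* check: must be a regular file */
    if (during_window)
        during_window(path);            /* the TOCTOU window */
    return open(path, O_RDONLY);        /* use: may now follow a symlink */
}

/* Hardened shape: open first, refusing to follow symlinks, then validate the
 * descriptor with fstat(). Later changes to the path cannot alter what fd is. */
int safe_open_then_check(const char *path, race_hook_t during_window)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (during_window)
        during_window(path);            /* same interference, now harmless */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* ---- constructed demo fixture: hypothetical files under a temp dir ---- */
static char demo_dir[64] = "/tmp/toctou_demo.XXXXXX";
static char public_path[128], secret_path[128];
static int demo_ready = 0;

static int write_file(const char *path, const char *text)
{
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Creates (or resets) public.txt as a regular file and secret.txt as the
 * file a low-privileged actor would like a privileged opener to read instead. */
int setup_demo(void)
{
    if (!demo_ready) {
        if (!mkdtemp(demo_dir))
            return -1;
        snprintf(public_path, sizeof public_path, "%s/public.txt", demo_dir);
        snprintf(secret_path, sizeof secret_path, "%s/secret.txt", demo_dir);
        demo_ready = 1;
    }
    return write_file(public_path, "public") | write_file(secret_path, "secret");
}

/* The simulated swap inside the window: replace the checked file by a symlink. */
static void swap_for_symlink(const char *path)
{
    unlink(path);
    if (symlink(secret_path, path) != 0)
        perror("symlink");
}

/* Opens public.txt through the given opener and returns its content length. */
int read_public(int (*opener)(const char *, race_hook_t), int with_race,
                char *buf, size_t n)
{
    int fd = opener(public_path, with_race ? swap_for_symlink : NULL);
    if (fd < 0)
        return -1;
    ssize_t r = read(fd, buf, n - 1);
    close(fd);
    if (r < 0)
        return -1;
    buf[r] = '\0';
    return (int)r;
}

int main(void)
{
    char buf[32];
    setup_demo();
    read_public(unsafe_check_then_open, 1, buf, sizeof buf);
    printf("check-then-open under race read: %s\n", buf);   /* secret */
    setup_demo();
    read_public(safe_open_then_check, 1, buf, sizeof buf);
    printf("open-then-check under race read: %s\n", buf);   /* public */
    return 0;
}
```

The point to take from the demo is that a check on a name proves nothing about the object a later call will resolve that name to; the only reliable check is one made on the handle that is then used. The same rule is why the recommendation below to keep systems patched matters here: the fix for this class of bug is in the privileged service, not in anything the user can do.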

For the Fourth Month in a Row, Microsoft Patches Windows Zero-day Used in the Wild - Today, Microsoft released its monthly security patches, known as the Patch Tuesday updates. This month the Redmond-based company fixed 38 vulnerabilities across a large set of products. For the fourth month in a row, Microsoft patched a Windows OS zero-day vulnerability that was being exploited in the wild. Just like in the last two months, and for the third month in a row, this zero-day was being (ab)used in nation-state cyber-espionage operations. Just like last month, there were two cyber-espionage groups abusing this zero-day, and not just one, suggesting some sort of infrastructure sharing, or common leadership. Source: https://www.zdnet.com/article/for-the-fourth-month-in-a-row-microsoft-patches-windows-zero-day-used-in-the-wild/

Researchers Discover SplitSpectre, a New Spectre-like CPU Attack – Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code. The research team says this new CPU vulnerability is, too, a design flaw in the microarchitecture of modern processors that can be exploited by attacking the process of "speculative execution," an optimization technique used to improve CPU performance. The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last year and which became public in January 2018. The difference in SplitSpectre is not in what parts of a CPU's microarchitecture the flaw targets, but how the attack is carried out. Source: https://www.zdnet.com/article/researchers-discover-splitspectre-a-new-spectre-like-cpu-attack/

DarkVishnya: Banks Attacked Through Direct Connection to Local Network - While novice attackers, imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying around parking lots in the hope that an employee from the target company picks one up and plugs it in at the workplace, more experienced cybercriminals prefer not to rely on chance. In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars. Source: https://securelist.com/darkvishnya/89169/

Vulnerabilities and Indicators of Compromise

• AA18-337A: SamSam Ransomware

• TA18-331A: 3ve – Major Online Ad Fraud Operation

• New online service will hack printers to spew out spam

• Kubernetes Vulnerability Allowed Malicious Control of Nodes

• Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems

• Malicious Chrome extension which sloppily spied on academics believed to originate from North Korea

• Government Hackers Assault Hundreds Of 'Secure' Google Accounts With Evil Phishes

• Russia-linked Sofacy APT developed a new ‘Go’ variant of Zebrocy tool

• Talos published IOCs for December (1) (2) (3)

Recommended Actions to Take

The following set of recommendations is based on the information provided above in the brief. For a more detailed set of recommendations, as well as vulnerabilities and indicators of compromise, please refer to Accume’s weekly threat intelligence briefings.

• Never trust an unsolicited email.

• Never open an attachment from a source that is unknown.

    o If it is from a known user, but unsolicited, call the user to verify the nature of the attachment.

• Be vigilant when responding to or opening an attachment within a text message.

• Don’t install software from untrusted sources.

• Pay attention to the URL of the web pages that you are visiting.

    o Don’t trust popups or any automatic redirection to another page.

• Never click a link within an email or web page where the URL has been shortened or hidden (i.e. tinyurl and other services).

• Be careful when using social media.

• Make sure that your incident response playbook is updated regularly to address the latest threats.

• Ensure that your systems are patched and free from configuration-based vulnerabilities.

• Make sure that your layered defenses (IDS, Firewall, Web-Filtering) are dynamically updating.


• If you see or suspect any suspicious activity when using the internet or email, report it immediately.

• Keep current with emerging state privacy and incident response laws (California and Colorado are mentioned in this issue of AccumeView) to ensure your organization is ready for tightening regulatory requirements.

If you have questions about any of the above recommendations, or about their implementation, feel free to reach out to Accume for additional information.

If you found this information valuable, we recommend our weekly threat intelligence brief, which has additional operational details for you and your staff. For more information, contact us here.