Accume Partners is a trusted advisor that serves clients by delivering integrated Risk, Regulatory, and Cybersecurity solutions to help manage uncertainty and drive business value. March 20 th , 2019 Bob Gaines Director Cybersecurity & Privacy 425-518-1914 [email protected]ABOUT ACCUME PARTNERS Accume Partners is a trusted advisor that serves clients by delivering integrated Risk, Regulatory, and Cybersecurity solutions to help manage uncertainty and drive business value. August 2020
Transcript
Accume Partners is a trusted advisor that serves clients by delivering
integrated Risk, Regulatory, and Cybersecurity solutions to help
Accume Partners is a trusted advisor that serves clients by delivering
integrated Risk, Regulatory, and Cybersecurity solutions to help
manage uncertainty and drive business value.
August 2020
www.accumepartners.com
2
Table of ContentsACCUMULATE KNOWLEDGE, VALUE, RESOURCES
Perspective: State of the Marketplace 02
1. Security News 04
2. Regulatory and Privacy News 06
3. Social Engineering 08
4. Internal Threats 10
5. Web / Internet Threats 12
6. Data Breach 14
7. Recommended Actions to Take 16
8. Contact Us 17
www.accumepartners.com
State of the Marketplace
Perspective:
There is no threat greater then a nation-state hacking team, as they are highlyskilled, fully equipped with the latest attack methodologies, have unlimitedresources, can launch attacks in large scale and are almost untouchable by lawenforcement. North Korea has been a major player in this space for years,adding billions to their economy through cyber attacks. Researchers haveconcluded that they are currently upgrading their operations and expandingtheir list of targets. Their newest weapon allows them to attack Linux,Windows and Mac operating systems, and give them the ability to movelaterally inside a network. Defending against this type of attack requireslayers of security in order to detect command and control communications,privilege escalation, memory resource allocation and computer behaviorheuristics. This is a good time to ensure that your recent security assessmentwas thorough enough. If you still have nagging doubts, call us – we’re here tohelp.
Researchers have discovered that it is possible to modify the firmware forfast-charging devices that people commonly use to charge their smartphonesand tablets. They can alter the current, causing devices to melt, batteries toexplode and charging devices to catch fire. It takes only moments to changethe firmware, but an attacker needs to attach to the device in order to makethe modifications. While this is currently a proof of concept, it is only amatter of time before someone weaponizes it. Keep your charging systemssecure and do not share them with persons that you do not know. Also, don’tuse any public charging kiosks in the event that they are compromised.
We are currently on track for over 20,000 vulnerabilities in 2020. This issignificant considering the work-force is no longer protected by being on acorporate-administered internal network. 20,000 vulnerabilities representscountless ways attackers can leverage exploits for systems that are notcontinuously patched – home networks are nefarious for this. Ensure thatyour patch-management program is capable of detecting and remediatingremote users as well as systems on your internal network.
~Stay Secure
3
4
SECURITY NEWS
www.accumepartners.com
Security News
What's new for North Korean hackers? Kaspersky says they're polishing tools, finding new targets.North Korean government-linked hackers have refined their malware tools and expanded their target listsover the past two years, according to new research from Kaspersky, which says the attackers havedevoted “significant resources” to improving their capabilities. In particular, the hackers have aggressivelydeployed a multi-stage malware framework — which Kaspersky calls MATA — to target Windows, Linux,and macOS operating systems. The framework is capable of deploying more than 15 malwarecomponents and has exhibited signs that it allows attackers to move laterally once they havecompromised a target network, according to the research.
FBI announcement on Windows 7 end of life prompts worry from security experts. Security expertsdetailed a litany of concerns following an announcement on Monday from the Federal Bureau ofInvestigation about the official end of life for Windows 7. The private industry notification, first covered byZDNet, said the FBI "has observed cyber criminals targeting computer network infrastructure after anoperating system achieves end-of-life status," and added that "continuing to use Windows 7 within anenterprise may provide cyber criminals access into computer systems."
US GOV Exposes Chinese Espionage Malware “TAIDOOR” Secretly Used To For a Decade. Recently, theU.S. government exposed Chinese surveillance malware “TAIDOOR” that are secretly used by the Chinesegovernment for a decade. There has been a joint notice on TAIDOOR that has been revealed by thecybersecurity department of Homeland security (DHS) and Infrastructure Security Agency (CISA), theFederal Bureau of Investigations (FBI) and the Department of Defense’s Cyber Command (CyberCom). Allhave claimed that a recent security breach has been detected, and in this event, the hacker who has beenidentified belongs to China; and TAIDOOR is a code that is generally used by VirusTotal.
Ransomware + Exfiltration + Leaks = Data Breach. When organizations get hit by crypto-locking malware,preceded by data exfiltration, is it right to still label these incidents as being just ransomware attacks?Ransomware-wielding attackers keep expanding their horizons, to the point that focusing on the crypto-locking malware alone, or even calling this "cybercrime" - as opposed to just crime - too often misses thebig picture, including the full repercussions of such attacks, says Raj Samani, chief scientist at McAfee."Crime has evolved and crime is now becoming more digitally dependent, and ransomware - what weused to call ransomware - now just comes under this category of crime," he tells me. "Because it's not aransomware attack - it is an intrusion of a computer network, and that intrusion then leads itself to dataexfiltration, which in turn also includes ransomware, which then in turn also leads to extortion. ...Ransomware is just part of the bigger attack.“
Data breach fines could skyrocket this year. The number and value of fines that businesses will have topay for mishandling user data will rise in the near future, a new report by DSA Connect claims. Thecompany that sells services related to data management claims to have polled 1,000 workers, coming tothe conclusion that more than a third (37 per cent) expect both the number and value of fines to rise by2025. Furthermore, six per cent expect a “dramatic rise”, while just three per cent expect the figures tofall. According to the report, one of the main reasons for this rise lies in the fact that employees haveaccess to a lot more data, compared to previous years. In the last year, almost a third of employees (30per cent) said they worked with more data.
Important commentary from Calif. OAG in proposed CCPA regulations package. On June 1, California’sOffice of the Attorney General submitted the final proposed regulations package for the CaliforniaConsumer Privacy Act to the Office of Administrative Law for review. Included in this package is the FinalStatement of Reasons, explaining the modifications from the initially proposed text of the regulations, aswell as a summary of all the comments received during the rulemaking process and the OAG’sresponses, attached as appendices A, C, and E to the FSOR. For businesses or practitioners dealing withcompliance issues, the OAG commentary is an important resource to consider. The OAG’s responsesaddress why certain modifications were made (or not) to the proposed regulations, confirm and clarifyhow it is interpreting certain CCPA provisions, and flag topics the OAG is still considering. They alsoappear to provide some insight regarding the OAG’s enforcement focus.
NSA releases a guide to reduce location tracking risks. The United States National Security Agency (NSA)published a new guide to warn of the risks posed by location services for staff who work in defense ornational security. The guide, titled “Limiting Location Data Exposure” warn of geolocation featuresimplemented by smartphones, tablets, and fitness trackers. “Mobile devices store and share devicegeolocation data by design. This data is essential to device communications and provides features—suchas mapping applications—that users consider indispensable. Mobile devices determine location throughany combination of Global Positioning System (GPS) and wireless signals (e.g., cellular, wireless (Wi-Fi®1), or Bluetooth®2 (BT)).” reads the NSA’s guide. “Location data can be extremely valuable and must beprotected. It can reveal details about the number of users in a location, user and supply movements,daily routines (user and organizational), and can expose otherwise unknown associations between usersand locations.”
Black Hat USA 2020: VMware Carbon Black Releases Global Incident Response Threat Report Detailing Surgein Cyberattacks Amid COVID-19. At Black Hat USA this week, VMware Carbon Black unveils findings from thefifth installment of the semiannual Global Incident Response Threat Report, entitled: “COVID-19 Continues toCreate a Larger Surface Area for Cyberattacks,” based on an online survey in April 2020 of forty-nine incidentresponse (IR) professionals from around the world. COVID-19 has changed the way we live, work and now howwe combat cyberthreats. In an unprecedented year, security professionals face the challenge of securingremote endpoints while cybercriminals look to profit from the global disruption. On the frontline of securityfor their organizations, IR professionals are grappling with exacerbated cyberthreats ranging from counter IR toisland hopping, lateral movement, destructive attacks and more.
Almost Half of Businesses Hit By COVID-Related “Business Impacting Cyber-Attack” in 2020. Just under halfof businesses have experienced at least one “business impacting cyber-attack” related to COVID-19 as of April2020. According to research of 416 security and 425 business executives by Forrester Consulting and Tenable,41% of respondents reported the statistic related to COVID-19, whilst 94% of executives say their firms haveexperienced a business-impacting cyber-attack or compromise within the past 12 months. “That is, oneresulting in a loss of customer, employee or other confidential data; interruption of day-to-day operations;ransomware payout; financial loss or theft and/or theft of intellectual property,” the research said.
#COVID19 Could Push Average Breach Cost to $4m. The average global cost of a data breach fell slightly from2019-2020 but COVID-19 is likely to increase the financial impact and incident response times thanks to massremote working, according to IBM. Published today, the tech giant’s annual Cost of a Data Breach Report iscompiled from analysis of 524 breached organizations and covers 17 countries and 17 industries. The averagebreach cost of $3.86m is 1.5% down on last year’s study, but this is not necessarily a cause for celebration.“Costs were much lower for some of the most mature companies and industries and much higher fororganizations that lagged behind in areas such as security automation and incident response processes,” thereport noted.
Pandemic Credential Stuffing: Cybersecurity's Ultimate Inside Job. Like most of us, hackers would prefer todo as little work as possible, and all too often, we serve as their accomplices. While some of those engaged incyberattacks still wield virtual hacksaws and decode complex pathways, just about every cyberthief seeks thepath of least resistance. Credential stuffing is one of the names that that path goes by.
Amazon-Themed Phishing Campaigns Swim Past Security Checks. Amazon in the era of COVID-19 hasbecome a staple of many people’s lives, as they order everything from sourdough starter to exerciseequipment. Cybercrooks have latched onto the delivery behemoth as a lure for phishing emails, knowingthat plenty of legitimate delivery messages are also making it into people’s inboxes and offering cover.Researchers at Armorblox recently spotted a pair of savvy campaigns leveraging Amazon: A credential-phishing attempt using a purported Amazon delivery order failure notice; and a voice phishing (vishing)attempt also using Amazon delivery order. Both are examples of the ever-more sophisticated phishingefforts being developed by fraudsters that are aimed at gaming traditional email security efforts,researchers said.
Experts On Microsoft Warns of Office 365 Phishing Via Malicious OAuth Apps. Microsoft warns thatwith the shift to remote working, customers are exposed to additional security threats such as consentphishing, besides conventional credential theft and email phishing attacks. Consent phishing is a variantof application-based attack where the targets are tricked into providing malicious Office 365 OAuthapplications (web apps registered by the attackers with an OAuth 2.0 provider) access to their Office 365accounts. Once the victims grant the malicious apps permissions to their account data, the threat actorsget their hands on access and refresh tokens that allow them to take control of the targets’ Microsoftaccounts and make API calls on their behalf through the attacker-controlled app.
Multi-Stage Phishing Attacks Are Dangerous. Threat actors rely on a mix of tactics that take advantageof a user’s lack of attention to draw them into interactions designed to hide malicious intent. The mostvulnerable part of an organization is its people, and bad actors know that a distracted worker is an easytarget. Clicking on an email link may lead to a phishing website, but that’s only part of the danger. Themost devious tactics used by attackers involve linking to legitimate, but booby-trapped, websites wherean attack happens after the initial interaction. The actual attack may occur after the user views the firstweb page—further down the chain of interactions between the user and the website.
Successful Security Operations in the New Normal. As more businesses shift to a work-from-homemodel amid COVID-19, IT teams are facing a surge in security threats. You’ve most likely received someof the phishing attacks that target employees who are adapting to changing work conditions and worriedabout business and economic news. Under-protected home networks and devices are easy prey. As CIOsand CISOs race to deploy additional controls and processes to combat these threats, it’s critical that theyincorporate key elements into their programs to ensure they are effective.
Unauthorized Data Sharing Puts Companies at Risk. Inappropriate data sharing continues to be aproblem for companies, according to a survey from data discovery and auditing software vendorNetwrix. Although most companies have designated secure storage areas for their data, many find itleaking into insecure areas, its research found. A quarter of companies have discovered data storedoutside designated secure locations in the past year, according to the vendor's "2020 Data Risk &Security" report. It took them considerable time to discover the stray data, with 23% reporting that it layundiscovered for weeks. This data seems to make its way into insecure storage because employees don'tfollow data sharing policies, if they exist at all. According to the survey, 30% of systems administratorsgranted direct access to sensitive data based only on user requests. The results show up in audits andcan lead to financial penalties. Of companies that experienced unauthorized data-sharing incidents, 54%ended up with non-compliance findings from audits.
Misconfigured servers contributed to more than 200 cloud breaches. Misconfigured storage services in93 percent of cloud deployments have contributed to more than 200 breaches over the past two years,exposing more than 30 billion records, according to a report from Accurics, which predicted that cloudbreaches are likely to increase in both velocity and scale. The researchers found that 91 percent of thecloud deployments analyzed had at least one major exposure that left a security group wide open whilein 50 percent unprotected credentials were stored in container configuration files, significant because 84percent of organizations use containers.
BadPower attack corrupts fast chargers to melt or set your device on fire. Chinese security researcherssaid they can alter the firmware of fast chargers to cause damage to connected (charging) systems, suchas melt components, or even set devices on fire. The technique, named BadPower, was detailed lastweek in a report published by Xuanwu Lab, a research unit of Chinese tech giant Tencent. According toresearchers, BadPower works by corrupting the firmware of fast chargers -- a new type of charger thatwas developed in the past few years to speed up charging times. The BadPower technique works byaltering the default charging parameters to deliver more voltage than the receiving device can handle,which degrades and damages the receiver's components, as they heat up, bend, melt, or even burn.
Researcher Discovers New HTTP Request Smuggling Attack Variants. HTTP request smuggling, alsoknown as HTTP desyncing, has been known since 2005, but Amit Klein, VP of security research atSafeBreach, believes the method has not been fully analyzed, which is why he has decided to conduct aresearch project focusing on this attack technique. HTTP request smuggling leverages the way HTTPdevices handle a stream of requests, specifically how the stream is divided into individual requests. Anattacker can abuse this to “smuggle” a malicious HTTP request to a server through an HTTP device (i.e. aproxy) by leveraging the discrepancy in how the server interprets the stream and how the HTTP deviceviews the stream.
New ‘Meow’ attack has deleted almost 4,000 unsecured databases. Hundreds of unsecured databasesexposed on the public web are the target of an automated 'meow' attack that destroys data without anyexplanation. The activity started recently by hitting Elasticsearch and MongoDB instances without leavingany explanation, or even a ransom note. Attacks then expanded to other database types and to filesystems open on the web. A quick search by BleepingComputer on the IoT search engine Shodan initiallyfound dozens of databases that have been affected by this attack. Recently, the number of wipeddatabases increased to over 1,800. These attacks have pushed researchers into a race to find theexposed databases and report them responsibly before they become 'meowed.‘
375 new cyber threats per minute seen in Q1 globally: McAfee. San Francisco, With cybercriminalsincreasing their activities amid Covid-19, researchers at cybersecurity company McAfee saw an averageof 375 new threats per minute during the first quarter of 2020 worldwide, a new report revealed onWednesday. Cybercriminals are exploiting the pandemic through Covid-19 themed malicious apps,phishing campaigns, malware, and more, said the McAfee "COVID-19 Threat Report: July 2020". "Thusfar, the dominant themes of the 2020 threat landscape have been cybercriminal's quick adaptation toexploit the pandemic and the considerable impact cyberattacks have had," Raj Samani, McAfee Fellowand Chief Scientist, said in a statement.
First reported Russian BEC scam gang targets Fortune 500 firms. Over the past year, a new group offraudsters believed to be from the Russian cybercriminal space has elevated Business Email Compromise(BEC) scams to a new level. Most BEC attacks are from Nigerian actors, who target companies of anysize. Cosmic Lynx is a different breed that focuses on multinational corporations and tries to score big,asking for large sums (hundreds of thousands or even millions of USD) to be transferred to muleaccounts in Hong Kong. Researchers at email prevention company Agari tracking Cosmic Lynx say thatthe group is responsible for more than 200 BEC attacks since July 2019 and show operational complexitynot seen before with other BEC actors. Moreover, Cosmic Lynx relies on infrastructure linked withmalware campaigns from Emotet and TrickBot, which are tied to the Russian criminal underground.
Smartwatch Maker Garmin Shuts Down Services After Ransomware Attack. Garmin, the maker offitness trackers, smartwatches and GPS-based wearable devices, is currently dealing with a massiveworldwide service interruption after getting hit by a targeted ransomware attack, an employee of thecompany told The Hacker News on condition of anonymity. The company's website and the Twitteraccount say, "We are currently experiencing an outage that affects Garmin.com and Garmin Connect.“"This outage also affects our call centers, and we are currently unable to receive any calls, emails oronline chats. We are working to resolve this issue as quickly as possible and apologize for thisinconvenience.“
What’s New in the 2020 Cost of a Data Breach Report. In a world of uncertainty and change, it’s acomfort that some things are consistent year after year. Now in its 15th year, the annual Cost of a DataBreach Report, with research by the Ponemon Institute and published by IBM Security, continues toprovide a detailed view of the financial impacts security incidents can have on organizations, withhistorical data revealing trends in data breach causes and consequences. This year’s study analyzed 524breaches that occurred between August 2019 and April 2020, in organizations of all sizes, across 17geographies and 17 industries. The 2020 Cost of a Data Breach Report shows some consistency with pastresearch, including the global total cost of a data breach, which averaged $3.86 million in the 2020 study,down about 1.5% from the 2019 study, but in line with previous years. The average time to identify andcontain a data breach was 280 days in the 2020 study, nearly identical to the average of 279 days in2019.
