
Accume Partners is a trusted advisor that serves clients by delivering integrated Risk, Regulatory, and Cybersecurity solutions to help manage uncertainty and drive business value.

March 20th, 2019

Bob Gaines, Director, Cybersecurity & Privacy
425-518-1914
[email protected]

ABOUT ACCUME PARTNERS

Accume Partners is a trusted advisor that serves clients by delivering integrated Risk, Regulatory, and Cybersecurity solutions to help manage uncertainty and drive business value.

February 3rd, 2019

www.accumepartners.com


Table of Contents

ACCUMULATE KNOWLEDGE, VALUE, RESOURCES

Perspective: State of the Marketplace
1. Security News
2. Regulatory and Privacy News
3. Social Engineering
4. Internal Threats
5. Web / Internet Threats
6. Data Breach
Recommended Actions to Take
Contact Us


Perspective: State of the Marketplace

27% of IT managers believe that attacks against their network can be attributed to nation states. This figure is up significantly from a year ago, and it should wake up anyone involved in Risk and Security. Ensure that you have properly adjusted the risk to your organization for the possibility of a sophisticated attack from a nation state and calculated for the type of damage that they could inflict.

A new study shows that attackers, once inside your network, are able to stay in longer (aka “dwell time”) in order to get to know your business, processes and technology. The longer they stay in your network, the more damage they can do to you, your clients and your data. Most security systems are designed to monitor the perimeter, not the inside systems, so ensure that you have security controls and alerting for critical internal systems to detect unusual behavior and lateral movement.

Businesses should be aware that the California Consumer Privacy Act (CCPA) is now in effect, which has wide-reaching requirements for anyone that does business in California, or whose clients reside in the state. Much like NYDFS, it has a lot of complexity that doesn’t apply to all businesses under every circumstance, but it is essential that businesses understand the law and how it applies to them.

As tax season approaches, businesses should pay close attention to the threat of Business Email Compromise (BEC) attacks. Subscribers to our weekly threat intelligence briefings have seen the number, scope and damage from these types of attacks grow quarter over quarter. Ensure that your controls are in place, your people are trained properly, and that your processes are sufficient to prevent this type of attack from occurring.

If you have questions about anything in this newsletter, and would like to know more, please reach out to us at your earliest convenience.

~Stay Secure


Security News

Companies increasingly reporting attacks attributed to foreign governments. More than one in four security managers attribute attacks against their organization to cyberwarfare or nation-state activity, according to Radware. In 2018, 19% of organizations believed they were attacked by a nation-state. That figure increased to 27% in 2019. Companies in North America were more likely to report nation-state attribution, at 36%. “Nation-state intrusions are among the most difficult attacks to thwart because the agencies responsible often have significant resources, knowledge of potential zero-day exploits, and the patience to plan and execute operations,” says Anna Convery-Pelletier, Chief Marketing Officer at Radware. “These attacks can result in the loss of sensitive trade, technological, or other data, and security teams may be at a distinct disadvantage.” These findings come at a time of heightened anxiety for security managers. Organizations are increasingly turning to microservices, serverless architectures, and a mix of multiple cloud environments.

Source: https://www.helpnetsecurity.com/2020/01/15/attacks-attributed-to-foreign-governments/

Cyberattackers lurking longer inside computers, report finds. Online attackers are becoming so good at hiding themselves that they can remain undetected in victims’ computers for months before being found, potentially giving these criminals more time to inflict greater damage than if they were detected earlier, according to cybersecurity research firm CrowdStrike. Cyberattackers remained undetected for an average of 95 days before discovery last year, compared with an average of 85 days in 2018, CrowdStrike said in a report made public Monday. The sharp increase in dwell time “is not a metric that we want to see go up,” Tom Etheridge, CrowdStrike vice president of services, told CQ Roll Call. Deploying so-called living-off-the-land techniques, “where an attacker can masquerade as a legitimate user in a client environment and remain stealthy provides an opportunity to get a full spectrum lay of the land” of the computer system, thus making their moves more impactful.

Source: https://www.rollcall.com/news/congress/cyber-hackers-lurking-longer-inside-computers-report-finds

The Hidden Cost of Ransomware: Wholesale Password Theft. Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. But all too often, ransomware victims fail to grasp that the crooks behind these attacks can and frequently do siphon every single password stored on each infected endpoint. The result of this oversight may offer attackers a way back into the affected organization, access to financial and healthcare accounts, or — worse yet — key tools for attacking the victim’s various business partners and clients. Moral of the story: Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed.

Source: https://krebsonsecurity.com/2020/01/the-hidden-cost-of-ransomware-wholesale-password-theft/


Regulatory and Privacy News

Facebook asks 2 billion users to check their privacy settings. Facebook wants to start the 2020s on the right privacy footing, and it's about to make that abundantly clear to most of its users. The social network is planning to prompt almost 2 billion people to review their privacy settings over the "next few weeks." Tap the prompt in your News Feed and you'll be directed to the revamped Privacy Checkup tool to determine who can see your data and how you secure your account. Given that Facebook had 2.45 billion monthly active users as of last summer, there's a very good chance you'll see this request in the near future. You may also have greater control over your data in the process. The company's Off-Facebook Activity tool is now available worldwide, giving you both a summary of data from third-party sites (used to show you targeted ads) and the option to scrub that data. Facebook also started sending notifications for third-party app sign-ins earlier in January.

Source: https://www.engadget.com/2020/01/28/facebook-prompts-privacy-checkup/

Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers. Hackers are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers, Motherboard has learned. Multiple sources in and familiar with the SIM swapping community as well as screenshots shared with Motherboard suggest at least AT&T, T-Mobile, and Sprint have been impacted. This is an escalation in the world of SIM swapping, in which hackers take over a target's phone number so they can then access email, social media, or cryptocurrency accounts. Previously, these hackers have bribed telecom employees to perform SIM swaps or tricked workers to do so by impersonating legitimate customers over the phone or in person. Now, hackers are breaking into telecom companies, albeit crudely, to do the SIM swapping themselves.

Source: https://www.vice.com/en_us/article/5dmbjx/how-hackers-are-breaking-into-att-tmobile-sprint-to-sim-swap-yeh

CCPA Is Now in Effect. The California Consumer Privacy Act (CCPA), a bill that enhances data protections for the roughly 40 million residents of California, officially took effect Jan. 1. CCPA, which was signed into law in June 2018, gives state residents the right to know which personal data is being collected about them and whether that data is sold or disclosed and to whom. Consumers in the state can also refuse to allow businesses to sell their personal information or request that such data be deleted. The CCPA applies to all businesses, including nonprofits, that collect consumers’ personal data, do business in California, and satisfy at least one of the following thresholds:

• have annual gross revenue of more than $25 million;
• collect personal information from 50,000 or more consumers, households, or devices; or
• earn more than half of their annual revenue from selling consumers’ personal information.

The law also requires businesses to give consumers access to their personal information upon request and to post a link on their websites allowing consumers to opt out of the sale of their personal information. Businesses that violate the law are subject to fines of up to $7,500 for each violation.

Source: https://www.destinationcrm.com/Articles/CRM-Insights/Insight/CCPA-Is-Now-in-Effect-135981.aspx


Social Engineering

How Social Engineering is Changing the Insider Threat Game. The rise of social engineering attacks has left many organizations hanging their heads in shame. Social engineering is one of the fastest growing threats to businesses: attackers are increasingly using sophisticated social engineering attacks to deceive even the most astute users into handing over valuable data, such as login credentials or financial information like credit card numbers. Social engineering attacks ultimately lead to a type of insider threat known as user error. One of the most common user errors occurs when someone accidentally clicks a malicious link in a phishing email or in a text message, resulting in an account becoming compromised. User error can also be the result of someone leaving a laptop unattended, subsequently leading to data theft. It highlights the fact that the insider threat doesn’t always have to be malicious, coming from a disgruntled employee looking to steal company information from right under the noses of execs. According to the 2019 Verizon Data Breach Investigations Report, user errors were causal events in 21 per cent of breaches. The reality is that every time an employee clicks on a phishing link, they are unknowingly putting the entire organization at risk.

Source: https://www.infosecurity-magazine.com/opinions/social-engineering-insider-threat

These subject lines are the most clicked for phishing. By now, even the least-seasoned email user knows not to open messages from Nigerian princes or vacationing "friends" desperate for an emergency loan. But bad actors have become increasingly clever in phishing attempts. KnowBe4, which provides security awareness training, revealed the most clicked subject lines in a fourth-quarter report. The most effective lure, the firm found, was an urgent message to immediately check a password, with 39% of users falling for the ruse.

Source: https://www.techrepublic.com/article/these-subject-lines-are-the-most-clicked-for-phishing/

Microsoft Phishing Scam Exploits Iran Cyberattack Scare. An attacker is attempting to take advantage of the recent warnings about possible Iranian cyberattacks by using it as a theme for a phishing attack that tries to collect Microsoft login credentials. With the rising escalations between the United States and Iran, the U.S. government has been issuing warnings about possible cyberattacks by Iran and potential attacks on critical U.S. infrastructure. To take advantage of this increased tension, an attacker has created a phishing scam that pretends to be from 'Microsoft MSA' and has an email subject of 'Email users hit by Iran cyber attack' warning that Microsoft's servers were hit by a cyberattack from Iran.

Source: https://www.bleepingcomputer.com/news/security/microsoft-phishing-scam-exploits-iran-cyberattack-scare/

IRS Warns of New Tax Scams. The Internal Revenue Service (IRS) has issued a reminder urging consumers to look out for two new variations of tax-related phone and email scams. The phone scam involves pre-recorded messages threatening to suspend or cancel a victim’s Social Security number, and the email phishing scam involves a fake agency—the “Bureau of Tax Enforcement”—claiming that the victim owes past due taxes.


Internal Threats

SNAKE Ransomware Targeting Entire Corporate Networks. Security researchers have observed samples of the new SNAKE ransomware family targeting organizations’ entire corporate networks. Discovered by MalwareHunterTeam and analyzed by Vitali Kremez, SNAKE is written in Golang and contains a high level of obfuscation. Upon successful infection, the ransomware deletes the machine’s Shadow Volume Copies before terminating various processes associated with SCADA systems, network management solutions, virtual machines and other tools. It then proceeds to encrypt the machine’s files while skipping over important Windows folders and system files. As part of this process, it appends “EKANS” as a file marker along with a five-character string to the file extension of each file it encrypts. The threat wraps up its encryption routine by dropping a ransom note entitled “Fix-Your-Files.txt” in the C:\Users\Public\Desktop folder. This ransom note instructs victims to contact “[email protected]” in order to purchase a decryption tool.

Source: https://www.tripwire.com/state-of-security/security-data-protection/snake-ransomware-targeting-entire-corporate-networks/

Microsoft Warns Attackers Are Exploiting Zero Day In Internet Explorer Scripting Engine. Hackers are actively exploiting a zero day vulnerability in Internet Explorer, prompting a warning from the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA). “Microsoft is aware of limited targeted attacks” in a remote code execution (RCE) vulnerability [CVE-2020-0674] in the scripting engine of Internet Explorer across all versions of Windows that would let a hacker obtain the same rights as a current user, Microsoft warned Friday. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” the company said.

Source: https://www.scmagazine.com/home/security-news/microsoft-warns-attackers-are-exploiting-zero-day-in-ie-scripting-engine/

New Ransomware Process Leverages Native Windows Features. A new methodology for instigating ransomware makes use of Windows' own Encrypting File System (EFS). EFS has been a part of Windows since Windows 2000. Unlike Windows' BitLocker -- which is a full disk encryption feature -- EFS can selectively encrypt individual files or folders. It does this transparently to the user, using a key that is partly stored in an accessible file, and partly computed from the user's account password. Once set up, the user does not need to provide a password for EFS to work. A potential ransomware process using EFS was discovered by researchers at SafeBreach. This approach entirely uses Windows features -- and can consequently be defined as a form of 'living off the land' -- although the primary difference with traditional ransomware is that this process uses different Windows features that are less likely to be monitored. Eight steps are required for attackers to use EFS ransomware.

Source: https://www.securityweek.com/new-ransomware-process-leverages-native-windows-features


Web / Internet Threats

RDP brute-force attacks have lifespan of 2-3 days on average: Microsoft study. Microsoft’s study into the impact of Remote Desktop Protocol (RDP) brute-force attacks on the enterprise sector revealed that such attacks last 2-3 days on average. For the study, Microsoft allegedly collected data from more than 45,000 workstations running Microsoft Defender Advanced Threat Protection. Around 0.08 percent of Remote Desktop Protocol (RDP) brute-force attacks are successful. RDP brute-force attacks last 2-3 days on average, with about 90% of cases lasting for one week or less, and less than 5% lasting for two weeks or more. Across all enterprises analyzed over several months, on average about 1 machine was detected with a high probability of being compromised. As per the firm, the attacks were lasting for days rather than hours largely because the attackers took care to avoid having their IPs banned by firewalls: they were trying only a few combinations per hour.

Source: https://cyware.com/news/rdp-brute-force-attacks-have-lifespan-of-2-3-days-on-average-microsoft-study-9d416f3f
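The Microsoft study above makes a detection point worth seeing in code: a source that keeps to a few password guesses per hour never trips the usual "N failures in an hour" lockout or SIEM rule, which is exactly why these campaigns can run for days. The Python script below is an added example written for this page, not code from the newsletter, from Microsoft or from any of the cited sources. It constructs a small sample of failed RDP logon records (Windows Security event 4625, logon type 10) in a hypothetical pipe-delimited export format and runs two detectors over them: the conventional per-hour threshold, and a multi-day aggregation that judges each source on total volume, number of distinct accounts tried and elapsed time. All IP addresses, account names and thresholds are invented for the illustration.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# One failed logon, reduced to the three fields the detectors need.
Event = namedtuple("Event", "ts src_ip user")


def build_sample_log():
    """Constructed sample telemetry (not real logs). Each line is a hypothetical
    pipe-delimited export 'timestamp|event_id|logon_type|source_ip|target_user' of
    Windows Security event 4625 (failed logon); logon type 10 is RemoteInteractive, i.e. RDP."""
    base = datetime(2020, 1, 6)
    lines = []
    # 1. Low-and-slow guessing: 3 attempts per hour for 72 hours, cycling through account names.
    names = ["administrator", "admin", "backup", "scan", "test", "svc_sql", "helpdesk", "jsmith"]
    for hour in range(72):
        for k in range(3):
            ts = base + timedelta(hours=hour, minutes=1 + 15 * k)
            user = names[(hour * 3 + k) % len(names)]
            lines.append(f"{ts.isoformat()}|4625|10|198.51.100.7|{user}")
    # 2. Classic burst: 30 attempts against one account inside two minutes.
    for k in range(30):
        ts = base + timedelta(days=1, hours=3, seconds=4 * k)
        lines.append(f"{ts.isoformat()}|4625|10|203.0.113.9|administrator")
    # 3. Benign noise: an employee mistypes a password three times in a row.
    for k in range(3):
        ts = base + timedelta(hours=9, minutes=k)
        lines.append(f"{ts.isoformat()}|4625|10|10.0.0.5|jsmith")
    # 4. A failed network logon (type 3) that the RDP-specific detectors must ignore.
    lines.append(f"{(base + timedelta(hours=2)).isoformat()}|4625|3|10.0.0.6|backup")
    return lines


def parse_rdp_failures(lines):
    """Keep only failed RDP logons (event 4625 with logon type 10), sorted by time."""
    events = []
    for line in lines:
        ts, event_id, logon_type, src_ip, user = line.strip().split("|")
        if event_id == "4625" and logon_type == "10":
            events.append(Event(datetime.fromisoformat(ts), src_ip, user))
    return sorted(events)


def hourly_burst_alerts(events, max_failures_per_hour=10):
    """The conventional rule: more than N failures from one source within a clock hour.
    Account lockout and most default brute-force rules approximate this."""
    per_hour = Counter((e.src_ip, e.ts.replace(minute=0, second=0, microsecond=0)) for e in events)
    return {src_ip for (src_ip, _hour), n in per_hour.items() if n > max_failures_per_hour}


def low_and_slow_alerts(events, min_failures=40, min_accounts=5, min_span_hours=24):
    """Multi-day rule: aggregate per source over the whole window and judge on total volume,
    how many distinct accounts were tried, and how long the activity has been going on.
    A source that never exceeds a few guesses an hour still accumulates hundreds over days."""
    by_src = defaultdict(list)
    for e in events:  # events arrive sorted, so each per-source list is sorted too
        by_src[e.src_ip].append(e)
    alerts = {}
    for src_ip, evs in by_src.items():
        span = evs[-1].ts - evs[0].ts
        accounts = {e.user for e in evs}
        if (len(evs) >= min_failures and len(accounts) >= min_accounts
                and span >= timedelta(hours=min_span_hours)):
            span_hours = span.total_seconds() / 3600
            alerts[src_ip] = {
                "failures": len(evs),
                "accounts": len(accounts),
                "span_hours": round(span_hours, 1),
                "failures_per_hour": round(len(evs) / span_hours, 2),
            }
    return alerts


if __name__ == "__main__":
    events = parse_rdp_failures(build_sample_log())
    print("hourly burst rule flags:", sorted(hourly_burst_alerts(events)))
    print("low-and-slow rule flags:", low_and_slow_alerts(events))
```

Run it directly to see what each rule catches: the two-minute burst trips the hourly rule while the three-day trickle does not, and the multi-day view flags the trickle on its 216 failures across 8 accounts over roughly 71 hours, at about three guesses an hour. In production the same aggregation would run over a rolling window (a week is a natural choice, given the study's finding that about 90% of campaigns end within one), and the thresholds would be tuned against the organisation's own baseline of benign failures.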

#THIREurope: APT Groups Now Using Similar Tools in Espionage and Cybercrime Attacks. Speaking at the SANS Institute Threat Hunting and IR Europe conference in London, Tom Hall, principal consultant for incident response and Mitch Clarke, incident response consultant UK&I, at Mandiant, talked about lessons learned from the APT41 detection last summer, and how tools are being used by different threat actors. The speakers said that they believed that APT41 are “sponsored by the Chinese government” and not part of the state’s offensive operations, and the group have been seen conducting espionage operations during daytime working hours, and doing “cybercrime activities” in the evening. This includes targeting healthcare and telco companies for IP theft. Clarke explained that the group “flip the infrastructure and use it for cybercrime and non espionage tasks” and this has involved stealing source code and certificates, and in the day job they flip back to espionage and use those certificates to sign malware to run in their operations.

Source: https://www.infosecurity-magazine.com/news/thireurope-apt-attacks/

TrickBot Adds Custom, Stealthy Backdoor to its Arsenal. The Russian-speaking cybercriminals behind the TrickBot malware have developed a stealthy backdoor dubbed “PowerTrick,” in order to infiltrate high-value targets. According to research from SentinelLabs, released on Thursday, PowerTrick is designed to execute commands and return the results in Base64 format. It’s deployed as a module after the initial TrickBot infection has already taken hold on a victim computer. “The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure air-gapped high-value networks,” according to the analysis.

Source: https://threatpost.com/trickbot-custom-stealthy-backdoor/151663/


Data Breach

City of Potsdam offline following a cyberattack. The German city of Potsdam has suffered a major cyberattack that took down its servers earlier this week; the good news is that emergency services, including the city’s fire department, remained fully operational and payments were not affected. Potsdam is the capital and largest city of the German federal state of Brandenburg. It directly borders the German capital, Berlin, and is part of the Berlin/Brandenburg Metropolitan Region. The intrusion into the Potsdam administration’s servers was discovered on Tuesday, and on Wednesday evening systems were disconnected from the Internet to contain the infection and prevent data exfiltration.

Source: https://securityaffairs.co/wordpress/96835/hacking/city-potsdam-cyberattack.html

P&N Bank discloses data breach, customer account information, balances exposed. P&N Bank is informing customers of a data breach in which personally identifiable information (PII) and sensitive account information was exposed. P&N Bank, a division of Police & Nurses Limited and operating in Western Australia, sent the notice which warned of an "information breach" occurring through its customer relationship management (CRM) platform. On or around December 12, the bank was performing a server upgrade and it is at this point the cyberattack took place. It is believed that a company P&N Bank hired to provide hosting was the entry point.

Source: https://www.zdnet.com/article/p-n-bank-discloses-data-breach-customer-pii-account-information-stolen/

Social media accounts of multiple NFL teams hacked. The Twitter, Facebook and Instagram accounts of multiple NFL teams were hacked on Monday, with profile pictures disappearing for the teams. The hack included the two teams headed to the Super Bowl this weekend. A tweet that appeared Monday afternoon on the official account of the Green Bay Packers credited a group known as “OurMine” for hacking into accounts, with the hackers tweeting “hi, we’re back” and “we are here to show people that everything is hackable.” The profile pictures and headers of the official Twitter verified accounts of multiple NFL teams went blank at the same time OurMine took credit for hacking these accounts.

Source: https://thehill.com/policy/cybersecurity/480159-social-media-accounts-of-multiple-nfl-teams-hacked

How to Spot Data Breach Warning Signs to Protect Your Business. Data breach. The phrase suggests compromised customer data, with resulting legal battles and hefty remediation costs. Most attacks take weeks, or even months, to detect. Alarmingly, according to a recent Ponemon study, hackers spend an average of 197 days inside the targeted system before being discovered. That represents more than six months to pull sensitive information, introduce malware or encrypt files. Adding to the problem, the mixture of public and private clouds, along with an increasingly mobile workforce and a growing IoT, creates an environment with hundreds of entry points. However, by following a few key steps, organizations can detect data breaches early enough to mitigate the consequences.

Source: https://www.emazzanti.net/data-breach-warning-signs/


Recommended Actions to Take

➢ Review the advisories and determine if any actions need to take place
➢ Inform staff as needed about new phishing and social engineering campaigns
➢ Audit your firewalls, routers, switches and wireless networks annually
➢ Ensure that you have protections in place for mobile users
➢ Update the firmware on your routers as necessary
➢ Investigate blocking IP blocks from countries your institution does not do business with as an additional form of protection
➢ Keep systems patched and up to date
➢ Consider the implementation of annual threat hunting exercises
➢ Ensure that you have DMARC implemented
➢ Remove IMAP support for your mail system
➢ Revise your incident response plan to address supply-chain attacks
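One item in the list above, DMARC, can be checked mechanically rather than taken on trust. The Python below is an added example written for this page, not Accume's tooling or code from any of the cited sources. It parses a DMARC TXT record into its tags and reports the gaps a defender usually wants closed before calling DMARC "implemented": a p=none monitoring-only policy, a pct below 100, an sp=none subdomain hole, or no rua reporting address. The records it checks are constructed samples using the reserved example.com documentation domain; to check a real domain you would fetch the TXT record at the name dmarc_record_name() returns (for instance with dig TXT _dmarc.yourdomain) and pass that string to assess_dmarc().

```python
import re

# Constructed sample records for illustration. example.com is a reserved documentation
# domain; none of these strings is any real organisation's DNS data.
SAMPLE_RECORDS = {
    "monitor_only":  "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial":       "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "subdomain_gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforcing":     "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-fail@example.com",
    "malformed":     "v=DMARC1 p=reject",
}

TAG_NAME = re.compile(r"^[A-Za-z]+$")
ENFORCING = ("quarantine", "reject")


def dmarc_record_name(domain):
    """The policy is published as a TXT record at _dmarc.<domain>; build that query name."""
    return "_dmarc." + domain.strip().rstrip(".").lower()


def parse_dmarc(record):
    """Split a DMARC record into a tag -> value dict.

    RFC 7489 syntax is 'tag=value' pairs separated by semicolons. Anything not of that
    shape is rejected rather than guessed at: receivers ignore a record they cannot
    parse, which silently leaves the domain unprotected."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        if not TAG_NAME.match(name) or any(ch.isspace() for ch in value):
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.lower()] = value
    return tags


def assess_dmarc(record):
    """Return the effective policy plus the findings a defender would want closed."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"policy": None, "pct": 0, "enforcing": False,
                "findings": [f"unparseable record, receivers will ignore it: {exc}"]}
    findings = []
    if tags.get("v") != "DMARC1":
        return {"policy": None, "pct": 0, "enforcing": False,
                "findings": ["record must begin with v=DMARC1; receivers ignore it otherwise"]}
    policy = tags.get("p")
    if policy not in ("none",) + ENFORCING:
        findings.append("missing or invalid p= tag, so no policy is applied")
        policy = None
    elif policy == "none":
        findings.append("p=none is monitor-only: mail that fails DMARC is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not a number")
    if policy in ENFORCING and pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy)  # sp defaults to p when absent
    if policy in ENFORCING and sub_policy == "none":
        findings.append("sp=none leaves every subdomain open to spoofing")
    if "rua" not in tags:
        findings.append("no rua= address: without aggregate reports you never see who is spoofing you")
    enforcing = policy in ENFORCING and pct >= 100 and sub_policy in ENFORCING
    return {"policy": policy, "pct": pct, "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        status = "ENFORCING" if result["enforcing"] else "NOT ENFORCING"
        print(f"{label:14} {status}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The checker deliberately treats a malformed record as "no policy" rather than trying to repair it, because that is how receiving mail servers behave: a typo in the record is operationally the same as having no DMARC at all. Relaxed alignment (adkim=r, aspf=r, the defaults) is not reported as a finding, since it is an accepted configuration for most organisations.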

Contact Us

Accume Partners
P: 888-696-1515
E: [email protected]
12 East 49th Street – 5th Floor, New York, NY 10017

A new year, a new evolution in cybersecurity auditing. Protect your institution by signing up for one or more of our security services:

➢ Threat Intelligence
➢ Cyber Business Risk Assessment
➢ Security Maturity Assessment
➢ External and Internal Network Attack and Penetration Testing
➢ Spear Phishing Campaign
➢ Server Security Assessment
➢ Wireless Network Security Assessment
➢ Physical Security Assessment
➢ Web Application Security Assessment
➢ Network Device Configuration Reviews
➢ Incident Response Assurance Program
➢ Incident Response and Forensics

