In the month of April the world saw many of the same tricks and hacks against companies, governments, and people, carried out by the usual suspects. Needless to say, the fact of the matter is that today if you are online you are likely to be phished, hacked, infected with malware, or socially engineered. There are ways to try to prevent these things from happening to you, but in the aggregate you have to realize that everyone will get hacked and you will lose data. The difference, though, is that realizing it is one thing; acting against it is quite another.
The following threat intelligence report is to be used as a notional guide to show you what has happened within the last month in the way of new hacks and exploits, and to point to areas of the CIA triad where you can bolster your security awareness. By seeing what has been happening, perhaps you and your organization can seek remedies to the security vulnerabilities you have, using the insights in this document.
Social Media & Reputation Management In Danger from Easy Hacks
Lately there has been a spate of attacks on Twitter and other social media accounts that have raised the bar on schadenfreude for the month. Whether the issue stems from poor password security within platforms like Twitter or just a persistent and creative group of adversaries, the outcome has been noticed.
The above link is only one of a multitude of attacks on Twitter and other social media accounts of late. These types of attacks against companies are usually aimed at embarrassing the entity being attacked. A secondary outcome of these attacks usually stems from poor password strength and, most of all, password re-use on more sensitive systems.
A tertiary effect is reputational loss due to the hacks on these accounts. Oftentimes the accounts are then used to spread propaganda or just to shame the company or entity with the fact that they got hacked very publicly, and in some cases they are used as a tool to spread hacked information from the entity’s own accounts. One should consider this whenever accounts like these are created and maintained. Ensure that the passwords are not re-used, that the systems that access them are secure and not of a sensitive nature, and that you use good password hygiene at all times, including changing those passwords at regular intervals.
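One way to enforce the two hygiene points above (no re-use, rotation on a schedule) inside your own account-management tooling, as an added example that is not part of the original post and is not code from any platform mentioned here: previous passwords are kept only as salted PBKDF2 hashes, a candidate is rejected if it matches any remembered one on this or another account, and the newest entry’s date drives a rotation check. The class, the depth and age limits, and the sample passwords and dates are all constructed for illustration.

```python
"""Password-history and rotation check (added example, not from the post)."""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Iterable, List, Tuple

ITERATIONS = 100_000            # PBKDF2 work factor (assumed policy value)
HISTORY_DEPTH = 12              # how many previous passwords are remembered
MAX_AGE = timedelta(days=90)    # rotation interval (assumed policy value)


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so old passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """History for one account: (salt, digest, date_set) tuples, newest last."""

    def __init__(self) -> None:
        self.entries: List[Tuple[bytes, bytes, date]] = []

    def matches_previous(self, candidate: str) -> bool:
        """True if the candidate equals any remembered password.

        Each entry has its own salt, so the hash is re-derived per entry;
        compare_digest keeps the comparison constant-time.
        """
        return any(
            hmac.compare_digest(_hash(candidate, salt), digest)
            for salt, digest, _ in self.entries
        )

    def set_password(self, new_password: str, today: date) -> bool:
        """Record a new password; refuse it if it repeats a remembered one."""
        if self.matches_previous(new_password):
            return False
        salt = os.urandom(16)
        self.entries.append((salt, _hash(new_password, salt), today))
        self.entries = self.entries[-HISTORY_DEPTH:]   # forget the oldest
        return True

    def is_stale(self, today: date) -> bool:
        """True if the current password is older than the rotation interval."""
        if not self.entries:
            return True
        return today - self.entries[-1][2] > MAX_AGE


def reused_across(candidate: str, histories: Iterable[PasswordHistory]) -> bool:
    """Cross-account check: is the candidate already in use on another account?

    This is the re-use-on-a-more-sensitive-system case from the post, checked
    across whatever account histories the organisation can see.
    """
    return any(h.matches_previous(candidate) for h in histories)


if __name__ == "__main__":
    # Constructed walk-through: a social media account and a more sensitive one.
    social, vpn = PasswordHistory(), PasswordHistory()
    vpn.set_password("tulip-granite-42-kettle", date(2015, 1, 5))
    candidate = "tulip-granite-42-kettle"
    if reused_across(candidate, [vpn]):
        print("rejected: already used on a more sensitive account")
    else:
        social.set_password(candidate, date(2015, 4, 10))
    print("vpn password stale:", vpn.is_stale(date(2015, 4, 10)))
```

The cross-account check only covers systems whose histories you control; re-use on a third-party platform like Twitter can only be addressed by policy and training, which is the post’s point.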
Passwords… Yeah, OPSEC Much?
It is bad enough when your TV station gets hacked and used as a platform for propaganda. It is quite another thing when the hack itself was caused by passwords being shared on your own TV station’s broadcast. This is the case of the French TV station that got hacked by the Cyber Caliphate in April. This is what is called an OPSEC failure in the world of information security.
The hack of TV5 Monde in April stemmed directly from a segment that aired containing their sensitive passwords to systems at the station itself. The Cyber Caliphate, a group loosely aligned with Daesh (ISIL), must have seen the segment or heard online that the passwords were in the video. Once this happened they went to work on hacking the TV station altogether. It is not known to what level the hackers had gained access to the network before they were shut down, but it is assumed that they had gotten inside deep enough to cause havoc. The station shut itself down to remediate the issues, but not before the Caliphate made it known that the station had been hacked.
The fundamental issue here, though, is that no one, not the videographers, the technical staff, nor the security people they may have at TV5 Monde, stopped this from happening in the first place. The complete lack of security awareness about passwords and their placement on screens or other media in a segment or online is stunning in this case. It is important to note this story and to take pains to ensure that you are not the next company to lose control of its networks due to simple security failures like simple passwords or their sharing in public media.
The Dangers of Insider Threats
The hack of the lottery by an insider is a classic signpost for anyone in information security. The aphorism in this business goes something like this: “The insider threat is the biggest threat,” and this is absolutely true.
In the case of the great lottery job of 2015, the insider tried as best he could to pull off the job of the century. He almost made it, but in the end it was the logistics of claiming the prize that did him in. It seems that the insider could not get someone to claim the winnings right away and waited a year before trying to get the prize.
The object lesson here is that this attacker worked for more than a year on his plan and bided his time to collect the winnings. The insider subverted not only air-gapped computers, with a self-destructing rootkit, but also the camera systems that watched the room they reside in. This should be a lesson for everyone running a security program. Remember the mantra: “The insider threat is the biggest one.” How does one stop insider threats? Well, that is the problem, isn’t it? Consider looking into this issue at your company and assess what steps you can take to mitigate some of these attacks.
Average Time To Intervene In A Phishing Attack: One Minute Twenty Seconds:
Phishing… What can you say about phishing that hasn’t already been said? Well, I guess you could conduct a study and determine just how long you have, as a security body, to stop one from being successful. That window seems to be one minute and twenty seconds today.
Phishing, and more to the point spear phishing, are tactics that rely heavily on the end user and the psychology of the human animal. Given that you have just over a minute to intervene between a user and a clickable link, loaded file, or other method of exploiting the end user’s system, one can see the immensity of the issue.
There are many means of attempting to stop these attacks from happening in the first place, such as email sandboxing and malware and semantic detection through systems like spam sifting. However, the human being at the beginning of the attack chain will always find a way to subvert those systems and get the lure to the end user. This is why it is exceedingly important to understand the human psyche and to use that to train users to understand what phishing and spear phishing are.
As phishing is the primary attack vector today in most compromises, it is the duty of all security organizations to attempt to educate their users in a fashion that gives them real knowledge and not just rote memorization. Understanding the attacks and thinking like an attacker is probably the best way to deter them. As a security organization, please consider this story and work on education programs as well as check-up systems that phish your own end users to inculcate awareness. Technology alone cannot solve this problem and will only lead to the cycle continuing.
A Majority of Incidents Are Aided By The End Users:
As you just read above, it seems that the end user is the primary target today for attacks on organizations. Phishing emails, social engineering exploits, and poor user security hygiene more often than not lead to greater company compromise today.
In an era when the moat, castle, and portcullis (the firewall) aren’t the arbiters of stopping attacks, one must consider that Troy fell to the Greeks by the use of a Trojan Horse. It amazes me that even today people still fall prey to the notion that because they have some security technology like a firewall they are good to go.
What this story should give you as a takeaway, in tandem with the previous story on phishing, is that the end user is the key to 95% of the security threats we face today. Yet many still believe that a technological solution alone is the way to go and that education for end users is pointless. The fact of the matter is that it is quite the opposite, and more orgs should come to understand the human animal’s psychology in order to lead people to better security choices and educate them to make them.
If your org does not have a robust program of iterative security education for end users, you are doing a disservice to the company and to the end users. In the end you will lose your battle much more quickly and have larger compromises if you are not carrying out continuing security education.
Default Passwords; A Security Threat
Insanity: doing the same thing over and over again and expecting different results.
Default passwords on secure systems. This is an oxymoron, yet it happens all the time in networks and organizations. How is it that systems are placed on networks or facing the internet with these defaults left in their original state?
Once again the human psyche seems to be at work in our security failures and foibles. All too often default passwords or default configurations are the cause of compromises that lead to great loss of data and reputation for organizations. Are these things just oversights by overtaxed network admins? Or is there just a lack of comprehension on the part of the workers and management within the security milieu?
As a security organization you should by default (ha ha) be seeking out these defaults with network vulnerability tools and testing, to deny their use by others to access your networks. This is the lowest of low-hanging fruit, and yet it keeps happening.
Ryanair Hacked and Five Million Dollars Stolen Electronically:
Attacks on banking systems, as well as other payment-type systems, are becoming more prevalent as well as more creative. In the case of the Ryanair compromise, the attackers knew their target and its ways very well indeed to carry out this hack and transfer of 5 million dollars.
This case is specifically of interest because of the way the adversary used the daily operations of the company to transfer large sums of cash without raising a red flag internally. Like many companies, Ryanair had a set of accounts and practices that could be leveraged by an astute attacker to make off with funds without raising an eyebrow. In this case it was the accounts used to pay for refuelling the planes.
Since the cost of fuel fluctuates, these were the perfect accounts, because they often had high-volume transactions with some regularity. In many companies you will also find such accounts and practices that could be leveraged by attackers to make off with money transfers that would not be noticed. As an organization, you should consider looking at these high-value accounts and consider means to track them more assiduously to detect, and perhaps deter, such attacks.
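As an added example of the kind of tracking the last paragraph calls for (this is not code from the post and has nothing to do with Ryanair’s actual systems): a baseline is learned from a constructed history of routine fuel payments, and a new payment is held for review when it goes to a beneficiary account never seen for that payee, or when its amount sits far outside the payee’s usual range measured in median absolute deviations (MAD), a scale that tolerates the ordinary price swings the post mentions without tolerating a one-off transfer of several times the norm. Payee names, account identifiers, amounts and the threshold are all constructed.

```python
"""Screen outbound payments from a high-volume account for anomalies (added example)."""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Payment:
    txn_id: str
    payee: str        # supplier name as keyed in by accounts payable
    account: str      # beneficiary account actually credited (constructed ids)
    amount_usd: float


# Constructed history of routine fuel purchases; amounts drift with fuel price.
HISTORY = [
    Payment("T001", "JetFuel Co", "ACCT-BASE-0001", 412_000.0),
    Payment("T002", "JetFuel Co", "ACCT-BASE-0001", 398_500.0),
    Payment("T003", "JetFuel Co", "ACCT-BASE-0001", 433_200.0),
    Payment("T004", "JetFuel Co", "ACCT-BASE-0001", 405_750.0),
    Payment("T005", "JetFuel Co", "ACCT-BASE-0001", 421_100.0),
    Payment("T006", "JetFuel Co", "ACCT-BASE-0001", 389_900.0),
]

# Constructed new batch: one routine payment, one to a changed account, one oversized.
NEW_BATCH = [
    Payment("T101", "JetFuel Co", "ACCT-BASE-0001", 409_000.0),
    Payment("T102", "JetFuel Co", "ACCT-NEW-0009", 415_000.0),
    Payment("T103", "JetFuel Co", "ACCT-BASE-0001", 1_250_000.0),
]


def build_baseline(history: List[Payment]):
    """Per payee: known beneficiary accounts plus median and MAD of past amounts."""
    accounts: Dict[str, Set[str]] = {}
    amounts: Dict[str, List[float]] = {}
    for p in history:
        accounts.setdefault(p.payee, set()).add(p.account)
        amounts.setdefault(p.payee, []).append(p.amount_usd)
    stats: Dict[str, Tuple[float, float]] = {}
    for payee, vals in amounts.items():
        med = median(vals)
        mad = median([abs(v - med) for v in vals]) or 1.0   # guard against a zero scale
        stats[payee] = (med, mad)
    return accounts, stats


def screen_payments(history: List[Payment], batch: List[Payment], mad_threshold: float = 4.0):
    """Return [(txn_id, [reasons])] for payments an analyst should hold for review."""
    accounts, stats = build_baseline(history)
    flagged = []
    for p in batch:
        reasons = []
        known = accounts.get(p.payee)
        if known is None:
            reasons.append("payee never paid before")
        elif p.account not in known:
            reasons.append("beneficiary account changed for a known payee")
        if p.payee in stats:
            med, mad = stats[p.payee]
            score = abs(p.amount_usd - med) / mad
            if score > mad_threshold:
                reasons.append(f"amount is {score:.1f} MAD from the payee's median")
        if reasons:
            flagged.append((p.txn_id, reasons))
    return flagged


if __name__ == "__main__":
    for txn, why in screen_payments(HISTORY, NEW_BATCH):
        print(txn, "->", "; ".join(why))
```

The changed-beneficiary rule is the one that matters most for the scenario in the post: a transfer of a perfectly normal amount to an account that was quietly substituted still gets held, while an honest fuel price spike only trips the amount rule if it exceeds the threshold you set.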
What’s Your Security Maturity Level?
Brian Krebs brings up a very important question when considering your security posture at a corporate level. In this piece he begs the question through a poll that was taken and data that show how orgs tend to fail as security bodies. The maturity level of the company directly correlates to the level of threat that company faces from adversaries leveraging the lack of maturity to effect their goals.
One of the primary tenets of INFOSEC is that unless the security organization has buy-in from the top and a clear channel to communicate, it will fail in its job. This is much of the point of the article and the data that Mr. Krebs is pointing out. Every organization should consider the data within this article, question what their organizational structure is, and seek to better it if it is not already functioning at a high level.
How does your org function? Can you get buy in from the CEO down? If not, you are not likely to be successful.
False Positives Sink Antivirus Ratings
Antivirus is problematic to start with. All too often it is seen as a panacea by executives, but the reality is that it is quite an imperfect system and must be used in tandem with a layered approach to mitigating attacks. With the prevalence of false positives, we can see how just this one factor can lead to ratings hits as well as a sense of crying wolf.
The fact that AV has so many false positives, as well as issues around signature patterns either not being up to date or missing, oftentimes makes the system a flawed one at best. Orgs should not be looking at detection ratings as much as the overall issues surrounding the efficacy of the products themselves, as well as their balanced use in a layered approach.
Overall, orgs should look at their AV choices and implementations to determine where gaps exist in the efficacy of the programs, technically and logically. Those gaps should then be closed with other technical or logical means to stop-gap areas of concern. A single AV solution in an environment is futile as a means of protecting your organization today.
New Malware Spreads Through Advertising Channels:
Spreading malware campaigns via advertising channels is a stroke of genius for the adversaries. The prevalence of advertisements on sites, and the ability to spread malware through them, enables the attacks to progress geometrically.
An uptick in this activity has been seen in many channels and should be considered a clear and present danger. Once the malware channels have been created by taking over the links to advertisements in sites and feeds, the drive-by potential increases geometrically. Depending on the malware variants and the adversaries, we could see quite an uptick in directed attacks.
A curated malware campaign by these attackers could conceivably be used to go after particular targets through the types of ads being used as the transmission point. Say that you were able to go after luxury item ads and inject malware into those who view them. The return on investment here for the adversaries could be huge. As well, given the prevalence of ads in every corner of the page on sites today, one imagines that this vector will become the go-to method in the near future.
Banking Malware Now Using More Exotic Evasion Tactics:
The crimeware creators are taking cues from the advanced persistent threat crowd and building in features that allow for not only greater compromise but longer periods of entrenchment in victim networks. These factors will make crimeware the new APT and make the APT seem like old hat.
As time has passed we have seen the crimeware creators become more adept at integrating the tools and techniques of the advanced persistent threat set. In the case of this report we can see directly how the criminals have taken up the mantle of APT by using advanced techniques to keep persistence on the networks they are attacking.
As the technology gets more complex, so too will the ability needed to detect and deter the attacks. In recent samples, malware of a more pedestrian nature, delivered via lower-end phishing exploits, has been shown to be network-aware as well as sandbox-aware. These escalations in technique will require organizations to catch up to their level and have operations that can detect, reverse, and report on these attacks as their frequency and technological complexity rise. Orgs should invest in people and technologies to deal with these threats appropriately.
Cisco ASA Bug Allows Arbitrary Commands and DoS
A remote user on the local network can send specially crafted UDP packets to the target failover device via the failover interface to trigger a flaw in the failover IPSec feature and execute arbitrary configuration commands on the target device [CVE-2015-0675]. This can be exploited to take full control of the active and standby failover units.
This is another good example of a core system being attacked with code that could allow for greater compromise of a network. Please ensure that your org is looking at these types of core systems and their vendor feeds for vulnerabilities and patches that should be applied or investigated.
A remote user can send a specially crafted HTTP request to trigger a parsing flaw in the HTTP protocol stack (HTTP.sys) and execute arbitrary code on the target system. The code will run with System privileges.
This is another flaw that exists in common core features of the internet. As has been mentioned before, it seems that attackers are now going after core systems and protocols for larger effect. Such vulnerabilities should be considered a clear and present danger and patched as soon as practicable.
Microsoft Security Bulletin April 2015
In April’s Patch Tuesday there were 27 vulnerabilities patched, ranging from critical to informational.
As with all systems, Microsoft produces patches from alerts and events concerning their operating systems’ vulnerabilities. It is important that all orgs focus time on a monthly basis on following up on the Microsoft security patches that are put out on the second Tuesday of each month.
Microsoft, being what it is, is a bit of a monoculture in many networks, and as such a compromise of one system will likely mean the compromise of the greater network because of trusts within the domain as well as weaknesses in the operating systems.
Please ensure that your organization’s security group is involved in the patch cycle, by taking part in the decisions on patching vulnerabilities according to their criticality to your own environment.
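A small piece of tooling for the monthly cycle described above, added here as an example rather than anything from the post or from Microsoft: it computes the second Tuesday of a month, finds the most recent and the next release date relative to any day, and lists hosts from an inventory whose last successful patch run predates the current cycle once a grace period has passed. The hostnames, dates and the seven-day grace period are constructed; the only real-world fact used is that the regular release day is the second Tuesday.

```python
"""Patch Tuesday calendar and overdue-host check (added example, not from the post)."""
from datetime import date, timedelta
from typing import Dict, List

TUESDAY = 1   # date.weekday(): Monday == 0


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month, Microsoft's regular release day."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def latest_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before `today`."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate > today:
        year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        candidate = patch_tuesday(year, month)
    return candidate


def next_patch_tuesday(today: date) -> date:
    """First Patch Tuesday strictly after `today`."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate <= today:
        year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
        candidate = patch_tuesday(year, month)
    return candidate


def overdue_hosts(last_patched: Dict[str, date], today: date, grace_days: int = 7) -> List[str]:
    """Hosts whose last patch run predates the current cycle after the grace period.

    last_patched maps hostname -> date of the last successful patch run.
    Inside the grace window nothing is reported, so the list is empty until
    the org's own deployment deadline has gone by.
    """
    cycle = latest_patch_tuesday(today)
    if (today - cycle).days <= grace_days:
        return []
    return sorted(host for host, when in last_patched.items() if when < cycle)


if __name__ == "__main__":
    # Constructed inventory: dates of each host's last successful patch run.
    inventory = {
        "dc01": date(2015, 4, 16),
        "fs02": date(2015, 3, 12),   # patched for March but never for April
        "ws17": date(2015, 4, 14),
    }
    today = date(2015, 4, 28)
    print("current cycle:", latest_patch_tuesday(today))
    print("next cycle:   ", next_patch_tuesday(today))
    print("overdue:      ", overdue_hosts(inventory, today))
```

Feeding the overdue list into the same meeting where criticality decisions are made, as the paragraph above suggests, turns the monthly bulletin from a reading exercise into a tracked backlog.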
Word Document to download and edit for your org HERE
An INFOSEC Maturity Differential Diagnosis:
Advanced Persistent Failure (APF *tm*) is a term that I coined today in my Twitter feed that I have yet to trademark before Rob Graham (@erratarob) gets around to it.
Advanced Persistent Failure: “The inability for human beings and their collectives to learn from security incidents, data, polls, and any other lessons learned that would normally cause changes to be made. Instead, the cognitive dissonance wins out and they believe nothing is ever wrong, they are safe, and unicorn devices will prevent their data from being stolen.”
Why it came to me today was the article pictured above by Brian Krebs, who begs the question “What is your org’s security maturity?” I find it interesting that the guy who is out there on the net, the one person you “don’t want to hear from” of late (because if he’s calling, it’s because your data is out on the net and he knows about it), is actually asking a question that many others have asked in the past. I don’t think any of them, myself included, ever got the traction with the hoi polloi, because we aren’t all famous or ‘rock stars’ in the industry. Still, even with someone like Brian begging the question, I still don’t think the message will get through the static of all the sales pitches and self-absorbed thought processes out there in the corporate world to make one whit of difference.
What I mean to say is that even with someone like Brian asking the question, the companies and people that comprise them likely will not navel gaze enough to make the changes that are recommended by such posts and supporting data. Now you may just consider me to be a jaded bastard or a pessimist, which I am both, but I want you all to take in the reality of the situation. How many orgs do you know of that have been on the right path security wise from the start? How many of those orgs only began to change post an intrusion that caused great deals of damage and FUD? Seriously, take a look at the chart above and compare it to your own org. Now ask yourself honestly these important questions;
- If I am in a reactive org, can I change the org to not be?
- If I am compliance driven, the motivation has already been given, yet I am still unable to secure things. Why?
- If my executive chain does not get it now, how can I change this?
Now these questions may be daunting for the average security worker, but then consider a CISO or director asking these questions too. Do you honestly think that even if they sent this article to the executive set that they would even bother? Why would they? Do your execs get security at all? I am sure some of you out there are like “yeah they get it, my org rocks!” to which I say “Good for you! Liar.” It is my opinion, after a long time in this business as a consultant, that orgs in general are fucked up and not clued in on security as the rule. Doubt this? Just look at all the big compromises and advanced persistent failure we have seen over the last few years. How about this though: just consider the recent reports about POS machines with default passwords that have not been changed in 20 years.
How bout them apples? We all know that default passwords are bad and should be changed as a rule, but no one is doing that. Why do we persistently fail at doing the simple things? Perhaps it is because humans are just bad at determining long-term risk? Perhaps none of us is as bad as all of us when it comes to making security decisions? Or maybe it is just because there is no real imperative on the part of companies to really care, because the financial and reputational losses are not that great today? Let me ask you this: Do you think that the former CEO of (insert hacked company) is now living on the street in a cardboard box because they failed to care about the security at (insert hacked company)?
Lemme give you a hint… No.
Clearly it is not an imperative, so with Brian asking the question it may get some air time, but really, how many orgs do you think are going to read that article and yell “BY JOVE HE’S RIGHT! WE MUST CHANGE THIS HENCEFORTH!”
Lemme give you a second hint… None of them.
BUT CSO MAGAZINE SAID:
Hell, even if Steve Ragan wrote a piece on this *hint hint* I still expect that the vast majority of the security people out there, even taking that article and forwarding it to directors and CISOs, would be able to effect a change for the better security-wise. Why? Because once again, people don’t give a shit and they aren’t being forced to do anything about it. No, really, that is my opinion and I am going to stick to it. Nothing will change unless they are forced to be cognizant of the issues as well as responsible, really responsible, at the end of the day. So there is very little hope that your CISO will be magically reporting directly to your CEO. There will be very little hope that your CISO will be working directly with the board of directors UNLESS maybe, if you are lucky, you have been hacked spectacularly and in the news. Those orgs, though, that have made those changes post being hacked I feel are more unicorns than anything else. So yeah Steve, please write about this and have that drop in all the CISOs’ email boxes! It will be all hopey changey!! Secretly though I would hope you just link back to me about the APF of all of this, ya know, just as a cautionary tale and a buzzkill.
Face facts kids, we are well and truly shit out of luck here. I certainly don’t expect us as a species to change how we operate because some people in the media pointed out the realities of our collective fail. Sure, China is hacking the shit out of us, Iran is about to cyber nuke the lot of us, and the Russkis are all up in our President’s emails, but will we change our SOP for security because of it? No, no we won’t; we will just continue to stumble along like we have been all along. Our predilection for Advanced Persistent Failure is like an addiction really. Security is hard! We can’t make those changes to passwords! I mean how will we rememberize them? Oh. My. God! Enlightenment, even the ‘brick’ that @Gattaca and others use out there, does not have the play or the sexy that a new blinky light APT stopper has on the RSA floor as hawked by booth… Babes? Men? Whatever the flavor of the day is now in our stupid industry of fail.
Prepare for the next fail tsunami kids. Nothing will change.
Watch the video first. Yes, watch it again if you haven’t already, then read on…
Ok, so do you feel some horror and outrage even though you laughed your ass off? Yeah, me too. But after those feelings wear off I am just left with a sense of creeping dystopia and loathing. Honestly, this shit is just out of hand and no one is really capable or willing to deal with it, and this comedic bit by John Oliver hits the nail on the head. No matter what you think of Snowden, the point is that even after all of the data being released and all its portents shared, nothing substantive has happened. Sure, the world now knows, and the security community at least seems to be in a quandary over it all, but the general populace, it seems, cannot be bothered to even know who Snowden is and what he did. To quote myself here:
Ok ok ok, maybe the sampling was skewed in Times Square that day and the sample was small, but really, no one there had a real grasp of the leaks, never mind their import to their daily hyper-connected lives? I am still a little stymied to believe this to be the case, but there you have it on HBO. So as the date approaches for the re-up on the Patriot Act, and specifically the most egregious of all the egregious shit in it, Section 215, we the people seem to just be abdicating our rights as citizens to say no to this. Even as we see more executive orders come out on hacking and the ‘cyber’ that seem at least notionally obtuse and open to interpretation, if not outright deliberately so to allow abuses, we are just gonna go back to collectively not caring about anything other than Kim Kardashian’s ass?
Oh.. Wait a minute here, I am forgetting about the dick pics!
Well obviously we have our priorities straight as a nation and a freedom loving people right? I mean FOR GOD’S SAKE YOU CAN TAKE MY PERSONAL CALLS AND CALL ME A TERRORIST BUT FUCK ME YOU CANNOT LOOK AT MY DICK PICS YOU SURVEILLANCE BASTARDS! Yeah, that is a bridge too far my friends! I suspect I will be seeing new ‘Don’t Tread On Me’ flags with a penis instead of a snake soon enough.
Ok, well then we have proven that we as a nation, as a people, do not comprehend the problem of pervasive surveillance enough to do anything about it UNLESS it is about our personal porn. I get it now. As no one but Oliver has made it about this, I predict that Section 215 will just get another pass. Meanwhile all our data collection will continue and the mass surveillance state will grow even further than it already has. This leaves me once again back at the stage of Neo-Ludditism. Excuse me while I go to my 6’x12′ cabin in the woods and make my ‘packages’…
GLOBAL Threat Intelligence Report – March 2015
In the month of March there were several high-level vulnerabilities exposed, ranging from programmatic issues to the compromise of user security by supply-chain tampering by a maker of laptops and desktops. All of these instances show just how much the landscape changes per month in the security of our systems and networks.
This report has been generated to give the end user an idea of what is happening in the security space, as well as insights into little-thought-of security issues that could lead to compromise of your network. From the macro to the micro-verse, security issues can have great effect on corporations large and small. From the effects of Target’s breach response, ten million dollars in reparations to their clients, to the FREAK vulnerability and the attacks on the core protocols that the internet is based on and secured with, these reports give you an idea of where to look and what to look for.
Fully Patched Versions of Firefox, Chrome, IE 11, and Safari Hacked in Pwn2Own Contest
Think that patching your browser on a regular basis is the only answer to your security problems? Then guess again. At the last Pwn2Own contest all of the major browsers fell to attacks even though they were fully patched.
What this shows is that even when a system has been curated well and security patches applied, there can always be flaws in the code that can lead to compromise. This is an important fact to remember and plan for in any environment dealing with online activities.
However, mitigations can be taken to help stem these types of attacks. Consider deploying systems like EMET 5 or another HIDS client that can monitor the volatile memory space as well as changes to the operating system that might occur when a browser is exploited. It is also a given that your company should have IDS/IPS/SIEM capabilities to detect traffic that may be going to C&Cs from compromised systems and browsers.
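One of the simplest detections the SIEM advice above can be built on, added here as an example (not code from the post, nor from any IDS or SIEM product): a compromised browser or implant that phones home tends to do so on a near-fixed schedule, so grouping proxy connections by source and destination and measuring how regular the gaps between them are separates a check-in from ordinary browsing. The log format, the hosts and the timestamps below are constructed; the two external addresses are RFC 5737 documentation ranges, not real servers.

```python
"""Periodic-connection (beaconing) detector over proxy log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Assumed line format: "<ISO-8601 UTC> <src-ip> <dst-ip> <dst-port> <method>"
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

# Constructed sample: one host contacts 203.0.113.7 every ~5 minutes while
# browsing 198.51.100.20 at irregular intervals (both RFC 5737 test addresses).
SAMPLE_LOG = """\
2015-03-12T10:00:00Z 10.1.2.3 203.0.113.7 443 CONNECT
2015-03-12T10:00:41Z 10.1.2.3 198.51.100.20 443 CONNECT
2015-03-12T10:05:01Z 10.1.2.3 203.0.113.7 443 CONNECT
2015-03-12T10:06:15Z 10.1.2.3 198.51.100.20 443 CONNECT
2015-03-12T10:09:59Z 10.1.2.3 203.0.113.7 443 CONNECT
2015-03-12T10:15:02Z 10.1.2.3 203.0.113.7 443 CONNECT
2015-03-12T10:19:58Z 10.1.2.3 203.0.113.7 443 CONNECT
2015-03-12T10:25:00Z 10.1.2.3 203.0.113.7 443 CONNECT
2015-03-12T10:31:45Z 10.1.2.3 198.51.100.20 443 CONNECT
2015-03-12T10:33:02Z 10.1.2.3 198.51.100.20 443 CONNECT
this line is malformed and is skipped
"""


def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group connection timestamps by (src, dst); malformed lines are skipped."""
    flows: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        flows[(m.group(2), m.group(3))].append(ts)
    return flows


def find_beacons(text: str, min_hits: int = 5, max_cv: float = 0.1):
    """Flows whose inter-connection gaps are regular enough to look like a beacon.

    Returns {(src, dst): (hits, mean_gap_seconds, coefficient_of_variation)}.
    A low coefficient of variation (stdev / mean of the gaps) means the host
    reaches the destination on a near-fixed schedule, typical of C&C check-ins.
    """
    results = {}
    for flow, stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results[flow] = (len(stamps), avg, cv)
    return results


if __name__ == "__main__":
    for (src, dst), (hits, avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {hits} hits, every {avg:.0f}s (cv={cv:.3f})")
```

Software updaters, monitoring agents and mail clients also poll on fixed schedules, so the output is a lead for an analyst rather than a verdict; in practice the destinations of known agents are allow-listed before the rule goes into a SIEM, and the window is widened well beyond the 35 minutes of sample data here.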
The Largest Email Hack in History
The US Department of Justice announced today that it has charged three men for participating in what officials are calling “one of the largest reported data breaches in US history” and “the largest data breach of names and email addresses in the history of the Internet.”
According to allegations in the indictments, between February 2009 and June 2012, Viet Quoc Nguyen, 28, a citizen of Vietnam, allegedly hacked into at least eight email service providers (ESPs) throughout the United States and stole confidential information, including proprietary marketing data containing over one billion email addresses. Nguyen, along with Giang Hoang Vu, 25, also a citizen of Vietnam, then allegedly used the data to send “spam” to tens of millions of email recipients. The data breach was the largest in U.S. history and was the subject of a Congressional inquiry in June 2011. ~USDOJ
The hacking of eight major email providers in this case shows just how important common information like our email addresses and content is to criminals. That this is the biggest and seemingly longest-running of these scams also shows how long something like this can go on and how it has been corporatized, in a way.
The criminals created an enterprise in which they used the data from their ill-gotten gains to send spam and generate revenue from it. This is common today, but it is not usually predicated on hacking major email providers and stealing inside information.
The FREAK Vulnerability and SSL
Just when you thought it was safe to use your computer again after last year’s Heartbleed, Shellshock and other computer bugs that threatened your security and just as I predicted in my column of Dec. 20, 2014, researchers have discovered yet another security flaw that threatens millions of Internet users.
The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers, both good and bad. As time progresses, expect to see more attacks on this fundamental protocol, which could compromise your whole environment.
This is important to you because SSL is the basis for many secure transactions online and in your network. Once it has been broken by making a session insecure, an attacker can steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.
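FREAK is short for Factoring RSA Export Keys: the weakness is that servers and clients still accepted the 1990s “export-grade” cipher suites, whose keys are short enough to break offline, so a session could be downgraded to one of them. Managing that on your own systems means checking what your servers actually negotiate. The following is an added example, not code from the post or from any TLS library: it parses a raw TLS record carrying a ServerHello, as you would capture from your own server, and reports whether the chosen suite is export-grade. The suite numbers are the IANA-registered values; the `build_server_hello` helper only constructs test records (random bytes, no extensions) so the check can run offline.

```python
"""Flag export-grade cipher suites in a TLS ServerHello (added example, not from the post)."""
import os
import struct
from typing import Dict

# IANA-registered export-grade suites (40/56-bit keys) that FREAK-style downgrades rely on.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# A couple of non-export suites, only so the good case prints a name.
STRONG_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

HANDSHAKE = 0x16      # TLS record content type
SERVER_HELLO = 0x02   # handshake message type


def parse_server_hello(record: bytes) -> Dict[str, object]:
    """Read the negotiated cipher suite out of a raw TLS record holding a ServerHello."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) < 2 + 32 + 1:
        raise ValueError("ServerHello too short")
    version = struct.unpack("!H", msg[0:2])[0]
    pos = 2 + 32                      # skip server_version and the 32-byte random
    sid_len = msg[pos]
    pos += 1 + sid_len                # skip session_id
    if len(msg) < pos + 3:            # cipher_suite (2) + compression_method (1)
        raise ValueError("ServerHello missing cipher suite")
    suite = struct.unpack("!H", msg[pos:pos + 2])[0]
    name = EXPORT_SUITES.get(suite) or STRONG_SUITES.get(suite) or f"unknown(0x{suite:04x})"
    return {
        "version": version,
        "cipher_suite": suite,
        "cipher_name": name,
        "export_grade": suite in EXPORT_SUITES,
    }


def build_server_hello(suite: int, version: int = 0x0301) -> bytes:
    """Construct a minimal ServerHello record for testing (empty session id, no extensions)."""
    msg = struct.pack("!H", version) + os.urandom(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(msg).to_bytes(3, "big") + msg
    return bytes([HANDSHAKE]) + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for s in (0x0003, 0xC02F):
        info = parse_server_hello(build_server_hello(s))
        verdict = "EXPORT-GRADE, session can be broken" if info["export_grade"] else "ok"
        print(f"{info['cipher_name']}: {verdict}")
```

The fix on the server side is to remove every export suite from the configured cipher list and to keep the TLS library patched; this parser is the verification step that confirms a real handshake against your server no longer lands on one of them.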
Target Offers 10 Million Dollars in Breach Payments
Target has agreed to pay $10 million to settle a class-action lawsuit related to the company’s 2013 data breach.
Court documents show hacking victims could get as much as $10,000 apiece.
The Target hack was one of the first in recent times to make a lasting impression on the world. This attack showed not only how the adversaries used advanced and persistent means to gain and keep access to Target’s networks, but also how a company can be financially and reputationally compromised.
That Target is now offering money, rather than just credit monitoring, shows just how important these attacks are to a company’s bottom line as well as to its continuing reputation. This round of settlements, though, has been marked as low and not enough by many in the industry and in the public.
The upshot here is that the company has had to respond in this manner due to its own culpability: its security measures were not up to speed to catch the warning signs that were going off like klaxons in the night. It is important for all organizations to perform due diligence in this day and age of advanced adversaries, who may not be nation-state sponsored.
One in Three Websites at Risk on the Net
Facebook. Paypal. ESPN. Google. Amazon. These are sites you probably visit all the time, sites you inherently trust. But a new report from Menlo Security released Tuesday says that trustworthy sites are not necessarily safer.
Menlo pulled out the top 1 million domains on the Web and reviewed them all for potential vulnerabilities. The results were startling. One in three fell into the category of “risky,” meaning that they had either already been compromised by hackers, or were running vulnerable software that leaves them open to attack.
There are a couple of factors that could explain this assessment. The first is that the vulnerabilities are just so many that they are hard to keep up with in an enterprise environment. The second is that the companies are either not performing their scans as regularly as they should, or have decided that the vulnerabilities are acceptable to them and written them off as accepted risk.
I am unsure of the reality here regarding these potential risks to all these sites on-line. Risk acceptance and the determination of the level of risk are hard to scope out, as each environment is (one hopes) making that calculation for itself, so there are variations in levels of care. However, this article and the statistics therein show that, as a whole, we can understand how easily adversaries can exploit systems reachable on-line, and why we keep seeing stories about large-scale hacks on organizations.
ISIS Hit List and Information Warfare
At least three times in the last five months, U.S. military members have been urged to limit their social media activity in response to worries that ISIS-linked terrorists could track them down, in the U.S. or abroad.
The latest warning came this week, when a group calling itself the Islamic State Hacking Division posted personal information of about 100 service members, which defense officials said had been collected from social media sites.
While this story is about the war on terror and the on-line antics of a small cadre of Da’esh followers, it is also a cautionary tale. The information that was leaked on-line was not in fact hacked, but was all available through Google searches. This is an important fact in the story to clarify, but it also sets the stage for the second important insight: how much of our personal data is on-line.
A simple Google ‘Dork’ can deliver a huge amount of OSINT on a target today, and the use of that data to re-post it on a page like Pastebin and call for assassinations shows the power of the net. Basically, this is the story of asymmetric warfare and how easily it can be carried out online. Now imagine that it is not a terrorist organization doing this but a disgruntled employee or client of a company.
Every individual should consider how much data they put online and where they are putting it. From cyber bullying to outright death threats, we make it easy to ‘dox’ ourselves with our Tweets, Facebook postings, and emails.
On March 26, 2015, a very well-coordinated distributed denial of service (DDoS) attack was waged on GitHub, the heir apparent to the now-closing Google Code. GitHub characterized this as the largest DDoS in its history.
The Electronic Frontier Foundation (EFF) and security researchers Netresec name the Chinese government as the culprits of the attack, which lasted until March 31, 2015. Here’s an overview of why the cloud-based git repository host was targeted.
China and India both blocked GitHub recently because of content on the site that they evidently found threatening. In the case of China, it seems that GitHub may have just become another piece of fodder for the internet wars. The reality though is that, no matter the political aegis, GitHub was taken down with a DDoS because of unencrypted sessions that were allowed to Baidu.
The bigger story here though is that DDoS is incredibly hard to mitigate and everyone is vulnerable to it. As a means of political protest or just an attack to force a company into some kind of complicity, DDoS is not going anywhere. This is because our systems are inherently vulnerable to these attacks, and until such time as the code is adjusted to disallow them, they will happen regularly.
For more on DDoS go here
Your Private Data Available Through Anonymous Shares On-line
Our lives are digital now.
Everything we do on-line leaves a trail that leads directly to us; something privacy advocates are fighting to eliminate. However, we’re our own worst enemy when it comes to privacy, and personal cloud adoption has done nothing to help the situation.
Each day millions of people across the globe create backups of their files. These backups are supposed to offer a measure of assurance that their files are safe and easily recovered if needed. But that’s not entirely true.
In fact, depending on how you’ve configured the device, your backups are freely available on-line to anyone who knows what they’re looking for.
Google ‘Dorking’, as mentioned above in the Da’esh story, is an easy way not only to gather data on users but also to gain access to their data and systems. In the case of the story at CSO it was easy to Google with certain terms and strings to locate users’ systems that were insecure and on-line. Many of these systems were in fact routers that had been turned on with default settings or misconfigured.
This is an object lesson for everyone, and you should consider it not only as a personal security issue but also a corporate one. Imagine that you have an IT person who is bringing work home or, worse still, has configured a router or a NAS device to share in this way to the Internet. This is actually a scenario that was discovered, and it offered up a compromise of the company’s whole infrastructure.
Many of the cases just involve personal information. However, there have been cases like the one cited above, as well as cleared individuals sharing out FOUO/NOFORN/CONFIDENTIAL information, so this is certainly not only a personal issue. Please consider talking to your employees about these types of data breaches at home that could lead to breaches at your company as well.
Superfish! Lenovo Pre-Installed Malware
Does your Lenovo computer have Superfish VisualDiscovery adware (a.k.a. spyware) installed? It’s possible if you purchased a Lenovo PC any time in September of 2014 and thereafter.
This Superfish software intercepts the Lenovo user’s traffic so that the user sees ads displayed that reflect their browsing habits. The problem with this targeted advertising scheme is that it comes with a vulnerability that makes it easy for hackers to attack.
Superfish enables targeted advertising by installing what’s called a trusted root CA certificate.
These threat intelligence reports have covered the idea of ‘Supply Chain Tampering’ in the past, but this one should set off alarm bells for anyone buying a computer from any vendor. The alleged adware with a trusted CA was, according to Lenovo, nothing to worry about. However, it was proven out that this adware/malware could be used by others to compromise the systems entirely.
Though Lenovo considered this form of advertising, with its inside access to and routing of the user’s traffic, legal and acceptable, it is in fact not. Just as Sony was called out in the past for adding a RAT (remote access tool) to their DVDs, this is wholly inappropriate and in fact degrades the security of whole organizations as well as of individuals who may purchase their hardware.
Now that this is out in the open, if you have these systems within your network you should remove the adware/trojan, and inform any home users in your work-from-home or bring-your-own-computer programs to remove it as well. If it is left in place today, after all the reporting on it, there could be compromise, because exploit code is already in the wild.
To remove SuperFish go here
Kilim Facebook Worm Hooks with Sexy Pics
Security experts have warned of a new Facebook worm using adult content as a lure to trick desktop users into downloading malware.
The authors behind this version of the Kilim worm have “gone to great lengths to anonymize themselves” and circumvent browser protections, Malwarebytes senior security researcher, Jérôme Segura, wrote in a blog post.
If they click on what appears to be a video file promising to show “sex photos of teen girls,” victims are redirected via two ow.ly links – first to an Amazon Web Services page and then a malicious site, videomasars.healthcare, which apparently checks their computer.
One of the more common techniques in malware delivery and phishing attacks is the promise of sexual content. That this is being leveraged on Facebook is only more effective because of Facebook’s prevalence on the net. Additionally, the use of obfuscating shortened links like bit.ly and ow.ly is common as well, and these should be filtered if possible in your environment to disallow these attacks.
As organizations, you should have some form of web filtering in place, but often these slip up and let such content through. Please keep up with the filtering and leverage systems like BlueCoat and Websense as a front-line tool against these types of attacks.
The Hanjuan Exploit Kit and Malvertising
Anyone who visited the New York Daily News website or Metacafe website – as well as several other lesser known sites – within the past couple of weeks could have been infected with malware, according to Malwarebytes.
Researchers identified a malvertising campaign originating from the engage:BDR advertising network, a Tuesday post indicates. In a Wednesday email correspondence, Jerome Segura, senior security researcher with Malwarebytes, told SCMagazine.com that the issue has been resolved.
Malvertising (from “malicious advertising”) is the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.
This type of attack could also be called a ‘drive by’, but the point here is that nothing is safe. Ads on sites can in fact be the infection points for systems viewing the page, and this is a risk to all environments.
Whether it be an iframe attack or a click-through to a malicious domain, these types of attacks are myriad on-line and should be a concern for all security departments in corporations. What can be done though? It is a hard thing to keep up with, and to prevent users from clicking or just visiting legitimate sites that may be temporarily compromised.
The best thing that you can do is have the measures in place (Websense/BlueCoat/Barracuda etc.) to monitor the online traffic of your users and get alerts on sites that may be compromised. It is then your job to locate the users who may have gone to these sites and scan their systems for compromise. Having a program for keeping up with these types of attacks (RSS feeds etc.) will also help your security team detect and deter them.
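The Kilim story above mentions ow.ly/bit.ly shortener links, and this one ends with the advice to locate the users who reached a compromised site and scan their systems. The following Python is an added example, not code from Malwarebytes or from any of the products named: it runs a small triage over proxy log lines, matching each visited host against a list of known-bad domains (videomasars.healthcare, from the Kilim story) and a list of URL shorteners, and returns per-user hits plus the users to scan first. The log format (timestamp, user, client IP, method, URL, status) and every log line are constructed sample data; adapt `parse_line()` to your own proxy’s export.

```python
"""Triage proxy logs for visits to known-compromised domains and URL shorteners.

Added example, not from the original report. Log lines are in a constructed
space-separated format (timestamp, user, client IP, method, URL, status);
adapt parse_line() to your proxy's export. The known-bad domain comes from
the Kilim story; shortener hits are flagged separately because they hide
the real destination.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (hosts, users and addresses are placeholders).
SAMPLE_LOG = """\
2015-03-30T09:12:01Z jdoe 10.1.2.33 GET http://www.nydailynews.com/news/ 200
2015-03-30T09:12:03Z jdoe 10.1.2.33 GET http://ads.example-network.invalid/serve?id=44 200
2015-03-30T09:12:05Z jdoe 10.1.2.33 GET http://videomasars.healthcare/check.php 200
2015-03-30T09:15:44Z asmith 10.1.2.51 GET http://ow.ly/AbCdE 302
2015-03-30T09:15:45Z asmith 10.1.2.51 GET https://s3.amazonaws.com/example-bucket/page.html 200
2015-03-30T09:20:10Z bjones 10.1.2.70 GET https://www.example.com/ 200
"""

KNOWN_BAD = {"videomasars.healthcare"}   # compromised / malicious domains from the reports
SHORTENERS = {"ow.ly", "bit.ly"}         # obfuscating shorteners worth filtering


def parse_line(line):
    """Split one constructed-format log line into a record."""
    ts, user, client, method, url, status = line.split()
    return {"ts": ts, "user": user, "client": client,
            "method": method, "url": url, "status": int(status)}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def domain_matches(host, domains):
    """True when host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(log_text, known_bad=KNOWN_BAD, shorteners=SHORTENERS):
    """Return {user: [(timestamp, category, host), ...]} for every hit needing follow-up."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = host_of(rec["url"])
        if domain_matches(host, known_bad):
            hits[rec["user"]].append((rec["ts"], "known-bad", host))
        elif domain_matches(host, shorteners):
            hits[rec["user"]].append((rec["ts"], "shortener", host))
    return dict(hits)


def users_to_scan(log_text):
    """Users whose workstations should be scanned first: anyone that reached a known-bad host."""
    return sorted(u for u, h in triage(log_text).items()
                  if any(cat == "known-bad" for _, cat, _ in h))


if __name__ == "__main__":
    for user, events in triage(SAMPLE_LOG).items():
        for ts, cat, host in events:
            print(f"{ts} {user:8s} {cat:10s} {host}")
    print("scan first:", users_to_scan(SAMPLE_LOG))
```

Shortener hits are reported but ranked below direct known-bad hits, because a shortener only tells you that the destination was hidden, not what it was; the ad-network and Amazon Web Services hosts in the sample are deliberately not flagged, since blocking them wholesale is rarely workable and the indicator list is what does the work.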
Android Malware Risk to Almost 50 percent of all Devices
Millions of Android devices have been found vulnerable to cyber attack following a security flaw allowing malware to replace legitimate apps, hacker Zhi Xu has found.
Almost half of Android phones may be affected, with the flaw allowing dangerous malicious apps to be downloaded without the user’s knowledge, collecting personal data from the infected device.
As mobile computing becomes more prevalent and operating systems like Android take more market share, you and your employees are at more risk of compromise. In the case of this malicious application installation it has been shown that nearly fifty percent of all phones are vulnerable.
With the advent of ‘Bring Your Own Device’ and just general use of these phones, tablets, and devices, the risk of compromise has increased geometrically. It is important that your security programs include keeping up on vulnerabilities in these devices, as well as being aware of the intricacies involved in private individuals’ devices, their use, and where the security rubber meets the privacy road.
A compromise of a device means not only that the end user’s data is at risk but also the corporation’s data and its network infrastructure.
New variants of malware come and go with depressing regularity, but some have capabilities that offer more cause for concern than others.
The latest piece of scary software comes from researchers at security company Doctor Web who have uncovered a new Trojan dubbed BackDoor.Yebot that’s capable of carrying out a wide range of destructive actions on an infected machine.
It’s spread via another piece of malware, Trojan.Siggen6.31836. When launched on the target machine, this injects its code into the svchost.exe, csrss.exe, lsass.exe and explorer.exe processes. After sending a request to the remote server it then downloads and decrypts BackDoor.Yebot and transfers control to it. Some features of Trojan.Siggen6.31836 are encrypted (and can be decrypted only while it’s being executed). It also incorporates mechanisms to verify the virtual machine in a target system and bypass User Account Control.
Multiple-vector infection malware is more common today. Once the code has been allowed on the system it will infect many .dll files, or other files common to the operating system, as a means to stay entrenched on the system. This is called ‘persistence’ and is the status quo. It is also important to note that these types of malware then in turn call out to command and control systems to gather more malware for that same persistence, should the primary infection be detected and removed.
In the case of this particular malware it is important to understand the multiplicity of infections, as well as the many means that it then creates to exfil your data out of your domain and the rapidity with which this can happen. What this means is that by the time an infection is detected, it has already had ample time to export your data to the adversaries.
Please note that this is not part of some exotic malware campaign by a nation state actor, this is in fact crimeware!
Bitcoin blockchain exploitation could allow for malware spreading
Bitcoin’s blockchain can do more than store transactions, according to new research from Kaspersky that demonstrates the way in which the cryptocurrency’s ledger can be used to store malware control mechanisms or provide access to illicit content.
As with anything on the Internet and in computing, the technology can be turned against you. In this case the blockchain, the primary means by which Bitcoin (a cryptocurrency) tracks its amounts and use, can itself be used to infect systems. This likely will not be a big deal for many companies as yet, because Bitcoin is still not in use widely by corporations.
However, it is important to note that any users of the currency might fall prey to these attacks and those persons may work for you and use systems that not only connect to their daily lives but also your network as well.
A local user can run a program that repeatedly accesses a row of memory to cause bits in adjacent rows to flip. This can be exploited to execute arbitrary code on the target system with kernel-level privileges.
This is a local exploit that can cause a flipping of bits in certain brands of DDR3 RAM. This then would result in compromising kernel level processes on the system attacked.
We have shown two ways in which the DRAM rowhammer problem can be exploited to escalate privileges. History has shown that issues that are thought to be “only” reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption the contents of memory locations don’t change unless the locations are written to.
This is a problem for various brands of laptops and desktops that use the specific RAM mentioned in the article. Please consider looking at the systems in your environment and what RAM they use, to ensure that you are not at a higher risk through monocultures in hardware.
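The recommendation above is to know which RAM your systems carry. The following Python is an added example, not from the cited research: it parses the Memory Device blocks printed by the Linux `dmidecode -t memory` command, reports which hosts have DDR3 modules, and computes how much of the fleet sits on a single DIMM part number, which is the hardware monoculture question. The dmidecode output embedded below is constructed sample data (host names, vendor names and part numbers are placeholders); collect real output with `sudo dmidecode -t memory` on each host.

```python
"""Inventory DIMM types across hosts from `dmidecode -t memory` output.

Added example, not from the original report. It parses the "Memory Device"
blocks that dmidecode prints on Linux and summarises which hosts carry DDR3
and how concentrated the fleet is on one module part number.
"""
from collections import Counter


def _dimm_block(handle, size, locator, mtype, vendor, part):
    """Build one constructed 'Memory Device' block in dmidecode's layout (sample data)."""
    return (
        f"Handle {handle}, DMI type 17, 40 bytes\n"
        "Memory Device\n"
        "\tArray Handle: 0x0042\n"
        f"\tSize: {size}\n"
        "\tForm Factor: SODIMM\n"
        f"\tLocator: {locator}\n"
        f"\tType: {mtype}\n"
        f"\tManufacturer: {vendor}\n"
        f"\tPart Number: {part}\n\n"
    )


# Constructed fleet: host names, vendors and part numbers are placeholders.
SAMPLE_OUTPUT = {
    "host-a": _dimm_block("0x0044", "8192 MB", "ChannelA-DIMM0", "DDR3", "VendorX", "EXAMPLE-DDR3-8G")
              + _dimm_block("0x0045", "No Module Installed", "ChannelB-DIMM0", "Unknown",
                            "Not Specified", "Not Specified"),
    "host-b": _dimm_block("0x0044", "8192 MB", "ChannelA-DIMM0", "DDR3", "VendorX", "EXAMPLE-DDR3-8G")
              + _dimm_block("0x0045", "8192 MB", "ChannelB-DIMM0", "DDR3", "VendorX", "EXAMPLE-DDR3-8G"),
    "host-c": _dimm_block("0x0044", "16384 MB", "DIMM_A1", "DDR4", "VendorY", "EXAMPLE-DDR4-16G"),
}


def parse_memory_devices(text):
    """Return one dict per populated DIMM slot from `dmidecode -t memory` output."""
    devices, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Device":
            current = {}
            devices.append(current)
        elif current is not None and line.startswith("\t") and ": " in line:
            key, value = line.strip().split(": ", 1)
            current[key] = value
        elif not line.strip():
            current = None          # a blank line ends the block
    # Empty slots report "No Module Installed" and are not DIMMs.
    return [d for d in devices if d.get("Size") not in (None, "No Module Installed")]


def fleet_summary(outputs):
    """Summarise DIMM types and part numbers across {hostname: dmidecode_text}."""
    types, parts, ddr3_hosts = Counter(), Counter(), []
    for host, text in outputs.items():
        dimms = parse_memory_devices(text)
        for d in dimms:
            types[d.get("Type", "Unknown")] += 1
            parts[(d.get("Manufacturer", "?"), d.get("Part Number", "?"))] += 1
        if any(d.get("Type") == "DDR3" for d in dimms):
            ddr3_hosts.append(host)
    return {"types": types, "parts": parts, "ddr3_hosts": sorted(ddr3_hosts)}


def monoculture_share(summary):
    """Fraction of all DIMMs that are the single most common part; 1.0 is a pure monoculture."""
    total = sum(summary["parts"].values())
    if total == 0:
        return 0.0
    return summary["parts"].most_common(1)[0][1] / total


if __name__ == "__main__":
    summary = fleet_summary(SAMPLE_OUTPUT)
    print("hosts with DDR3:", summary["ddr3_hosts"])
    print("DIMM types:", dict(summary["types"]))
    print("share on most common part: %.2f" % monoculture_share(summary))
```

The DDR3 host list is the set to check against the vendor guidance in the article; the monoculture share is the second signal, since a fleet that is 75 percent one part number rises or falls together when that part turns out to be susceptible.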
FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.
As stated above in this report, the FREAK vulnerability is just one of a few that have come out over the last year. This section will rely more on the technical aspects of the vulnerability, but the statement above must be repeated:
The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers both good and bad. As time progresses expect to see more attacks on this fundamental protocol which could compromise your whole environment.
This is important to you because SSL is the basis for many secure transactions on-line and in your network. Once this has been broken by making a session insecure, an attacker can then steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.
Please click the links above to the CVE and the technical specs for this vulnerability and remediate in your networks.
Fully Patched Versions of Firefox, Chrome, and IE 11, & Safari hacked in PWN2OWN contest
Security Advisory Feeds
Newsnow offers an aggregation of security advisories that is very helpful if you do not already have an RSS feed aggregated.
The importance of advisories and news sources to a security program cannot be overstressed. If you do not already aggregate security RSS feeds you should start to look toward doing so.
Websense XSS Vuln
Users of Websense Data Security that are reviewing DLP incidents can be attacked via cross site scripting. This issue can be exploited using a specially crafted email, or by sending a specially crafted HTTP request through the Websense proxy. The attacker-supplied code can perform a wide variety of attacks, such as stealing session tokens, login credentials, performing arbitrary actions as victims, or logging victims’ keystrokes.
Websense is a very common solution for web filtering and DLP for mid-sized companies. This current vulnerability could lead to compromise of your internal networks as well as all the data within the DLP/Websense system. If you are running Websense with a DLP (Data Loss Prevention) module, please go to the following link and update your console:
This issue is resolved in TRITON APX Version 8.0. More information about the fix can be found at the following location:
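The advisory above describes a console that renders outsider-supplied incident data (an email subject, a request URL) back to the analyst reviewing it. The following Python is an added example and is not code from Websense or from the advisory: it shows a vulnerable incident renderer next to a hardened one that entity-encodes every untrusted value and restricts the link to http/https schemes. The incident record is constructed sample data, and its field names are assumptions.

```python
"""Render a DLP incident record in a web console without cross-site scripting.

Added example; not code from the original report or from Websense. A DLP
incident carries strings the outside party chose (mail subject, sender, URL,
matched snippet), so the template that renders them must HTML-encode them,
and an href must additionally be restricted to safe schemes. The incident
below is constructed sample data.
"""
import html
from urllib.parse import urlsplit

# Constructed incident record; "subject" and "url" are outsider-controlled values.
INCIDENT = {
    "id": 4711,
    "policy": "PCI card numbers",
    "sender": "outside@example.net",
    "subject": "Invoice <script>alert(1)</script>",
    "url": "javascript:alert(1)",
}


def render_unsafe(incident):
    """Vulnerable form: untrusted values are interpolated into the markup verbatim."""
    return (
        f"<tr><td>{incident['id']}</td><td>{incident['policy']}</td>"
        f"<td>{incident['sender']}</td><td>{incident['subject']}</td>"
        f"<td><a href=\"{incident['url']}\">open</a></td></tr>"
    )


def safe_href(url):
    """Allow only http/https links in an href; anything else becomes an inert '#'."""
    return url if urlsplit(url).scheme in ("http", "https") else "#"


def render_safe(incident):
    """Hardened form: every untrusted value is entity-encoded, quotes included."""
    def esc(value):
        return html.escape(str(value), quote=True)
    return (
        f"<tr><td>{esc(incident['id'])}</td><td>{esc(incident['policy'])}</td>"
        f"<td>{esc(incident['sender'])}</td><td>{esc(incident['subject'])}</td>"
        f"<td><a href=\"{esc(safe_href(incident['url']))}\">open</a></td></tr>"
    )


def has_live_markup(rendered, untrusted):
    """True when an untrusted string survived rendering as live markup."""
    return untrusted in rendered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(INCIDENT))
    print("safe:  ", render_safe(INCIDENT))
```

Encoding alone is not enough for the link column: `html.escape()` leaves a `javascript:` URL intact, so the scheme check in `safe_href()` is a separate control. The same split applies to any console that shows captured request data, not just a DLP product.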
<enter your own data here from IDS/SIEM/AV/LOG CORRELATION> for your own organization and report on what you are seeing on your network.
Recently there was a spate of defacements by Team System DZ that has been making the rounds in the mainstream media. These defacements by Poti-SaDZ or Poti Sad Darky and his derpy bandito boyz using daesh symbols and poorly written rhetoric are nothing to write home about yet the media spins their skiddie exploits into media gold. Well I am here to set the record straight with you all. Poti, or Ahmed Saoudi is just a derpy kid in Algeria with nothing better to do than deface sites with others tools. He, and they, are just looking for the lowest of low hanging fruit to garner some attention for themselves. In fact, Poti here has some poor OPSEC as do many of his derpy little pals as you can see below.
In the first picture there you see his folders as he is running a tutorial on uber lee7 h4x0ring in winderz. The second picture is one of more than a few where he fails to engage his proxy and the handy little task bar there on the browser gives his home IP address(s) 188.8.131.52 and 184.108.40.206 respectively over time. Poti in fact logs in to the Team System DZ Facebook account without proxy a couple times and is likely unable to easily get on there because of issues with proxies, since ya know Zucky don’t play privacy.
Anyway, the IP space is for the following in Algeria:
IP address: 220.127.116.11
inetnum: 18.104.22.168 – 22.214.171.124
descr: region chlef
status: ASSIGNED PA
source: AFRINIC # Filtered
parent: 126.96.36.199 – 188.8.131.52
person: Security Departement
source: AFRINIC # Filtered
Poti-Sadz aka PoTi SaD DaRkY
youtube.com/user/ahmedsaoudik/playlists … ahmedsaoudik
There are a lot of Ahmed Saoudi’s in the skype phone book as well but only a couple list Algeria as his location and one of them has 1992 attached to the name. So, 2015 – 1992 = 23 which would be a prime age range for this kind of stupid kid activity no?
Give em a shout and see! Look, what I am saying here is that in looking at these guys I would have to say that they are not the daesh A-Team of hacking. I would also say that perhaps they could be behind the last derpy Googling of some military names and posting a hitlist online thing. That there was also something that the media went nova on and in reality “no va” is really more appropriate.
HOLY WTF PEOPLE! CUT THIS SHIT OUT!
Anywho, I just thought I would dump this little OSINT OPSEC FAILTACULAR on you all.
Enjoy the lulz…
So you all know me, I had to go and download CSI Cyber just to see. I mean, I couldn’t resist because I am a masochist and I knew that this would be a terrible show so I had to see it! Well I am happy to report that none of you were wrong, this is in fact one of the worst shows on television and it’s not just because it is all about the OMG CYBER! There are a whole host of issues with this show and I just wanted to share with you all my personal review. So strap yourselves in, put on your sturdiest CYBER HELMET, and prepare for a heaping helping of WTF.
The show starts off with the kidnapping of a baby and some nonsense about voices coming from a nanny cam. The case comes across the lead investigator’s email and she immediately goes to her boss and says that any criminal action that includes electronics makes it a CYBER CRIME! No, really, she says this and thus a plot line is born! The feebs then take over the case and use shiny bags to take away laptops and phones. They use what they call “Faraday Bags” and have the nifty graphic above to show signals bouncing off the bag PEW PEW PEW! (eat your hearts out Norse!)
It was in this moment that the plot’s sub-sub-plot of CYBER PSYCHIATRY comes into play. The main character (Avery Ryan) is loosely based on the “creator/SME” of the show, Mary Aiken, one of the loopiest people I have looked at online. She claims she is a “Cyber Psychiatrist”, whatever the fuck that is. Let me just set you all straight, there is no such thing as a “Cyber Psychiatrist”. There are Psychiatrists who maybe deal with technology issues and psychology and psychiatry, but there is no cognitive DSM V sub-speciality that I am aware of. In short, she is making shit up as she goes. I may go into a full rant on this later on, but sweet jeebus she is as much a Cyber Psychiatrist as the Scorpion Crew is an elite red team in reality ok?
Next let’s talk tech because I know you all want to! CYBER CYBER CYBER! Blinky lights and holodecks for everyone! This show does not let us down in this area either. There is so much shiny blinky light material that if you are epileptic you should really consider watching it with shades. The highlights of all this is the above image from the uberl337 hax0r showing that malware always shows up as RED TEXT on ADA and more often than not actually calls itself MALWORM! As I was morning drunk tweeting watching this farce I managed to start a bit of a dialogue with some who complained that they did not get all of our attitudes about the tech being right at all because it’s TV FOR FUCKS SAKE! Well, Ian, yes, yes it is and really we should not really worry ourselves about this in reality. I guess some of us all care too much or live it too closely. In my case I don’t really care beyond the possibility that this shit will bleed into our real lives as dumbasses think that this is all reality from watching entertainment TV. I will once again point to the CSI Effect and just say I hope this kind of shit does not happen in the court room because of shit like this is all.
OMG CYBER ATOMIC SOMETHING SOMETHING!
At the end of the day I just have to report that this show is sucktastic. The acting is wooden, the dialogue is horrendous, and the subject matter is wholly unbelievable. Well, unbelievable for someone who actually works in psychiatry, technology, hacking, acting, cinematography, etc. This is the turdliest of unflushable turds that CBS has grunted out of its collective anus in a while.
For my part I LOVED the original CSI because it was new and it was fun. I used to sit watching it with a REAL SCIENTIST who cringed as much as we all do about the OMG CYBER today, so it is not just our group of peers that has issues with the Hollywood-ization of their careers. That I knew the tech was not accurately portrayed made no difference, because it was fun and the chemistry/writing worked. As soon as Grissom left though, so did I. It has been pathetic to watch CBS continue to flail the dead corpse of CSI through the David (flip sunglasses down the nose) Caruso years to the Cheers OMG MY HAIR GREW BACK INTO A POMPADOUR Ted Danson travesty.
No more please.
Please FUCKING STOP!
*hangs head.. CSI CYBER!*
Welcome to CBS TV where we make shitty SHITTIER!
Global Threat Intelligence Report
In the month of February an astonishing array of news came out concerning information security and vulnerabilities. One such piece of news concerned supply chain tampering by Lenovo with “Superfish”, adware that compromised the SSL sessions of every user’s machine purchased from the company. In other areas we discovered that our personal routers were being attacked by phishing emails containing the default passwords for the routers that people commonly forget to change. It would seem that nothing is safe, either because people leave the defaults in place as the way they operate or because the companies are in fact weakening security on their products to make more money through tracking users and selling data to advertisers.
This report will cover the news highlights and give you a more nuanced portrait of their importance globally to you personally as well as at a corporate level for information security. Use this report as a primer to understanding the security picture as it is today and to help in confronting the security issues within your organization.
Think your BYOD program is secure? Perhaps you might want to think again about that as you consider this article. Applications for iOS and Android have been cloned and malware inserted into them for download by unsuspecting users. All the attackers need to do is trick the end users into installing the new application with malware in it by sending them an email with a link to their fake site.
As more and more corporations move toward the singularity and use BYOD as their primary way of conducting business (phones, tablets, and phablets) these concerns should be more pressing. Given that the BYOD now allows personal devices to access corporate networks and assets, if the user then infects their device with malware that steals data such as keystrokes, then your corporate network is now at risk of compromise.
If you have a BYOD program and do not have a robust way to manage what the users can download and install, then you are more likely to have a compromise of your domain. If, for example, you have BYOD mandates and policies that require phones with separate profiles, you might be on a better footing, in that the end user’s corporate profile should be completely locked down and unable to install anything without approval. This is a hard needle to thread and must be considered today as we see more of these types of attacks being leveraged in the wild against corporate BYOD programs.
Once again we find ourselves facing another SSL attack that may leave our private communications at risk. This one has been an issue for many years and is only now being talked about as something adversaries may be using. As with the others, this attack uses the fact that many systems still allow backward compatibility, reducing the encryption level to one that can be cracked by an attacker.
While this attack is being patched, it is important to note that since Shellshock and POODLE adversaries have been working on variations on a theme, attempting to find old or unthought-of exploits to leverage in attacks today. It is important to keep up on the various vulnerabilities being reported and to respond to them as soon as possible once they have been announced.
It is recommended that all SSL systems be set to disallow backward compatibility if there is a newer version that is more secure. If you are forced to use backward compatibility, you should ensure that you have a risk assessment carried out and the risk signed off on at a corporate level, to cover you should an incident occur from one of these known exploits.
Common technologies abound today and one of the most popular is the COTS (Common Off The Shelf) router for internet access. In the case of D-Link, one of the more common brands being used today, there are multiple vulnerabilities that could lead to compromise of home or even corporate networks. The current vulnerability allows for a remote attack to gain “root” or administrative access to the routers.
So how then could these COTS routers be a threat to your corporate network? Well, consider a home user who is VPN’d into your network and is using one of these vulnerable routers. If their router is compromised, then potentially so too are all the traffic and systems they have at home. If that home user has their system online and not on the VPN, then their system could be scanned and compromised remotely. If the end point has been compromised, so too is your network, VPN or not, so this is a real threat to your corporate environment as well.
Additionally, should by any chance your environment have any of these devices connected to your networks then you too may be vulnerable directly from attacks on those routers. Consider too any company that you may be connected to (via VPN for instance again) that may be a mom and pop with one of these routers being used. This could be leveraged to gain access to your network as well by an enterprising adversary.
It is recommended that all corporations consider these vulnerabilities whether or not they think they have these devices on premises or not. All it takes is one connection from an insecure network elsewhere that has rights on yours to make your life miserable.
NAS (Network Accessible Storage) is common not only in corporate networks but also home networks. As such these devices need to be securely configured and access restricted to internal networks only unless you absolutely know what you are doing. In the case of the Seagate NAS, this vulnerability is like many of the others out there and Seagate has yet to update their firmware months after the fact. This leaves all of these devices unprotected on networks and on the internet in some unfortunate cases.
Think that your corporate network doesn’t have a problem because the NAS is behind the firewall? That is not truly the case either, as you could have a compromise internally, and if these devices are nominally secured yet vulnerable to these types of attacks you could lose in the end. It is recommended that you seek to determine if you have these in your environment and patch as soon as possible.
Alternatively, consider the end user out there who works for you. Do you have a strong policy and practice of not allowing those users to store corporate data anywhere other than your network? Consider the end user who buys one of these and puts it on their home network and shares it accidentally with the world. Think that is not probable? Then go to Shodan and look for these devices, or better yet use Google to search for them. They are out there and they are open.
Patch Tuesday in February was huge, with a total of 56 vulnerabilities fixed in Microsoft products. A majority of the patches were for Internet Explorer, a core piece of Windows and the component most attacked by adversaries seeking to exploit user systems.
This particular patch cycle was of note because the previous cycle had not patched IE, and this one appears to have aggregated earlier fixes that were held back. The sheer number of patches for one component shows how much attention attackers pay to the IE browser.
It is recommended that every enterprise undertake a strong, process-driven patching function. Specifically, enterprises should patch high-value target systems at the least and all systems at the most. Where mitigating factors leave an organization no choice but to leave a system unpatched because patching would break the business, that risk should be formally signed off, and as a compensating measure the system should be monitored more closely to ensure it is not compromised.
Earlier this report covered default passwords on home routers. The issue has risen again: malware delivered in spam has been seen in the wild with the ability to log into routers using insecure default credentials. This type of attack is not new, but it is once again being leveraged by particular actors in the wild today.
This in and of itself should be a wake-up call for any users who have not changed the default logins and passwords on their COTS routers. As mentioned before in this report, every enterprise should be concerned about this with regard to users who work from home and have access to internal networks.
It is recommended that all organizations look at these vulnerabilities as affecting not only home users but also the networks they interface with every day for work. As such, it is in every company's interest to follow these developments and to educate users not only about corporate networks and assets but also about the BYOD devices and home networks that interconnect with them.
Increasingly, carders and other adversaries are attacking corporations by targeting end users with malware delivered through phishing campaigns. Many of these campaigns aim directly at credit card data, bank account data, and PII that would allow the attackers to create new identities and open credit lines.
The adversaries are, however, getting cleverer and more targeted, and with some knowledge of the organization they attack from the top down. Phishing campaigns aimed at executives gain access to their accounts and machines, which are then used to trick employees into making funds transfers from company accounts.
It is recommended that organizations keep awareness high not only among regular employees but specifically among executives. Executives are the prime targets for much of the malware and phishing in these attacks, and all too often executives and their staff are less aware than they should be of phishing and how to spot it.
Additionally, it is good policy to empower employees to question such transactions if they feel something is amiss, with an out-of-band verification step (a phone call to the requester on a known number, for instance) before funds move. Often the adversaries are counting on the social and psychological norms of the corporate pecking order to get an employee simply to react and carry out the transaction.
As the tempo of attacks speeds up and more groups of adversaries start working together, the likelihood of follow-on attacks piggybacking on news items like the Anthem breach is high. In the case of Anthem, phishing emails started immediately after the incident made the news, sent from newly registered domains by a whole other set of adversaries.
The Anthem breach, for all intents and purposes, seems to have been the work of nation state actors, and as such the data they stole will not be, and has not yet been seen to be, for sale on the darknet or in other places where this data is sold. This means that the criminals who carry out this type of attack for money are seeking to capitalize on the APT's work by phishing already worried Anthem clients.
It is recommended that organizations keep up with this follow-on activity as well as the breach itself. Targeted phishing emails are not just going to end users' home addresses; these emails and new waves of malware have been seen in corporate email systems as well. Awareness is key, and talking directly to employees about these attacks will not only benefit them but hopefully stop incursions into your network as well.
The Anthem breach, while unfortunate, should be an object lesson for all corporations today. The scope of the breach, and the attacks carried out to steal the information and keep access to Anthem's networks, should be studied by anyone who has a network and data they want to protect. In the case of Anthem, though, it is becoming clearer not only that nation state actors were involved but also that they had access to Anthem's networks for a considerable time before discovery.
As more information becomes available, it is likely that the initial incursion came from a phishing campaign using crafted lookalike domains (we11point.com, with digits standing in for letters in WellPoint, Anthem's former name) to get users to click links and install malware on their machines. This is a common tactic and something every organization has problems with, as users are manipulated by actors who understand human nature.
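As an added example (not code from the original report), the check below flags sender domains that impersonate a set of protected domains using the tricks seen in these campaigns: digit-for-letter substitution as in we11point.com, single-character edits, and a real domain buried as a subdomain of a throwaway one. It serves both the executive-impersonation phishing described earlier and the crafted-domain lure here. The protected domain list and the sample sender addresses are constructed for illustration.

```python
"""
Lookalike sender-domain check. Added example, not the report's own code.
PROTECTED and the sample senders are constructed, not real mail data.
"""
import re
from typing import Tuple

# Domains you want to protect: your own, executives' other mailboxes, key partners.
PROTECTED = {"wellpoint.com", "anthem.com", "example-corp.com"}

# Characters commonly substituted for letters in lookalike registrations.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "7": "t", "|": "l"})


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot, undo 'rn' -> 'm' and digit-for-letter swaps."""
    d = domain.lower().rstrip(".")
    d = d.replace("rn", "m")  # 'rn' renders like 'm' in many fonts
    return d.translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels; good enough for the .com/.net style names used here."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def classify(sender: str) -> Tuple[str, str]:
    """Return (verdict, protected_domain) where verdict is
    'legit' (exact protected domain), 'lookalike' or 'unrelated'."""
    m = re.search(r"@([A-Za-z0-9.\-|]+)$", sender.strip())
    if not m:
        return ("unrelated", "")
    raw = m.group(1).lower().rstrip(".")
    if raw in PROTECTED:
        return ("legit", raw)
    norm = normalize(raw)
    base = registrable(norm)
    for p in PROTECTED:
        # same name after undoing substitutions, or one character away from it
        if base == p or edit_distance(base, p) <= 1:
            return ("lookalike", p)
        # protected name used as a subdomain of something else, e.g. anthem.com.evil.net
        if norm.startswith(p + "."):
            return ("lookalike", p)
    return ("unrelated", "")


if __name__ == "__main__":
    for s in ["ceo@we11point.com", "cfo@wellpoint.com",
              "alerts@anthem.com.secure-login.net", "news@anthen.com", "x@gmail.com"]:
        print(s, "->", classify(s))
```

Wire this into the mail gateway as a tagging rule rather than a hard block: a distance-one match will also catch legitimate typo domains, so the useful action is to flag the message for the recipient and for the SOC, and to treat any payment instruction from a flagged sender as requiring out-of-band confirmation.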
Watch the Anthem story and consider how your networks could use telemetry to identify traffic to known bad actor sites as well as anomalous traffic. In the case of Anthem, it was a sysadmin who first noticed that their account was being used on a system they had never logged into, and that observation is what started the incident response. Every org is vulnerable to these tactics, and it is in every company's interest to learn from others' mistakes as well as from the modus operandi of the actors involved.
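The sysadmin's observation above is a detection you can automate. The following is an added example, not the report's code and not Anthem's actual detection logic: it builds a per-account baseline of hosts and source addresses from historical successful logons, then flags new logons that land on a host the account has never used, come from a source it has never used, or occur in a quiet window. The event lines are constructed in a simplified format; in practice they would be parsed from your domain controller or endpoint logs.

```python
"""
First-seen logon detection. Added example; the log lines below are
constructed and the field format is an assumption for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "historical" successful logons used to build the baseline.
BASELINE_EVENTS = """\
2015-01-05T08:02:11 user=jsmith host=WS-JSMITH-01 src=10.1.4.22
2015-01-05T08:05:43 user=jsmith host=FILESRV-02 src=10.1.4.22
2015-01-06T09:11:09 user=adm_lee host=DC-01 src=10.1.9.5
2015-01-06T09:30:51 user=adm_lee host=SQL-03 src=10.1.9.5
"""

# Constructed "new" logons to evaluate against that baseline. Note the admin
# account appearing from jsmith's workstation address at 02:00.
NEW_EVENTS = """\
2015-02-03T02:14:37 user=adm_lee host=HR-DB-01 src=10.1.4.22
2015-02-03T08:00:02 user=jsmith host=WS-JSMITH-01 src=10.1.4.22
2015-02-03T08:07:19 user=jsmith host=FILESRV-02 src=10.1.4.22
2015-02-03T02:16:05 user=adm_lee host=DC-01 src=10.1.4.22
"""


def parse(line):
    """'<iso-ts> user=.. host=.. src=..' -> dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    rec.update(dict(p.split("=", 1) for p in kv))
    return rec


def build_baseline(text):
    """Return (user -> set of hosts, user -> set of source IPs) from history."""
    hosts, srcs = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            r = parse(line)
            hosts[r["user"]].add(r["host"])
            srcs[r["user"]].add(r["src"])
    return hosts, srcs


def detect(new_text, hosts, srcs, quiet_start=0, quiet_end=5):
    """Return alerts for logons that break the per-user baseline.
    Reasons: new_host, new_src, off_hours (hour in [quiet_start, quiet_end)).
    The score is simply the number of reasons, so analysts can sort by it."""
    alerts = []
    for line in new_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        reasons = []
        if r["host"] not in hosts.get(r["user"], set()):
            reasons.append("new_host")
        if r["src"] not in srcs.get(r["user"], set()):
            reasons.append("new_src")
        if quiet_start <= r["ts"].hour < quiet_end:
            reasons.append("off_hours")
        if reasons:
            alerts.append({"ts": r["ts"].isoformat(), "user": r["user"],
                           "host": r["host"], "src": r["src"],
                           "score": len(reasons), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    h, s = build_baseline(BASELINE_EVENTS)
    for a in detect(NEW_EVENTS, h, s):
        print(a)
```

The baseline is deliberately not updated as new events arrive; an attacker who is already using the account would otherwise "teach" the detector that their host is normal. Promote a host into the baseline only after an analyst has closed the alert, and weight privileged accounts (the adm_ prefix here) higher than ordinary users.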
Superfish, a simple piece of adware that Lenovo pre-installed on consumer laptops it shipped over a period of months, has upended public trust in the company's products. The software performed a man-in-the-middle attack against the user's SSL/TLS traffic so that it could inject ads into pages, an arrangement that paid Lenovo on the back end. This backfired once the software was discovered and examined.
While Lenovo claimed the adware was harmless, researchers showed that it installed its own root certificate in the Windows trust store and used the same private key on every affected machine. Once that key was extracted, anyone on the same network could impersonate any HTTPS site to those laptops, harvesting credentials or delivering malware, without the browser raising a warning. This is unacceptable and an object lesson in supply chain trust.
If one cannot trust the supply chain (e.g. laptops from Lenovo arriving without adware preloaded), how can one trust that the systems bought for the company are secure? This should be something all companies consider, not only when purchasing new equipment but also for systems or appliances bought grey market online. Can you trust that the systems have not been tampered with? At a minimum, re-image new endpoints from your own gold build rather than running the vendor's, and audit the trusted root store for certificates you did not put there.
Today the selling of "Threat Intelligence" is all the rage, but how useful is much of what is being sold? So far the focus of many vendors seems to be on "who" carried out the attacks rather than "how". While the who can be important in many ways, it is the least of your worries when dealing with an incident; the how (the indicators, tools, and techniques you can actually look for on your own network) needs to be the key focus for companies.
By engaging companies that sell threat intelligence, an organization can in fact gain a better foothold on protecting its networks and data. However, all too many organizations are not prepared to really use the data these firms provide because they do not have enough insight into their own networks to start with. As such it is key to know your own capabilities and to work with threat intelligence firms to set up feeds and methods that will help you detect and deter, as well as proactively mitigate, ongoing campaigns.
It is recommended that when you look into threat intelligence feeds you first undertake a serious introspective look at your environment, its maturity, and its capability to truly leverage the data you are buying, rather than just having a feed as a check box in an auditor's notebook.
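What "leveraging the data" looks like in practice is matching the feed against your own telemetry, which is also the "traffic to known bad actor sites" check suggested in the Anthem discussion above. The block below is an added example, not the report's code and not any vendor's product: a small constructed indicator feed (domains, single IPv4 addresses and a CIDR range) is matched against constructed proxy log lines, with domain indicators matched on every parent label so that subdomains of a listed domain also hit. Both the feed and the log format are illustrative assumptions.

```python
"""
Indicator feed vs. proxy log matching. Added example; FEED_CSV and
PROXY_LOG are constructed, and the Squid-like line layout is assumed.
"""
import ipaddress
import re

# Constructed indicator feed, in the shape of a simple vendor CSV export.
FEED_CSV = """\
type,value,campaign
domain,we11point.com,anthem-lure
domain,update-check.example,generic-c2
ipv4,198.51.100.77,generic-c2
cidr,203.0.113.0/24,scanner-net
"""

# Constructed proxy lines: ts client status bytes method target
PROXY_LOG = """\
1423000000.101 10.1.4.22 TCP_MISS/200 5120 GET http://we11point.com/login.php
1423000001.204 10.1.4.22 TCP_MISS/200 900 GET http://www.we11point.com/img.png
1423000002.310 10.1.9.5 TCP_MISS/200 770 GET http://intranet.example-corp.com/
1423000003.442 10.1.7.9 TCP_TUNNEL/200 3300 CONNECT 198.51.100.77:443
1423000004.512 10.1.7.9 TCP_MISS/200 41 GET http://203.0.113.9/x
1423000005.600 10.1.4.22 TCP_MISS/200 41 GET http://wellpoint.com/
"""


def load_feed(text):
    """Split the feed into domain set, exact-IP set, CIDR list and value->campaign tags."""
    domains, ips, nets, tags = set(), set(), [], {}
    for line in text.splitlines()[1:]:  # skip the header row
        kind, value, campaign = line.split(",")
        tags[value] = campaign
        if kind == "domain":
            domains.add(value.lower())
        elif kind == "ipv4":
            ips.add(value)
        elif kind == "cidr":
            nets.append(ipaddress.ip_network(value))
    return domains, ips, nets, tags


def host_of(target):
    """Pull the host out of 'scheme://host[:port]/...' or a bare 'host:port'."""
    m = re.match(r"(?:[a-z]+://)?([^/:]+)", target, re.I)
    return m.group(1).lower() if m else ""


def match_host(host, domains, ips, nets):
    """Return the indicator value the host matches, or None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Domain: check the name and every parent, so subdomains of an IOC hit too.
        labels = host.split(".")
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in domains:
                return cand
        return None
    if host in ips:
        return host
    for n in nets:
        if addr in n:
            return str(n)
    return None


def scan(log_text, feed_text):
    """Return one hit dict per proxy line whose destination matches the feed."""
    domains, ips, nets, tags = load_feed(feed_text)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _status, _bytes, method, target = line.split(maxsplit=5)
        ioc = match_host(host_of(target), domains, ips, nets)
        if ioc:
            hits.append({"ts": ts, "client": client, "method": method,
                         "ioc": ioc, "campaign": tags[ioc]})
    return hits


if __name__ == "__main__":
    for h in scan(PROXY_LOG, FEED_CSV):
        print(h)
```

Note what the example needs before the feed is worth anything: a proxy (or DNS, or flow) log that records the client address and destination for every outbound connection, retained long enough to search back when an indicator arrives late. Without that telemetry the feed is a list of names with nothing to match against, which is the maturity question the paragraph above asks you to answer first. The last log line, the legitimate wellpoint.com, correctly does not match; exact indicator matching is a different tool from the lookalike check, and you want both.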
Document for download and dissemination HERE