Netizen Cybersecurity Bulletin (August 26th, 2022)

Overview:

  • Phish Tale of the Week
  • Whistleblower Comes Forward Alleging Major Cybersecurity Issues at Twitter
  • U.S. FBI and CISA Issue Alert for Zeppelin Ransomware
  • How can Netizen help?

Phish Tale of the Week

Phishing attempts can often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting debt holders. This email appears to be a notification alerting us that ADT Monitoring wants to give us a $100 Visa Reward Card. We are then prompted to “start the confirmation process below” and follow the link below to receive our bonus. This email contains a note with an enticing offer for a free $100 reward card, so why not click here? Unfortunately, there are plenty of reasons not to click that email right away.

Take a look below:

  1. The first red flag in this email is the sender’s address. Always inspect the sender’s address thoroughly to confirm it belongs to a trusted sender; an address that does not match the company named in the message is a strong sign the email could be coming from a threat actor.
  2. The second warning sign in this email is the “FINAL MESSAGE” notice in the main message. Phishing scams commonly use words like this to elicit a quick response from their targets. Always be sure to thoroughly inspect the messaging of all emails in your inbox.
  3. The final warning sign for this email is the $100 bonus ADT Visa Reward Card. Threat actors use monetary incentives to entice unsuspecting consumers with phishing tricks. Always be on the lookout for offers that look too good to be true.
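The three red flags above can be turned into a simple triage check. The following is an added example, not code from the original bulletin: it parses a constructed message modelled on the ADT reward-card lure and reports the sender-domain mismatch, the urgency wording, and the monetary lure. The brand domain table and all addresses are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the lure described above; every address and domain is made up.
SAMPLE_PHISH = """\
From: ADT Monitoring <rewards@adt-monitoring-bonus.example>
Reply-To: claims@mail-rewards.example
To: victim@example.org
Subject: FINAL MESSAGE: your $100 Visa Reward Card is waiting

ADT Monitoring wants to give you a $100 Visa Reward Card.
Start the confirmation process below to receive your bonus:
http://adt-monitoring-bonus.example/confirm
"""

# Brand keyword -> domains that brand is assumed to send from (placeholder values for this example).
KNOWN_BRAND_DOMAINS = {"adt": {"adt.example"}}
URGENCY_PHRASES = ("final message", "final notice", "act now", "immediately", "within 24 hours")
LURE_PATTERN = re.compile(r"(free|bonus|reward)\b.*?\$\s?\d+|\$\s?\d+.*?(free|bonus|reward|gift card)", re.I)


def phish_red_flags(raw_message: str) -> list[str]:
    """Return the red flags found in a raw RFC 5322 message, mirroring the three
    checks in the Phish Tale: sender address, urgency wording, monetary lure."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # Red flag 1: the display name claims a brand whose known domains do not match the sender.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            flags.append(f"sender domain '{sender_domain}' does not match brand '{brand}'")
    # A Reply-To pointing at a different domain is a common variation of the same trick.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append("Reply-To domain differs from From domain")

    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    # Red flag 2: pressure wording meant to force a quick click.
    flags.extend(f"urgency wording: '{p}'" for p in URGENCY_PHRASES if p in text)
    # Red flag 3: a monetary incentive that looks too good to be true.
    if LURE_PATTERN.search(text):
        flags.append("monetary lure (free reward/bonus with a dollar amount)")
    return flags


if __name__ == "__main__":
    for flag in phish_red_flags(SAMPLE_PHISH):
        print("-", flag)
```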


General Recommendations:

A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

  • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender is actually from the company sending the message.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
  • Do not give out personal or company information over the internet.
  • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing emails convey a sense of urgency, or even aggressiveness, as a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may raise the question “What is wrong with my account?” and prompt you to click a suspicious link.

Cybersecurity Brief

In this week’s Cybersecurity Brief:

Whistleblower Comes Forward Alleging Major Cybersecurity Issues at Twitter

Earlier this week, the tech community was shocked as a whistleblower complaint was filed against social media giant Twitter. The complaint filed by Peiter “Mudge” Zatko alleges Twitter has violated multiple SEC and FTC regulations in addition to egregious mishandling of user information and lax security practices.

Zatko, a former DARPA program manager, and freelance hacker, previously served as the head of security for Twitter before departing the company in January 2022. Before joining Twitter in 2020, Zatko was a well-renowned security researcher and prolific hacker credited with pioneering buffer overflow work and contributing heavily to advancements in code injection, exploitation of embedded systems, and many other security facets.

Six months after his departure from Twitter, Zatko filed an 84-page whistleblower complaint with Congress alleging that the communications firm he previously worked for was riddled with security and privacy issues, in addition to lying to federal regulators and the federal government. The complaint also alleges that Twitter does not prioritize removing spam/bot accounts from its community as its CEO previously claimed, does not actively monitor for insider threats from employees or external contractors, and suffered 20 security breaches in 2020 alone, which should have called for weekly security reports to a government regulator. It further alleges that over half of Twitter’s employees are given overarching access to user data and systems they don’t need access to.

The last claim made by Zatko is the most alarming to many in the information security community. In 2020, Twitter suffered a security incident that saw the accounts of hundreds of celebrities and politicians compromised, with threat actors posting links to their bitcoin wallets offering free payments to unsuspecting Twitter users. Experts believe this breach was initiated via social engineering practices that targeted Twitter employees. Once the threat actors gained access to employee accounts, they could pivot across the internal network with relatively little resistance since the account they acquired was highly privileged and shouldn’t have been.

Cases like this are why many security professionals believe organizations everywhere must adopt a least-privilege security model. This principle dictates that employees should only have access to the materials and systems that are necessary for their daily job functions and nothing more. It may be inconvenient for an employee to go up the ladder to a superior for higher access, but it stops unnecessary privileges from being granted to too many employees, thereby reducing the overall attack surface of the organization.

To read more about this article, click here.

U.S. FBI and CISA Issue Alert for Zeppelin Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA) has released a notice for all organizations to be on the lookout for a resurgence in Zeppelin ransomware. Zeppelin is a spinoff of the Delphi-based Vega malware family and operates as ransomware as a service (RaaS). This family emerged in 2019 after growing in popularity on Russian-backed hacker markets. Zeppelin grew in notoriety after targeting multiple U.S. tech and healthcare organizations, demanding exorbitant ransoms after encrypting their environments.

Threat actors deploying this ransomware frequently target exposed Remote Desktop Protocol (RDP) services and SonicWall firewall vulnerabilities, in conjunction with phishing campaigns, to gain initial access to their target networks. After the initial compromise, the threat actors stealthily map the organization’s network to find where its main data troves and backups reside. Following this, the culprits deploy the Zeppelin ransomware through a PowerShell loader and begin encrypting the entire network.

Once the breach and initial encryption occur, threat actors leave a detailed note on the amount of ransom to be paid and where to send the money. Typical ransom amounts for this RaaS range anywhere from a couple of thousand dollars for smaller organizations to millions in bitcoin for enterprise-grade firms. Researchers have also noticed that in recent campaigns, Zeppelin actors have begun encrypting files multiple times to increase the complexity of their attacks and reduce the chances of decrypting the files without numerous sets of keys.

CISA joined with the FBI to release this joint statement on ransomware gangs: “The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

To combat the rise in ransomware, organizations worldwide are being advised to implement multi-factor authentication (MFA) immediately, implement a least-privileged access policy, and increase their password security requirements. Firms must strengthen their information security policies to defend against ransomware gangs and the rise of RaaS.

For more information, check out the rest of the article here.

How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 
