• Netizen Penetration Testing Guide

    Cyberattacks have become an increasingly tricky issue plaguing small and medium-sized businesses in recent years. Hackers as far as halfway across the world or as near as two states over are leveraging unpatched vulnerabilities to steal data, damage reputations, or extort a small business for as much money as possible. In 2021, the United States FBI disclosed that its Cyber Crime Division received as many as 4,000 complaints a day. Outside threat actors target new organizations every day, so how do businesses protect themselves? Why not start by mirroring the attackers' methods and seeing how easy it would be to break into your own environment?

    What is Penetration Testing?

    A penetration test is a significant first step in any organization’s commitment to advancing its information security practices. Penetration Testing is the manual discovery and exploitation of uncovered vulnerabilities in a computer system or environment, usually conducted by a cybersecurity professional. The test is first authorized by management to ensure everyone is on the same footing with how the test will be completed and what steps the tester will take when performing the exercise. The cybersecurity professional then conducts the test, trying to break into the target organization’s network/systems, and provides a comprehensive report of their methodology and findings to management.

    Basically, penetration testing is similar to a bank going out and hiring an experienced bank robber to test their security practices. The bank gains valuable information from the exercise, learns where their security weak points are, and understands how someone would look to break in.

    How do you get started?

    Following the role of an actual assailant, a penetration test typically begins with the hunt for information. Network mapping, service discovery, and vulnerability scanning can all be expected at the beginning of a penetration test. Determining operating systems, service versions, employee information, if in scope, etc., is critical to a successful penetration test. To exhaust all security threats, penetration testers must have a thorough and complete picture of the scope of the target. Utilizing experience and industry-standard tools, this process is hand-crafted for precision and automated for redundancy.

    Continuing into exploitation, testers will either confirm or deny their findings from the previous phase. Exploits are tested against systems in a real-world scenario, producing invaluable information for the client. At this phase, it is common to attempt to gain access to employee and administrator accounts, attempt social engineering campaigns, and evaluate all angles of an actual attack. However, when an exploit is confirmed to work against a vulnerable system, the test does not stop there. Further efforts are made to persist on the compromised systems and push deeper into the network using the newly compromised systems and accounts. The testing continues until the entire scope has been covered. Where a vulnerability scan can only report predefined suspicions, this confirmed, chained exploitation is the true value of a professional penetration test.

    What do you do after the test?

    All this work means nothing without proper documentation and education. A penetration test is more than the cyber aspect of attacking a target. The value to a client is in the reporting phase. Clear, concise documentation of how attacks and campaigns were discovered, tested, and executed brings a penetration test full circle. Paired with professional education sessions afterward to discuss solutions, best practices, and continuity, clients can now review, patch, and prepare for future attacks with confidence.   

    Conclusion:

    In review, a Penetration Test is a great exercise any organization can utilize to enhance their cybersecurity posture. The information gained throughout the test can be used to make informed decisions to upgrade security parameters and IT infrastructure and communicate what is going on in the environment to senior management. At the end of the day, what better way to figure out your security gaps than having a trusted expert try to exploit them safely?  

    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact

  • Overview

    • Phish Tale of the Week
    • Bipartisan Group of Senators Proposes New Cyber Information Sharing Bill
    • Ukraine Thwarts Russian Attack on Power Grid
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting Sam’s Club customers. This email appears to be a notification alerting us that there is a surprise waiting for us. We are then prompted to “click here” to see what the surprise is. This email contains an eye-catching congratulations message and a photo of Sam’s Club, so why not click? Unfortunately, there are plenty of reasons not to act on that email right away.

    Take a look below:

    1. The first red flag in this email is the sender’s address. Always thoroughly inspect the sender’s address to ensure it is from a trusted sender; the display name alone tells you nothing about whether the email could be coming from a threat actor.
    2. The second warning sign in this email is the lack of consistency. When comparing this email to others previously sent by Sam’s Club, we can notice that this email does not contain their official logo, web URL, or the disclaimer normally present at the bottom of the email. Comparing a suspected phishing attempt against previous genuine emails is a great way to spot immediate signs of inauthenticity.
    3. The final warning sign in this email is the large blue “Click here” call to action. Threat actors use call-to-action buttons like this to immediately redirect targets to malicious landing pages. These landing pages then infect the target’s system with malware or other software with the intention of stealing information or further extortion. This attempt even tries to catch unsuspecting users twice, with a malicious red “here” at the bottom of the email masquerading as an unsubscribe link.


    General Recommendations:

    A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

    • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match the one you already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company that appears to be sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
    • Do not give out personal or company information over the internet.
    • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
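The checklist above (inspect the real sender address, check that links use HTTPS and belong to the company's domain, and treat urgency language as a warning sign) can be applied mechanically when triaging a reported email. The script below is an added example written for this guide; it is not Netizen's assessment tool and not part of the original post. Both sample messages are constructed, the expected company domain is supplied by the caller, and the "company domain" heuristic (last two DNS labels, no public-suffix list) is a simplifying assumption.

```python
"""Phishing triage helper (added example; not Netizen's assessment tool).

Applies the checklist above to a raw RFC 822 message: is the sender's
domain the one we expect, do links use HTTPS and point at that domain,
and does the text lean on urgency language?  Sample emails are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lookalike of the retailer "surprise" notice discussed above.
SAMPLE_PHISH = """\
From: "Sam's Club Rewards" <rewards@samsclub-surprise.example>
To: member@example.org
Subject: Congratulations! A surprise is waiting for you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Congratulations! Claim your surprise NOW before it expires.</p>
<p><a href="http://claim-reward.example/track?id=1">Click here</a></p>
<p><a href="http://claim-reward.example/unsub">here</a> to unsubscribe</p>
</body></html>
"""

# Constructed benign notice for comparison.
SAMPLE_LEGIT = """\
From: "Sam's Club" <noreply@samsclub.com>
To: member@example.org
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<p>Your order 12345 has shipped.
<a href="https://www.samsclub.com/orders">View order</a></p>
"""

URGENCY_TERMS = ("now", "immediately", "urgent", "expires", "suspended",
                 "verify your account")
URGENCY_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, URGENCY_TERMS)) + r")\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _registrable(host):
    """Last two DNS labels as the 'company domain' (assumption: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage_email(raw, expected_domain):
    """Return a list of human-readable findings; an empty list means no red flags."""
    expected = expected_domain.lower()
    msg = message_from_string(raw)
    findings = []

    # Red flag 1: judge the sender by the address, not the display name.
    _display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if _registrable(sender_domain) != expected:
        findings.append(f"sender domain {sender_domain!r} is not {expected!r}")

    # Red flag 3: call-to-action links that leave the company's domain or skip HTTPS.
    body = _body_text(msg)
    for href, inner in ANCHOR_RE.findall(body):
        url = urlparse(href)
        label = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", inner)).strip()
        if url.scheme.lower() != "https":
            findings.append(f"link {href!r} is not https")
        if _registrable(url.hostname or "") != expected:
            findings.append(f"link {href!r} (text {label!r}) points off-domain")

    # Urgency or intimidation language in the subject and visible text.
    visible = msg.get("Subject", "") + "\n" + re.sub(r"<[^>]+>", " ", body)
    hits = sorted({m.lower() for m in URGENCY_RE.findall(visible)})
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage_email(raw, "samsclub.com") or ["no red flags"])
```

Run it as a script and the constructed lookalike produces six findings (off-domain sender, two non-HTTPS links, two off-domain links, and urgency wording) while the benign notice produces none. The checks are deliberately independent so that a single finding is a prompt to look closer, not a verdict; a real deployment would replace the two-label domain heuristic with a public-suffix list and add header authentication results (SPF, DKIM, DMARC) to the sender check.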

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    Bipartisan Group of Senators Proposes New Cyber Information Sharing Bill

    Earlier this month, a bipartisan group of senators consisting of Gary Peters (D-Mich), Amy Klobuchar (D-Minn), Rob Portman (R-Ohio), and Roy Blunt (R-Mo) brought new legislation to the floor in an effort to increase the communication between branches on cybersecurity issues. This legislation, titled The Intragovernmental Cybersecurity Information Sharing Act, would expedite the information sharing process from the executive branch to members of the Senate and House of Representatives. This bill aims to increase collaboration efforts between all branches as cybersecurity incidents become more frequent and detrimental to our society.

    Many key sponsors of the bill cited the turtle-like pace at which information has been previously shared, with many claiming that they are left out of the loop during significant cyber-attacks. Senator Amy Klobuchar added, “Cybersecurity threats against our government require a timely, coordinated response. Yet too often, a lack of communication between the Department of Homeland Security and Congress leaves us vulnerable to damaging cyberattacks.” She later summarized that this bill would help better protect our country from cyber-attacks by requiring the Department of Homeland Security to increase information sharing with Congress.

    In a show of bipartisan support, Senator Robert Portman from Ohio exclaimed, “As we have recently seen, cyberattacks are increasing against our critical infrastructure as well as the federal government. Unfortunately, some of the cybersecurity professionals in Congress have faced lengthy delays in getting information on cybersecurity threats from the Executive Branch. That should not be the case.” Portman later released a statement to the press where he stressed that our enemies would not distinguish between our branches of government, and any actions we take in response must be swift and precise.

    This legislation was introduced following the recently adopted Cyber Incident Reporting Act, which strengthened the reporting requirements for critical infrastructure affected by cyber-attacks. Both Klobuchar and Portman were staunch supporters of that bill, signaling aligned priorities between two tenured senators. Reporters around Capitol Hill anticipate this bill will make it through numerous rounds of committees before a vote on the floor, with action hoped for by mid-summer.


    Ukraine Thwarts Russian Attack on Power Grid

    Officials in the Ukrainian Government released a statement on Tuesday, April 12, detailing an alleged Russian cyber-attack they thwarted. The cyber-attack supposedly targeted Ukraine’s power grid and, if successful, could have knocked out power for over two million people. While this defense of their national power grid is impressive, the aggression by Russia marks another step toward all-out digital war, leaving many experts fearful of how Russia will respond.

    Reporters inside Ukraine named the hacking group Sandworm as the perpetrators behind this most recent attack. They are formally known as Unit 74455 of the GRU, Russia’s military intelligence agency. The attack targeted high-voltage computers, networking equipment, and electrical substations tied to Ukraine’s primary power grid. The attack occurred in two waves on the evening of April 8th and targeted an unnamed Ukrainian energy supplier. Sandworm attempted to deploy malicious “wiper” software to erase data saved on computers, making them unusable and crippling the ensuing remediation response. The hacking group also utilized Industroyer, malicious software that targets industrial control systems, allowing near-total access to the affected systems.

    Ukraine’s Deputy Chief of Information Protection, Victor Zhora, released a statement following the attack, claiming that Russian hackers had targeted an oblenergo (regional energy distribution company). This was a sophisticated and precise attack with the mission of causing mass electrical outages across Ukraine. The attackers were able to gain a brief period of access to numerous systems inside the distribution center but were quickly stopped before they could do any more severe damage.

    The CIA and U.S. Department of Homeland Security have previously warned that Russia could look to use cyber-attacks to achieve more significant damage in its campaign against Ukraine. Experts inside the intelligence community see this attack as a signal that more cyber-attacks against critical Ukrainian infrastructure will materialize in the coming weeks. In the meantime, companies worldwide should be warned that these cyber-attacks could spill over to businesses outside of Ukraine.



  • Lapsus$: The teenager-run cybercriminal gang targeting Fortune 500 companies.

    Earlier this week, IT giant Microsoft and identity management firm Okta reported that their organizations had suffered data breaches at the hands of Lapsus$. Lapsus$ is a relatively new hacking group, with indications of their activity first reported against Samsung and NVIDIA at the end of 2021. The hacking group announced on a Telegram channel on March 22nd, 2022, that they had stolen source code from Microsoft and were going to publish screenshots of their exploit to show their capabilities to the public. Microsoft quickly responded to this claim in a blog post detailing the suspicious activity:

    “The activity we have observed is attributed to a group of threats tracked by Microsoft as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. DEV-0537 began attacking organizations in the United Kingdom and South America, but expanded to global targets, including organizations in the government, technology, telecommunications, media, retail, and healthcare sectors. DEV-0537 has also been known to hijack individual user accounts on marketplaces to loot accounts.”

    Okta Data Breach:

    While this statement shows Microsoft was able to mitigate the damage caused by Lapsus$, how have other targets fared in their defense against this cybercriminal operation? Identity and access management company Okta is a relatively familiar name for many in the business world. Their suite of products allows companies to monitor user activity across their networks remotely and escalate access privileges as necessary. Unfortunately, this company known for enhancing security practices in customer environments ran into a nightmare scenario when it found itself in the scope of the Lapsus$ hacking group.

    On Monday, March 21, 2022, Lapsus$ posted screenshots of Okta’s internal apps and systems, boasting of their ability to circumvent the tech giant’s inner defenses. The screenshots depict an ongoing hacking operation that persisted inside Okta’s environment through most of January 2022. Lapsus$ first gained access to Okta’s systems after compromising Sykes, a third-party support vendor with ties to Okta. Malicious hackers often exploit third-party vendors as an initial target, where the hacking group then looks to pivot and find more lucrative targets that rely on these vendors for support. In this case, Sykes provided customer support services to Okta and had wide-spanning access to their internal environment, creating the perfect storm for Lapsus$ to exploit this relationship.

    How do they do it?

    The one issue that has repeatedly baffled researchers is how to stop Lapsus$. Their preferred method of compromise is bribing insiders or exploiting third-party vendors. Bribing disgruntled insiders is a surefire way to access highly privileged user accounts. Lapsus$ bypasses traditional security controls by researching these insiders for weeks to months beforehand and contacting them on personal devices not under the security umbrella of their employer. In other cases, they use similar methods to gain access through vendors with close relationships to target organizations. These vendors typically lack the sophisticated security defenses that a Fortune 500 company would have, but are ultimately so interconnected that they allow attackers to pivot to the larger targets after the initial breach. However, the most significant conundrum investigators have faced with Lapsus$ is what their goal in all these attacks is.

    Conclusion:

    Lapsus$ has targeted massive Fortune 500 companies, globally recognized brands that collect billions in revenue each year, but they have seldom asked for a ransom to be paid to them. They’ve stolen source code, published internal documentation to boast of their exploits, even suggested changes in business practices, but have only made demands of two organizations. In NVIDIA’s case, Lapsus$ demanded that NVIDIA remove an anti-cryptomining feature from their GPUs and make all their products open source. When they attacked Microsoft, there were no demands. Instead, they boasted of their exploitation in a Telegram channel and distributed what source code they stole for free. Regardless of their goals, Lapsus$ is still a hacking group consisting primarily of teenagers. If hackers this young can breach some of the most well-funded companies, everyone needs to take a step back and reevaluate their security practices.


  • Overview

    • Phish Tale of the Week
    • Chinese State-Sponsored Hackers Compromise Multiple U.S. State Governments
    • Altoona Area School District Affected By Cyberattack
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting McAfee customers. This email appears to be a notification alerting us that our computer is no longer protected and our subscription has expired. We are then prompted to renew our subscription and activate the code below now. This email contains a convincing message urging us to protect our device from hackers, so why not click the link and update our details? Unfortunately, there are plenty of reasons not to act on that email right away.

    Take a look below:

    1. The first red flag in this email is the sender address. Always thoroughly inspect the sender address to ensure it’s from a trusted sender; the display name alone tells you nothing about whether the email could be coming from a threat actor.
    2. The second warning sign in this email is the urgency created in the message. The subject line tells us that “our computer is no longer protected” and further reads “Keep your Devices Safe NOW”. This type of message is commonly used by threat actors to elicit an urgent and fast reply from their target.
    3. The final warning sign in this email is the large red “Activate NOW” call to action. Threat actors use call-to-action buttons like this to immediately redirect targets to malicious landing pages. These landing pages then infect the target’s system with malware or other software with the intention of stealing information or further extortion.



    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    Chinese State-Sponsored Hackers Compromise Multiple U.S. State Governments

    Investigators from the cybersecurity firm Mandiant have uncovered a Chinese state-sponsored hacking group that compromised at least six U.S. state governments. The persistent attacks took place between May 2021 and February 2022. The group, identified as APT41, used web application vulnerabilities to gain their initial foothold into multiple state governments. Additionally, Mandiant has found that APT41 exfiltrated personally identifiable information (PII) from the affected systems in a manner similar to previously recorded espionage operations, but has yet to confirm whether this was an intelligence-gathering operation on behalf of the Chinese government.

    “APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability,” a researcher from Mandiant added.

    Microsoft is one of the most prominent tech manufacturers globally, and attacks like this have become the new normal for this U.S.-based company. Reports of a 2.4 terabit per second (Tbps) attack in October 2021 and two other large-scale DDoS attacks, each at 2.5 Tbps, show just how many times Microsoft’s Azure DDoS Protection Team has to put their skills to the test.

    This attack marks another instance where nation-state hackers from China were able to infiltrate U.S. state systems and remain undetected for months on end. These threat actors utilized numerous tools and techniques to adapt to any defenses that may have begun to uncover their trail. This shows a persistent, long-term focused resolve that many inside the U.S. government feared would show in attacks from nation-state hackers.

    Following the initial report on this attack, a spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) stated they were aware of the breach and had this to add:

    “CISA is actively working with our JCDC [Joint Cyber Defense Collaborative] private sector partners, including Mandiant, and government partners to address this advanced persistent threat to state government agencies and assist impacted entities. We encourage all organizations and critical infrastructure entities impacted by cyber intrusions to report to CISA, and to visit CISA.gov to take action to protect themselves.”

    According to Mandiant’s researchers, members of APT41 were able to initially compromise U.S. state government networks by exploiting vulnerabilities in applications built with Microsoft’s .NET platform. One of the vulnerabilities exploited was previously unknown and was found in an animal health reporting database system called USAHERDS. Experts believe the extent of this attack is going to be much larger than previously reported, with almost 20 different state governments reporting use of USAHERDS in their facilities.

    U.S. government officials were pressed on the motive of APT41’s most recent attack earlier this week and believe its focus was an espionage reconnaissance mission to determine the response of U.S. state governments. When asked for a response, Zhao Lijian, a spokesperson for China’s foreign ministry, stated:

    “China firmly opposes and combats any form of cyberattacks and will not encourage, support, or condone any cyberattacks.”


    Altoona Area School District Affected By Cyberattack

    Earlier this week, the Altoona Area School District sent a letter out to faculty and staff alerting them that a cyberattack affecting their internal systems had occurred. School superintendent Charles Prijatelj stated: “Altoona Area School District recently discovered it was the victim of a sophisticated cybersecurity incident, which impacted certain internal systems. Upon discovery of the incident, our IT took several steps to contain the incident and third-party forensic advisors and external legal counsel were engaged to assist”.

    News publications around Altoona received numerous anonymous phone calls describing the effects of the cyberattack, with many teachers reporting that their credit card agencies alerted them that their personal information had been found on the dark web. Researchers investigating the incident believe that social security numbers, full names, addresses, insurance ID numbers, and staff telephone numbers were all compromised in this breach. Prijatelj later commented on the incident, adding that Altoona’s IT department was in the process of containing the incident and had engaged third-party forensic investigators to assist with remediation.

    Cyberattacks have become more frequent across the country as threat actors have found a new lucrative target to exploit. School districts house troves of personally identifiable information for both students and faculty alike. This, coupled with abysmal amounts of funding for security-related projects, creates the perfect storm for threat actors looking for a quick payout. The public nature of these institutions also means that when a breach occurs or ransomware is detected, the schools almost always have to agree to the hackers’ demand and pay the ransom.

    Superintendent Charles Prijatelj penned a separate letter to parents and guardians of children in the school district, saying: “We do know that some of our employees have received notification of potential data compromise and we wanted to make you aware of the situation as well. Upon completion of the investigation, those individuals with compromised data will receive official notification. At this time, however, that information is not yet known.” Prijatelj then thanked parents for their patience and assured them that more information will be made available as the district uncovers more about this incident.



  • Global Cyber War: What is at stake?

    The Russian military invasion of Ukraine began with missiles striking just outside the capital, Kyiv, in the early morning hours of February 24th. While this event marks the beginning of military involvement in the campaign against Ukraine, Russian-sponsored hackers have been bombarding Ukrainian websites and infrastructure for the past few weeks in preparation for the invasion. The cyberattacks targeted the Ukrainian Parliament’s website and several state-sponsored banks in an effort to destabilize the country. The warning “Be afraid and expect the worst” was left on multiple websites following the initial cyberattacks.

    These recent geopolitical escalations have left many wondering how bad a modern-day cyber war could be. Russia stifled the Ukrainian economy by disabling all of its state-owned banks and spread panic across the country by targeting other websites. Unfortunately, this is not as bad as it gets when it comes to the effects of a cyber war.

    The effects of Cyber War:

    In 2021, the U.S. saw firsthand how critical infrastructure could be impacted by a cyber war. In Oldsmar, Florida, a water treatment facility was targeted by an unknown hacker who modified the lye levels in the water to toxic levels. Luckily, a worker at the facility noticed the changes and corrected them immediately. Had he not, millions of people would have risked consuming dangerously tainted drinking water. Another example of critical infrastructure being impacted was when Colonial Pipeline suffered a ransomware attack, disrupting the largest fuel supplier for the Southeastern part of the United States. U.S. citizens from Texas to Virginia saw the impacts of this attack firsthand as the fuel shortage caused by the cyberattack sent gas prices skyrocketing and left many across that region without fuel.

    Prepare for the worst:

    Cyber-attacks of this nature are becoming more and more common; this marks the fifth major breach of a U.S. company in the past six months. Cyber criminals are beginning to utilize the Ransomware-as-a-Service (RaaS) model to expand their operations by licensing their software out to other malicious actors. Countries across the globe need to be prepared for impending cyberattacks in the coming weeks. Many members of NATO have imposed economic sanctions on Russia in an attempt to punish them for escalations along the Ukrainian border. These sanctions could prove to be motivation for more state-sponsored hackers to take up their keyboards in retaliatory efforts against NATO countries. The U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have released a warning for businesses and countries to be on high alert for malicious cyber activity.

    The FBI, NSA, and CISA recommendations for companies are as follows:

    • Enforce Multi-Factor Authentication.
    • Enforce strong and unique passwords for all users.
    • Enable M365 Unified Audit Logs.
    • Implement endpoint detection and response tools.

    In conclusion, organizations and countries worldwide must prepare themselves for escalated cyberattacks in the next few weeks. Treat every disturbance or instance of unusual activity as a potential threat and investigate thoroughly. Inform all employees that they should also be hyper-vigilant during this time of unrest and be mindful of any suspicious emails or activity within their environment.

    Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact

  • Overview

    • Phish Tale of the Week
    • Microsoft Fends off Largest DDoS Attack Ever Recorded
    • Threat Actors Target Tax Software Company Intuit in Latest Phishing Campaign
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts can often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting FedEx customers. This email appears to be a notification alerting us that our package could not be delivered due to incomplete information for our physical address. We are then prompted to update our address below. This email contains FedEx’s logo and a convincing message saying “update my address”, so why not click the link and update details? Unfortunately, there are plenty of reasons not to click that email right away.

    Take a look below:

    1. The first red flag on this email is the sender address. Always thoroughly inspect the sender address to ensure it’s from a trusted sender. In the future, review the sender address thoroughly to see if the email could be coming from a threat actor.
    2. The second warning sign in this email is the frank message about grant money. Messages like this are usually targeted at people in college or around that age to entice them with an offer that is too good to be true. In this case, we are told we can take the right path in life by accepting these grant finances to go back to school.
    3. The final warning sign for this email is the encrypted PDF file attached to the message. Threat actors use encrypted PDFs to deliver malicious payloads, normally laced with ransomware or other malware. Never open attachments from unknown parties.


    General Recommendations:

    A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

    • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match the one you already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
    • Do not give out personal or company information over the internet.
    • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    Microsoft Fends off Largest DDoS Attack Ever Recorded

    Cyber-attacks have ballooned in recent months to numbers the United States has never seen before. The FBI estimates that in 2020 U.S.-based companies suffered over $5 billion in damages from cyber-attacks. One of the crudest and most widely used methods of cyber-attack is a distributed denial of service, or DDoS, attack. This occurs when an attacker floods a system or server with an overwhelming amount of data, usually from multiple systems, in an effort to overload the target. If done as intended, this attack can knock websites offline for hours, if not days on end, and cause outages for other similar systems.

    Last week Microsoft’s Azure DDoS protection team reported that in November 2021 they had successfully defended against what is likely the largest distributed denial of service attack ever recorded. The attack lasted over 15 minutes with a throughput of 3.47 Tbps, a packet rate of 340 million packets per second (pps), and came from over 10,000 different attack sources in ten distinct countries across the globe.

    Microsoft is one of the most prominent tech companies globally, and attacks like this have become the new normal for this U.S.-based company. Reports of a 2.4 terabit per second (Tbps) attack in October 2021 and two other large-scale DDoS attacks, each of 2.5 Tbps, show just how many times Microsoft’s Azure DDoS protection team has to put its skills to the test.

    Reports from inside Microsoft have shown that these DDoS attacks are growing in size and duration. In 2021, 57% of DDoS attacks against Microsoft lasted just under 30 minutes. This is a 17% drop from where attacks clocked in during 2020. The number of attacks that lasted longer than an hour doubled from 13% in 2020 to 27% in 2021. These more drawn-out attacks often consist of a sequence of numerous short, repeated burst attacks.

    This rise in DDoS attacks is a growing concern for many in the global information security community. Attacks similar to this can be used to overload power or utility systems to cause blackouts, disrupt transit in major metropolitan cities, or even go as far as short-circuiting a nuclear power reactor. Policymakers and boards of directors alike need to prioritize bolstering their security postures. Attacks are going to start flooding in from every side, and companies will only have a moment’s notice to react to them. Proactive cyber security policies and dynamic firewall parameters are some of the best ways to fight against these DDoS attacks.

    To read more about this article, click here.

    Threat Actors Target Tax Software Company Intuit in Latest Phishing Campaign

    Eager to get your tax refund this year? Unfortunately, so are cyber criminals. Tax software company Intuit is warning its customers that an ongoing phishing campaign is targeting their users. The subject line reads “Critical: Action Required (TXPO99497)”, with the email displaying an “account disabled warning” and stating that users must remedy this issue within 24 hours. Users are then told that “this is the result of a recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season.” The message concludes with a malicious link at the bottom for users to “restore their accounts”.

    A spokesperson for Intuit declared, “the sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit.”

    Intuit declined to comment on what happens when users click the malicious link; however, most phishing campaigns utilize similar links to ensnare their targets with malware or ransomware. If you have already clicked the link, some necessary steps you can take to protect yourself are as follows: delete any recent downloads from unknown sources, use up-to-date antivirus software and scan your computer/laptop, and change your passwords for any accounts that were signed in when you clicked the initial link.

    Consumers need to constantly be on the lookout for phishing attacks as threat actors become more crafty with their attacks. This recent phishing campaign using Intuit as a guise relies on users rushing to get their taxes done during a busy time of the year. Always be sure to check the sender address and contents of every email you receive to make sure it’s not a phishing trap. Attackers often utilize urgent messages such as “fix account within 24 hours” or “click the link immediately to resolve this issue” in an attempt to create panic and elicit a fast response from their targets. Thoroughly inspect any suspicious-looking emails, and discard them properly when using your email service.

    For more information check out the rest of the article here.


  • Overview

    • Phish Tale of the Week
    • How Remote Work has Impacted Cybersecurity
    • Are Medical Devices at Risk of Cyber Attacks?
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts can often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting FedEx customers. This email appears to be a notification alerting us that our package could not be delivered due to incomplete information for our physical address. We are then prompted to update our address below. This email contains FedEx’s logo and a convincing message saying update my address, so why not click the link and update details? Unfortunately, there are plenty of reasons not to click that email right away.

    Take a look below:

    1. The first red flag on this email is the sender address. Always thoroughly inspect the sender address to ensure it’s from a trusted sender. In the future, check all suspicious emails from companies against previous correspondence you’ve received and make sure the sender address is the same.
    2. The second warning sign in this email is the incomplete greeting. The email starts off with Dear [Name] instead of an actual name. This is a telltale sign of a spam email. Most outside threat actors will lack the basic information to create a legitimate-looking email. Usually, the greeting would have your specific first and last name at the beginning to show who the company is communicating with.
    3. The final warning sign for this email is the inconsistency in the messaging. First we are told to update our physical address. Then we are told to update our personal address. Finally we are told to “update my address” below. Most companies will use consistent messaging and refer to account changes that need to be made in the same fashion each time. This physical address vs. personal address vs. update my address is an immediate red flag.



    For FedEx-specific recommendations and tips check out this link to their fraud detection center here.

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    How Remote Work Has Impacted Cybersecurity

    The pandemic has forced many companies to abruptly accept work from home for the majority of their workforce as the new normal. Once bustling offices have been reduced to skeleton crews of a handful of employees or, in many cases, remain completely empty. This switch has been a blessing for some companies, allowing them to reduce fixed costs such as real estate and even broaden their searches for new job candidates now that geographical limitations aren’t a factor.

    Unfortunately, some severe problems have begun to plague many organizations relying on remote work policies. Before the start of the pandemic, remote work was seldom used in most companies. This lack of experience and a rapid switch to remote work created a security nightmare for many teams. Many of these businesses lacked the infrastructural and cultural policies to adapt to remote work environments fully. Did you know only 38% of companies had a cybersecurity policy in place before the pandemic, and only a third of these businesses had policies on remote work? This created a perfect storm for cybercriminals, with cyber attacks almost quadrupling during the pandemic targeting small and medium-sized businesses, hospitals, enterprise-grade organizations, and schools alike.

    One of the leading causes of headaches for companies suffering onslaughts of cyber attacks was the lack of planning. Organizations quickly adapted to the new normal of remote work but were unable to create cybersecurity policies beforehand to govern how these devices communicate with each other and are used. This lack of forethought also affected the tools, or lack thereof, that companies could use to help better monitor network traffic, secure firewalls, or detect vulnerabilities within their environment. Even companies that did have state-of-the-art equipment in the office were now rendered helpless and had to rely on the home network security of their employees, since those employees were no longer under the office safety net of a well-configured firewall.

    Another major issue that has affected companies everywhere is an overall lack of cybersecurity education. Most cyber attacks start with an unsuspecting employee clicking on a malicious link or downloading a file they shouldn’t have. Organizations need to be quick to adopt a culture of hyper-vigilance when discussing security with their employees. The best way to approach this is through an abundance of caution. Employees are better served asking for help when an attachment looks suspicious than mistakenly clicking on a malicious link. Companies that prioritize training their employees to ask questions about security and check with their IT admins first will immediately notice a decline in risk.

    Overall, remote work has brought many incentives to organizations that implement it correctly. With it, outside threat actors will use this increased attack surface to target more companies and employees to extort. The best way to move forward is to review your cybersecurity policies and update them accordingly for a remote work environment. Make all employees involved in a culture of security at your company.

    To read more about this article, click here.

    Are Medical Devices at Risk of Cyber Attacks?

    In 2017, the first ransomware assault on networked medical equipment occurred when the ransomware strain WannaCry hit radiological tools in several hospitals. This attack caused multiple hospitals to postpone cancer treatments until they could identify the source of the ransomware affecting their network. This example perfectly illustrates how cyber attacks can disrupt the healthcare industry and impact patients’ care. However, the quality of care is not the only thing disrupted during cyber attacks.

    Hospitals house some of the most comprehensive PHI (patient health information) databases globally. These records include medical history, address, age, social security numbers, and insurance specifics that can lead to nightmares for unsuspecting patients when in the wrong hands. Since more hospitals have become interconnected with a litany of medical devices communicating with each other over the network, securing the transfer of this information through the cloud is paramount.

    Securing external medical equipment is imperative to providing quality health care and protecting patient information. Everything from insulin pumps to ventilators to security cameras and RFID readers must be secured to ensure hackers do not have easy entry points. The interconnectivity of devices in a hospital has created a massive attack surface for outside threat actors to exploit. IT staff need to be well trained in identifying, upgrading, and patching vulnerable systems and devices to ensure they are safe from malicious cyber criminals.

    The pandemic has caused a significant strain on health care organizations across the country. The increase in patients has caused issues for primary care providers and created a perfect storm for outside threat actors. Hackers are using the unrest created from surges of patients at hospitals to target health care networks and infect them with ransomware. Law enforcement and government agencies have been unable to stop the escalation of cyber attacks against hospitals, leaving on-site IT admins and medical device security as the last line of defense.

    In conclusion, medical device manufacturers need to focus on the security of their devices before they are released into the market. Vulnerable devices cause a wide array of problems for health care institutions and can be actively exploited by cyber criminals. At the same time, hospitals need to prioritize enabling IT staff to monitor these devices and consider what devices could become attack vectors in their environment.

    For more information check out the rest of the article here.


  • Log4J: The Minecraft-found, Java-fueled nightmare.

    On December 9th, the greater information security community had its world turned upside down when a newly uncovered zero-day vulnerability was found in Apache’s Java logging library Log4J. Within hours of this news, every major software company was in disaster mode, attempting to determine how their products were affected and how a patch could be released. Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), stated this is the most severe security flaw she has seen in her career, but just how bad is this vulnerability?

    Why is this so bad?

    The Log4J vulnerability is being tracked as CVE-2021-44228 by MITRE, with this critical vulnerability’s severity set at CVSS 10/10. This vulnerability is unlike anything researchers have ever seen before, with its size and scope affecting millions of applications across the world. Log4J is a library that software applications use to record (log) their past activity. Companies use this component when developing new applications for a variety of reasons. The code is widely used due to its efficiency and open-source nature, allowing for cost savings on the developers’ end. Earlier this December, a Minecraft community forum discovered the vulnerability after a person sent a remote code execution (RCE) exploit to a friend’s Minecraft server. Unfortunately, the RCE worked, and the same method of compromise can be duplicated and used against millions of applications that utilize that same line of code.

    What does this mean?

    Imagine a specific type of bolt attached to the tire of a car suddenly becomes loose and stops working. Changing out that set of bolts on one car is easy, but think of how difficult it would be to find every car that uses that ineffective type of bolt. That is what the information security community is dealing with in Log4J. By getting a malicious string written into the logs, an outside threat actor can gain total access to the affected system, allowing them to create botnets, mine cryptocurrency, or distribute ransomware to other connected systems.

    This vulnerability is terrifying for so many companies because of the ubiquity and triviality of the issue. The malicious string needed to exploit the vulnerability only runs 12 characters long. Attackers who generally wouldn’t have the skills to pull off remote code execution against a vulnerable application now have one of the most accessible attack vectors to unpatched systems. This, coupled with the widespread use of the open-source code containing the vulnerability, means that millions of applications are susceptible to attacks from everyone, from nation-state threat actors to lower-level hackers.

    What is the solution?

    Hackers will have to deliver a line of malicious code to take advantage of vulnerable applications running Log4J. One of the easiest ways to deliver this code is through phishing campaigns. Be sure to keep an eye out in the coming weeks for any suspicious emails prompting you to click on a link or open any attachments. Always look to authenticate the sender before replying to any email chains, if the address looks suspicious, do not reply. Another step users can take to stay protected is routinely checking for updates on frequently used applications like your internet browser, mobile applications, and video games. Developers are hard at work creating patches to this security vulnerability. Promptly install all updates and keep an eye out for companies giving any additional advice or directives to follow to help secure your infrastructure.
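    As an added example that is not part of the original post and not a Netizen product: a Python inventory script for the “find every car with that bolt” step, which has to come before any patching. It identifies log4j-core copies by the Maven pom.properties path the library ships with and by the presence of its JndiLookup class, treats 2.15.0 as the first release that fixed CVE-2021-44228, and also looks inside archives nested in WAR or fat JAR files; the sample JARs it builds for the demo are constructed stand-ins, not real Log4j.

```python
"""Log4j 2 inventory scanner (added example; not Netizen's tool or the post's code).

Walks a directory tree, opens every JAR/WAR/EAR, reads the Maven pom.properties
that log4j-core ships with, and reports each copy whose version predates 2.15.0,
the first release that fixed CVE-2021-44228. Archives nested inside other
archives (fat JARs, WEB-INF/lib) are scanned too; that is where the "loose
bolt" usually hides.
"""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Maven metadata path inside a log4j-core JAR.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind the JNDI lookup. Apache's stop-gap mitigation for older
# releases was to delete it, so its absence means "mitigated by hand".
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)
ARCHIVE_EXTENSIONS = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str           # outer path, plus "!inner/path" for nested archives
    version: Optional[str]  # None when only JndiLookup.class was found
    vulnerable: bool


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_is_vulnerable(version: str) -> bool:
    """CVE-2021-44228 affects log4j-core 2.x releases before 2.15.0."""
    parsed = parse_version(version)
    if parsed is None:
        return True  # unparseable version string: treat as suspect, not safe
    return parsed[0] == 2 and parsed < FIXED_VERSION


def _inspect_archive(zf: zipfile.ZipFile, location: str) -> Iterator[Finding]:
    names = set(zf.namelist())
    version = None
    if LOG4J_CORE_POM in names:
        for line in zf.read(LOG4J_CORE_POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is not None:
        # Old version whose JndiLookup.class was already removed counts as mitigated.
        bad = version_is_vulnerable(version) and JNDI_LOOKUP_CLASS in names
        yield Finding(location, version, bad)
    elif JNDI_LOOKUP_CLASS in names:
        # Shaded/repackaged JAR without Maven metadata, but the lookup class is
        # present: flag it for a closer look.
        yield Finding(location, None, True)
    for name in names:  # recurse into archives bundled inside this one
        if name.lower().endswith(ARCHIVE_EXTENSIONS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from _inspect_archive(inner, f"{location}!{name}")


def scan_path(root: str) -> List[Finding]:
    """Return one Finding per log4j-core copy found under root."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTENSIONS):
                full = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(full) as zf:
                        findings.extend(_inspect_archive(zf, full))
                except zipfile.BadZipFile:
                    continue
    return findings


def summarize(findings: List[Finding], root: str) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map location (relative to root) -> (version, vulnerable) for reporting."""
    out: Dict[str, Tuple[Optional[str], bool]] = {}
    for f in findings:
        outer, _, inner = f.location.partition("!")
        key = os.path.relpath(outer, root) + ("!" + inner if inner else "")
        out[key] = (f.version, f.vulnerable)
    return out


def sample_jar_bytes(version: str, keep_class: bool = True) -> bytes:
    """CONSTRUCTED stand-in for log4j-core: only the metadata the scanner reads,
    no real Log4j code. Used for the demo and tests only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LOG4J_CORE_POM, f"version={version}\nartifactId=log4j-core\n")
        if keep_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()


def build_demo_tree() -> str:
    """Temp directory with constructed samples: old, patched, hand-mitigated,
    and an old copy nested inside a WAR. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    samples = [("app-old.jar", "2.14.1", True), ("app-new.jar", "2.17.1", True),
               ("app-mitigated.jar", "2.14.1", False)]
    for name, ver, keep in samples:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(sample_jar_bytes(ver, keep))
    with zipfile.ZipFile(os.path.join(root, "webapp.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.0-beta9.jar", sample_jar_bytes("2.0-beta9"))
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for loc, (ver, bad) in sorted(summarize(scan_path(target), target).items()):
        print(f"{'VULNERABLE' if bad else 'ok':10} {ver or '?':10} {loc}")
```

Pass a directory as the first argument to scan a real tree; without one it scans the constructed demo. Later Log4j advisories raised the recommended floor above 2.15.0, so treat the threshold here as a minimum.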


  • Overview

    • Phish Tale of the Week
    • Ubiquiti Developer Charged With Extortion
    • IKEA Fights Ongoing Phishing Campaign
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts can often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting Amazon customers, or just someone who doesn’t check their email rigorously. This email appears to be a notification alerting us that our address is missing from Amazon and a package was supposed to be delivered today. This email contains Amazon’s branding and a convincing message saying to reply with the correct shipping address, so why not click the link and update details? Unfortunately, there are plenty of reasons not to click that email right away.

    Take a look below:

    1. The first red flag on this email is the sender address. Always thoroughly inspect the sender address to ensure it’s from a trusted sender. In the future, check all suspicious emails from companies against previous correspondence you’ve received and make sure the sender address is the same.
    2. The second warning sign in this email was the lack of authentication. The message says a delivery was scheduled for today, but normally Amazon fulfills its shipping orders using UPS, FedEx, or USPS. While Amazon will normally alert you of a missed delivery, the lack of an additional email from the shipping company is cause for suspicion.
    3. The final warning sign for this email is the callouts at the bottom. This message says to “update detals”. Brief messaging is normally used in scams like this to attract people to just read what they say and click as fast as possible. One easy way to spot a scam email is to reference previous emails you’ve received from the company. When compared to other correspondences from Amazon, this email immediately looks different.


    General Recommendations:

    A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

    • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
    • Do not give out personal or company information over the internet.
    • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing emails convey urgency or even aggression in order to intimidate the recipient. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that try to tempt you into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    For Venmo-specific recommendations and tips check out this link to their fraud detection center here.

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    Ubiquiti Developer Charged With Extortion

    Following a January 2021 data breach, technology vendor Ubiquiti Inc. has uncovered the source behind the incident. On Wednesday in Oregon, federal prosecutors arrested Nickolas Sharp, a former senior developer at Ubiquiti. Sharp stands accused of stealing gigabytes of confidential, proprietary data from his former employer and then trying to extort Ubiquiti for $1.9 million to return the files. Sharp worked at the New York-based company from August 2018 to April 2021 and posed as an anonymous whistle-blower claiming that an outside hacker was responsible for the January data breach.

    Prosecutors claim Nickolas Sharp applied for a job at another tech company in December 2020. He then abused his access privileges to steal Ubiquiti data from Ubiquiti’s AWS servers and the company’s GitHub accounts. Employees inside Ubiquiti uncovered unusual download traffic on December 28, noting that a user had used internal company credentials and a VPN connection to mask their actual location. This prompted the company to investigate the suspicious activity further.

    On January 7, a senior Ubiquiti employee received a ransom email sent from an IP address belonging to the same VPN used to download the stolen data. The email explained that internal and external Ubiquiti data had been stolen, and the ransomer demanded 25 bitcoin in exchange for the return of the data. The assailant then offered to identify a “backdoor” they had left in the Ubiquiti environment for an additional 25 bitcoin. Prosecutors believe Nickolas Sharp sent this ransom while working on the remediation team tasked with investigating the breach, which placed him close to the investigation and gave him a chance to stifle any effort to uncover the breach’s source.

    Federal investigators claim that while attempting to download the data, Sharp’s internet connection briefly failed, disrupting his VPN connection and exposing his internet address. Sharp maintains his innocence and claims the VPN subscription tying him to the crime must have been purchased by someone else using his PayPal account.

    Prosecutors are charging Nickolas Sharp with intentionally damaging protected computers, making false statements to the FBI, transmitting interstate communications with the intent to extort, and wire fraud. If found guilty, Sharp faces a maximum sentence of 37 years in prison.

    Following the announcement of this data breach in a March disclosure, Ubiquiti’s stock tumbled 20%, erasing $4 billion in market cap.

    To read more about this article, click here.

    IKEA Fights Ongoing Phishing Campaign

    While many Americans were out shopping on Black Friday, Swedish design company IKEA was busy fighting an ongoing internal phishing campaign rather than hordes of shoppers. Reports from inside IKEA show that a reply-chain email attack is being used to install malware on unsuspecting employees’ devices through malicious download links hidden in documents. This attack differs from most phishing campaigns in that it uses legitimate company email accounts to hijack existing email threads and distribute ransomware and malware.

    After detecting this attack, IKEA has been on high alert and has urged all employees to use caution when opening or replying to any emails in their inboxes. At this time, official IKEA accounts, distributors, suppliers, and other organizations with ties to IKEA are considered compromised. IKEA’s internal security team has detected numerous malicious emails sent to their employees from most of their business partners.

    IKEA security teams have warned employees that the reply-chain emails carry seven-digit codes, and an example email has been attached to every warning. Employees have also been advised not to open any suspicious emails, regardless of the sender, and to report them immediately to the IT department.

    On Tuesday, an IKEA spokesperson was pressed on this matter, asking if the phishing attack had been contained. He responded by saying, “IKEA takes this matter very seriously. We continue to monitor to ensure that our internal defense mechanisms are sufficient. Actions have been taken to prevent damages, and a full-scale investigation is ongoing”. 

    For more information check out the rest of the article here.

    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Overview

    • Phish Tale of the Week
    • CMMC Halted, CMMC 2.0 On The Horizon
    • Global Supply Chain At War Against Dark Web Cybercriminals
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts often target specific groups that malicious actors can exploit. In this instance, we see a phishing scam aimed at unsuspecting employees who may be expecting an invoice to be paid, or simply at someone who doesn’t check their email rigorously. This email appears to be a notification saying $500 has been sent to our Venmo account. It carries Venmo’s branding and a convincing message telling the reader to complete the necessary steps to finish the process, so why not click the link? Unfortunately, there are plenty of reasons not to click that link right away.

    Take a look below:

    1. The first red flag in this email is the sender address. Always inspect the sender address thoroughly to ensure it’s from a trusted sender. Going forward, compare any suspicious email from a company against previous correspondence you’ve received and make sure the sender address is the same.
    2. The second warning sign in this email is the lack of consistent messaging. The image in the email shows that $500 has been sent to my account, but no other information is provided. Normally, when you receive money on Venmo, a receipt is sent to your inbox naming the party that sent the money and the total amount. In this case, there are no further details on this payment.
    3. The final warning sign in this email is the call-out at the bottom. This message says to “accept money”. Brief messaging is normally used in scams like this so that people read only what is there and click as fast as possible. One easy way to spot a scam email is to compare it with previous emails you’ve received from the company. Set beside other correspondence from Venmo, this email immediately looks different.


    General Recommendations:

    A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

    • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match the one you already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company the message claims to be from.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers, social security numbers, etc.? A legitimate company will never ask for PII via instant message or email.
    • Do not give out personal or company information over the internet.
    • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing emails convey urgency or even aggression in order to intimidate the recipient. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that try to tempt you into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    For Venmo-specific recommendations and tips check out this link to their fraud detection center here.
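One way to automate the sender-address and link checks from the two Phish Tales above, as an added example that is not the newsletter's own tooling. The sample message, every address and host in it, and the known-domain list are all constructed for illustration.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample imitating the Venmo-style notification described above.
# All addresses and hosts are made-up placeholders.
SAMPLE_RAW = """From: "Venmo" <notify@venmo-payments-alerts.example>
To: employee@company.example
Subject: You have received $500
Content-Type: text/html

<html><body>
<p>$500 has been sent to your account.</p>
<a href="http://venmo.secure-login.example/accept">Accept money</a>
</body></html>
"""

# Domains seen in genuine previous correspondence from each brand.
# Constructed list; a real deployment would build it from the
# organisation's own mail history.
KNOWN_SENDER_DOMAINS = {"venmo": {"venmo.com"}}


def sender_domain(msg):
    """Return the domain part of the From address, lower-cased."""
    addr = email.utils.parseaddr(msg["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()


def link_hosts(msg):
    """Extract (scheme, host) pairs for every href in the message body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return [(urlparse(u).scheme.lower(), urlparse(u).hostname or "")
            for u in re.findall(r'href="([^"]+)"', text)]


def phishing_red_flags(raw, brand):
    """Apply the newsletter's checks and return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    trusted = KNOWN_SENDER_DOMAINS.get(brand, set())
    flags = []
    dom = sender_domain(msg)
    # Red flag 1: sender domain differs from previous correspondence.
    if dom not in trusted:
        flags.append(f"sender domain {dom!r} not in known {brand} domains")
    for scheme, host in link_hosts(msg):
        # Red flag 3: the call-out link points away from the brand's domain.
        if not any(host == t or host.endswith("." + t) for t in trusted):
            flags.append(f"link host {host!r} is not a {brand} domain")
        # Recommendation: expect HTTPS on any login or payment link.
        if scheme != "https":
            flags.append(f"link to {host!r} does not use HTTPS")
    return flags
```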

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    CMMC Halted, CMMC 2.0 On The Horizon

    Earlier this month, sources from inside The Pentagon summarized their changes for the Cybersecurity Maturity Model Certification (CMMC) program. These changes come almost a year after the initial idea of CMMC was proposed to members of the DoD supply chain. CMMC is made up of security requirements that all DoD vendors and suppliers must adhere to better protect the flow of data and information and increase their security posture. The Department of Defense has halted all official audits and implementations of this framework, pending the release of new changes later this year.

    The goal of this program was to require every defense contractor that comes into contact with certain controlled unclassified information to undergo a third-party audit to determine their compliance with the controls outlined in the original release of the Cybersecurity Maturity Model Certification. The federal government had planned to pilot this certification with multiple internal programs, but those plans have now stalled. According to The Pentagon, the previous requirements and guidelines from CMMC will be rolled into CMMC 2.0, with the hope that discussion and collaboration within the industry will help streamline the process.

    The focal point of CMMC was that Pentagon officials believed the existing system, in which defense contractors were allowed to self-attest their compliance with cybersecurity standards from the National Institute of Standards and Technology (NIST), was not working. This was further confirmed after the U.S. saw a nationwide increase in cyberattacks at the beginning of and through most of 2021.

    The original CMMC guidelines established five levels of security for vendors to meet, with the required level determined by the sensitivity of the data they process or possess. CMMC 2.0 has proposed removing levels two and four from the standard. Additionally, all level one suppliers can self-attest to their cybersecurity readiness. The next level (previously level three) would be split into priority and non-priority acquisitions, allowing priority acquisitions to opt out of an independent third-party assessment. The rules for level three (previously level five) have yet to be released.

    CMMC 2.0 is also rumored to remove the additional controls that were added last year in CMMC’s initial run and to rely solely on NIST’s 800-171 controls instead. In line with this, CMMC 2.0 will now accept plans of action and milestones (PoAMs), which had initially been ruled out last year. The final set of changes and requirements for CMMC 2.0 has yet to be released but is due out by the end of the year.

    To read more about this article, click here.

    Global Supply Chain At War Against Dark Web Cybercriminals

    Many Americans have been suffering supply chain shortages for months now. Whether it is toilet paper, a new PlayStation 5, or a pair of winter boots, goods are not as easy to get your hands on as they once were. Economists have blamed these shortages on many issues surrounding the pandemic and state of the global economy. To make matters worse, supply chain vendors are now faced with an onslaught from cybercriminals on the dark web selling sensitive information that could compromise these companies.

    Cyber intelligence firm Intel 471 recently reported that dark web traffic has spiked with user credentials from ground, maritime, and air cargo transport vendors being sold on underground marketplaces. These criminals have leveraged vulnerabilities in virtual private networks (VPNs), remote desktop protocol (RDP), and other products like Citrix and SonicWall to exploit these organizations.

    Intel 471 researchers reported, “We’ve witnessed ransomware attacks on the shipping industry throughout the year, which has undoubtedly put a constraint on companies that are already stretched thin due to the pandemic.”

    By the beginning of 2021, the four largest global maritime shipping companies had become victims of recent cyber-attacks, leaving many wondering how. A deeper dive into the dark web uncovered that many of these companies were being advertised on underground forums. In October 2021, cybercriminals on one of the forums stated they had access to a U.S.-based freight company and could provide administrator access to multiple computers on its network. In August, just months before, an unknown threat actor with ties to the Conti ransomware gang had claimed to have similar access to a U.S.-based transportation management firm.

    These attacks are hindering shipping operations across the globe, and vendors need to take notice immediately. As more pressure is put on suppliers to move goods worldwide, companies must strengthen their cybersecurity posture. These recent attacks have proved that suppliers are lucrative targets for cybercriminals, and the attacks won’t stop until there is pushback.

    For more information check out the rest of the article here.
