• Overview

    • Phish Tale of the Week
    • Lithuania Suffers a Series of DDoS Attacks Following the Ban on Kaliningrad Imports
    • Carnival Cruise Lines Hit With $5,000,000 Fine for Cybersecurity Incidents
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts often target specific groups that malicious actors can exploit. In this instance, we see a phishing scam targeting unsuspecting recipients with a fake survey reward. The email appears to be a notification inviting us to answer a survey and win a new Makita Power Drill. We are then prompted to “get started now” to complete the survey for the free reward. The email promises a free drill for only a few minutes of our time, so why not click? Unfortunately, there are plenty of reasons not to click that email right away.

    Take a look below:

    1. The first red flag in this email is the sender’s address. Always inspect the sender’s address thoroughly to confirm it belongs to a trusted sender, since a look-alike address is the most common sign that the email is coming from a threat actor.
    2. The second warning sign is the “expiring soon” notice above the main message. Phishing scams commonly use words like this to pressure their targets into a quick response. Always be sure to inspect the wording of every email in your inbox.
    3. The final warning sign is the large red “Get Started Now” call to action. Threat actors use call-to-action buttons like this to redirect targets straight to malicious landing pages. Those landing pages then infect the target’s system with malware or other software intended to steal information or extort the target further.


    General Recommendations:

    A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

    • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company that appears to be sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers or a social security number? A legitimate company will never ask for PII via instant message or email.
    • Do not give out personal or company information over the internet.
    • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and that it has the proper security in place, such as HTTPS.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
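The red flags listed above (a sender domain that does not match the brand, a Reply-To pointing somewhere else, urgency language, links that lead off-site or use plain HTTP) can be checked mechanically before a message ever reaches an inbox. The following is an added example written for this article, not code from Netizen or from any mail product; the two sample messages and the brand domain acme-tools.example are constructed placeholders, and the urgency phrase list is an assumption you would extend for your own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Pressure phrases the article calls out; an assumed starting list, extend to taste.
URGENCY_PHRASES = ("expiring soon", "act now", "immediately", "get started now", "fix your account")

# Constructed placeholder for the brand domain the reader expects mail to come from.
EXPECTED_DOMAIN = "acme-tools.example"


def domain_of(addr):
    """Lowercase domain part of an address header value, or '' when there is none."""
    _, email = parseaddr(addr or "")
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def link_hosts(html):
    """Hostnames of every href= target in an HTML body."""
    return {urlparse(h).hostname or "" for h in re.findall(r'href=["\']([^"\']+)', html, re.I)}


def in_domain(host, domain):
    """True only for the domain itself or a real subdomain, never for look-alikes."""
    return host == domain or host.endswith("." + domain)


def triage_message(raw, expected_domain=EXPECTED_DOMAIN):
    """Return the list of red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From"))
    if from_dom != expected_domain:
        flags.append(f"sender domain {from_dom!r} is not {expected_domain!r}")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    body = body_text(msg)
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    offsite = sorted(h for h in link_hosts(body) if h and not in_domain(h, expected_domain))
    if offsite:
        flags.append("links lead away from expected domain: " + ", ".join(offsite))
    if "http://" in body and "https://" not in body:
        flags.append("links use plain http, not HTTPS")
    return flags


# Constructed sample: a survey-reward lure with every red flag from the article.
SAMPLE_PHISH = """\
From: "Acme Rewards" <promo@acme-survey-rewards.example>
Reply-To: claims@prize-desk.example
To: you@example.org
Subject: EXPIRING SOON - your Acme Power Drill is waiting
Content-Type: text/html; charset=utf-8

<html><body>
<p>Congratulations! Answer a short survey and win a new drill.</p>
<p><a href="http://prize-desk.example/claim?id=123">Get Started Now</a></p>
</body></html>
"""

# Constructed sample: an ordinary shipping notice from the expected domain.
SAMPLE_LEGIT = """\
From: "Acme Tools" <orders@acme-tools.example>
To: you@example.org
Subject: Your order has shipped
Content-Type: text/html; charset=utf-8

<html><body><p>Track it at <a href="https://shop.acme-tools.example/orders/555">our site</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage_message(raw) or ["no red flags"])
```

Heuristics like these are a triage aid for a mail gateway or a help-desk reviewer, not a verdict: a message with no flags still deserves the manual checks above, and a legitimate marketing platform can trip the Reply-To rule.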

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    Lithuania Suffers a Series of DDoS Attacks Following the Ban on Kaliningrad Imports

    Earlier today, the Russian hacking group Killnet claimed responsibility for a distributed denial-of-service (DDoS) cyberattack against Lithuania. The news follows reports earlier this month that Lithuania banned the transit of goods through its territory to the Russian enclave of Kaliningrad, which sits between Poland and Lithuania with no border touching Russian soil. State and private institutions in Lithuania were taken offline early Monday, June 27, 2022, after the National Cyber Security Centre released a statement detailing an ongoing cyberattack.

    The spokesperson for Killnet announced that this series of DDoS attacks is direct retaliation for the blocking of transit of EU-sanctioned goods destined for Kaliningrad. Earlier this month, Moscow released a statement promising a “practical” response to the parties responsible for banning the movement of goods into Russia. Russia’s foreign ministry has since demanded an end to the embargo on coal, construction materials, technology, and metals entering the country. The ministry reaffirmed this position in the following statement:

    “If in the near future cargo transit between the Kaliningrad region and the rest of the territory of the Russian Federation through Lithuania is not restored in full, then Russia reserves the right to take actions to protect its national interests.”

    Information security experts expect DDoS attacks like this to increase in frequency over the next few weeks if Russia’s demands are not met promptly. Denial-of-service attacks work by flooding a website or server with a massive amount of bogus traffic. The flood overloads the system until it goes offline, and the outage can persist for as long as the hacking group keeps up the effort.

    To read more about this article, click here.

    Carnival Cruise Lines Hit With $5,000,000 Fine for Cybersecurity Incidents

    The New York State Department of Financial Services levied a $5 million penalty on Carnival Corp., owner of the globally recognized Carnival Cruises brand, earlier this month. The penalty follows earlier reports that Carnival Corp. misreported, and did not adequately respond to, numerous cyber-attacks it has suffered over the last few years. In recent months, federal and state regulators have urged corporations to treat cybersecurity with urgency and have indicated that fines and penalties will be imposed on companies that do not shore up their reporting and defenses.

    In May 2019, Carnival suffered a series of phishing attacks in which multiple email accounts were compromised and used to send mass waves of spam to other employees. In total, threat actors gained access to 124 email accounts hosted on Microsoft Office 365 and were able to extend their reach to other employee accounts. The attack exposed a trove of PII, with driver’s licenses, passport numbers, names, addresses, and social security numbers of multiple employees leaked. Carnival delayed its public response to the breach and failed to notify regulators until April 2020, almost eleven months after the initial incident, even though New York had imposed a new set of cybersecurity regulations in 2017 requiring all covered businesses to adhere strictly to more stringent security and reporting requirements.

    Unfortunately for Carnival, cyber-attacks against the organization persisted: ransomware attacks hit in August 2020 and January 2021, a malware attack on Christmas Day 2020, and a second phishing attack in March 2021. Because Carnival recorded four incidents within a three-year period, the New York State Department of Financial Services found that Carnival had not adequately trained its employees in cybersecurity basics. Additionally, the regulator found that Carnival’s CISO had made false certifications of the company’s readiness from 2018 to 2020.

    Following the announcement of these penalties, Carnival declined to issue any statement of wrongdoing, claiming:

    “Carnival routinely reviews security and privacy policies and procedures and implements changes when necessary to enhance information security and privacy controls.”

    Carnival has since agreed to a settlement with the DFS and a multistate group of Attorneys General to create a breach response and notification plan, introduce multifactor authentication for remote email access, and increase security training for all employees.

    For more information check out the rest of the article here.

    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Netizen: What is Security Information and Event Monitoring (SIEM)?

    Ever wonder how your organization can immediately upgrade its security infrastructure? What about all the traffic and logs generated from devices and users on the network? Security Information and Event Monitoring (SIEM) combines security information management (SIM) and security event management (SEM) into one tool that provides insights into an organization’s traffic and user behavior. Plainly stated, SIEM helps businesses of all sizes recognize underlying vulnerabilities and security threats before they materialize into critical issues.

    SIEM tools got their start in the financial industry, where many of the world’s most significant players identified a need for enriched network traffic reports that would show whether any unusual activity was present. This, coupled with rule changes to PCI-DSS, ushered in the adoption of SIEM tools in many large corporations. Other industries quickly caught on to the benefits, with many citing the single point of view over all sources as one of the greatest strengths of SIEM products.

    How does a SIEM tool work?

    At the base level, a SIEM tool functions on a set of rules or parameters to establish a correlation between network traffic and event logs. This correlation evolves into a well-monitored and established pattern of behavior that can be viewed over a set period. Most SIEM tools gather logs from user data, cloud environments, applications, firewalls, networks, and other assets deployed in the management environment. This information is stored and analyzed 24/7 to allow security personnel uninterrupted access to the logs for monitoring. Once a baseline has been established, the initial rules then detect any anomalies or irregular traffic and flag them for further review by the security team. A perfect example of these rules in the real world is password lockouts. If a user tries to log in to their account and fails 3-5 times in a 6-minute window, that is considered relatively normal traffic. However, if the system picks up 100+ failed login attempts in a 5-minute window, an alert would be generated notifying the security team of an attempted compromise.
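The failed-login rule described above is the simplest kind of SIEM correlation: count events of one type per source inside a sliding time window and alert when the count crosses a threshold. The following is an added example written for this article, not code from Netizen or from any SIEM product; the log format and the sample lines are constructed, and it generalizes the text’s single rule by taking the threshold and window as parameters, so the same routine reproduces both the “3-5 failures in 6 minutes is normal” case and the “100+ failures in 5 minutes” alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-like line format, e.g.
#   2022-06-27T09:00:00 auth: FAILED login user=jdoe src=10.0.0.15
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth: (?P<result>FAILED|SUCCESS) "
    r"login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None  # a production pipeline would count unparsed lines as their own signal
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_failed_login_bursts(lines, threshold=100, window=timedelta(minutes=5)):
    """Emit one alert per source IP the first time it reaches `threshold` failed
    logins inside any sliding window of length `window`.  Lines are expected in
    chronological order, as a SIEM normally receives them from its collectors."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAILED":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Expire failures that have slid out of the window relative to this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "count": len(q), "at": ev["ts"]})
    return alerts


def build_sample_log():
    """Constructed events: one user mistyping a password 4 times in 6 minutes
    (normal), then a single source producing 120 failures in 4 minutes (a burst)."""
    base = datetime(2022, 6, 27, 9, 0, 0)
    lines = []
    for i in range(4):
        ts = base + timedelta(seconds=90 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} auth: FAILED login user=jdoe src=10.0.0.15")
    ok = base + timedelta(minutes=6)
    lines.append(f"{ok:%Y-%m-%dT%H:%M:%S} auth: SUCCESS login user=jdoe src=10.0.0.15")
    for i in range(120):
        ts = base + timedelta(minutes=10, seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} auth: FAILED login user=admin src=203.0.113.7")
    return lines


if __name__ == "__main__":
    for a in detect_failed_login_bursts(build_sample_log()):
        print(f"ALERT {a['at']:%H:%M:%S} src={a['src']} failed_logins={a['count']} within 5 min")
```

Keying the window on the source address rather than the user name is a deliberate choice: a password-spraying attacker touches many accounts a few times each, so a per-user count stays under the threshold while the per-source count does not. A real deployment would run both keys and tune the thresholds against the baseline the SIEM has built up.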

    What are the capabilities of a SIEM tool?

    SIEM tools are outfitted with a litany of features and capabilities that make these products genuinely robust. At the heart of it all is the log management functionality, which lets the tool collect and store log files from multiple hosts and sources in one centralized location. Keeping all of this information in one place also streamlines the review process: with much of the legwork of compiling reports from numerous sources removed, the single view a SIEM provides cuts IT review times drastically. Equal to log collection, security event correlation sits at the top of SIEM capabilities. This backbone of the tool lets users look past what would appear to most to be regular network traffic and see deeper indications of malicious activity, such as foreign traffic or data exfiltration.

    Another helpful capability most SIEM tools come packed with is threat intelligence feeds. Many developers preload their products with these feeds and even allow third-party integrations from organizations like MITRE to bolster threat visibility. Enhanced visibility also plays a role in the capability most valuable to C-level executives. Every bell and whistle a SIEM tool provides is fantastic for reducing the likelihood of a security breach, but the reporting capabilities are what elevate a tool to a higher level. Many IT decision-makers have no background or formal training in information technology, so it is paramount that your SIEM tool produce intelligent reports that are digestible by a CISO with 10+ years of experience in cybersecurity and by an accountant with no experience in IT alike.

    What else are SIEM tools used for?

    As outside threat actors increasingly target small, medium, and large businesses, firms everywhere have turned to SIEM tools to increase the visibility of traffic and events on their networks. One of the leading catalysts for SIEM adoption in most businesses is regulatory. Compliance standards like PCI-DSS, HIPAA, and CMMC 2.0 require organizations to store and monitor logs and traffic reports from daily user and network activity. Companies looking to achieve or maintain compliance with these frameworks will have to adhere to strict logging and monitoring requirements and ensure their tools are correctly configured.

    SIEM tools have also gained traction due to insider threats increasing, with malicious organizations offering lucrative bribes to employees willing to send classified or sensitive information. With a properly deployed SIEM tool, IT teams can monitor “usual” traffic and immediately detect when an employee is downloading a large number of files or sending them to an unknown source and disrupt the activity before it becomes an issue.

    Information security professionals everywhere have also noted the increase in IoT devices as a leading factor for SIEM tool investments. As more “smart” devices are added to the network, the number of potential attack vectors also rises. Monitoring these devices for any suspicious activity or alarming vulnerabilities is crucial to an organization’s cybersecurity posture.

    Conclusion:

    Overall, SIEM tools are an excellent defense mechanism that companies can look to deploy in their environment. The added visibility these products provide, coupled with the insights they generate, is helpful for any firm looking to improve its cybersecurity posture.

    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact

  • Overview

    • Phish Tale of the Week
    • U.S. Department of Justice reverses course on “White Hat Hacking”
    • How Cybersecurity Could Impact the Global Food Supply Chain
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts often target specific groups that malicious actors can exploit. In this instance, we see a phishing scam targeting unsuspecting debt holders. The email appears to be a notification telling us that Freedom Financial can help us with large amounts of debt relief. We are then prompted to “get started now” to receive our debt relief today. The email promises personalized debt help and the relief we need today, so why not click? Unfortunately, there are plenty of reasons not to click that email right away.

    Take a look below:

    1. The first red flag in this email is the sender’s address. Always inspect the sender’s address thoroughly to confirm it belongs to a trusted sender, since a look-alike address is the most common sign that the email is coming from a threat actor.
    2. The second warning sign is the lack of structure in the overall message. Compared with messages from legitimate financial institutions, this one has no security notices below the message and no email address or phone number to reach the sender, just a large “Get Started Now” call to action.
    3. The final warning sign is the large red “Get Started Now” call to action. Threat actors use call-to-action buttons like this to redirect targets straight to malicious landing pages. Those landing pages then infect the target’s system with malware or other software intended to steal information or extort the target further.


    General Recommendations:

    A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

    • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company that appears to be sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers or a social security number? A legitimate company will never ask for PII via instant message or email.
    • Do not give out personal or company information over the internet.
    • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and that it has the proper security in place, such as HTTPS.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    U.S. Department of Justice reverses course on “White Hat Hacking”

    The United States Department of Justice released new guidance last week that changes the agency’s stance on “White Hat Hacking.” The department had previously used the Computer Fraud and Abuse Act (CFAA), which outlaws unauthorized access to computers and network equipment, to pursue malicious threat actors and good-faith security researchers alike. That practice was widely criticized in the information security community, with many feeling that it sent the wrong message to the good guys.

    For those unaware, black hat hackers are the unethical hackers responsible for most malicious cyber activity against corporations. White hat hackers are considered ethical hackers; many are IT professionals with a love for security that manifests in looking for flaws and exploits in websites, applications, and email servers.

    Before this change in CFAA policy, prosecutors would often lump both groups of hackers together at the behest of large corporations, viewing them all as malicious actors looking to tamper with and damage digital property without authorization from the target firm. Reversing that stance, the U.S. DOJ announced that it is advising prosecutors not to use the CFAA to bring criminal charges against good-faith security researchers and enthusiasts. The change in tone received an outpouring of support from members of the information security community.

    Harley Geiger, senior director of public policy at Rapid7, had this to add: “This is demonstration from DOJ that the conversation around good-faith security researchers, white hat hackers, has really changed in the past ten years.” The law will now be interpreted so that good-faith security research is not criminalized or treated the same way as hackers poking around in systems without authorization.

    This change in policy marks a monumental moment for information security in the United States. Legitimate, authorized intrusion by penetration testers, security researchers, and vulnerability assessors will no longer come under fire from the authorities. Deputy Attorney General Lisa O. Monaco had this to add: “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

    The backbone of information security has always been the enthusiastic researchers and greater community who have worked together to make products and applications more secure from outside interference. This policy change will help usher in more collaboration between the private sector, public sector, and security researchers everywhere.

    To read more about this article, click here.

    How Cybersecurity Could Impact the Global Food Supply Chain

    The past few years have shown just how interconnected and reliant on one another every country in the world is. Supply chain issues from shipping constraints or bad harvests have drastically impacted the price of everything from corn to gasoline. With this in mind, and with the ever-growing presence of technology in multiple facets of life, could malicious hackers further disrupt the global food supply chain?

    Just last year, JBS Meats, one of the largest meat fulfillment and processing companies in the United States, suffered a cyberattack that shut down operations for a brief period. During that time, the price of bacon, chicken, and ground beef soared, rising 25-30% on these items in some areas. For many families, a 25-30% increase in their grocery bill would be detrimental to their savings and would add further budgetary constraints at home. Ultimately, JBS Meats paid an $11 million ransomware payment to restore service to its facilities and continue operations. Many in the security field think this may have served as a proof of concept for threat actors deciding which industries to target next.

    A recent report from the University of Cambridge tackled the cybersecurity flaws in AI technology used in the agricultural industry. The study found that many of the companies proposing revolutionary and life-changing solutions to modern farming problems are doing so without any real thought to the security of their products. Imagine a commercial farm in Iowa using an AI combine to harvest fields of corn. The product would be configured with the layout of the plot of land and the soil makeup in mind to ensure the most efficient harvest possible. What if a malicious threat actor found an exploitable vulnerability in the software the combine uses? The impact could be as small as an interruption in the harvesting process, with perhaps a plot of corn destroyed, but what are the implications if that vulnerability is exploitable in every machine running the same software?

    This nightmare scenario has pressured many in the agricultural industry to invest heavily in researching security vulnerabilities in their products. One such company is John Deere, one of the leading manufacturers of commercial and industrial-grade farming equipment globally. An ethical hacker going by the pseudonym Sick Codes alerted John Deere to a security vulnerability in its software that allowed unauthorized access to machine data and company information. He quickly warned the company of the issue and urged it to emphasize security in its application development process. James Johnson, John Deere’s global chief of information security, responded to the disclosure by saying, “No company, including John Deere, is immune to vulnerabilities, but we are deeply committed and work tirelessly to safeguard our customers, and the role they play in the global food supply chain.”

    Efforts by organizations in the agricultural industry to better secure their products are a significant step forward in the fight against malicious cyber interference. Firms would be well served to enlist the outside support of ethical hackers searching for security vulnerabilities in their software and products. The global food chain is volatile enough due to emerging climate and geopolitical issues; security issues should be addressed so as not to add a further burden to this colossal problem.

    For more information check out the rest of the article here.


  • Netizen Penetration Testing Guide

    Cyberattacks have become an increasingly tricky issue plaguing small and medium-sized businesses in recent years. Hackers halfway across the world or two states over are leveraging unpatched vulnerabilities to steal data, damage reputations, or extort a small business for as much money as possible. In 2021, the United States FBI disclosed that its Cyber Crime Division received as many as 4,000 complaints a day. Outside threat actors pick new organizations to exploit every day, so how should businesses protect themselves? Why not start by mirroring the attackers’ methods and seeing how easy it would be to break into your environment?

    What is Penetration Testing?

    A penetration test is a significant first step in any organization’s commitment to advancing its information security practices. Penetration Testing is the manual discovery and exploitation of uncovered vulnerabilities in a computer system or environment, usually conducted by a cybersecurity professional. The test is first authorized by management to ensure everyone is on the same footing with how the test will be completed and what steps the tester will take when performing the exercise. The cybersecurity professional then conducts the test, trying to break into the target organization’s network/systems, and provides a comprehensive report of their methodology and findings to management.

    Basically, penetration testing is similar to a bank going out and hiring an experienced bank robber to test their security practices. The bank gains valuable information from the exercise, learns where their security weak points are, and understands how someone would look to break in.

    How do you get started?

    Mirroring the approach of an actual attacker, a penetration test typically begins with the hunt for information. Network mapping, service discovery, and vulnerability scanning can all be expected at the beginning of a penetration test. Determining operating systems, service versions, and, if in scope, employee information is critical to a successful test. To cover all security threats, penetration testers must have a thorough and complete picture of the target scope. Drawing on experience and industry-standard tools, this process is hand-crafted for precision and automated for redundancy.

    Continuing into exploitation, testers either confirm or rule out their findings from the previous phase. Exploits are tested against systems in a real-world scenario, producing invaluable information for the client. In this phase it is common to attempt to gain access to employee and administrator accounts, run social engineering campaigns, and evaluate all angles of an actual attack. When a vulnerability is confirmed to be exploitable, however, the test does not stop there: further efforts are made to persist on compromised systems and push deeper into the network using the newly compromised systems and accounts. Testing continues until the entire scope has been exhausted. Where a vulnerability scan can only report predefined suspicions, this confirmation is the true value of a professional penetration test.

    What do you do after the test?

    All this work means nothing without proper documentation and education. A penetration test is more than the technical act of attacking a target; the value to the client lies in the reporting phase. Clear, concise documentation of how attacks and campaigns were discovered, tested, and executed brings a penetration test full circle. Paired with professional education sessions afterward to discuss solutions, best practices, and continuity, clients can then review, patch, and prepare for future attacks with confidence.

    Conclusion:

    In review, a penetration test is a great exercise any organization can use to enhance its cybersecurity posture. The information gained throughout the test can be used to make informed decisions about upgrading security controls and IT infrastructure, and to communicate what is going on in the environment to senior management. At the end of the day, what better way to find your security gaps than having a trusted expert try to exploit them safely?


  • Overview

    • Phish Tale of the Week
    • Bipartisan Group of Senators Proposes New Cyber Information Sharing Bill
    • Ukraine Thwarts Russian Attack on Power Grid
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts can often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting Sam’s Club customers. This email appears to be a notification alerting us that there is a surprise waiting for us. We are then prompted to “click here” to see what the surprise is. This email contains an eye-catching congratulations message and a photo of Sam’s Club, so why not click here? Unfortunately, there are plenty of reasons not to click that email right away.

    Take a look below:

    1. The first red flag on this email is the sender’s address. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In the future, review the sender’s address thoroughly to see if the email could be coming from a threat actor.
    2. The second warning sign in this email is the lack of consistency. When comparing this email to others previously sent by Sam’s Club, we notice that this email does not contain their official logo, web URL, or the disclaimer normally present at the bottom of the email. Comparing a suspected phishing attempt against previous legitimate emails is a great way to spot immediate signs of inauthenticity.
    3. The final warning sign for this email is the large blue “Click here” call to action. Threat actors use call-to-action buttons like this to immediately redirect targets to malicious landing pages. These landing pages then infect the target’s system with malware or other software with the intention of stealing information or further extortion. This attempt even tries to catch unsuspecting users twice, with a malicious red “here” at the bottom of the email masquerading as an unsubscribe link.


    General Recommendations:

    A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

    • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
    • Do not give out personal or company information over the internet.
    • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing emails convey a sense of urgency, or even aggression, to intimidate the recipient. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    Bipartisan Group of Senators Proposes New Cyber Information Sharing Bill

    Earlier this month, a bipartisan group of senators consisting of Gary Peters (D-Mich), Amy Klobuchar (D-Minn), Rob Portman (R-Ohio), and Roy Blunt (R-Mo) brought new legislation to the floor in an effort to increase the communication between branches on cybersecurity issues. This legislation, titled The Intragovernmental Cybersecurity Information Sharing Act, would expedite the information sharing process from the executive branch to members of the Senate and House of Representatives. This bill aims to increase collaboration efforts between all branches as cybersecurity incidents become more frequent and detrimental to our society.

    Many key sponsors of the bill cited the turtle-like pace at which information has been previously shared, with many claiming that they are left out of the loop during significant cyber-attacks. Senator Amy Klobuchar added, “Cybersecurity threats against our government require a timely, coordinated response. Yet too often, a lack of communication between the Department of Homeland Security and Congress leaves us vulnerable to damaging cyberattacks.” She later summarized that this bill would help better protect our country from cyber-attacks by requiring the Department of Homeland Security to increase information sharing with Congress.

    In a show of bipartisan support, Senator Robert Portman from Ohio exclaimed, “As we have recently seen, cyberattacks are increasing against our critical infrastructure as well as the federal government. Unfortunately, some of the cybersecurity professionals in Congress have faced lengthy delays in getting information on cybersecurity threats from the Executive Branch. That should not be the case.” Portman later released a statement to the press where he stressed that our enemies would not distinguish between our branches of government, and any actions we take in response must be swift and precise.

    This legislation was introduced following the recently adopted Cyber Incident Reporting Act, strengthening the reporting requirements for critical infrastructure affected by cyber-attacks. Both Klobuchar and Portman were staunch supporters of that bill, signaling a strengthening of priorities between two tenured senators. Reporters around Capitol Hill anticipate this bill to make it through numerous rounds of committees before voting on the floor, with action hopefully planned by mid-summer.

    To read more about this article, click here.

    Ukraine Thwarts Russian Attack on Power Grid

    Officials in the Ukrainian Government released a statement on Tuesday, 4/12 detailing an alleged Russian cyber-attack they thwarted. The cyber-attack supposedly targeted Ukraine’s power grid and, if successful, could have knocked out power for over two million people. While this defense of their national power grid is impressive, the aggression by Russia marks another step toward all-out digital war, leaving many experts fearful of how Russia will respond.

    Reporters inside Ukraine named the hacking group Sandworm as the perpetrator behind this most recent attack. The group is formally known as Unit 74455 of the GRU, Russia’s military intelligence agency. The attack targeted computers, networking equipment, and high-voltage electrical substations tied to Ukraine’s primary power grid. It occurred in two waves on the evening of April 8th and targeted an unnamed Ukrainian energy supplier. Sandworm attempted to deploy malicious “wiper” software to erase data saved on computers, making them unusable and crippling the ensuing remediation response. The hacking group also utilized Industroyer, malicious software that targets industrial control systems, allowing near-total access to the affected systems.

    Ukraine’s Deputy Chief of Information Protection, Victor Zhora, released a statement following the attack, claiming that Russian hackers had targeted an oblenergo (energy distribution center). This was a sophisticated and precise attack with the mission of causing mass electrical outages across Ukraine. The attackers gained a brief period of access to numerous systems inside the distribution center but were quickly stopped before they could do more severe damage.

    The CIA and U.S. Department of Homeland Security have previously warned that Russia could look to utilize cyber-attacks to achieve more significant damage in its campaign against Ukraine. Experts inside the intelligence community see this attack as a signal that more cyber-attacks against critical Ukrainian infrastructure will materialize in the coming weeks. In the meantime, companies worldwide should be warned that these cyber-attacks could target businesses outside of Ukraine as the conflict spreads beyond the region.

    For more information check out the rest of the article here.


  • Lapsus$: The teenager-run cybercriminal gang targeting Fortune 500 companies.

    Earlier this week, IT giant Microsoft and identity management firm Okta reported that their organizations had suffered data breaches at the hands of Lapsus$. Lapsus$ is a relatively new hacking group, with indications of their activity first reported against Samsung and NVIDIA at the end of 2021. The hacking group announced a Telegram channel on March 22nd, 2022, claiming they had stolen source code from Microsoft and were going to publish screenshots of their exploit to show their capabilities to the public. Microsoft quickly responded to this claim in a blog post detailing the suspicious activity:

    “The activity we have observed is attributed to a group of threats tracked by Microsoft as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. DEV-0537 began attacking organizations in the United Kingdom and South America, but expanded to global targets, including organizations in the government, technology, telecommunications, media, retail, and healthcare sectors. DEV-0537 has also been known to hijack individual user accounts on marketplaces to loot accounts.”

    Okta Data Breach:

    While this statement shows Microsoft was able to mitigate the damage caused by Lapsus$, how have other targets fared in their defense against this cybercriminal operation? Identity and access management company Okta is a relatively familiar name for many in the business world. Their suite of products allows companies to monitor user activity across their networks remotely and escalate access privileges as necessary. Unfortunately, this company, known for enhancing security practices in customer environments, ran into a nightmare scenario when it found itself in the scope of the Lapsus$ hacking group.

    On Monday, March 21, 2022, Lapsus$ posted screenshots of Okta’s internal apps and systems, boasting of their ability to circumvent the tech giant’s inner defenses. The screenshots depict an ongoing hacking operation that persisted inside Okta’s environment through most of January 2022. Lapsus$ first gained access to Okta’s systems after compromising Sykes, a third-party support vendor with ties to Okta. Malicious hackers often exploit third-party vendors as an initial target, where the hacking group then looks to pivot and find more lucrative targets that rely on these vendors for support. In this case, Sykes provided customer support services to Okta and had wide-spanning access to their internal environment, creating the perfect storm for Lapsus$ to exploit this relationship.

    How do they do it?

    The one question that has repeatedly baffled researchers is: how do you stop Lapsus$? Their preferred methods of compromise are bribing insiders and exploiting third-party vendors. Bribing disgruntled insiders is a surefire way to access highly privileged user accounts. Lapsus$ bypasses traditional security perimeters by researching these insiders for weeks to months beforehand and contacting them on personal devices not under the security umbrella of their employer. In other cases, they use similar methods to gain access through vendors with close ties to target organizations. These vendors typically lack the sophisticated security defenses that a Fortune 500 company would have, but are ultimately so interconnected that they allow attackers to pivot to the larger targets after the initial breach. However, the most significant conundrum investigators have faced with Lapsus$ is what their goal in all these attacks is.

    Conclusion:

    Lapsus$ has targeted massive Fortune 500 companies, globally recognized brands that collect billions in revenue each year, but they have seldom asked for a ransom. They’ve stolen source code, published internal documentation to boast of their exploits, and even suggested changes in business practices, but have only made monetary demands of two organizations. In NVIDIA’s case, Lapsus$ demanded that NVIDIA remove an anti-cryptomining feature from their GPUs and make all their products open source. When they attacked Microsoft, there were no demands. Instead, they boasted of their exploitation in a Telegram channel and distributed what source code they stole for free. Regardless of their goals, Lapsus$ is still a hacking group consisting primarily of teenagers. If hackers this young can breach some of the most well-funded companies, everyone needs to take a step back and reevaluate their security practices.


  • Overview

    • Phish Tale of the Week
    • Chinese State-Sponsored Hackers Compromise Multiple U.S. State Governments
    • Altoona Area School District Affected By Cyberattack
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts can often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting McAfee customers. This email appears to be a notification alerting us that our computer is no longer protected and our subscription has expired. We are then prompted to renew our subscription and activate the code below now. This email contains a convincing message urging us to protect our device from hackers, so why not click the link and update our details? Unfortunately, there are plenty of reasons not to click that email right away.

    Take a look below:

    1. The first red flag on this email is the sender address. Always thoroughly inspect the sender address to ensure it’s from a trusted sender. In the future, review the sender address thoroughly to see if the email could be coming from a threat actor.
    2. The second warning sign in this email is the urgency created in the message. The subject line tells us that “our computer is no longer protected” and further reads “Keep your Devices Safe NOW”. This type of message is commonly used by threat actors to elicit an urgent and fast reply from their target.
    3. The final warning sign for this email is the large red “Activate NOW” call to action. Threat actors use call-to-action buttons like this to immediately redirect targets to malicious landing pages. These landing pages then infect the target’s system with malware or other software with the intention of stealing information or further extortion.



    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    Chinese State-Sponsored Hackers Compromise Multiple U.S. State Governments

    Investigators from the cybersecurity firm Mandiant have uncovered a Chinese state-sponsored hacking group that compromised at least six U.S. state governments. The persistent attacks took place between May 2021 and February 2022. The group, identified as APT41, used web application vulnerabilities to gain its initial foothold into multiple state governments. Additionally, Mandiant has found that APT41 exfiltrated personally identifiable information (PII) from the affected systems in a manner similar to previously recorded espionage operations, but has yet to confirm whether this was an intelligence-gathering operation on behalf of the Chinese government.

    “APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability,” a researcher from Mandiant added.

    Microsoft is one of the most prominent tech manufacturers globally, and attacks like this have become the new normal for this U.S.-based company. Reports of a 2.4 terabit per second (Tbps) attack in October 2021 and two other large-scale DDoS attacks, each of 2.5 Tbps, show just how often Microsoft’s Azure DDoS Protection team has to put its skills to the test.

    This attack marks another instance where nation-state hackers from China were able to infiltrate U.S. state systems and remain undetected for months on end. These threat actors utilized numerous tools and techniques to adapt to any defenses that may have begun to uncover their trail. This shows the persistence and long-term resolve that many inside the U.S. government feared would show in attacks from nation-state hackers.

    Following the initial report on this attack, a spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) stated they were aware of the breach and had this to add:

    “CISA is actively working with our JCDC [Joint Cyber Defense Collaborative] private sector partners, including Mandiant, and government partners to address this advanced persistent threat to state government agencies and assist impacted entities. We encourage all organizations and critical infrastructure entities impacted by cyber intrusions to report to CISA, and to visit CISA.gov to take action to protect themselves.”

    According to Mandiant’s researchers, members of APT41 were able to initially compromise U.S. state government networks by exploiting vulnerabilities in applications built with Microsoft’s .NET platform. One of the vulnerabilities exploited was previously unknown and was found in an animal health reporting database system called USAHERDS. Experts believe the extent of this attack will be much larger than previously reported, with almost 20 different state governments reporting use of USAHERDS in their facilities.

    U.S. government officials were pressed earlier this week on the motive of APT41’s most recent attack and believe its focus was an espionage reconnaissance mission to determine the response of U.S. state governments. When asked for a response, Zhao Lijian, a spokesperson for China’s foreign ministry, stated:

    “China firmly opposes and combats any form of cyberattacks and will not encourage, support, or condone any cyberattacks.”

    To read more about this article, click here.

    Altoona Area School District Affected By Cyberattack

    Earlier this week, the Altoona Area School District sent a letter out to faculty and staff alerting them that a cyberattack affecting their internal systems had occurred. School superintendent Charles Prijatelj stated: “Altoona Area School District recently discovered it was the victim of a sophisticated cybersecurity incident, which impacted certain internal systems. Upon discovery of the incident, our IT took several steps to contain the incident and third-party forensic advisors and external legal counsel were engaged to assist”.

    News publications around Altoona received numerous anonymous phone calls describing the effects of the cyberattack, with many teachers reporting that their credit card agencies had alerted them that their personal information was now found on the dark web. Researchers investigating the incident believe that social security numbers, full names, addresses, insurance ID numbers, and staff telephone numbers were all compromised in this breach. Prijatelj later commented on the incident, adding that Altoona’s IT department was in the process of containing the incident and had engaged third-party forensic investigators to assist with remediation.

    Cyberattacks have become more frequent across the country as threat actors have found a new lucrative target to exploit. School districts house troves of personally identifiable information for students and faculty alike. This, coupled with abysmal amounts of funding for security-related projects, creates the perfect storm for threat actors looking for a quick payout. The public nature of these institutions also means that when a breach occurs or ransomware is detected, the schools almost always have to agree to the hackers’ demands and pay the ransom.

    Superintendent Charles Prijatelj penned a separate letter to parents and guardians of children in the school district, saying: “We do know that some of our employees have received notification of potential data compromise and we wanted to make you aware of the situation as well. Upon completion of the investigation, those individuals with compromised data will receive official notification. At this time, however, that information is not yet known.” Prijatelj then thanked parents for their patience and assured them that more information will be made available as the district uncovers more about this incident.

    For more information check out the rest of the article here.


  • Global Cyber War: What is at stake?

    The Russian military invasion of Ukraine began with missiles striking just outside the capital, Kyiv, in the early morning hours of February 24th. While this event marks the beginning of military involvement in the campaign against Ukraine, Russian-sponsored hackers had been bombarding Ukrainian websites and infrastructure for the preceding weeks in preparation for the invasion. The cyberattacks targeted the Ukrainian Parliament’s website and several state-owned banks in an effort to destabilize the country. The warning “Be afraid and expect the worst” was left on multiple websites following the initial cyberattacks.

    These recent geopolitical escalations have left many wondering, how bad could modern-day cyber war be? Russia stifled the Ukrainian economy by disabling all their state-owned banks and spread panic across the country by targeting other websites. Unfortunately, this is not as bad as it gets when it comes to the effects of a cyber war.

    The effects of Cyber War:

    In 2021, the U.S. saw firsthand how critical infrastructure could be impacted by a cyber war. In Oldsmar, Florida, a water treatment facility was targeted by an unknown hacker who modified the lye levels in the water to toxic levels. Luckily, a worker at the facility noticed the changes and corrected them immediately. Had he not, millions of people would have risked consuming dangerously tainted drinking water. Another example of critical infrastructure being impacted was when Colonial Pipeline suffered a ransomware attack, disrupting the largest fuel supplier for the Southeastern United States. U.S. citizens from Texas to Virginia saw the impacts of this attack firsthand as the fuel shortage caused by the cyberattack sent gas prices skyrocketing and left many across the region without fuel.

    Prepare for the worst:

    Cyber-attacks of this nature are becoming more and more common, as this marks the fifth major breach of a U.S. company in the past six months. Cyber criminals are beginning to utilize the RaaS, or Ransomware-as-a-Service, model to expand their operations by licensing their software out to other malicious actors. Countries across the globe need to be prepared for impending cyberattacks in the coming weeks. Many members of NATO have imposed economic sanctions on Russia in an attempt to punish it for escalations along the Ukrainian border. These sanctions could prove to be motivation for more state-sponsored hackers to take up their keyboards in retaliatory efforts against NATO countries. The U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have released a warning for businesses and countries to be on high alert for malicious cyber activity.

    The FBI, NSA, and CISA recommendations for companies are as follows:

    • Enforce Multi-Factor Authentication.
    • Enforce strong and unique passwords for all users.
    • Enable M365 Unified Audit Logs.
    • Implement endpoint detection and response tools.

    In conclusion, organizations and countries worldwide must prepare themselves for escalated cyberattacks in the next few weeks. Treat every disturbance or instance of unusual activity as a potential threat and investigate thoroughly. Inform all employees that they should also be hyper-vigilant during this time of unrest and be mindful of any suspicious emails or activity within their environment.


  • Overview

    • Phish Tale of the Week
    • Microsoft Fends Off Largest DDoS Attack Ever Recorded
    • Threat Actors Target Tax Software Company Intuit in Latest Phishing Campaign
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts can often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting FedEx customers. This email appears to be a notification alerting us that our package could not be delivered due to incomplete information for our physical address. We are then prompted to update our address below. This email contains FedEx’s logo and a convincing message saying update my address, so why not click the link and update details? Unfortunately, there are plenty of reasons not to click that email right away.

    Take a look below:

    1. The first red flag on this email is the sender address. Always thoroughly inspect the sender address to ensure it’s from a trusted sender. In the future, review the sender address thoroughly to see if the email could be coming from a threat actor.
    2. The second warning sign in this email is the frank message about grant money. Messages like this are usually targeted at people in college or around college age to entice them with an offer that is too good to be true. In this case, we are told we can take the right path in life by accepting these grant finances to go back to school.
    3. The final warning sign for this email is the encrypted PDF file attached to the message. Threat actors use encrypted PDFs to deliver malicious payloads, normally laced with ransomware or other malware. Never open attachments from unknown parties.


    General Recommendations:

    A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

    • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
    • Do not give out personal or company information over the internet.
    • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    Microsoft Fends off Largest DDoS Attack Ever Recorded

    Cyber-attacks have ballooned to numbers the United States has never seen before in recent months. The FBI estimates that in 2020 U.S.-based companies suffered over $5 billion in damages from cyber-attacks. One of the crudest and most widely used methods of cyber-attack is a distributed denial of service attack, or DDoS for short. This occurs when an attacker floods a system or server with an overwhelming volume of traffic, usually from multiple systems at once, in an effort to overload the target. If done as intended, this attack can knock websites offline for hours, if not days on end, and cause outages for other systems that depend on them.

    Last week Microsoft’s Azure DDoS protection team reported that in November of 2021 they had successfully defended against what is likely the largest distributed denial of service attack ever recorded. The attack lasted over 15 minutes with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), and came from over 10,000 different attack sources in ten distinct countries across the globe.

    Microsoft is one of the most prominent technology companies globally, and attacks like this have become the new normal for this U.S.-based company. Reports of a 2.4 terabit per second (Tbps) attack in October 2021 and two other large-scale DDoS attacks, each at 2.5 Tbps, show just how many times Microsoft’s Azure DDoS protection team has to put its skills to the test.

    Reports from inside Microsoft have shown that these DDoS attacks are growing in size and duration. In 2021, 57% of DDoS attacks against Microsoft lasted under 30 minutes, a 17% drop from where attacks clocked in during 2020. The number of attacks that lasted longer than an hour doubled from 13% in 2020 to 27% in 2021. These more drawn-out attacks often consist of a sequence of numerous short, repeated bursts.
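    The two things the article measures, aggregate packet rate from many sources and the duration of repeated bursts, are exactly what a volumetric DDoS detector watches for. The following is an added example written for this newsletter, not code from Microsoft or Netizen; the thresholds, the per-flow record format and the 12-second traffic trace are constructed assumptions, and the mean-packet-size helper simply divides the article's reported 3.47 Tbps by its 340 Mpps.

```python
"""Volumetric DDoS detection over per-flow packet counts (added example; sample data constructed)."""
from collections import defaultdict

# Assumed thresholds for a small service; they are not figures from the article
# and would be tuned from a baseline of normal traffic in practice.
AGGREGATE_PPS = 5_000        # total packets/s into the target that is abnormal
DISTINCT_SOURCES = 50        # this many simultaneous senders looks distributed
PER_SOURCE_PPS = 2_000       # a single sender this loud is a plain flood


def detect(records, window=1):
    """records: iterable of (timestamp_s, src_ip, packets) flow samples.

    Buckets traffic into `window`-second slots and returns one alert
    (bucket_start, kind, total_pps, distinct_sources) per abnormal slot.
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, pkts in records:
        buckets[(int(ts) // window) * window][src] += pkts
    alerts = []
    for start in sorted(buckets):
        per_src = buckets[start]
        total_pps = sum(per_src.values()) / window
        loudest = max(per_src.values()) / window
        n_src = len(per_src)
        # Many sources adding up to an abnormal aggregate rate: the DDoS pattern.
        if total_pps >= AGGREGATE_PPS and n_src >= DISTINCT_SOURCES:
            alerts.append((start, "distributed-flood", total_pps, n_src))
        # One host alone exceeding its budget: a single-source flood, rate-limitable.
        elif loudest >= PER_SOURCE_PPS:
            alerts.append((start, "single-source-flood", total_pps, n_src))
    return alerts


def episodes(alerts, window=1):
    """Merge consecutive alert slots of the same kind into attack episodes,
    so the short repeated bursts the article describes show up with durations."""
    out = []
    for start, kind, _, _ in alerts:
        if out and out[-1]["kind"] == kind and out[-1]["end"] == start:
            out[-1]["end"] = start + window
        else:
            out.append({"kind": kind, "start": start, "end": start + window})
    for ep in out:
        ep["duration_s"] = ep["end"] - ep["start"]
    return out


def mean_packet_size_bytes(bits_per_second, packets_per_second):
    """Sanity-check reported figures: throughput / packet rate gives mean packet size."""
    return bits_per_second / 8 / packets_per_second


def sample_records():
    """Constructed 12-second trace: steady background, two multi-source bursts,
    and one noisy single host. Addresses are private or RFC 5737 documentation ranges."""
    recs = []
    for t in range(12):
        for i in range(20):                          # normal clients, 10 pkt/s each
            recs.append((t, f"10.0.0.{i}", 10))
        if t in (5, 6, 9, 10, 11):                   # 100 bot hosts, 100 pkt/s each
            recs.extend((t, f"203.0.113.{i}", 100) for i in range(100))
        if t == 8:                                   # one host alone at 3000 pkt/s
            recs.append((t, "198.51.100.7", 3000))
    return recs


if __name__ == "__main__":
    found = detect(sample_records())
    for ep in episodes(found):
        print(f"{ep['kind']}: t={ep['start']}s for {ep['duration_s']}s")
    print("mean packet size in the 3.47 Tbps / 340 Mpps attack: "
          f"{mean_packet_size_bytes(3.47e12, 340e6):.0f} bytes")
```

    The distinction between the two alert kinds matters for response: a single loud host can be rate-limited or blocked at the edge, while a distributed flood needs upstream scrubbing or provider-level mitigation of the kind the Azure team describes, because no individual source exceeds a per-client limit.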

    This rise in DDoS attacks is a growing concern for many in the global information security community. Attacks similar to this can be used to overload power or utility systems to cause blackouts, disrupt transit in major metropolitan cities, or even go as far as short-circuiting a nuclear power reactor. Policymakers and boards of directors alike need to prioritize bolstering their security postures. Attacks are going to start flooding in from every side, and companies will only have a moment’s notice to react. Proactive cyber security policies and dynamic firewall parameters are some of the best ways to fight against these DDoS attacks.

    To read more about this article, click here.

    Threat Actors Target Tax Software Company Intuit in Latest Phishing Campaign

    Eager to get your tax refund this year? Unfortunately, so are cyber criminals. Tax company Intuit is warning that an ongoing phishing campaign is targeting its users. The subject line reads “Critical: Action Required (TXPO99497)”, with the email displaying an “account disabled warning” and stating that users must remedy this issue within 24 hours. Users are then told that “this is the result of a recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season.” The message then concludes with a malicious link at the bottom for users to “restore their accounts”.

    A spokesperson for Intuit declared, “the sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit.”

    Intuit declined to comment on what happens when users click the malicious link; however, most phishing campaigns use similar links to ensnare their targets with malware or ransomware. If you have already clicked the link, some necessary steps you can take to protect yourself are as follows: delete any recent downloads from unknown sources, use up-to-date antivirus software to scan your computer/laptop, and change the passwords of any accounts that were signed in when you clicked the initial link.

    Consumers need to constantly be on the lookout for phishing attacks as threat actors become more crafty. This recent phishing campaign using Intuit as a guise relies on users rushing to get their taxes done during a busy time of the year. Always be sure to check the sender address and contents of every email you receive to make sure it’s not a phishing trap. Attackers often use urgent messages such as “fix account within 24 hours” or “click the link immediately to resolve this issue” in an attempt to create panic and elicit a fast response from their targets. Thoroughly inspect any suspicious-looking emails, and delete them properly through your email service.

    For more information check out the rest of the article here.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Overview

    • Phish Tale of the Week
    • How Remote Work has Impacted Cybersecurity
    • Are Medical Devices at Risk of Cyber Attacks?
    • How can Netizen help?

    Phish Tale of the Week

    Phishing attempts can often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting FedEx customers. This email appears to be a notification alerting us that our package could not be delivered due to incomplete information for our physical address. We are then prompted to update our address below. This email contains FedEx’s logo and a convincing message saying update my address, so why not click the link and update details? Unfortunately, there are plenty of reasons not to click that email right away.

    Take a look below:

    1. The first red flag on this email is the sender address. Always thoroughly inspect the sender address to ensure it's from a trusted sender. In the future, check all suspicious emails from companies against previous correspondence you’ve received and make sure the sender address is the same.
    2. The second warning sign in this email is the incomplete greeting. The email starts off with Dear [Name] instead of an actual name. This is a telltale sign of a spam email. Most outside threat actors will lack the basic information to create a legitimate-looking email. Usually, the greeting would have your specific first and last name at the beginning to show who the company is communicating with.
    3. The final warning sign for this email is the inconsistency in the messaging. First we are told to update our physical address. Then we are told to update our personal address. Finally we are told to “update my address” below. Most companies will use consistent messaging and refer to account changes that need to be made in the same fashion each time. This physical address vs. personal address vs. update my address is an immediate red flag.


    For FedEx-specific recommendations and tips check out this link to their fraud detection center here.
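    The red flags called out across the Phish Tales above (a sender address that does not belong to the brand in the display name, a templated “Dear [Name]” greeting, “expiring soon” and “action required” urgency wording, a link whose host is not the company’s domain or lacks HTTPS, and a risky attachment) can be turned into a first-pass triage script that a help desk or mail gateway runs before a human looks at the message. The following is an added example, not code from Netizen, FedEx or Intuit; the brand-to-domain allow-list, the phrase lists, the two-flag threshold and the sample message are constructed assumptions modelled on the FedEx lure described above.

```python
"""Heuristic phishing triage for one raw email (added example; sample data constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a defender-maintained allow-list of brands and the domains they
# legitimately send from. Entries are illustrative, not verified sender lists.
BRAND_DOMAINS = {"fedex": {"fedex.com"}, "intuit": {"intuit.com"}}
URGENCY_PHRASES = ("action required", "within 24 hours", "expiring soon",
                   "immediately", "account disabled", "critical")
GENERIC_GREETINGS = ("dear [name]", "dear customer", "dear user", "dear valued")
RISKY_ATTACHMENT_TYPES = {"application/pdf", "application/zip", "application/x-msdownload"}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _claimed_brand(text):
    text = text.lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    subject = msg.get("Subject", "")
    brand = _claimed_brand(display + " " + subject)

    # 1. Sender address: display name claims a brand the sending domain does not belong to.
    if brand and from_dom not in BRAND_DOMAINS[brand]:
        findings.append(f"sender domain {from_dom!r} is not a {brand} domain")
    # A Reply-To pointing elsewhere steers the victim's answer away from the From domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        findings.append("Reply-To domain differs from From domain")

    body, attachments = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_filename():
            attachments.append((part.get_filename(), ctype))
        elif ctype.startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload:
                body.append(payload.decode("utf-8", "replace"))
    body = "\n".join(body)
    lower = (subject + "\n" + body).lower()

    # 2. Urgency or intimidation wording in subject or body.
    hits = [p for p in URGENCY_PHRASES if p in lower]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # 3. Templated greeting instead of the recipient's name.
    if any(g in lower for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")
    # 4. Links: plain HTTP, or a host outside the claimed brand's domains.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append(f"non-HTTPS link {url}")
        if brand and not any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand]):
            findings.append(f"link host {host!r} is not a {brand} domain")
    # 5. Attachment types commonly used to carry a payload.
    for name, ctype in attachments:
        if ctype in RISKY_ATTACHMENT_TYPES:
            findings.append(f"risky attachment {name} ({ctype})")
    return findings


def is_suspicious(raw, threshold=2):
    """Treat the message as a phishing candidate once enough red flags stack up."""
    return len(triage(raw)) >= threshold


# Constructed sample modelled on the FedEx lure described above; not a real message.
SAMPLE_PHISH = """\
From: "FedEx Delivery" <notice@fedex-delivery-update.example>
Reply-To: claims@mail-relay.example
To: you@example.com
Subject: Expiring soon: Action Required for your package
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Dear [Name],

Your package could not be delivered due to an incomplete address.
Update my address here: http://fedex.update-tracking.example/address

--b1
Content-Type: application/pdf; name="label.pdf"
Content-Disposition: attachment; filename="label.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH):
        print("-", finding)
    print("suspicious:", is_suspicious(SAMPLE_PHISH))
```

    The checks are deliberately heuristic: a legitimate message from a brand's real domain with a personalised greeting and HTTPS links to that domain produces no findings, while the constructed lure trips every rule. In a real deployment the allow-list would come from the organisation's verified vendor contacts, and the script would sit beside, not replace, SPF/DKIM/DMARC results from the mail gateway.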

    Cybersecurity Brief

    In this week’s Cybersecurity Brief:

    How Remote Work Has Impacted Cybersecurity

    The pandemic has forced many companies to abruptly accept work from home for the majority of their workforce as the new normal. Once bustling offices have been reduced to skeleton crews of a handful of employees or, in many cases, remain completely empty. This switch has been a blessing for some companies, allowing them to reduce fixed costs such as real estate and even broaden their searches for new job candidates now that geographical limitations aren’t a factor.

    Unfortunately, some severe problems have begun to plague many organizations relying on remote work policies. Before the start of the pandemic, remote work was seldom used in most companies. This lack of experience and a rapid switch to remote work created a security nightmare for many teams. Many of these businesses lacked the infrastructural and cultural policies to adapt to remote work environments fully. Did you know only 38% of companies had a cybersecurity policy in place before the pandemic, and only a third of these businesses had policies on remote work? This created a perfect storm for cybercriminals, with cyber attacks almost quadrupling during the pandemic targeting small and medium-sized businesses, hospitals, enterprise-grade organizations, and schools alike.

    One of the leading causes of headaches for companies suffering onslaughts of cyber attacks was the lack of planning. Organizations quickly adapted to the new normal of remote work but were unable to create cybersecurity policies beforehand to govern how these devices communicate with each other and are used. This lack of forethought also affected the tools or lack thereof that companies could use to help better monitor network traffic, secure firewalls, or detect vulnerabilities within their environment. Even companies who did have state-of-the-art equipment in the office were now rendered helpless and had to rely on the network security of their employees since they were no longer under the office safety net of a well-programmed firewall.

    Another major issue that has affected companies everywhere is an overall lack of cybersecurity education. Most cyber attacks start with an unsuspecting employee clicking on a malicious link or downloading a file they shouldn’t have. Organizations need to be quick to adopt a culture of hyper-vigilance when discussing security with their employees. The best way to approach this is through an abundance of caution. Employees are better served asking for help when an attachment looks suspicious than mistakenly clicking on a malicious link. Companies that prioritize training their employees to ask questions about security and check with their IT admins first will immediately notice a decline in risk.

    Overall, remote work has brought many incentives to organizations that implement it correctly. With it comes an increased attack surface that outside threat actors will use to target more companies and employees for extortion. The best way to move forward is to review your cybersecurity policies and update them accordingly for a remote work environment. Make all employees part of a culture of security at your company.

    To read more about this article, click here.

    Are Medical Devices at Risk of Cyber Attacks?

    In 2017 the first ransomware assault on networked medical equipment occurred when the ransomware strain WannaCry targeted radiological tools in several hospitals. This attack caused multiple hospitals to postpone cancer treatments until they could identify the source of the ransomware affecting their network. This example perfectly illustrates how cyber attacks can disrupt the healthcare industry and impact patients’ care. However, the quality of care is not the only thing disrupted during cyber attacks.

    Hospitals house some of the most comprehensive PHI (patient health information) databases globally. These records include medical history, address, age, social security numbers, and insurance specifics that can lead to nightmares for unsuspecting patients when in the wrong hands. Since more hospitals have become interconnected with a litany of medical devices communicating with each other over the network, securing the transfer of this information through the cloud is paramount.

    Securing external medical equipment is imperative to providing quality health care and protecting patient information. Everything from insulin pumps to ventilators to security cameras and RFID readers must be secured to ensure hackers do not have easy entry points. The interconnectivity of devices in a hospital has created a massive attack surface for outside threat actors to exploit. IT staff need to be well trained in identifying, upgrading, and patching vulnerable systems and devices to ensure they are safe from malicious cyber criminals.

    The pandemic has caused a significant strain on health care organizations across the country. The increase in patients has caused issues for primary care providers and created a perfect storm for outside threat actors. Hackers are using the unrest created from surges of patients at hospitals to target health care networks and infect them with ransomware. Law enforcement and government agencies have been unable to stop the escalation of cyber attacks against hospitals, leaving on-site IT admins and medical device security as the last line of defense.

    In conclusion, medical device manufacturers need to focus on the security of their devices before they are released into the market. Vulnerable devices cause a wide array of problems for health care institutions and can be actively exploited by cyber criminals. At the same time, hospitals need to prioritize enabling IT staff to monitor these devices and consider what devices could become attack vectors in their environment.

    For more information check out the rest of the article here.
