• Netizen Cybersecurity Bulletin: 24 October 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Will This Halloween Be Cyber Scary?
    • Healthcare.gov breach Compromises 75K Users’ Data
    • Test your SSL Security
    • Web Applications Vulnerable Due to Security Flaw in Popular Plugin
    • Phish Tale of the Week
    • How can Netizen Help?

    Will this Halloween Be Cyber Scary?

    As we wind down the month of October, it’s time for a Halloween story. And in that spirit, what is a Halloween story without some chills and frights?

    Your company’s data is at risk! In what ways? A threat analysis conducted by F5 Labs reports that the leading application breaches concentrate on payment card theft, in the following proportions:

    • website injection: 70%
    • website hacking: 26%
    • database hacking: 4%

    These attacks use polymorphic code; if you think polymorphic sounds like something a mad scientist would use, you’re not far off. Polymorphic code self-mutates, which makes it harder for anti-virus software to detect.

    Even scarier, the number of web application breaches is rising fast, like a mist on a moonless night. Notably, applications and identities are the primary targets in over 85% of breaches.

    In Q1 of 2018, attacks break down as follows:

    • login credentials stolen via compromised email accounts: 34.29%
    • access control misconfigurations: 22.9%
    • credential stuffing (using automated tools to brute-force username/password combinations): 8.6%
    • brute forcing passwords: 5.71%
    • social engineering thefts: 2.76%

    Like any horror movie, simply running away will not keep your data safe.

    Recommendations:

    • Your network appliances need to be configured correctly with security as the top priority.
    • Embrace a top-down security culture to ensure all employees and management stay vigilant against things that go bump in the digital night.
    • Just as the victims in scary movies should never open closet doors, no one should use a public WiFi without a VPN in place to ensure data integrity.

    Whether you’re expecting a trick or treat this Halloween, neglecting cybersecurity is certain to have frightening consequences.

    Read the full report from F5 here: https://www.f5.com/content/dam/f5/f5-labs/articles/20180725_app_protect_report/F5_Labs_2018_Application_Protection_Report.pdf

    Healthcare.gov breach Compromises 75k Users’ Data

    The Center for Medicare and Medicaid Services (CMS) has reported that a sign-up system for Healthcare.gov has been breached, leading to the compromise of 75,000 users’ personal data.

    On Oct. 13, CMS staff detected suspicious activity in the Federally Facilitated Exchanges (FFE) – the FFE’s Direct Enrollment pathway – a system used by healthcare insurance agents and brokers to help consumers apply for coverage available on Healthcare.gov.

    When the breach was confirmed on Oct. 16, officials deactivated agent and broker accounts associated with the anomalous activity and disabled the pathway. “We are working to address the issue, implement additional security measures, and restore the Direct Enrollment pathway for agents and brokers within the next 7 days,” CMS said in a release.

    The tool used to breach the system is available only via the disabled pathway. All other FFE enrollment channels, including Healthcare.gov and the Marketplace Call Center, are running. It’s worth noting the compromised system is available only to agents and brokers, not the general public.

    CMS said open enrollment will not be negatively affected by the incident, and it’s planning to notify all those potentially affected “as quickly as possible.”

    Test Your SSL Security

    A free command-line tool known as testssl.sh can test Secure Sockets Layer (SSL) security. SSL is often used to encrypt and secure online communication (e.g., a banking website should be TLS/SSL encrypted). The tool can check a server’s service on any port for its support of TLS/SSL ciphers and protocols, for recent cryptographic flaws, and more.
    Features of testssl.sh include:

    • The output of the results is clear and concise.
    • Easy installation of the tool supports Linux, Darwin, FreeBSD, and MSYS2/Cygwin out of the box; no extra configuration is required.
    • Testssl is flexible as you can test any SSL/TLS enabled and STARTTLS service; much more than just web servers at port 443.
    • Features are reliable as they are tested thoroughly.
    • Results are confidential as it is only you who sees them.
    • Testssl is completely free—i.e., Open Source.

    We recommend considering this tool for use in securing the servers in your environment as it is efficient and very cost-effective.

    Web Applications Vulnerable Due to Security Flaw in Popular Plugin

    A popular plugin called jQuery File Upload has been found vulnerable to an eight-year-old flaw that puts over 7,500 software applications at risk of compromise and remote code execution.

    jQuery File Upload is an open-source package for software developers that allows for easy file uploading, including multiple file selection, drag-and-drop support, and progress bars. It’s compatible with popular web languages such as PHP, Python, Java, and Node.js.

    Security researchers found that the code allows uploaded files to be placed in web-accessible directories, where they can be executed to run malicious code on the targeted web server. They also found that no validation was performed on the uploads and that no form of authentication was needed in order to upload the malicious files.

    This vulnerability gives attackers an avenue of attack through which they can gain access to the system, install malware, exfiltrate data, or reach other parts of the network, depending on where the server is hosted. Not only can attackers deface the website, but they can use the server as a command-and-control server for a botnet as well.

    Fixes for the vulnerability have been addressed in the commercial version, allowing only image-file uploads, such as GIF, JPEG, and PNG. However, web applications that rely on the open-source code will have to issue their own fix to the vulnerability.
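    The fix the bulletin describes for the open-source package, restricting uploads to image files, is shown below as an added Python example; it is not jQuery File Upload’s own server-side code. It assumes uploads are stored outside the web root under a server-chosen random name, and it accepts GIF, JPEG and PNG only when both the extension and the file’s leading bytes agree.

```python
import os
import secrets

# Allowlist of image types the server will accept, keyed by canonical extension,
# with the magic bytes each format starts with (GIF87a/GIF89a, JPEG SOI marker, PNG signature).
ALLOWED_IMAGES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
EXTENSION_ALIASES = {".jpeg": ".jpg"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit for this example


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller should answer with HTTP 400."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Validate an upload and return its canonical extension (".gif", ".jpg" or ".png").

    The client-supplied name is only used to inspect its extension chain; it never
    becomes part of the stored path, so "../../htdocs/x.png" cannot steer the write.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("filename must have a stem and an extension")
    # Every extension in the chain must be an image type, so "shell.php.png" is
    # rejected instead of relying on how the web server maps double extensions.
    exts = ["." + p for p in parts[1:]]
    for ext in exts:
        if EXTENSION_ALIASES.get(ext, ext) not in ALLOWED_IMAGES:
            raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    ext = EXTENSION_ALIASES.get(exts[-1], exts[-1])
    # The bytes must actually be that image type: a script named photo.png fails here.
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGES[ext]):
        raise UploadRejected(f"content does not look like {ext}")
    return ext


def store_upload(client_filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write the file under a random server-chosen name; returns that name.

    upload_dir is assumed to be outside the document root and served (if at all) by an
    application handler that sets Content-Type from the validated extension.
    """
    ext = validate_upload(client_filename, data)
    name = secrets.token_hex(16) + ext
    path = os.path.join(upload_dir, name)
    # O_EXCL refuses to overwrite an existing file; mode 0o600 never sets an execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return name


if __name__ == "__main__":
    import tempfile

    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed PNG-like payload
    with tempfile.TemporaryDirectory() as tmp:
        print("stored as", store_upload("../htdocs/avatar.png", png, tmp))
        for name, blob in (("shell.php", b"not an image"), ("photo.png", b"not an image")):
            try:
                validate_upload(name, blob)
            except UploadRejected as err:
                print(f"rejected {name}: {err}")
```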

    Phish Tale of the Week

    Netizen captures many phishes each month, which we feature here. This week we haven’t found anything new or unique to share. Remember these tips to stay safe:

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated as suspect. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • Netizen Cybersecurity Bulletin: 17 October 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Goodbye TLS 1.0/1.1
    • Cyber Threats: How Prepared Is Your Organization?
    • Flaw Allows Hackers to Connect to Server Without Password
    • Phish Tale of the Week!
    • How can Netizen Help?

    Goodbye TLS 1.0/1.1

    TLS, or Transport Layer Security, is the most popular security protocol deployed for protecting online privacy and data integrity. TLS is used by web browsers and applications that need to exchange data over a network, including VPN connections, file transfers, and voice over IP. As a more potent example, HTTPS is HTTP using the TLS protocol to encrypt communications, like that of a banking website.

    While there are currently four available versions of TLS (1.0, 1.1, 1.2 and 1.3), versions 1.0 and 1.1 are known to have serious critical flaws that leave them open to attack. It is for this reason that support for those versions is set to be removed from all major browsers in 2020.

    Recommendations

    While these outdated versions are not used much anymore, the possibility that they are still enabled does exist. It would be wise to check and see if they are disabled; many vulnerabilities arise from misconfigurations in which the vulnerable control is not even used yet is still turned on, thus creating an opening for attackers.

    We recommend ensuring that you use TLS 1.2 (the most current version) as TLS 1.3 is still in the development stage. Many times, these controls can be found in the settings of your browser.
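    As an added example for the two recommendations above (testing which protocols a server still offers, and making sure TLS 1.0/1.1 are disabled), the Python below audits nginx and Apache configuration for deprecated protocol versions and builds a client context that refuses anything below TLS 1.2. It is not part of testssl.sh or of the bulletin; the sample configurations are constructed, and the expansion of Apache’s “all” keyword is assumed to be that of httpd 2.4 built against a modern OpenSSL.

```python
import re
import ssl

# The versions the bulletin says browsers are dropping, plus the SSL versions that predate them.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: what httpd 2.4's "all" keyword expands to when built against a modern OpenSSL.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
_CANONICAL = {name.lower(): name for name in DEPRECATED | APACHE_ALL}


def _canon(name: str) -> str:
    """Normalise case so 'tlsv1.1' and 'TLSv1.1' compare equal."""
    return _CANONICAL.get(name.lower(), name)


def enabled_by_nginx(args: str) -> set:
    """nginx: 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' is an explicit list of what is enabled."""
    return {_canon(tok) for tok in args.split()}


def enabled_by_apache(args: str) -> set:
    """Apache: 'SSLProtocol all -SSLv3 -TLSv1' starts from the named set and applies +/- in order."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(APACHE_ALL) if name.lower() == "all" else {_canon(name)}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


DIRECTIVES = {
    "nginx": (re.compile(r"^\s*ssl_protocols\s+([^;#]+);"), enabled_by_nginx),
    "apache": (re.compile(r"^\s*SSLProtocol\s+([^#]+)", re.IGNORECASE), enabled_by_apache),
}


def audit_config(text: str, flavor: str) -> list:
    """Return (line number, deprecated protocols still enabled) for every offending directive.

    Each directive is judged on its own; inheritance between server blocks is left to the reader.
    """
    pattern, expand = DIRECTIVES[flavor]
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = pattern.match(line)
        if match:
            still_on = sorted(expand(match.group(1)) & DEPRECATED)
            if still_on:
                findings.append((lineno, still_on))
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Application side of the same rule: never negotiate below TLS 1.2 with any server."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample configurations for the demonstration.
SAMPLE_NGINX = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # still offers TLS 1.0 and 1.1
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

SAMPLE_APACHE = """\
<VirtualHost *:443>
    SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

if __name__ == "__main__":
    for flavor, sample in (("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE)):
        for lineno, protos in audit_config(sample, flavor):
            print(f"{flavor}: line {lineno} still enables {', '.join(protos)}")
```

    The same check against a live endpoint is what testssl.sh performs by attempting handshakes; the audit here is the configuration-side view that should agree with it.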

    Cyber Threats: How Prepared Is Your Organization?

    The number of cybersecurity threats continues to rise across the globe. Whether those threats are reported in local media, in trade journals or in the Netizen Cybersecurity Bulletin, organizations need to be on guard to protect their businesses.

    This past summer, ISACA conducted a poll of 4,800 business and technology professionals. The ISACA/CMMI Institute Cybersecurity Culture Report produced astonishing results.

    Ideally, cybersecurity awareness is integrated into the workplace culture so that perception and behavior are a part of every employee’s daily operation, from the executive level on down. An effective cybersecurity culture can help employees understand their roles and responsibilities in keeping their organizations safe and customer data secure. However, the ISACA study found just 34% of respondents say they understand their role in their organizations’ cyberculture.

    Worse still, the study found just 5% of employees think their organization’s cybersecurity culture is as advanced as it needs to be to protect their business from internal and external threats.

    The report uncovered other findings that concern the researchers:

    A remarkable 42% of organizations do not have an outlined cybersecurity culture management plan or policy. A cybersecurity policy, signed off by senior management, sets the tone for the rest of the company to follow and represents the first step toward a cybersecurity culture.

    Naturally, aligning the entire workforce with the organization’s cybersecurity policies often requires capital investment. However, while 57% of the organizations surveyed reported a significant gap between their current and desired cybersecurity culture, those same organizations are spending only 19% of their annual cybersecurity budget on training and tools.

    The full report may be downloaded here: http://www.isaca.org/cybersecurity-culture-study

    Flaw Allows Hackers to Connect to Server without Password

    A four-year-old vulnerability has been discovered in a Secure Shell (SSH) implementation library known as LibSSH that is widely used in Linux servers. This vulnerability allows anyone to fully bypass any authentication and gain administrative access to a vulnerable server without needing a password.

    The security vulnerability, ID’d as CVE-2018-10933, is an authentication bypass introduced in LibSSH version 0.6, which was released in early 2014. This means the vulnerability has been open to hackers for around four years now.

    The latest research shows that approximately 6,500 servers are affected; however, OpenSSH has stated their package is not vulnerable due to the way that they implement the library.

    The issue has been addressed with the release of updated versions 0.8.4 and 0.7.6, and the details of the vulnerability were released at the same time.

    It’s highly recommended that if you use LibSSH, whether on a website or on servers, you update it as soon as possible.
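    The update recommendation above, turned into a check you can run against your own hosts, as an added Python example that is not from the bulletin or the libssh project: it classifies a libssh version string, or the SSH identification banner one of your servers sends, against the affected range the bulletin gives (introduced in 0.6, fixed in 0.7.6 and 0.8.4). The banner format is an assumption, and the sample banners are constructed.

```python
import re

# From the bulletin: the bypass was introduced in 0.6 and fixed in 0.7.6 and 0.8.4.
INTRODUCED = (0, 6, 0)
FIXED_IN = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}  # first fixed release on each maintained branch

# Assumption: libssh servers announce themselves as "SSH-2.0-libssh_X.Y.Z" (recent releases)
# or "SSH-2.0-libssh-X.Y.Z" (older releases); both separators are accepted here.
BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-](\d+\.\d+(?:\.\d+)?)")


def parse_version(text: str) -> tuple:
    """'0.7.5' -> (0, 7, 5); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if this libssh release lies in the CVE-2018-10933 window described above."""
    v = parse_version(version)
    if v < INTRODUCED:
        return False                    # predates the bug
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]     # 0.7.x before 0.7.6, 0.8.x before 0.8.4
    return branch == (0, 6)             # 0.6.x never got a fix release; 0.9+ postdate it


def assess_banner(banner: str) -> str:
    """Classify an SSH identification string read from one of your own hosts."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "not libssh"
    return "affected" if is_affected(m.group(1)) else "fixed"


if __name__ == "__main__":
    # Constructed banners, as an inventory script would read them from each host's SSH port.
    for banner in ("SSH-2.0-libssh_0.7.5", "SSH-2.0-libssh_0.8.4", "SSH-2.0-OpenSSH_7.4"):
        print(f"{banner:24} -> {assess_banner(banner)}")
```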

    Phish Tale of the Week

    This week’s phishing email claims it originates from CHASE bank online, asking the user to review a “secure message”. The email is poorly formatted, and it can be seen that the document links to some unknown site.

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated as suspect. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • NETIZEN RECEIVES FEDERAL RECOGNITION FOR VETERAN HIRING

    Allentown, PA: Netizen Corporation, an ISO 27001:2013 certified provider of cyber security solutions for defense, government and commercial markets, has received a HIRE Vets Platinum Medallion award from the U.S. Department of Labor for the hiring, retention and training of military veterans all over the country. Over 50% of Netizen’s employees nationwide are veterans and Netizen provides training, college scholarships, and paid internships to help veterans obtain careers in high-demand technical fields.

    The HIRE Vets Medallion program was established under the Honoring Investments in Recruiting and Employing American Military Veterans, or HIRE Vets, Act signed into law on May 5, 2017 to recognize employers who hire, retain and support military veterans. The Platinum Medallion is the highest level of award a company can receive for this program and the citation states that “[Netizen] has demonstrated a model of patriotism worthy of praise as well as a recognition of the value veterans bring to the workplace.”

    “Netizen has always been, and will continue to be, a very veteran-friendly company as this recognition from the federal government demonstrates. We have always been keenly aware of the benefits and skills that military veterans bring to an organization and started offering scholarships, training, and preferential hiring programs to help them enter career fields such as cyber security. We continue to work with colleges, service organizations, and other groups to grow our award-winning veteran support programs all over the country,” said Michael Hawkins, Netizen’s CEO and a U.S. Army veteran.

    Netizen is not a “general information technology (IT) services company” but rather a highly specialized cyber security and compliance solutions provider that works in partnership with IT departments, information system owners/developers, and IT Managed Service Providers (MSPs) to ensure appropriate levels of security and compliance controls are implemented and maintained.

    About Netizen Corporation: Named the Lehigh Valley’s “Emerging Business of the Year” and “Veteran Owned Business of the Year” and a recipient of multiple Department of Defense (DoD) awards for superior performance, Netizen is an Allentown, PA based Veteran-Owned company (SDVOSB) specializing in cyber security and compliance solutions for defense, commercial and government markets. Their new commercial-focused subsidiary, CyberSecure Solutions, is also trusted to engineer, implement, audit and maintain cyber security solutions for businesses worldwide. Learn more at NetizenCorp.com and goCyberSecure.com.

    POINT OF CONTACT:

    Rocco Zegalia
    VP of Sales and Marketing
    1-800-450-1773 ext. 717
    rzegalia@netizencorp.com

     

    #####

  • Netizen Cybersecurity Bulletin: 10 October 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Phish Tale of the Week!
    • Facebook Breach Affects 90MM users
    • MikroTik / WinBox Vulnerability
    • 3 Things to Look for When Choosing a Cybersecurity Company
    • How can Netizen Help?

    Phish Tale of the Week

    This week’s phishing email claims it originates from the Payroll Admin and is asking the user to update their information in order to receive the new payroll increase. This is one of the more obvious examples of a phishing attempt; poor formatting, grammar, spelling, and it does not even display a proper ticket number.

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated as suspect. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    Facebook Breach Affects 90MM

    90 million Facebook accounts were logged out last week. So what happened?

    Anyone who uses Facebook is familiar with the persistence of the login — you can close the browser/app, turn off your device and come back next week and your login is still active.

    Another feature lets the Facebook login work on different sites and applications, using a mechanism known as Single Sign-On (built on OAuth). You log in to Facebook and then other sites recognize you. Many are also concerned that this lets Facebook track your activity online, but that’s a discussion for another day.

    Facebook provides users with the ability to have different posts shown to different groups of users – groups like Family, CoWorkers, School-Friends, and Global (the whole world). Additionally, users are able to see their profile and ‘Wall’ page as any one of their friends, or any member of a user group, would see it. This is a useful and powerful feature, especially if users want to restrict their posts to certain users.

    In 2017 Facebook updated their product to permit users to upload Birthday Videos for their friends. This feature became instantly popular.

    Researchers at Facebook noticed a sharp increase in the use of ‘View As’ and looked into it. They discovered this function was being exploited through a bug in the Birthday Video feature, which passed the OAuth sign-on token to the attacker, enabling the attacker to actually become any user they wanted.

    Facebook responded by logging out some 90 million people, basically any user who had been ‘Viewed As’ by any other user in the last year. That act was drastic, but overall harmless, and it ensured that any account that was compromised was logged out. OAuth has been incredibly useful, but when a service with a 2 billion user base has a bug, it potentially affects a lot of people. Facebook disabled the View As feature and it is still unavailable as of this writing.

    Recommendations

    • Check where you’re logged in on Facebook: Facebook tracks the devices you are currently logged in on. On a desktop, click the down arrow (found in the top right-hand corner) and click Settings, or go to this link: https://www.facebook.com/settings?tab=security and check WHERE YOU’RE LOGGED IN to see if you recognize the devices and locations. You can click the three dots on the right-hand side of the list and select ‘Log Out’ to simply log out the connection, or ‘Not You’ to report a suspected login to Facebook.

    • It is also a good time to select APPS AND WEBSITES (from the left-hand menu or go to https://www.facebook.com/settings?tab=applications ) and review what apps have access to your data. Many users don’t realize how many apps and websites are able to interact with their data.

    These recommendations should be done periodically for all social media accounts.

    MikroTik / WinBox Vulnerability

    A vulnerability discovered in MikroTik routers that was once rated medium is now rated critical. The vulnerability, coupled with a new hacking technique used against MikroTik routers, allows an attacker to remotely execute code on affected devices and obtain root access. Furthermore, remote attackers are able to bypass authentication and read arbitrary files by modifying a request to change one byte related to a session ID.

    The vulnerability is capable of impacting WinBox as well. WinBox is a management component for administrators to set up their routers using a web-based interface with a Windows GUI application. The new exploit could allow unauthorized attackers to hack MikroTik’s RouterOS system, deploy malware payloads, or bypass router firewall protections.

    Additional vulnerabilities include:

    • CVE-2018-1156—A stack buffer overflow flaw that could allow an authenticated remote code execution, allowing attackers to gain full system access and access to any internal system that uses the router.
    • CVE-2018-1157—A file upload memory exhaustion flaw that allows an authenticated remote attacker to crash the HTTP server.
    • CVE-2018-1159—A www memory corruption flaw that could crash the HTTP server by rapidly authenticating and disconnecting.
    • CVE-2018-1158—A recursive parsing stack exhaustion issue that could crash the HTTP server via recursive parsing of JSON.

    Recommendations:

    The aforementioned vulnerabilities impact MikroTik RouterOS firmware versions 6.42.7 and 6.40.9. These issues have in fact been patched; however, it is estimated that nearly 70% of these routers are still vulnerable to attack. It is a good rule of thumb with any router to regularly patch and update the firmware. Also, while it may sound obvious, if your router still has a default password (admin, password, etc.), change it!

    3 Things to Look for When Choosing a Cybersecurity Company

    As cyber threats and security mandates continue to grow at a rapid pace, security teams are struggling to keep up. How does a company keep the team’s morale and motivation high? How does one ensure the strategy to protect the company’s assets is sound and continues to move in the right direction?

    Teaming with a third-party security company can provide the skills, knowledge, and support that is needed to keep defensive measures strong. This is critical at a time when there are so few Cybersecurity professionals available – estimates of up to 3.5 million unfilled positions in the industry by 2021. Choosing the right security company can make certain your defense strategy stays on track, rather than derail due to a lack of resources.

    Three questions to consider when evaluating potential security companies:

    1. Are they a proven security company?
    When it comes down to Cybersecurity, the best partner is one that has done their “time in the trenches.” When you work with a company that is a proven practitioner of security – one that has been down the path and understands what companies are up against – you get a different, and arguably better, perspective and guidance than from someone who has simply read a book on security.

    2. Do they offer end-to-end solutions?
    Cybersecurity is a journey, not a destination; and every single company’s journey is different. What this means is that regardless of where a company is on the path to Cybersecurity, you need different solutions, product offerings, and services. There is no such thing as a one-size-fits-all solution.

    All too often, companies rely on Cybersecurity software vendors for broad-stroke support. They may provide security consulting services, but their knowledge and capabilities are limited to their own technology. One needs to look for a security vendor that can meet your company’s needs wherever you are on your Cybersecurity journey.

    3. Do they offer tailored security options?
    With a multitude of factors that drive Cybersecurity decisions, including budget, risk tolerance, compliance requirements, technology stacks, and resource constraints, you need a Cybersecurity company that understands these various aspects and delivers the support that best fits your company.

    You may want to adhere to specific standards or certifications when performing business objectives, such as ISO 27001. You will need a Cybersecurity company that can provide the needed security assessments and roadmaps with these standards in mind.

    Working with a Cybersecurity vendor that only has a single delivery model, or single technology, greatly limits what they are able to provide. Working with multiple Cybersecurity vendors adds unnecessary complexity and higher costs for your business. That’s why seeking out a single firm that offers a range of services and solutions designed to meet your every challenge is the proven course. This approach offers more cost control, lower overhead, and most of all lower complexity.

    When selecting the right Cybersecurity partner for your organization, remember that Cybersecurity is a long-term challenge, and teaming with a long-term partner can help you along your journey.

    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • Netizen Cybersecurity Bulletin: 3 October 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Phish Tale of the Week!
    • GhostDNS Hacks Over 100,000 Routers
    • Browser Notification Spam
    • Cybersecurity Buzzwords to Know
    • How can Netizen Help?

    FEMA Tests Emergency Alert System Oct 3 starting at 2:18 ET

    Phish Tale of the Week

    This week’s phishing email claims to originate from “Microcorporation” and asks the user (T4NG) to reconfirm a password. This is one of the more obvious phishing attempts: poor formatting, grammar, and spelling, a fake link, and no mention of the recipient’s actual name.

    [Image: screenshot of the phishing email]

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness in an attempt to intimidate. Any email requesting immediate action or addressing you in a threatening manner should be treated with suspicion. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
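The two link checks in the recommendations above (the URL must really belong to the company the mail claims to come from, and it must use HTTPS) can be automated before anyone clicks. The script below is an added example, not part of the bulletin or of Netizen’s tooling; the allowlist of expected domains and the sample links are constructed assumptions. It also catches two tricks the list does not spell out: a bare IP address as the host and a `user@host` authority, where the text before the `@` is not the real host.

```python
"""Scrutinise a link from an email against the service it claims to come from.

Added example: the allowlist below is an assumption, not a list from the bulletin.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist: domains each claimed sender is expected to link to.
EXPECTED_DOMAINS = {
    "Microsoft": {"microsoft.com", "office.com", "live.com"},
    "SharePoint": {"sharepoint.com", "microsoft.com"},
}


def check_link(url, claimed_sender, expected=EXPECTED_DOMAINS):
    """Return the list of reasons a link looks suspicious; an empty list passes every check."""
    findings = []
    parts = urlsplit(url.strip())

    # Rule from the bulletin: the link should use HTTPS.
    if parts.scheme.lower() != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")

    # "user@host" trick: the browser ignores the text before '@'; the real host follows it.
    if "@" in parts.netloc:
        findings.append("authority contains '@'; the part before it is not the host")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("no hostname in link")
        return findings

    # A bare IP address is not how a legitimate service sends a login link.
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a bare IP address ({host})")
        return findings
    except ValueError:
        pass

    # Punycode labels can hide look-alike characters in the domain name.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("host contains an internationalised (punycode) label")

    # Rule from the bulletin: the URL must belong to the company the mail claims to be from.
    # Match the registrable domain or a subdomain of it, never a prefix, so that
    # "microsoft.com.example.test" does not pass.
    allowed = expected.get(claimed_sender, set())
    if not any(host == d or host.endswith("." + d) for d in allowed):
        findings.append(f"host {host!r} is not a known {claimed_sender} domain")
    return findings


if __name__ == "__main__":
    # Constructed sample links (documentation/test addresses only).
    for sample in ("https://login.microsoft.com/common/oauth2",
                   "http://microsoft.com.example.test/login",
                   "https://microsoft.com@198.51.100.7/reset"):
        print(sample, "->", check_link(sample, "Microsoft") or "no findings")
```

The allowlist is the part that needs local care: it should hold the registrable domains your organisation actually uses for each service, and an empty entry for an unknown sender means every link from it is flagged, which is the safe default.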

    GhostDNS Hacks Over 100,000 Routers

    A widespread malware campaign known as GhostDNS has hijacked over 100,000 home routers. The infection modifies the routers’ DNS settings so that users are sent to malicious web pages, chiefly fake banking sites built to steal login credentials. The GhostDNS system is made up of four main modules:

    DNSChanger module: This is the main module. It runs scripts (automated series of instructions) that exploit routers, with separate Shell, JavaScript (Js), and Python (Py) submodules.

    Web Admin module: Little information has been found regarding this module, but it appears to be an administrative panel, behind a login page, that the attackers use.

    RogueDNS module: RogueDNS is responsible for resolving targeted domain names to attacker-controlled web servers. The targeted domains are mainly banking websites and cloud hosting services.

    Phishing Web module: Once a targeted domain is resolved through RogueDNS, the Phishing Web module serves a fake version of whatever website the user tried to visit, where the attacker can then steal credentials.

    The GhostDNS campaign is organized and operates at scale, combining different attack vectors with automated processes, which makes the malware particularly dangerous.

    Recommendations:

    To help protect your network from GhostDNS, due diligence provides the best defense:

    • Ensure your router’s firmware is the most current version.
    • Set a strong, complex password for the router.
    • If at all feasible, disable remote administration to the router to increase security.
    • Change the default local IP address.
    • Hardcode a trusted DNS server into the router or at the operating system.

    Browser Notification SPAM

    Browser notifications enable websites to pop up alerts, such as breaking-news bulletins from a news site. Like so many features online, something good has been exploited. BleepingComputer.com reported this issue last week.

    Sites are now tricking users into accepting browser notifications in order to promote unwanted extensions, fake software, adware bundles, adult sites, and scam sites.

    [Image: screenshot of a site prompting the visitor to allow notifications]

    For example, in the image above the site tricks the user into thinking they must subscribe to notifications in order to view a video.

    Once the user signs up for notifications, the site will either redirect to another site or display the video. In addition, the visitor will now receive spam browser notifications delivered directly to their desktop. These notifications are essentially advertisements for unwanted extensions, fake downloads, adult sites, and giveaway scams.

    If you are receiving browser notification spam, you can check for and remove subscriptions in your browser’s settings. Once the subscriptions are removed, the spam will stop appearing on the desktop.

    Chrome Users
    To remove them in Chrome, go into Settings, search for Notifications, click Content Settings, and then click Notifications. Chrome will display a list of sites you are subscribed to or have blocked. Most users are surprised at how many sites are in their subscription list. To remove a subscription, click the vertical three-dot menu next to a site and select Remove.

    Firefox Users
    Firefox users can go into Options, search for Notifications, and then click on Settings next to Notifications to access the list of subscribed sites and remove them.

    Edge Users
    You can disable browser notifications on a site-by-site basis by clicking the menu icon (three horizontal dots) in the upper right-hand corner and going to Settings > View advanced settings. Under the Notifications subheading, click Manage and a panel will appear where you can edit the sites you’ve agreed to receive notifications from.

    https://www.bleepingcomputer.com/news/security/sites-trick-users-into-subscribing-to-browser-notification-spam/

    Cybersecurity Buzzwords to Know

    The cybersecurity industry is filled with words like trojan horse, zombie, and worm: words that sound like science fiction but are an everyday reality on the internet.

    As more of our daily life is moving towards the digital world, these terms begin to take on new meanings and introduce us to the different cybersecurity threats we face.

    While the majority of us would rather leave these threats to more IT-focused individuals, it’s important that we all have an understanding of cybersecurity so that we can protect not only ourselves but others, by understanding key terms.

    Cybersecurity Terms:

    Backup: Storing copies of all important data in a secure, offline location so the data is not lost if a computer fails or is hacked. It’s good practice to routinely copy files to a USB flash drive or cloud storage.

    Blackhat hacker: An individual who maliciously causes damage to a computer system, steals data, or conducts illegal cyber activities.

    Botnet: A group of computers, which can be located anywhere in the world, that have been infected by malicious software so that a hacker can control them remotely and use them to perform attacks such as denial of service.

    Brute Force Attack: A hacking technique for breaking into a computer system by “guessing” a password, often over many thousands of attempts.

    Phishing or spear phishing:  A technique used by hackers to obtain sensitive information, such as passwords, bank accounts, or credit cards. Often an unexpected email is received disguised as being from a legitimate source. In many cases, the hacker will attempt to trick you into either replying with the information they seek, like bank details or tempt you to click a malicious link or run an attachment. Spear phishing is a variant of this technique, but the hacker targets a business or person specifically, instead of taking a blanket approach.

    Trojan horse: A piece of malware that often gives a hacker remote access to a computer. The infection sets up an entry point through which the perpetrator can download files or watch the user’s keystrokes.

    Worm: A piece of malware that can replicate itself to spread the infection to other connected computers. It will actively hunt out weak systems in the network to exploit and spread.

    Whitehat hacker: A person who uses their hacking skills for an ethical purpose, as opposed to a blackhat hacker, who typically has malicious intent. Businesses will often hire these individuals to test their cybersecurity capabilities.

    Zombie: A computer system that has been infected by malware and is now part of a hacker’s botnet.

    How can Netizen help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Netizen Cybersecurity Bulletin: 26 September 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Phish Tale of the Week!
    • Cisco Video Surveillance Manager Vulnerability
    • FEMA Tests Emergency Alert System to Mobile Devices
    • A Frozen Firefox Attack
    • How can Netizen Help?

    Phish Tale of the Week

    This week’s phishing email claims to originate from SharePoint. It is poorly formatted, we do not receive fax reports, and overall it looks unprofessional:

    [Image: screenshot of the phishing email]

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness in an attempt to intimidate. Any email requesting immediate action or addressing you in a threatening manner should be treated with suspicion. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    Cisco Video Surveillance Manager Vulnerability

    A critical vulnerability in the Cisco Video Surveillance Manager (VSM) software has been discovered that could allow unauthenticated access: attackers could remotely log in and execute arbitrary commands as the root user. The vulnerability is a straightforward one in that the affected versions contain static user credentials for the root account.

    Luckily, these default credentials are not documented publicly. However, the chance of an exploit remains a very real possibility. The static credentials exist because the root account of the affected software was not disabled before the software was installed on the Cisco platform. As it stands, there has been no word of any exploits circulating “in the wild.”

    Recommendations:

    There are no workarounds for this issue; however, Cisco has released patches for the affected versions:

    • VSM 7.10
    • VSM 7.11
    • VSM 7.11.1

    Affected versions are vulnerable if running on the following Cisco Connected Safety and Security Unified Computing System (UCS) platforms:

    • CPS-UCSM4-1RU-K9
    • CPS-UCSM4-2RU-K9
    • KIN-UCSM5-1RU-K9
    • KIN-UCSM5-2RU-K9

    Versions not affected:

    • Cisco VSM Software Releases 7.9 and earlier
    • Cisco VSM Software Releases 7.10, 7.11, and 7.11.1 running on CPS-UCSM4-1RU-K9 and CPS-UCSM4-2RU-K9 platforms if Cisco VSM Software Release 7.9 or earlier was preinstalled on the platform by Cisco and the software was subsequently upgraded to Release 7.10, 7.11, or 7.11.1 by the customer
    • Cisco VSM Software that is running on the VMware ESXi platform

    Before upgrading, we recommend confirming that the devices have sufficient memory and that current hardware and software configurations will continue to be supported by the new release; this means performing a complete and tested backup of current device configurations.
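The affected/not-affected lists above combine three conditions (release, platform, and how the software got onto the appliance), which is easy to get wrong when triaging an inventory by hand. The script below is an added example, not Cisco’s tooling: it encodes only the releases, platforms and exceptions stated in this bulletin, and the inventory records at the bottom are constructed.

```python
"""Decide whether a Cisco VSM deployment falls in the affected set described above.

Added example, not Cisco's tooling: it encodes only the releases, platforms and
exceptions listed in the bulletin. The inventory records at the bottom are constructed.
"""

AFFECTED_RELEASES = {"7.10", "7.11", "7.11.1"}
AFFECTED_PLATFORMS = {
    "CPS-UCSM4-1RU-K9", "CPS-UCSM4-2RU-K9",
    "KIN-UCSM5-1RU-K9", "KIN-UCSM5-2RU-K9",
}
# Exception from the advisory text: these platforms are not affected when Cisco
# preinstalled 7.9 or earlier and the customer later upgraded.
UPGRADE_EXCEPTION_PLATFORMS = {"CPS-UCSM4-1RU-K9", "CPS-UCSM4-2RU-K9"}


def release_key(release):
    """Turn '7.11.1' into (7, 11, 1) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in release.split("."))


def is_affected(release, platform, preinstalled_release=None):
    """Return True when the deployment matches the affected matrix, False otherwise.

    preinstalled_release is the VSM release Cisco shipped on the appliance, if known.
    """
    if release not in AFFECTED_RELEASES:
        return False                       # 7.9 and earlier are not affected
    if platform == "VMware ESXi":
        return False                       # virtual deployments are not affected
    if platform not in AFFECTED_PLATFORMS:
        return False
    if (platform in UPGRADE_EXCEPTION_PLATFORMS and preinstalled_release is not None
            and release_key(preinstalled_release) < release_key("7.10")):
        return False                       # shipped with 7.9 or earlier, upgraded by customer
    return True


def triage(deployments):
    """Return the names of deployments that need the patch."""
    return [d["name"] for d in deployments
            if is_affected(d["release"], d["platform"], d.get("preinstalled"))]


# Constructed inventory records (hypothetical hostnames).
INVENTORY = [
    {"name": "vsm-hq", "release": "7.11", "platform": "KIN-UCSM5-1RU-K9"},
    {"name": "vsm-lab", "release": "7.9", "platform": "KIN-UCSM5-1RU-K9"},
    {"name": "vsm-dc", "release": "7.11.1", "platform": "CPS-UCSM4-2RU-K9", "preinstalled": "7.9"},
    {"name": "vsm-vm", "release": "7.10", "platform": "VMware ESXi"},
    {"name": "vsm-branch", "release": "7.10", "platform": "CPS-UCSM4-1RU-K9", "preinstalled": "7.10"},
]

if __name__ == "__main__":
    print("needs patch:", triage(INVENTORY))
```

Note the conservative default: an appliance whose preinstalled release is unknown is treated as affected, because the exception only applies when you can show Cisco shipped it with 7.9 or earlier.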

    FEMA Tests Emergency Alert System to Mobile Devices

    Netizen frequently provides details of phishing attempts, but this week we are bringing to your attention news of an alert which will come to your mobile device:

    The Federal Emergency Management Agency (FEMA), in coordination with the Federal Communications Commission (FCC), will conduct a nationwide test of the Emergency Alert System (EAS) and the Wireless Emergency Alert (WEA) system on October 3, 2018. The WEA portion of the test commences at 2:18 p.m. EDT, and the EAS portion follows at 2:20 p.m. EDT. The test will assess the operational readiness of the infrastructure for distribution of a national message and determine whether improvements are needed.

    The WEA test message will be sent to cell phones that are connected to wireless providers participating in WEA. This is the fourth EAS nationwide test and the first national WEA test. Previous EAS national tests were conducted in November 2011, September 2016, and September 2017 in collaboration with the FCC, broadcasters, and emergency management officials in recognition of FEMA’s National Preparedness Month.

    The test message will be similar to the regular monthly EAS test messages with which the public is familiar. The EAS message will include a reference to the WEA test:

    “THIS IS A TEST of the National Emergency Alert System. This system was developed by broadcast and cable operators in voluntary cooperation with the Federal Emergency Management Agency, the Federal Communications Commission, and local authorities to keep you informed in the event of an emergency. If this had been an actual emergency an official message would have followed the tone alert you heard at the start of this message. A similar wireless emergency alert test message has been sent to all cell phones nationwide. Some cell phones will receive the message; others will not. No action is required.”

    The WEA test message will have a header that reads “Presidential Alert” and text that says:

    “THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed.”

    The WEA system is used to warn the public about dangerous weather, missing children, and other critical situations through alerts on cell phones. The national test will use the same special tone and vibration as with all WEA messages (i.e., Tornado Warning, AMBER Alert).

    Additional information can be found at https://www.fema.gov/emergency-alert-test

    Frozen Firefox Attack

    A recently released proof-of-concept attack uses JavaScript to crash or freeze recent versions of Mozilla Firefox when victims visit a specially designed web page in the browser.

    The source code for this attack was released on Sunday, September 23rd by a security researcher and has been dubbed Browser Reaper. The attack is said to crash Firefox versions 62.0.2 and earlier.

    The same researcher has also released Browser Reaper source code for Chrome and Safari. This follows a proof-of-concept released last week that caused iOS devices to crash and restart when visiting a website containing specially crafted Cascading Style Sheets (CSS) and HTML code, the technologies that make up a large percentage of websites today.

    Browser Reaper uses JavaScript to carry out its attack. JavaScript is one of the three core technologies that make up the majority of websites today. It allows for a more interactive browsing experience but can also be used for nefarious purposes. In the case of Browser Reaper, the script generates a file with a very long name and repeatedly tries to download it onto your computer. Doing this millions of times within a short period overwhelms the browser, which eventually crashes.

    Recommendations:

    • Practice safe browsing by being wary of suspicious links.
    • Consider using a browser add-on that disables JavaScript and other popular web scripts by default.
    • Continue to update web software at regular intervals.

    How can Netizen help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Netizen Cybersecurity Bulletin: 19 September 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Phish Tale of the Week!
    • Top Threats Facing Industrial Networks
    • WannaMine Worm
    • The Cost of Cyber Crime
    • How can Netizen Help?

    Phish Tale of the Week!

    This week’s phishing email claims it originates from Office 365:

    [Image: first screenshot of the phishing email]

    [Image: second screenshot of the phishing email]

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness in an attempt to intimidate. Any email requesting immediate action or addressing you in a threatening manner should be treated with suspicion. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

     

    Top Threats Facing Industrial Networks

    Across the nation, and in our commonwealth, industrial control systems (ICS) share a common heritage: they were designed before cyber threats were understood and lack baked-in security controls. This critical infrastructure and the industrial control networks that manage it are under a real and active threat from a variety of malicious actors — ranging from nation-states and politically or financially motivated hackers to insiders and disgruntled ex-employees.

    ICS control dams, bridges, electrical generation plants, and other systems that operate in the background yet provide vital services. A breach of an ICS network can be disastrous, ranging from physical and environmental damage and costly downtime for manufacturing processes to putting lives at risk.

    We’ll look at some of the biggest threats to these infrastructure systems:

    1. Poor Network Configuration: None of these critical systems should have unfettered access to the Internet, yet many were installed without even a firewall. ICS should be segregated into a tightly controlled subnet.
    2. Poor Audit Control: Older ICS may not have any audit functions, and those that do may not be routinely reviewed by IT security staff. As with all IT systems, proper audit control is essential to maintaining a secure posture. Should the ICS lack its own auditing, adequate alternatives should be sought to mitigate this threat.
    3. Insufficient Controls: Just as your operating system and applications receive software patches, ICS should as well. Systems that aren’t patched regularly are open to exploits, and systems that are beyond end-of-life (EOL) should be replaced or otherwise fortified to minimize exposure.
    4. Employee Carelessness or Ignorance: As with any IT environment, ICS are subject to phishing attacks, social engineering, and risky browsing behaviors. These activities can compromise IT and internal networks through lateral movement.

      Security training, network segmentation, and multifactor authentication can all help prevent breaches caused by employee lack of awareness, policy violations, or human error.

    5. Insider Attacks: Disgruntled employees or improper assignment of privileges can lead to industrial espionage or sabotage.   Performing a risk assessment to identify and address vulnerabilities such as over-privileged accounts, insiders with access to resources they don’t need to do their jobs, and orphaned accounts is essential to reducing the attack surface for insider threats.

     

    WannaMine Worm

    A fileless, PowerShell-based, Monero-mining malware attack known as WannaMine has made a resurgence. The worm successfully infected a Fortune 500 company, affecting dozens of domain controllers and about 2,000 endpoints after gaining access through an unpatched SMB server. WannaMine detects whether it has infected a 32-bit or 64-bit system, configures a scheduled process to ensure it persists after system shutdown, and even changes the power management settings so that the system does not go to sleep and it can mine uninterrupted. Further, WannaMine shuts down any process using ports associated with cryptocurrency-mining pools (3333, 5555, 7777) and then creates its own on port 14444.

    Recommendations:

    WannaMine has been associated with the following IP addresses:

    [Image: list of IP addresses associated with WannaMine]

    We also recommend practicing routine updating and patching, as WannaMine includes the same EternalBlue exploit that was abused by WannaCry; patching will mitigate this threat. However, WannaMine can then try to spread using password-cracking techniques and tools to find weak passwords on the network. It is for this reason that we also recommend using complex passwords supplemented by Multifactor Authentication (MFA) such as a code, app, or text.
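The port behaviour described above (sessions to the mining-pool ports 3333, 5555 and 7777, and the worm’s own listener on 14444) is something a defender can look for in connection tables without any indicator feed. The script below is an added example, not part of the bulletin: it scans netstat-style output for those indicators and, because WannaMine is fileless PowerShell, also flags any `powershell.exe` holding an established connection. The log lines are constructed, and the column layout (protocol, local address, foreign address, state, PID, image) is an assumption about how the table was exported.

```python
"""Flag WannaMine-style network behaviour in netstat-style output.

Added example: the port list comes from the bulletin (pools on 3333/5555/7777, the
worm's own listener on 14444); the log lines are constructed, and the netstat column
layout is an assumption (proto, local, remote, state, pid, image).
"""
import re

MINING_POOL_PORTS = {3333, 5555, 7777}
WANNAMINE_LISTEN_PORT = 14444

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)\s+(?P<image>\S+)$"
)


def scan_connections(lines):
    """Return (pid, image, reason) for every line matching a WannaMine indicator."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # header line, UDP row without a state, or other layout
        pid, image, state = int(m["pid"]), m["image"], m["state"]
        lport = int(m["lport"])
        rport = int(m["rport"]) if m["rport"].isdigit() else None

        # Session to a port the bulletin associates with mining pools.
        if rport in MINING_POOL_PORTS:
            findings.append((pid, image, f"connection to mining-pool port {rport}"))
        # The worm's own listener after it has killed competing miners.
        if state == "LISTENING" and lport == WANNAMINE_LISTEN_PORT:
            findings.append((pid, image, f"listener on port {WANNAMINE_LISTEN_PORT}"))
        # Fileless PowerShell holding a live session is worth a look on its own.
        if image.lower() == "powershell.exe" and state == "ESTABLISHED":
            findings.append((pid, image, "powershell.exe with an established connection"))
    return findings


# Constructed sample (documentation addresses), not captured from a real host.
SAMPLE_NETSTAT = """\
Proto  Local Address      Foreign Address     State        PID   Image
TCP    10.0.0.5:49213     203.0.113.9:3333    ESTABLISHED  4412  powershell.exe
TCP    0.0.0.0:14444      0.0.0.0:0           LISTENING    4412  powershell.exe
TCP    10.0.0.5:50001     198.51.100.20:443   ESTABLISHED  2210  outlook.exe
UDP    0.0.0.0:5353       *:*                              1100  svchost.exe
""".splitlines()

if __name__ == "__main__":
    for pid, image, reason in scan_connections(SAMPLE_NETSTAT):
        print(f"pid {pid} ({image}): {reason}")
```

The port rules are cheap but noisy on their own (port 3333 is used by other software too), so in practice the three findings above are strongest when they land on the same PID, as they do in the sample: one process talking to a pool port, listening on 14444, and running as PowerShell is the pattern the bulletin describes.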

     

    The Cost of Cyber Crime

    A recent study by Germany’s IT sector association found that two thirds of Germany’s manufacturing companies have been victims of cyber crime, which has cost the industry around $50 billion. Over 500 executives were surveyed across the German manufacturing sector, and small to medium-sized companies were found to be the most vulnerable to attacks. As cyber attackers become better resourced, more advanced techniques will be used to steal advanced manufacturing techniques or important trade secrets, which could be devastating to companies.

    The survey identified risks of all types: one third of the companies surveyed reported that mobile devices such as phones had been stolen, and about 25% had lost sensitive digital data. Around 19% reported that IT and production systems had been sabotaged, and 11% reported tapping of communications.

     

    Recommendations:

    • Make sure every business computer is equipped with antivirus and antispyware software that is updated regularly.
    • Secure network connections by using firewalls and encrypting important information.
    • Conduct periodic vulnerability testing on critical information technology systems.

    How can Netizen help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Allentown, PA: Netizen Corporation, an award-winning and ISO 27001:2013 certified provider of cyber security and related solutions for defense, government and commercial markets, has announced that they are starting a college scholarship program for selected U.S. military veterans, their families and spouses in cooperation with Lehigh Carbon Community College (LCCC). Candidates for the scholarship will be pursuing degrees in technical fields, such as cyber security, and have a track record of professional, personal and academic success. Along with the scholarships, Netizen will also expand their own paid technical internship programs for military veterans.

    “With over 60% of our employees being military veterans, and being 100% veteran owned, we constantly seek to bring the skills and attributes gained from military service – such as adaptability, attention-to-detail, problem solving, and dedication-to-duty – to the industries in which we operate. As our customers can attest, these attributes truly set Netizen apart and other companies could similarly benefit from promoting veteran employment and educational initiatives,” said Max Harris, Netizen’s Chief of Business Development and a U.S. Army veteran.

    Michael Hawkins, Netizen’s CEO and a U.S. Army veteran, added that “with this scholarship program, recipients can earn a two-year degree as well as relevant industry certifications and real-world experience without accruing unnecessary debt. They can then immediately qualify for high-wage jobs in fields that are in desperate need of talented professionals or they can continue working towards another degree.”

    Netizen is not a “general information technology (IT) services company” but rather a highly specialized cyber security and compliance solutions provider that works in partnership with IT departments, information system owners/developers, and IT Managed Service Providers (MSPs) to ensure appropriate levels of security and compliance controls are implemented and maintained. As the cyber security industry in general is in need of skilled and certified staff, Netizen has been committed to developing new pipelines of talent by providing opportunities for veterans to transition into the field.

    About Netizen Corporation: Named the Lehigh Valley’s “Emerging Business of the Year” and “Veteran Owned Business of the Year” and a recipient of multiple Department of Defense (DoD) awards for superior performance, Netizen is an Allentown, PA based Veteran-Owned company (SDVOSB) specializing in cyber security and compliance solutions for defense, commercial and government markets. Their new commercial-focused subsidiary, CyberSecure Solutions, is also trusted to engineer, implement, audit and maintain cyber security solutions for businesses worldwide. Learn more at NetizenCorp.com and goCyberSecure.com.

    POINT OF CONTACT:
    Rocco Zegalia
    VP of Sales and Marketing
    1-800-450-1773 ext. 717
    rzegalia@netizencorp.com

  • Netizen Cybersecurity Bulletin: 12 September 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Phish Tale of the Week!
    • URL Spoofing
    • The Hazards of IoT Devices
    • Targets of Phishing
    • How can Netizen Help?

    Phish Tale of the Week!

    Netizen received an email claiming to be from Microsoft regarding OneDrive. That email can be found below:

    [Screenshots of the phishing email: OnePhishDrive, OnePhishDrive2]

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email; this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen in this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.
    • Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated with suspicion. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
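    The checklist above can be turned into a first-pass triage script. The following is an added example and is not code from Netizen or from the bulletin: it parses a raw email, compares the brand claimed in the display name against the actual sending domain, flags a mismatched Reply-To, checks every link for HTTPS and for a host that belongs to the sender, and looks for PII requests, urgency language, generic salutations and attachments. The two sample messages and the KNOWN_BRANDS table are constructed for the demonstration (the table stands in for an organisation’s own list of services it actually uses), and the hostnames use the reserved .example domain.

```python
"""Heuristic phishing triage over a raw email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping of display-name keywords to the domains the real service mails from.
KNOWN_BRANDS = {
    "microsoft": ("microsoft.com", "onedrive.com"),
    "onedrive": ("microsoft.com", "onedrive.com"),
}
URGENCY_WORDS = ("immediately", "suspended", "within 24 hours", "verify now", "urgent")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage(raw_message: str) -> list:
    """Return the red flags found in the message; an empty list means nothing obvious."""
    msg = message_from_string(raw_message)
    flags = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. Does the brand claimed in the display name match the sending domain?
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and not sender_domain.endswith(domains):
            flags.append(f"display name claims {brand!r} but sender domain is {sender_domain!r}")
            break

    # 2. A Reply-To pointing at a different domain than the sender is a classic tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append(f"Reply-To domain differs from sender: {reply_to}")

    # 3. Collect body text and attachment names across all MIME parts.
    body_parts, attachments = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                body_parts.append(payload.decode("utf-8", errors="replace"))
    body = "\n".join(body_parts)

    # 4. Every link must use HTTPS and point at a host belonging to the sender's domain.
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if parsed.scheme.lower() != "https":
            flags.append(f"link without HTTPS: {url}")
        host = (parsed.hostname or "").lower()
        if sender_domain and not (host == sender_domain or host.endswith("." + sender_domain)):
            flags.append(f"link host {host!r} does not belong to sender domain {sender_domain!r}")

    # 5. Requests for credentials or PII, and pressure language.
    lowered = body.lower()
    if re.search(r"\b(password|social security|credit card|bank account)\b", lowered):
        flags.append("body asks for credentials or PII")
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        flags.append(f"urgency language: {hits}")

    # 6. Generic salutation and any attachments at all.
    if re.search(r"^\s*dear (user|customer|member)\b", lowered, re.MULTILINE):
        flags.append("generic salutation")
    if attachments:
        flags.append(f"attachments present: {attachments}")
    return flags


# Constructed sample: a lure in the style of the OneDrive email discussed above.
SAMPLE_PHISH = """\
From: "Microsoft OneDrive Team" <support@onedrive-alerts.example>
Reply-To: recovery@mail-verify.example
To: user@example.org
Subject: Your OneDrive will be suspended
Content-Type: text/plain; charset=utf-8

Dear User,

Your storage quota is exceeded. Verify now or your account will be suspended within 24 hours.
Sign in at http://onedrive-verify.example/login and confirm your password.
"""

# Constructed sample: a benign notification whose links match the sending domain.
SAMPLE_LEGIT = """\
From: "Microsoft account team" <account-security-noreply@microsoft.com>
To: user@example.org
Subject: Your monthly storage summary
Content-Type: text/plain; charset=utf-8

Hi Alex,

Your monthly summary is ready at https://onedrive.microsoft.com/summary
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample))
```

    The constructed lure trips seven checks (brand/domain mismatch, foreign Reply-To, plain-HTTP link, link host outside the sender’s domain, password request, urgency wording, generic salutation) while the benign message trips none. Heuristics like these only triage; the sender and link checks in particular should be backed by the mail gateway’s SPF/DKIM/DMARC results rather than the From header alone.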

    URL Spoofing

    Unpatched Edge and Safari browsers allow attackers to spoof URLs, posing as legitimate websites and making phishing attempts much harder to spot. One of the primary methods of detecting a phishing attempt is to examine the URL to determine whether a website is fake. The vulnerability arises because the browsers allow JavaScript to update the page address in the URL bar while the page is still loading.

    Upon successful exploitation of the flaw, the attacker initially loads the legitimate web page, displaying the proper URL, before quickly replacing the content of the web page with a malicious site. Using this method, attackers can impersonate popular sites such as Gmail, Facebook, LinkedIn, various banks, etc. to steal credentials and other sensitive information.

    Recommendations:

    Microsoft has issued a patch for Edge in its latest update; however, Safari still remains vulnerable to the exploit. We recommend routinely patching all systems if they have not been already, and exercising caution when reading emails. Since this particular attempt is harder to spot, rely more on the circumstances of the email itself:

    • Should you be getting this email?
    • Were you expecting this email?
    • Verify the sender.

    The Hazards of IoT Devices

    We have smart lightbulbs, smart speakers, smart refrigerators, smart washers & dryers; they are all over our houses. The Internet of Things (IoT) has digitized many aspects of our lives. But in that acronym, IoT, something is missing.

    Developers of IoT devices want to make the lives of their customers as easy as possible. Whether it is controlling our lights or setting our homes’ temperature, the underlying goal is ease. That ease extends to making these devices easy to install on home networks. However, too often this ease leaves the door open for criminals to gain a foothold into our homes, small & mid-size businesses (SMBs) and even large corporations. The attacks range from mere nuisances (a smart refrigerator set to make ice cubes non-stop) to treachery (baby monitors hacked to eavesdrop and in some cases speak to or wake up children) to the potentially frightful (imagine an attacker determining when you’re not home and overriding your smart door locks and alarms). Offices are seeing more IoT devices, from smart displays in conference rooms to personally owned smart speakers in cubicles.

    IoT devices lack security measures for many reasons, including lower costs and faster development. The consequences include hard-coded ADMIN passwords and backdoors left by developers who forgot to close them, or because the coders were removed from the project before it was fully vetted. Should a hacker take control of one of your IoT devices, they may be able to exploit other devices on your network and compromise the confidentiality and integrity of your data.

    Clearly, the adage regarding IoT devices cannot be argued: the ‘S’ in IoT stands for ‘Security’. Make sure you take the necessary steps to secure your devices at home and in the office.

    Recommendations:

    • Always change the default login credentials: not only the password but also the username whenever possible. Consider that a hacker already has half of the username+password combination if you keep the default ADMIN. Make the password difficult to guess.
    • Always segment your IoT devices onto a wifi network separate from your primary (Home) network. Often this is as easy as using the GUEST wifi on your router. If your router lacks the ability to have 2 or more segments, it’s probably time to upgrade.
    • Businesses should ensure that the use of IoT devices complies with the corporate Acceptable Use Policy (AUP).
    • Make a calendar reminder to check your devices for firmware updates. Not all IoT devices update their firmware on their own, so make certain to install the patches to help stay ahead of vulnerabilities.
    • Evaluate whether you really need those devices in your home or office. For example: do you really need a web-enabled toaster?

    Targets of Phishing

    Researchers at the security company Proofpoint have recently found that 60% of targeted phishing attacks are directed at individual contributors and low-level management users. These attacks mainly consisted of malware or credential phishing. By comparison, upper management and executives receive only 24% of all attacks and only 5% of the targeted attacks. While this may seem like a small portion, it is disproportionately large given how small a share of the total workforce they represent.

    The recent findings come amid a continual surge of malicious email messages. Researchers have observed a more than 35% increase in email attacks in the first and second quarters of 2018 alone. While companies of every size, large and small, are targeted, companies in retail and healthcare experienced far greater growth rates for attacks compared to other sectors. Along with these findings was an 85% increase in attacks in this year’s second quarter compared to last year. Growth rates for the automotive and education industries were even larger, at 400% and 250% respectively.

    Recommendations:

    • Ensure that individual contributors and lower-level management receive the appropriate training to identify and report malicious email attacks.
    • Leverage advanced threat analysis and social media security to combat fake accounts.
    • Continue comprehensive security awareness for the entire workforce.

    How can Netizen help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Netizen Cybersecurity Bulletin: 5 September 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • 1/5 SMB Employees Share Passwords
    • 3D Printers a vector for attack
    • CamuBot and Vishing
    • Quick notice: Monero Miner Malware
    • How can Netizen Help?

    1/5 SMB Employees Share Passwords

    Most people assume that they will not be the target of a cyber attack. However, small- to mid-size businesses (SMBs) are estimated to face nearly 4,000 cyber attacks per day, and as hackers continue to refine their craft, it’s easy to assume that number will only increase. While larger companies have, perhaps, more assets to attack, smaller companies may be a softer target.

    A recent survey of 600 small business executives and employees regarding their cybersecurity habits revealed several concerning points. In particular, small business employees and leaders may be acting negligently in regards to their own security.

    The survey sought to reveal whether employee behavior helped precipitate the increase in cyber attacks. The consequences of cyber attacks can be extreme; the survey found 60% of small businesses that experienced a cyber breach are likely to go out of business within six months.

    Small businesses too often lack the manpower of larger enterprises to handle IT and security, and they often do not prioritize security education and best practices. The lack of a top-down IT security profile for the company often leads to poor cyber hygiene for the rest of the employees. Digging deeper into the survey results, 66% of SMB leaders connect to public WiFi for work, as do 44% of SMB employees. Connecting to a WiFi hotspot in a hotel or at an airport can open your business to cyber threats.

    Security education and best practices are not a priority: thirty-five percent of employees and 51 percent of leaders are convinced their business is not a target for cybercriminals, despite threats such as malware and man-in-the-middle attacks that can put your corporate and financial data in peril.

    Worse still: 62% of leaders and managers use their work computer to access social media accounts; 44% of employees were found to do this.

    Yet the absolute worst revelation from this survey was this: 1 in 5 SMB employees (22% of leaders and 19% of employees) share their email password with co-workers or assistants. There are more secure methods of sharing data that will help prevent unauthorized access.

    A top-down approach to cybersecurity will help prevent poor cyber hygiene from leading to a costly breach.

    Recommendations:

    • Never use public or unsecured wifi without using a Virtual Private Network (VPN).
    • Never share passwords; instead use collaboration software (like Microsoft SharePoint), delegated access and shared storage (such as Office 365).
    • Ensure a comprehensive Acceptable Use Policy (AUP), detailing the appropriate use of all corporate data assets, is adopted by everyone in the company.

    3D Printers a vector for attack

    Security research centers have found that over 3,500 instances of OctoPrint, a popular web interface for 3D printers, are publicly exposed to the Web. OctoPrint allows users to control and monitor their 3D printers, from starting and stopping print jobs to embedded webcam access. While not a very serious threat, it still poses several security issues that could later be used as an attack vector. With access to the printer’s code files, attackers would be able to obtain the print plans needed for an object. This could lead to a leak of valuable trade secrets, or allow modification in order to ruin future printed objects. Although rare, it is not impossible for an attacker to intentionally start a fire, given the high temperatures created during operation, by modifying the printer’s files.

    Recommendations:

    • Ensure proper access control to devices open to the internet.
    • Utilize network segmentation techniques in order to avoid system hopping.

    CamuBot and Vishing

    A new banking Trojan known as CamuBot strays from the usual tactics that Trojans take and involves a blend of social engineering; in this case, vishing (voice phishing). The malware is disguised as a security application marked with the bank’s logo and brand respective to the target. With a little reconnaissance, the threat actors target a victim that is likely to have login credentials to that bank. The victim installs the Trojan at the instructions of the “bank employee”.

    The attack is carried out under the pretense that the user needs to install the fake security tool to check the validity of the bank’s current security module. The attacker has the user load a web page (designed by the attacker) that shows the user’s software for that particular module as out of date. The user is then tricked into downloading and installing the new “module” for online banking activity with administrator privileges. Thus, the Trojan gains entry. CamuBot can also survive multi-factor authentication (MFA). When an MFA device needs to connect to the infected computer, the Trojan recognizes the challenge and installs the correct drivers for the device. From there, it is a simple matter of asking the victim to share the temporary code with the “operator” over the phone.

    Recommendations:

    We are often trained to be on the lookout for phishing emails, as we should, due to their prevalence and the damage that they can cause. However, the telephone can be equally as dangerous. CamuBot has only been spotted in Brazil, but the United States is no stranger to scams like it.  We recommend the following to help prevent falling prey to vishing:

    • Verify anyone requesting sensitive information to see if they are in fact legitimate.
    • If you believe you are being vished, ask the caller if you can call them back using the number from a card statement or from the back of the credit card.
    • Verify authenticity by asking the caller for information only the bank would know (e.g. last transaction, balance on the account, etc.).
    • Most important, employ end user awareness. The more that employees are trained to watch for phishing and vishing attempts, the more likely they are to recognize them. Employees are the first line of defense when it comes to these attacks.

    Quick Notice: Monero Miner Malware

    A new variant of Monero cryptominer malware has been discovered in the wild (technology that has gone beyond a development environment and is now a publicly used tool). Test versions from the threat actors were found in April 2018, from which it can be assumed that a general release of the miner is planned.

    These testing variants were last seen in the wild in July 2018 and are continuing to surface in honeypots, along with three other variants from the same malicious group. At this time, it is believed that a threat group, rather than a state-sponsored group, is producing the variants.

    Recommendations:

    The major defense at this time is restricting GitHub (a web-based hosting service for coders and developers) to only those who would have a business need for it, and by ensuring the following two vulnerabilities are patched:

    • Oracle WebLogic server vulnerability (CVE-2017-10271)
    • Java deserialization vulnerability in the Adobe ColdFusion platform (CVE-2017-3066).

    How can Netizen help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.
