• Netizen Cybersecurity Bulletin 23 January 2019

    In This Issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Apple Vishing Scam
    • Banking Trojan Emotet Is Back In A New Form
    • Authentication Flaw Found In Cisco SOHO Switches
    • Linux APT Flaw
    • Phish Tale of the Week
    • How Can Netizen help?

    Apple Vishing Scam

    There is a new vishing (phone phishing) scam that people are encountering that spoofs official Apple Inc phone numbers. Automated calls are going out that look official on people’s phones, displaying Apple’s logo, address, and real phone number, and warning people that there has been a data breach at Apple. The interesting, and scary, part is that the phone call is indistinguishable from legitimate calls to and from Apple in the phone’s recent calls list.

    If someone picks up this scam call, they would hear that multiple servers containing Apple user IDs have been compromised and to call back to a 1-866 number which definitely doesn’t belong to Apple. If the number is called, you would hear an automated system answer telling you that you’ve reached Apple support and your expected wait time. You’d then hear a non-English speaker, likely someone from India, ask you about your call reason.

    This is almost certainly a scheme to get unsuspecting people to divulge their personal and/or financial details, using the frightening tale of their information having been stolen. The fact that iPhones can’t tell the difference between a scammer spoofing Apple’s number and a legitimate call is worrying, as many people might fall prey to this clever tactic.

    Recommendations:

    Knowing that these types of scams exist helps immensely. If you get a seemingly official-looking call from a company you know in which they ask for personal and/or financial details, hang up, find the official company number on the company’s website, and call them back. Don’t rely on a search engine result to tell you the number, as scammers have been polluting search results to get their own numbers to appear and seem more legitimate.

    Banking Trojan Emotet Is Back In A New Form

    Companies are on alert as the infamous Emotet Trojan has re-emerged on the cybersecurity radar, ready to cause damage. What is Emotet? It is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. This Trojan was first discovered in 2014 and was originally designed to sneak onto your computer and steal sensitive and private information. Later versions of the software added spamming and malware delivery services, including other banking Trojans.

    How does the Emotet Trojan spread? It is usually spread through spam emails using a malicious script, a macro-enabled document file (like a Word attachment), or a malicious link. These emails look very legitimate, containing familiar branding designed to mimic a genuine email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies. Once it is downloaded to a victim’s computer, it behaves almost like a worm: it starts spreading across the network and installing other Trojans on the infected machine. It will also ransack your contact lists and send itself to your friends, family, coworkers, and clients. Since these emails come from your hijacked email account, they look less like spam, and the recipients, feeling safe, are more inclined to click bad URLs and download infected files. Finally, if a connected network is present, Emotet spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force attack. If the password to the all-important human resources server is simply “password,” it’s likely Emotet will find its way there.

    Why is Emotet coming back? Emotet is coming back by bypassing spam email detectors. It manages this because the Trojan is polymorphic: every time the Trojan is downloaded it changes itself to evade signature-based detection. Moreover, Emotet knows if it’s running inside a virtual machine (VM) and will lie dormant if it detects a sandbox environment. Emotet also uses C&C (Command & Control) servers to receive updates. This works in the same way as the operating system updates on your PC and can happen seamlessly and without any outward signs. This allows the attackers to install updated versions of the software, install additional malware such as other banking Trojans, or use the C&C servers as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.

    Why Should I Be Worried? Emotet can attack anyone and has no specific target list. To date, Emotet has hit individuals, companies, and government entities across the United States and Europe, stealing banking logins, financial data, and even Bitcoin wallets. One close and noteworthy Emotet attack occurred on the City of Allentown, PA; it required direct help from Microsoft’s incident response team to clean up and reportedly cost the city upwards of $1M to fix. However, in this most recent edition of the virus no activity is currently being detected in Russia, which indicates that the attackers are likely not based in Russia.

    Recommendations:

    • Keep your computer/endpoints up-to-date with the latest patches for Microsoft Windows. Emotet may rely on the Windows EternalBlue vulnerability to do its dirty work, so don’t leave that back door open into your network.
    • Don’t download suspicious attachments or click a shady-looking link. Emotet can’t get that initial foothold on your system or network if you avoid those suspect emails. Take the time to educate your users on how to spot malspam.
    • Educate yourself and your users on creating a strong password. While you’re at it, start using two-factor authentication.
    • You can protect yourself and your users from Emotet with a robust cybersecurity program that includes multi-layered protection.

    Authentication Flaw Found in Cisco SOHO Switches

    A critical and unpatched vulnerability was found in the popular Cisco Small Business Switch software that allows remote, unauthenticated attackers to gain full administrative control over the device.

    The vulnerability (CVE-2018-15439), which carries a Common Vulnerability Scoring System (CVSS) severity score of 9.8, exists because the default configuration on the devices includes a default, privileged admin user account that is used for initial login of the device and cannot be removed. The account may be disabled, but only after another user account is created with the same privilege level. Once that additional account is removed, the system automatically re-enables the default privileged account without any form of notification to system administrators.

    As these switches are used to manage a LAN, an exploit means that the remote attacker would be able to gain access to network security functions such as firewalls, or to management interfaces for administering data and wireless connectivity or VoIP network devices.

    Cisco has advised that “Under these circumstances, an attacker can use this account to log into an affected device and execute commands with full admin rights,” adding that “It could allow an unauthenticated, remote attacker to bypass the user-authentication mechanism of the affected device.”

    Currently, no patch that addresses the vulnerability is available. However, Cisco says a patch is expected to be released in the future; for now, according to the advisory, users can address the vulnerability by configuring an account using admin as the user ID, setting the access privilege to level 15, and defining the password by replacing <strong_password> with a complex password chosen by the user. By adding this user account, the default privileged account will be disabled. Make certain to record and secure the password for this switch.
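    As an added example (not from the bulletin or from Cisco), the following script audits a saved running-config for the workaround described above: it lists the administrator-created privilege-15 accounts and flags a device on which none exist, since that is exactly the state in which the default privileged account is active or has been silently re-enabled. The "username <name> ... privilege <n>" line syntax and the assumption that the factory default account does not appear as a username line are assumptions about the switch CLI; adjust the pattern to match your own device's output.

```python
from __future__ import annotations

import re

# Matches a "username <name> ..." line that carries "privilege <n>" anywhere on it.
# The line syntax is an assumption about the Cisco Small Business CLI, not taken
# from the advisory; check it against a real running-config before relying on it.
USERNAME_LINE = re.compile(
    r"^\s*username\s+(?P<name>\S+)\b(?=.*\bprivilege\s+(?P<level>\d+)\b)",
    re.IGNORECASE | re.MULTILINE,
)


def privileged_users(config_text: str) -> set[str]:
    """Return the administrator-created accounts configured at privilege level 15.

    Assumption: the factory default privileged account is not shown as a
    username line in the running-config, so only created accounts appear here.
    """
    return {
        m.group("name").lower()
        for m in USERNAME_LINE.finditer(config_text)
        if int(m.group("level")) == 15
    }


def mitigation_status(config_text: str) -> dict:
    """Audit a running-config for the CVE-2018-15439 workaround.

    The default privileged account is only disabled while at least one other
    account at the same privilege level exists. An empty set therefore means
    the default account is active (or was re-enabled when the last created
    privilege-15 account was deleted), which is the condition to alert on.
    """
    users = privileged_users(config_text)
    return {
        "privileged_users": sorted(users),
        "default_account_active": len(users) == 0,
        "advisory_account_present": "admin" in users,
    }


def mitigation_command(password_placeholder: str = "<strong_password>") -> str:
    """Build the config line the advisory describes in words (syntax is an assumption)."""
    return f"username admin privilege 15 password {password_placeholder}"


# Constructed running-config fragments for demonstration; not from a real device.
CONFIG_FACTORY = """\
hostname sb-switch
ip telnet server
"""

CONFIG_WORKAROUND = """\
hostname sb-switch
username admin password encrypted <hash> privilege 15
"""

CONFIG_LOW_PRIV_ONLY = """\
hostname sb-switch
username helpdesk password encrypted <hash> privilege 1
"""

if __name__ == "__main__":
    samples = [
        ("factory", CONFIG_FACTORY),
        ("workaround", CONFIG_WORKAROUND),
        ("low-priv", CONFIG_LOW_PRIV_ONLY),
    ]
    for label, cfg in samples:
        print(f"{label:11} {mitigation_status(cfg)}")
    print("Suggested fix:", mitigation_command())
```

Run it against `show running-config` output saved to a file; a result with `default_account_active` set to True is a device that still needs the workaround applied.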

    Linux APT Flaw

    Security research has revealed a critical remote code execution flaw in Linux APT. The vulnerability, tracked as CVE-2019-3462, is within the APT package manager, an extremely popular utility for installing, updating, upgrading, and removing software on many Linux distributions, including Debian and Ubuntu. The issue lies in APT’s failure to sanitize particular parameters during HTTP redirects; this failure opens up the potential for a man-in-the-middle (MiTM) attack in which the attacker injects malicious content and tricks the host system into installing tampered packages.

    HTTP redirects are used by APT, specifically the “apt-get” command, to let Linux machines automatically request packages from the proper mirror servers when others are unavailable. In short, if one source fails to respond, APT is redirected to the location of the next available source from which the client should request the desired package. Not only would the attacker be able to insert themselves in the middle with a malicious mirror and execute arbitrary code, but they could do so with the highest level of privileges (i.e., root). While it has not been confirmed, it is possible that this vulnerability affects all package downloads, whether a new package is being installed or an old one updated.
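    The defensive counterpart of the failure described above is a redirect target that is validated before it is followed. The following added example (not APT’s code and not from the bulletin) shows one such validator: it rejects Location values containing control characters or whitespace, non-http(s) schemes, embedded credentials, or hosts outside a trusted mirror list, and returns a reason so that rejected redirects can be logged as a detection signal. The trusted mirror set and the sample redirect responses are constructed for the demonstration.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed trust list: mirrors this client is willing to be redirected to (assumption).
TRUSTED_MIRRORS = {"deb.debian.org", "security.debian.org", "archive.ubuntu.com"}


def validate_redirect(location: str, trusted_hosts=TRUSTED_MIRRORS) -> tuple[bool, str]:
    """Decide whether a Location header value is an acceptable mirror redirect.

    Returns (accepted, reason). A redirect is accepted only when it is an
    absolute http(s) URL, carries no control characters or whitespace that a
    downstream line- or field-oriented parser could misinterpret, embeds no
    credentials, and points at a host in the trusted mirror set.
    """
    # Control characters (including CR and LF) never belong in a redirect target.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in location):
        return False, "control character in redirect target"
    if any(ch.isspace() for ch in location):
        return False, "whitespace in redirect target"
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False, f"unsupported scheme {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in redirect target"
    host = (parts.hostname or "").lower()
    if host not in trusted_hosts:
        return False, f"host {host!r} is not a trusted mirror"
    return True, "accepted"


def filter_redirects(responses):
    """Validate a list of (request_url, location) pairs.

    Returns (request_url, accepted, reason) triples so the caller can follow
    the accepted ones and log the rejections instead of silently trusting them.
    """
    return [(url, *validate_redirect(loc)) for url, loc in responses]


# Constructed redirect responses a client might see during an update run.
SAMPLE_REDIRECTS = [
    # Legitimate move to another trusted mirror.
    ("http://deb.debian.org/debian/pool/main/h/hello/hello_2.10-2_amd64.deb",
     "http://security.debian.org/debian-security/pool/main/h/hello/hello_2.10-2_amd64.deb"),
    # Line-break characters inside the target: a sign of a tampered response.
    ("http://deb.debian.org/debian/pool/main/h/hello/hello_2.10-2_amd64.deb",
     "http://deb.debian.org/debian/pool/main/h/hello/hello_2.10-2_amd64.deb\r\nX-Extra: 1"),
    # Redirect to a host outside the trust list.
    ("http://deb.debian.org/debian/dists/stretch/InRelease",
     "http://mirror.example.invalid/debian/dists/stretch/InRelease"),
    # Scheme downgrade to something the client should not follow.
    ("http://deb.debian.org/debian/dists/stretch/InRelease",
     "ftp://deb.debian.org/debian/dists/stretch/InRelease"),
]

if __name__ == "__main__":
    for url, accepted, reason in filter_redirects(SAMPLE_REDIRECTS):
        verdict = "FOLLOW" if accepted else "REJECT"
        print(f"{verdict:6} {url} -> {reason}")
```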

    Recommendations:

    A fix for the flaw has since been released in APT version 1.4.9, so it is imperative that systems be updated as soon as feasible, while also considering some other layers of security:

    • Utilize signature-based verification to protect the integrity of packages.
    • Implement HTTPS (HTTP with SSL/TLS encryption) for package sources to prevent active exploitation.

    Phish Tale of the Week

    The phishing email this week claims to be a OneDrive notification sent from a Xerox multi-function printer. Not only is the sender suspect, but closer examination of the “View Document” link shows an unknown malicious site.

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email; this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • U.S. ARMY AWARDS NETIZEN $4.8M CYBER SECURITY CONTRACT

    Allentown, PA: Netizen Corporation, an ISO 27001:2013 certified provider of cyber security solutions for defense, government and commercial markets, was awarded a $4,800,000 contract with the U.S. Army Corps of Engineers (USACE) Engineer Research and Development Center (ERDC) which began on December 1, 2018. The work under the contract includes National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) Security Control Assessment-Validation (SCA-V) and Cyber Security Engineering services for Department of Defense (DoD) systems and enclaves throughout the United States, Middle East, Europe, and Asia.

    Netizen is working with subcontractors Integration Innovation, Inc. (i3) and COLSA Corporation – both of Huntsville, AL – to ensure that military information technology (IT) infrastructure is secure and protected from a variety of cyber threats while also fully compliant with NIST RMF, the Federal Information Security Management Act (FISMA), and other requirements. This is accomplished by performing extensive security assessments and engineering consultations. This contract is a follow-on to work that Netizen has been successfully performing for the U.S. Army over the last two years.

    “Netizen is renowned for the high level of quality, skill, and expertise that we offer, as this latest contract award demonstrates. As such, our customers can be certain that the service they receive will always be top-tier. Most of them continually renew and expand existing contracts with us specifically to retain the capabilities that our team provides,” said Max Harris, Netizen’s Chief of Business Development. He added Netizen is excited to work with two highly capable and well-respected teaming partner companies, i3 and COLSA, on this contract and each company anticipates hiring several new employees.

    Netizen is not a “general information technology (IT) services company” but rather a highly specialized cyber security and compliance solutions provider that works in partnership with IT departments, information system owners/developers, and IT Managed Service Providers (MSPs) to ensure appropriate levels of security and compliance controls are implemented and maintained for all types of systems.

    About Netizen Corporation: Named the Lehigh Valley’s “Veteran Owned Business of the Year” and 7th fastest growing company, Netizen is an Allentown, PA based Veteran Owned company (SDVOSB) specializing in cyber security and related solutions for commercial and government markets. Netizen was also a recipient of the U.S. Department of Labor Platinum Medallion Award for their commitment to veteran hiring and other accolades for superior contract performance. Their new commercial-focused subsidiary, CyberSecure Solutions, is also trusted to engineer, audit, and maintain cyber security solutions for businesses of nearly every size and type worldwide. Learn more at NetizenCorp.com and goCyberSecure.com.

  • Netizen Cybersecurity Bulletin 09 January 2019

    In This Issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Law Firm Loses Money to Cyber Criminals
    • Singapore Airlines Exposes Personal Data of Frequent Flyers
    • Update: The Marriott Breach
    • Phish Tale of the Week
    • How can Netizen help?

    Law Firm Loses Money to Cyber Criminals

    A law firm unknowingly transferred €97,000, roughly $124,000, to cyber criminals. The unnamed law firm had been targeted on two separate occasions. In the first attack, the firm was to redeem a mortgage with the money payable to a fund. The email the firm had received was requesting that the money be sent to a bank account in Turkey with the account name of “Bitcoin Concept”. In this first case, the practice was able to identify the request as a fraud and therefore did not act on the email; verification steps were made to determine whether or not the bank account details were correct before transfer.

    The second attack proved to be more fruitful for the cyber criminals as the attempt was successful. Once again, an email came through asking to redeem a mortgage from an organization. The practice received an email from one of the staff members of said organization which included legitimate bank account details. Verification steps were still involved to ensure legitimacy, however, when the information was sent for final approval, the email was intercepted, and the bank account details were changed to another fraudulent bank account. The transfer was made, and money was withdrawn by the cyber criminals.

    Recommendations:

    Law firms and the financial sector in general are often targeted for the potential profit they can provide to cyber criminals. We recommend the following when transferring critical or sensitive material to others:

    • Verify. Verify. Verify. You will want to verify the individual or organization you are making a transfer or sending information to via phone call, face-to-face, or other means.
    • Email is not the most secure medium for sending extremely critical information such as bank account details; a letter or fax would be safer. If email must be used, ensure that all emails containing sensitive information are well encrypted before sending. It is also good practice not to conduct entire transactions over email.
    • Have an email security policy that is communicated and reviewed actively.
    • For banks or firms, check statements regularly for any transactions that you do not recognize.
    • Conduct continuous monitoring for unusual activity on accounts.
    • If you feel you are receiving fraudulent emails, change your passwords just to be safe.

    Singapore Airlines Exposes Personal Data of 285 Frequent Flyers

    Singapore Airlines, an international airline serving 19 million passengers annually, experienced a glitch in its software that exposed the data of 285 of its KrisFlyer frequent flyer program members. The glitch appeared after a recent website update and allowed the data of the frequent flyers to be exposed. This glitch is the most recent incident in a slew of security breaches in the airline industry, and people are calling for change in how airlines approach security.

    Recommendations:

    In the case of the airlines, these companies should be putting in place stricter policies similar to those of today’s tech companies. This breach can be a wake-up call to all businesses that operate online and handle personal data. Companies should be thinking about “who we need to secure” rather than “what we need to secure,” and those measures will help protect the customers who trust a company to protect their private information. Whether it is a software glitch or a data breach, companies need to mitigate the damage from exposed data by leveraging new technologies to correctly identify customers by their behavior online rather than by credentials that may have been stolen.

    Update: The Marriott Breach

    Netizen alerted its clients and readers in November about the data breach affecting Marriott International’s Starwood reservation database, exposing personal information of 500 million people.

    The reported details of the November breach included dates of birth and credit card numbers, as well as contact information such as mailing addresses and email addresses. Initially, Marriott acknowledged the breach included passport numbers for more than 25 million guests. However, last week the company acknowledged for the first time that 5.25 million of those passport numbers were unencrypted, that is, not encoded to prevent unauthorized access. There has been no confirmation that the hackers accessed the master encryption key needed to decrypt the encrypted passport numbers.

    Since the initial reporting, the total number of affected users has dropped to 383 million, but that many affected users would still rank this as the largest breach in history. Marriott said it had not yet determined how many of the 383 million records are duplicates involving the same guest.

    Recommendations:

    If you have been a guest at Marriott properties since 2014, monitor your credit report and look for any suspicious activity. Credit card industry experts recommend freezing your credit so that, if your information was stolen, criminals are unable to open new lines of credit in your name. If you do decide to freeze your credit, you must contact each of the three major credit bureaus individually. Marriott has sent emails to those affected, has provided guests free enrollment in WebWatcher for a year, and has set up a website for affected guests here: https://answers.kroll.com/.

    Phish Tale of the Week

    The year is still too new for any fresh phish, so we’ll simply remind you of our recommendations to stay secure:

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email; this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

  • Netizen Cybersecurity Bulletin 02 January 2019

    In This Issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Welcome 2019!
    • Tribune Newspaper Hack
    • China Hacked Hewlett Packard Enterprise Co. and IBM
    • Phish Tale of the Week
    • How can Netizen help?

    Welcome 2019!

    Welcome to 2019!

    Netizen Corporation hopes the New Year is happy, healthy, and prosperous for all.

    If you haven’t already, resolve to keep yourself and your business CyberSecure. Netizen is here to help!


    A look back at Netizen Corporation’s 2018

    Tribune Newspaper Hack

    Newspaper print operations at Tribune Publishing were disrupted by a virus over this past weekend, preventing the printing of such titles as the Los Angeles Times, New York Times, and The Morning Call of the Lehigh Valley.

    The cause was identified as a virus which is suspected of originating from overseas. It is still too early to identify why Tribune was targeted, or which nation may have been responsible, but the event is a prime reminder to review your company’s Incident Response Plan (IRP). An IRP is designed to address and manage the aftermath of a security breach or cyberattack or any other IT incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

    When more information regarding the Tribune incident is available, Netizen will detail it in a future Bulletin.

    China Hacked Hewlett Packard Enterprise Co. and IBM

    China has struck once again, this time going after Hewlett Packard Enterprise (HPE) Company and IBM, two Fortune 500 technology companies. The Chinese hackers, working on behalf of China’s Ministry of State Security, are part of the campaign known as Cloudhopper, which is said to compromise technology service providers in order to steal secrets from their clients.

    The hackers succeeded in breaching the networks of IBM and HPE, and used the access to gain entry to their clients’ computers. IBM commented on the situation, stating that “it had no evidence that sensitive corporate data had been compromised.” HPE wouldn’t comment on the hacking.

    Businesses and governments are increasingly looking to technology companies known as managed service providers (MSPs) to remotely manage their technology operations, including servers, storage, networking, and help-desk support. The Cloudhopper campaign targets MSPs to access client networks and steal corporate secrets from companies around the globe, according to a U.S. federal indictment of two Chinese nationals.

    One way to protect your company from such an attack is to make sure your MSP is taking the proper steps to protect your assets. Make sure your company implements strict policies on how to handle data and applies least-privilege access to sensitive data. Another way to protect your company is to implement a good password policy and to check regularly for abnormal or suspicious logins.

    Phish Tale of the Week

    The year is still too new for any fresh phish, so we’ll simply remind you of our recommendations to stay secure:

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email; this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

  • Netizen Cybersecurity Bulletin 19 December 2018

    In This Issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • WordPress 5.0 Patched to Fix Serious Bugs
    • Logitech Keystroke Injection Flaw
    • Three Question Quiz Scam
    • Beware of Threats By E-Mail
    • Phish Tale of the Week
    • How can Netizen help?

    WordPress 5.0 Patched to Fix Serious Bugs

    WordPress recently updated to 5.0.1 after a number of serious bugs were reported in the recently released WordPress 5.0. WordPress is an open-source content management system, built on PHP and MySQL, used to create websites such as blogs, media galleries, forums, and online stores. The update addresses several flaws in the initial 5.0 release.

    • Sensitive Data Exposure: The most serious of the bugs allowed the WordPress “user activation screen” to be indexed by Google and other search engines, leading to the possible public exposure of email addresses and in some rare cases, the default generated passwords.
    • PHP Object Injection: Contributors could craft metadata in a certain way that can result in PHP object injection. The vulnerability allows an author to assign an arbitrary file path that uses a PHAR stream wrapper from a previously uploaded attachment which leads to the object injection. These PHAR file types store serialized objects in the metadata of the PHAR file.
    • Unauthorized Post Creation: Authors of a site could create posts of unauthorized post types with specially crafted input. The attacker would need at least ‘author’ level privilege to be able to perform the attack.
    • Privilege Escalation/Cross-site Scripting: Contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability. This is another vulnerability that requires a higher-level user role, making the likelihood of widespread exploitation quite low. WordPress addressed this issue by removing the <form> tag from their HTML white-list.
    • Unauthorized File Deletion: Author-level users could alter metadata to delete files that they weren’t authorized to modify. This issue stems from the two arbitrary file delete vulnerabilities fixed in WordPress 4.9.6.

    RECOMMENDATIONS:

    Sites on WordPress 5.0 should update to version 5.0.1 as soon as possible. Those with automatic updates enabled for WordPress core should have already been updated, but given the nature of the vulnerabilities, we recommend you check your sites manually just in case. Sites running WordPress 4.x versions should update to version 4.9.9 as soon as possible.

    Logitech Keystroke Injection Flaw

    Logitech’s ‘Options’ application, which allows users to customize the functionality and behavior of their mice, keyboards & trackpads, still has a vulnerability that allows an attacker to perform keystroke injection attacks more than three months after being alerted by a bug report from Google’s Project Zero.

    Google security researcher Tavis Ormandy first discovered back in September that the app was opening a WebSocket server on users’ machines. The server in question supported a number of intrusive commands and used a registry key to auto-start on each system boot. Ormandy detailed in the report how the software bug allowed someone to take control of a user’s system:

    “The only ‘authentication’ is that you have to provide a PID [process ID] of a process owned by your user but you get unlimited guesses so you can bruteforce it in microseconds. After that, you can send commands and options, configure the ‘crown’ to send arbitrary keystrokes, etc, etc.”

    Logitech has released two updates to the application since being informed, but it appears that the issue still persists.

    RECOMMENDATIONS:

    If you are using the Logitech Options application, disable it until a fix has been released.

    Three Questions Quiz Scam

    An estimated 78 brands have been impersonated over the last year in what can be described as a well-organized online phishing scheme. Users are tricked into handing over personal information to the threat actor behind a malicious website, supposedly after winning a prize for answering three questions.

    The phishing campaign targeted four separate industries: airline travel, retail, food, and entertainment; airline travel was the largest targeted industry at 32.34 percent of malicious domains, targeting 23 companies. A handful of the companies impersonated include Kroger, Dunkin’ Donuts, United Airlines, JetBlue, Target, Outback Steakhouse, and Disneyland.

    While each phish attempt is tailored to a particular organization, the phishes do share some similarities. For instance, like many phishing emails, they try to rush the user by employing urgent language (“This offer will expire soon!”). They also try to lace the email with social media profiles of other “winners” of the quiz to appear legitimate.

    After completing the quiz, the user is told they will win a prize (plane ticket, gift card, etc.) but that they need to divulge some information about themselves and to share the link to the quiz, which helps propagate the scam across the internet.

    The “Quiz” has also evolved to allow for automatic translation capabilities and the creation of new fake social media profiles. It is likely this method of phishing will be used in the future.

    Anything unsolicited should always be suspect, but our phishing recommendations at the bottom of this bulletin highlight ways to recognize and verify scams like this one.

    Beware of Threats By E-Mail

    In a return to some older tactics and plays, new extortion emails are not threatening your computer data with ransomware, they are threatening you — a new wave of emails demanding payment in bitcoin claims to have planted a bomb in your office or facility. This may come from a “disgruntled employee” or be a random message. Other variations are more personal, threatening the use of acid.

    Ensure your employees know what to do in case of a bomb or personal threat at your facility, and make them aware of these types of messages. While such threats cannot be ignored completely, they do warrant a level of review, especially the more personal ones, to ensure the safety of your people.

    Phish Tale of the Week


    Netizen captures many phishes each month, which we feature here. This week one of our users was sent an email claiming to be from the IRS with an attached voicemail. The “voicemail”, as it turns out, leads to some unknown link. The overall format and sender make this email less than reputable.

    RECOMMENDATIONS:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated with suspicion. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • NETIZEN AWARDED U.S. NAVY SEAPORT NextGen (NxG) CONTRACT WITH $52.5B CEILING VALUE

    Allentown, PA: Netizen Corporation, an ISO 27001:2013 certified Service Disabled Veteran-Owned provider of cyber security and related solutions for defense, government and commercial markets, has been awarded the U.S. Navy’s SeaPort Next Generation (NxG) contract. SeaPort NxG is the Navy’s primary contract vehicle and advanced electronic platform for acquiring support services in functional areas including Engineering, Information Technology (IT), Cyber Security, and Program Management.

    The SeaPort NxG contract has a ceiling value of $52,500,000,000 ($52.5 billion dollars) and will serve as a primary avenue through which the Navy procures a wide variety of IT, cyber security, professional services, and engineering solutions over the next 10 years. Contracts such as these provide streamlined access to fulfill customer requirements with more limited competition through a select pre-qualified pool of vendors chosen by the government. A key requirement for earning this contract was demonstrated successful experience supporting technical U.S. Navy programs, which Netizen has and continues to perform at various locations around the country.

    “We are very proud to have been awarded this crucial contract vehicle which will provide the primary means of access to future U.S. Navy work for us. Netizen currently provides advanced, well-regarded support for Navy organizations to aid in achieving their individual missions and protecting critical defense assets and infrastructure. We intend to continue expanding upon that work by leveraging this contract and our reputation as a premier supplier of cyber security, NIST RMF, and related products, services and solutions,” said Max Harris, Netizen’s Chief of Business Development.

    Netizen is not a “general information technology (IT) services company” but rather a highly specialized cyber security and compliance solutions provider that works in partnership with IT departments, information system owners/developers, and IT Managed Service Providers (MSPs) to ensure appropriate levels of security and compliance controls are implemented and maintained for all types of systems.

    About Netizen Corporation: Named the Lehigh Valley’s “Veteran Owned Business of the Year” and the region’s 7th fastest growing company, Netizen is an Allentown, PA based Veteran-Owned company (SDVOSB) specializing in cyber security and related solutions for commercial and government markets. Netizen was also a recipient of the U.S. Department of Labor Platinum Medallion Award for their commitment to veteran hiring and other accolades, such as FedHealthIT 100 and CDCA Innovation Spotlight awards, for several of their products and services. Their new commercial-focused subsidiary, CyberSecure Solutions, is also trusted to engineer, audit, and maintain cyber security solutions for businesses of nearly every size and type worldwide. Learn more at NetizenCorp.com and goCyberSecure.com.

  • Netizen Cybersecurity Bulletin 12 December 2018

    In This Issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Kubernetes Vulnerability
    • phpMyAdmin Critical Software Update
    • Phish Tale of the Week
    • How can Netizen help?

    Kubernetes Vulnerability

    Kubernetes, a Linux container orchestrator, has revealed a flaw in its code that allows privilege escalation for both authorized and unauthorized users. What started out as a bug report on GitHub quickly turned into a realization by the developers of the implications of said bug.

    The scope of this vulnerability increases its severity: it has existed in every version of Kubernetes since v1.0. Fortunately, the Kubernetes team has released patches for the vulnerability. The next question is how quickly enterprise users will patch their own installations.

    RECOMMENDATIONS:

    If your organization uses Kubernetes, make sure to update any deployed instances to versions 1.10.11, 1.11.5, 1.12.3 or 1.13.0-rc1. If your organization is unable to update, mitigation steps have been published here: https://github.com/kubernetes/kubernetes/issues/71411

    phpMyAdmin Critical Software Update

    phpMyAdmin, one of the most popular MySQL database management tools, has issued a new patch, version 4.8.4, which fixes numerous important vulnerabilities. phpMyAdmin is an open-source (free) administration tool offering a graphical user interface via a browser for MySQL, which in turn is an open-source relational database management system. phpMyAdmin is so popular that many web hosting services preinstall the software within their control panels to assist admins in managing the databases behind their websites, including big platforms like WordPress. Alongside some smaller bug fixes, three main critical vulnerabilities were patched:

    • Local file inclusion (CVE-2018-19968) — phpMyAdmin versions from at least 4.0 through 4.8.3 include a local file inclusion flaw that could allow a remote attacker to read sensitive contents from local files on the server through its transformation feature.
    • Cross-Site Request Forgery (CSRF)/XSRF (CVE-2018-19969) — phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 include a CSRF/XSRF flaw which, if exploited, could allow attackers to “perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes” just by convincing victims to open specially crafted links.
    • Cross-site scripting (XSS) (CVE-2018-19970) — The software also includes a cross-site scripting vulnerability in its navigation tree, affecting versions from at least 4.0 through 4.8.3, through which an attacker can inject malicious code into the dashboard via a specially crafted database/table name.

    RECOMMENDATIONS:

    The most obvious recommendation we can make is that if you are using phpMyAdmin, you need to update it to the most current version (4.8.4). While the solution is simple, it serves as an important reminder to keep systems patched and updated regularly. If a patch is forgotten or brushed aside because it is not deemed dire enough to deal with, you could be leaving your organization open to attack; it may take 3 months or 3 years, but it only takes one breach to cost the company dearly—both in finances and reputation.

    Phish Tale of the Week


    Netizen captures many phishes each month, which we feature here. This week one of our users was being spammed by an agent claiming to be from the Department of Veterans Affairs. This email was sent to the user numerous times. The email was unsolicited, claiming that a payment was received that was never even made; it was vague, and an untitled document was attached as well.

    RECOMMENDATIONS:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated with suspicion. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • NETIZEN WINS CHARLESTON DEFENSE SUMMIT INNOVATION SPOTLIGHT AWARD FOR CYBERSECURE PLATFORM

    Allentown, PA: Netizen Corporation, an ISO 27001:2013 certified provider of cyber security and related solutions for defense, government and commercial markets was recognized as the Innovation Spotlight Award winner at the Charleston Defense Contractors Association (CDCA) Defense Summit on December 5th and 6th for their CyberSecure Dashboard software product.

    The CyberSecure Dashboard is designed to allow senior-level staff to view and track cyber risk, compliance, and vulnerability information across an entire enterprise in order to enable better governance and management of an organization’s cyber security stance. Also proposed was an innovative way to address gaps in medical device cyber security by leveraging the product as well. The CyberSecure Dashboard collects risk and vulnerability data from a variety of sources and tools, then aggregates it into a simplified cyber reporting and intelligence platform for users ranging from entry-level technicians to executive leaders. Risks and vulnerabilities can be tracked to resolution and automatically validated when a fix or change is implemented for a given system.

    “We are very proud that our CyberSecure Dashboard, already in use by commercial customers both large and small around the country to manage the compliance and security of their technology environments, was recognized for its innovative nature. It goes to show that our team, which includes Jon Berns, the lead engineer, and Max Harris, the product manager, are experts at identifying and solving major problems encountered by customers,” said Michael Hawkins, Netizen’s Chief Executive Officer.

    Netizen is not a “general information technology (IT) services company” but rather a highly specialized cyber security and compliance solutions provider that works in partnership with IT departments, information system owners/developers, and IT Managed Service Providers (MSPs) to ensure appropriate levels of security and compliance controls are implemented and maintained for all types of systems.

    About Netizen Corporation: Named the Lehigh Valley’s “Emerging Business of the Year”, “Veteran Owned Business of the Year”, and 7th fastest growing company, Netizen is an Allentown, PA based Veteran-Owned company (SDVOSB) specializing in cyber security and related solutions for commercial and government markets. Netizen was also a recipient of the U.S. Department of Labor Platinum Medallion Award for their commitment to veteran hiring and other accolades for superior contract performance. Their new commercial-focused subsidiary, CyberSecure Solutions, is also trusted to engineer, audit, and maintain cyber security solutions for businesses of nearly every size and type worldwide. Learn more at NetizenCorp.com and goCyberSecure.com.

  • Netizen Cybersecurity Bulletin 5 December 2018

    In This Issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Massive Starwood Hotels breach affects 500 million guests
    • Zoom Flaw Open to Conference Hijacking
    • Q: What Happened to Quora? A: Data Breach Affecting 100 million users
    • 1-800-Flowers Victim of Latest Payment Breach
    • Phish Tale of the Week
    • How can Netizen help?

    Massive Starwood Hotels breach affects 500 million guests

    Starwood Hotels (a Marriott subsidiary) has revealed that guests have had their personal information exposed in a breach that began in 2014 and continued until this past September. According to their statement:

    For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

    What remains unknown is the identity of the perpetrators and if any guests’ records have been sold or used by any other malicious actors.

    The larger problem is that the amount of information available for many guests could be used to do great harm elsewhere, such as opening new lines of credit, or could give insight into the traveling habits of global or business leaders.

    RECOMMENDATIONS:

    Monitor your credit report and look for any suspicious activity. Credit card industry experts recommend freezing your credit so that, if your info was stolen, criminals are unable to open new lines of credit in your name. If you do decide to freeze your credit, you must contact the three major credit bureaus individually. Marriott has sent emails to those affected and has provided guests free enrollment in WebWatcher for a year; they have also set up a website for affected guests here: https://answers.kroll.com/.

    Zoom Flaw Open to Conference Hijacking

    The popular desktop conferencing software, Zoom, contains a serious vulnerability that could allow a remote attacker to hijack screen controls and perform actions like kicking attendees out of meetings. The flaw could be exploited in three scenarios: a current Zoom attendee could trigger it (though this is less likely), an attacker on the same Local Area Network (LAN) could take advantage of it, or, in theory, an attacker could remotely hijack an ongoing Zoom meeting over the Wide Area Network (WAN).

    The vulnerability itself derives from a flaw within Zoom’s internal messaging pump, a feature that Zoom uses to wait for and send messages in the program. The pump dispatches both client User Datagram Protocol (UDP) and server Transmission Control Protocol (TCP) messages to the same message handler. Because the process operates this way, an attacker can potentially create and send a UDP message that would then be interpreted as a known and trusted TCP message used by authorized Zoom servers. Malicious actions by the attacker can include hijacking screen controls when a desktop is shared, spoofing chat messages to impersonate attendees, or kicking and locking out attendees from the conference call.
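    To make the design flaw concrete, the following is a constructed Python sketch added here (not Zoom’s code): a message pump that feeds both UDP and TCP messages to one handler, beside a version that accepts server-only commands solely from the TCP channel and reports the rest for logging. The message kinds, field names and the meeting model are assumptions made for the illustration.

```python
"""Constructed illustration (not Zoom's code) of a message pump that
dispatches messages from two transports to one handler, beside a
version that checks which transport a control message arrived on."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Control messages that, in the design described above, only the
# conferencing server should be able to issue to a client (assumed set).
SERVER_ONLY = {"kick", "lock", "take_control"}


@dataclass
class Message:
    kind: str                         # e.g. "chat", "kick", "lock"
    sender: str                       # claimed sender; not verified by UDP
    transport: str                    # "tcp" (server channel) or "udp" (peer channel)
    payload: Dict = field(default_factory=dict)


@dataclass
class Meeting:
    attendees: Set[str]
    locked: bool = False
    chat_log: List[Tuple[str, str]] = field(default_factory=list)


def apply(meeting: Meeting, msg: Message) -> None:
    """Shared handler: acts on the message kind alone, never on its origin."""
    if msg.kind == "kick":
        meeting.attendees.discard(msg.payload["target"])
    elif msg.kind == "lock":
        meeting.locked = True
    elif msg.kind == "chat":
        meeting.chat_log.append((msg.sender, msg.payload["text"]))


def pump_vulnerable(meeting: Meeting, queue: List[Message]) -> List[Message]:
    """Flawed pattern: every message, whatever its transport, reaches the
    same handler, so a UDP message can carry a server-only kind."""
    for msg in queue:
        apply(meeting, msg)
    return []                         # nothing is ever rejected


def pump_hardened(meeting: Meeting, queue: List[Message]) -> List[Message]:
    """Fixed pattern: server-only kinds are honoured only when they arrive
    over the authenticated TCP channel; anything else is dropped and
    returned so the caller can log it as a detection event."""
    rejected = []
    for msg in queue:
        if msg.kind in SERVER_ONLY and msg.transport != "tcp":
            rejected.append(msg)
            continue
        apply(meeting, msg)
    return rejected


def sample_queue() -> List[Message]:
    """Constructed traffic: a legitimate chat over UDP, a genuine server
    'lock' over TCP, and a 'kick' that arrived over the UDP peer channel."""
    return [
        Message("chat", "alice", "udp", {"text": "hi"}),
        Message("lock", "server", "tcp"),
        Message("kick", "server", "udp", {"target": "bob"}),
    ]


def run(pump: Callable[[Meeting, List[Message]], List[Message]]) -> Tuple[List[str], bool, int]:
    """Feed the sample queue through a pump and report the resulting
    attendee list, lock state and number of rejected messages."""
    meeting = Meeting(attendees={"alice", "bob"})
    rejected = pump(meeting, sample_queue())
    return sorted(meeting.attendees), meeting.locked, len(rejected)


if __name__ == "__main__":
    print("vulnerable:", run(pump_vulnerable))   # bob is removed by a UDP message
    print("hardened:  ", run(pump_hardened))     # bob stays; one message rejected
```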

    RECOMMENDATIONS:

    Impacted Systems:

    • Zoom 4.1.33259.0925 for macOS and Windows 10
    • Zoom 2.4.129780.0915 for Ubuntu

    This also affects both one-on-one (P2P) meetings as well as group meetings streamed through Zoom servers.

    Zoom has since patched this issue for Windows and macOS. However, the problem persists on Ubuntu systems, and Zoom is currently working on an update. If for some reason patches cannot be applied, we recommend using other avenues of web conferencing, such as WebEx or Skype.

    Q: What Happened to Quora?
    A: Data Breach That Affected 100 million users

    The question and answer website Quora announced on Monday that as many as 100 million of its users had their data breached by a malicious third party.

    CEO Adam D’Angelo reported the breach in a company blog posting, noting that the exposed data mainly consists of data that users have publicly shared. Such data includes email address, questions, answers, comments, up-votes, and down-votes.

    Of some concern is that users’ encrypted password hashes were breached. Encrypted password hashes are the result of unique algorithmic calculations performed on the password you enter, resulting in a string, or hash. A strong hash cannot be decoded back into the password, but the same input always produces the same hash; this is how your password is checked to gain access to Quora.

    RECOMMENDATIONS:

    • While it is highly unlikely any users’ password hashes can be cracked, using different passwords for different sites is your best defense against breaches such as this one.
    • Quora users should change their login password to strengthen their security.
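    To illustrate the hashing explanation above and the first recommendation, here is a constructed Python example added here (not Quora’s implementation) of storing a salted password hash, checking a login against it, and auditing which of your own accounts would still open with one reused password. The site names, salts, iteration count and passwords are assumptions for the example.

```python
"""Constructed example (added here, not Quora's implementation) of how a
salted password hash is stored and checked, and why a password reused at
another site is still at risk after a breach."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 100_000   # PBKDF2 work factor; an assumed value for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex'. A random per-user salt means two accounts
    with the same password store different strings."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt: the same input gives the
    same output, which is how a login check works without decoding anything."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def accounts_sharing_password(stored_by_site: Dict[str, str], password: str) -> List[str]:
    """Defender-side audit: given the hashes your own accounts store, list the
    sites where a single leaked password would still log in."""
    return sorted(site for site, stored in stored_by_site.items()
                  if verify_password(stored, password))


def demo_accounts() -> Dict[str, str]:
    """Constructed sample: two sites reuse one password, a third does not.
    Fixed salts are used so the result is reproducible."""
    return {
        "quora.example": hash_password("correct horse battery", salt=b"q" * 16),
        "mail.example": hash_password("correct horse battery", salt=b"m" * 16),
        "bank.example": hash_password("a different passphrase", salt=b"b" * 16),
    }


if __name__ == "__main__":
    accounts = demo_accounts()
    # Different salts: the two reused-password hashes are not the same string,
    # so a leaked hash cannot simply be replayed at the other site.
    print(accounts["quora.example"] != accounts["mail.example"])
    # But the reused password itself still opens both accounts.
    print(accounts_sharing_password(accounts, "correct horse battery"))
```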

    1-800-Flowers Victim of Latest Payment Breach

    Canadian online flower shop 1-800-Flowers has been a recent victim of a payment breach which researchers say dates back over four years.

    The site’s operating company recently filed a notice with the attorney general’s office in California in compliance with the state’s data breach notification requirements. This comes after the security team found suspicious behavior back in October and discovered that there had been unauthorized access to payment card data used to make purchases on the Canadian website. This information includes first and last name, payment card number, expiration date, and card security code.

    The company believes that the data exposure lasted from mid-August 2014 until mid-September of this year. There is little information regarding how the information was being leaked, but researchers think that it was card-skimming malware installed on a misconfigured website, which would account for the long window of the breach.

    There is also little information on how many were impacted by this breach, but based on the filing in California, which requires notification if 500 or more are affected, a significant number were found to have been affected. A Canadian newspaper has reported that over 75,000 Canadian orders were involved in the breach. A spokesman for the company has said the issue affected “a small number of orders,” as the US website was not affected.

    Phish Tale of the Week


    Netizen captures many phishes each month, which we feature here. This week one of our users received several emails suggesting that an audio message was left in the user’s voicemail, prompting the recipient to click on a file download titled “VoiceMessage.wav”. This email was spammed to the user numerous times. Given the repeated emails, the unprofessional appearance, the fact that it is unsolicited, and the sender’s Japanese top-level domain (.jp), we believe without a doubt that this is a phishing attempt. It can also be seen that the .wav file is actually a link to a website.

    RECOMMENDATIONS:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated with suspicion. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • Netizen ALERT: Marriott Breached

    Marriott has today revealed that its Starwood guest reservation database has been subject to unauthorized access “since 2014”. The scope of the data breach is huge, covering nearly five years and approximately 500 million guests.

    The company has created a website to deal with the breach at info.starwoodhotels.com (note that at the time of writing it redirects to answers.kroll.com).

    Who’s affected?

    The company warns that if you made a reservation at one of its Starwood brands in the last five years then you are at risk: If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved.

    Netizen Recommends: If you have stayed at Marriott properties since 2014, you should update the password you use on the reservation website and the email account you use to access that Marriott website. It is possible that the credit card you have used with Marriott has been exposed, so you should consider contacting your card issuer to request a non-emergency card reissue.

    Details can be found here.