• Netizen Cybersecurity Bulletin: 26 September 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Phish Tale of the Week!
    • Cisco Video Surveillance Manager Vulnerability
    • FEMA Tests Emergency Alert System to Mobile Devices
    • A Frozen Firefox Attack
    • How can Netizen Help?

    Phish Tale of the Week

This week’s phishing email claims it originates from SharePoint. This one is poorly formatted, refers to fax reports that we do not receive, and looks unprofessional overall:

(screenshot of the phishing email, not reproduced)

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
• Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    Cisco Video Surveillance Manager Vulnerability

A critical vulnerability in the Cisco Video Surveillance Manager (VSM) software has been disclosed that allows unauthenticated access: a remote attacker could log in to an affected system and execute arbitrary commands as the root user. The vulnerability is a straightforward one in that the affected versions ship with static, default credentials for the root account.

Fortunately these default credentials are not documented publicly, but exploitation remains a very real possibility. The static credentials exist because the root account of the affected software was not disabled before the software was installed on the affected platforms. As it stands, there has been no word of any exploits circulating “in the wild.”

    Recommendations:

There are no workarounds for this issue; however, Cisco has released patches for the affected versions:

    • VSM 7.10
    • VSM 7.11
    • VSM 7.11.1

    Affected versions are vulnerable if running on the following Cisco Connected Safety and Security Unified Computing System (UCS) platforms:

    • CPS-UCSM4-1RU-K9
    • CPS-UCSM4-2RU-K9
    • KIN-UCSM5-1RU-K9
    • KIN-UCSM5-2RU-K9

    Versions not affected:

    • Cisco VSM Software Releases 7.9 and earlier
• Cisco VSM Software Releases 7.10, 7.11, and 7.11.1 running on CPS-UCSM4-1RU-K9 and CPS-UCSM4-2RU-K9 platforms if Cisco VSM Software Release 7.9 or earlier was preinstalled on the platform by Cisco and the software was subsequently upgraded to Release 7.10, 7.11, or 7.11.1 by the customer
    • Cisco VSM Software that is running on the VMware ESXi platform

Before upgrading, confirm that each device has sufficient memory and that its current hardware and software configuration remains supported by the patched release, and take a complete, tested backup of the current device configuration first.

FEMA Tests Emergency Alert System to Mobile Devices

    Netizen frequently provides details of phishing attempts, but this week we are bringing to your attention news of an alert which will come to your mobile device:

The Federal Emergency Management Agency (FEMA), in coordination with the Federal Communications Commission (FCC), will conduct a nationwide test of the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) on October 3, 2018. The WEA portion of the test commences at 2:18 p.m. EDT, and the EAS portion follows at 2:20 p.m. EDT. The test will assess the operational readiness of the infrastructure for distribution of a national message and determine whether improvements are needed.

The WEA test message will be sent to cell phones that are connected to wireless providers participating in WEA. This is the fourth EAS nationwide test and the first national WEA test. Previous EAS national tests were conducted in November 2011, September 2016, and September 2017 in collaboration with the FCC, broadcasters, and emergency management officials in recognition of FEMA’s National Preparedness Month.

The test message will be similar to the regular monthly EAS test messages with which the public is familiar. The EAS message will include a reference to the WEA test:

    “THIS IS A TEST of the National Emergency Alert System. This system was developed by broadcast and cable operators in voluntary cooperation with the Federal Emergency Management Agency, the Federal Communications Commission, and local authorities to keep you informed in the event of an emergency. If this had been an actual emergency an official message would have followed the tone alert you heard at the start of this message. A similar wireless emergency alert test message has been sent to all cell phones nationwide. Some cell phones will receive the message; others will not. No action is required.”

    The WEA test message will have a header that reads “Presidential Alert” and text that says:

    “THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed.”

    The WEA system is used to warn the public about dangerous weather, missing children, and other critical situations through alerts on cell phones. The national test will use the same special tone and vibration as with all WEA messages (i.e., Tornado Warning, AMBER Alert).

    Additional information can be found at https://www.fema.gov/emergency-alert-test

    Frozen Firefox Attack

A recently released proof-of-concept attack uses JavaScript to crash or freeze recent versions of Mozilla Firefox when a victim visits a specially crafted web page.

The source code for this attack was released on Sunday, September 23rd by a security researcher, who dubbed it Browser Reaper. The attack is said to crash Firefox versions 62.0.2 and earlier.

The same researcher has also released Browser Reaper variants for Chrome and Safari. This follows a proof-of-concept released last week that caused iOS devices to crash and restart when visiting a web page containing specially crafted Cascading Style Sheets (CSS) and HTML, the building blocks of most websites today.

Browser Reaper relies on JavaScript, one of the three core technologies behind the majority of websites. JavaScript allows for a more interactive browsing experience, but it can also be used for nefarious purposes. In the case of Browser Reaper, the page generates a file with a very long name and repeatedly attempts to download it to your computer. Doing this millions of times within a short period overwhelms the browser, which eventually freezes or crashes.

    Recommendations:
    • Practice safe browsing practices by being wary of suspicious links.
• Consider using a browser add-on that blocks JavaScript and other active content by default, enabling it only for sites you trust.
    • Continue to update web software at regular intervals.

    How can Netizen help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Netizen Cybersecurity Bulletin: 19 September 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Phish Tale of the Week!
    • Top Threats Facing Industrial Networks
    • WannaMine Worm
    • The Cost of Cyber Crime
    • How can Netizen Help?

    Phish Tale of the Week!

    This week’s phishing email claims it originates from Office 365:

(screenshots of the phishing email, not reproduced)

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
• Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    Top Threats Facing Industrial Networks

Across the nation, and in our commonwealth, industrial control systems (ICS) share a common heritage: they were designed before cyber threats were understood and lack built-in security controls. This critical infrastructure, and the industrial control networks that manage it, is under real and active threat from a variety of malicious actors, ranging from nation-states and politically or financially motivated hackers to insiders and disgruntled ex-employees.

    ICS control dams, bridges, electrical generation plants, and other systems that operate in the background yet provide vital services. A breach of an ICS network can be disastrous, ranging from physical and environmental damage and costly downtime for manufacturing processes to putting lives at risk.

    We’ll look at some of the biggest threats to these infrastructure systems:

1. Poor Network Configuration: None of these critical systems should have unfettered access to the Internet, yet many were installed without even a firewall. ICS should be segregated in a tightly controlled subnet, with access limited to the hosts that genuinely need it.
2. Poor Audit Control: Older ICS may not have any audit functions, and those that do may not be routinely reviewed by IT security staff. As with all IT systems, proper audit control is essential to maintaining a secure posture. If the ICS lacks its own auditing, seek adequate alternatives, such as passive monitoring of the control network, to mitigate this gap.
3. Insufficient Patching: Just as your operating system and applications receive software patches, ICS should as well. Systems that aren’t patched regularly are open to exploits, and systems that are beyond end-of-life (EOL) should be replaced or otherwise fortified to minimize the exposure.
4. Employee Carelessness or Ignorance: As with any IT environment, ICS are exposed to phishing attacks, social engineering, and risky browsing behavior. These activities can compromise the corporate IT network, from which an attacker can move laterally into the control network.

      Security training, network segmentation, and multifactor authentication can all help prevent breaches caused by employee lack of awareness, policy violations, or human error.

5. Insider Attacks: Disgruntled employees or improper assignment of privileges can lead to industrial espionage or sabotage. Performing a risk assessment to identify and address vulnerabilities such as over-privileged accounts, insiders with access to resources they don’t need to do their jobs, and orphaned accounts is essential to reducing the attack surface for insider threats.
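
As an added example (not from the bulletin) of the compensating audit control suggested under item 2, and of the write-path restriction implied by item 1, the following Python parses Modbus/TCP frames taken from a network tap and alerts on write requests from any host other than the engineering workstation, as well as on malformed frames. The captured frames, the PLC and HMI addresses, and the authorized-writer address are constructed for illustration.

```python
"""Passive Modbus/TCP write auditing for ICS that lack native audit logging.

Added example; the frames and the authorized-writer address are constructed."""
import struct
from collections import namedtuple

# Modbus function codes that change PLC state. Reads (1-4) are not alerted on.
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Assumed: only the engineering workstation is allowed to issue writes
AUTHORIZED_WRITERS = {"10.10.5.20"}

Frame = namedtuple("Frame", "src dst payload")   # src/dst are IPv4 strings, payload is the TCP data


def parse_mbap(payload):
    """Parse the 7-byte MBAP header and function code; return None for malformed frames.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts unit id + PDU, so it must equal len(payload) - 6."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    rec = {"tid": tid, "unit": unit, "fc": fc, "exception": bool(fc & 0x80)}
    # Decode the starting address of the common write requests (request direction only)
    if fc in (5, 6) and len(payload) >= 12:
        rec["address"], rec["value"] = struct.unpack(">HH", payload[8:12])
    elif fc in (15, 16) and len(payload) >= 12:
        rec["address"], rec["quantity"] = struct.unpack(">HH", payload[8:12])
    return rec


def audit(frames):
    """Return alert strings for writes from unauthorized hosts and for malformed frames."""
    alerts = []
    for f in frames:
        rec = parse_mbap(f.payload)
        if rec is None:
            alerts.append(f"MALFORMED {f.src}->{f.dst}: {f.payload.hex()}")
        elif rec["fc"] in WRITE_FUNCTIONS and f.src not in AUTHORIZED_WRITERS:
            alerts.append(f"UNAUTHORIZED WRITE {f.src}->{f.dst} unit {rec['unit']}: "
                          f"{WRITE_FUNCTIONS[rec['fc']]} at address {rec.get('address')}")
    return alerts


# Constructed capture: a read from the HMI, an authorized write, a rogue write, a bad frame
SAMPLE_FRAMES = [
    Frame("10.10.5.30", "10.10.5.2", bytes.fromhex("000100000006" "01" "03" "0000000a")),  # read 10 regs
    Frame("10.10.5.20", "10.10.5.2", bytes.fromhex("000200000006" "01" "05" "0010ff00")),  # coil 16 ON
    Frame("10.10.5.77", "10.10.5.2", bytes.fromhex("00030000000b" "01" "10" "00000002" "04" "00010002")),
    Frame("10.10.5.77", "10.10.5.2", bytes.fromhex("000400000006" "01" "06" "00")),        # truncated
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FRAMES):
        print(alert)
```

The audit works on frames already split out of the TCP stream (for example by a capture tool). On a real tap you would also baseline the read traffic, so that a new reader, not only a new writer, stands out, and feed the alerts into whatever log review process the rest of the IT estate already has.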

    WannaMine Worm

A fileless, PowerShell-based, Monero-mining worm known as WannaMine has made a resurgence. It recently infected a Fortune 500 company, affecting dozens of domain controllers and about 2,000 endpoints after gaining access through an unpatched SMB server. WannaMine detects whether it has landed on a 32-bit or 64-bit system, registers a scheduled task so that it persists across reboots, and even changes the power management settings so the system does not go to sleep and mining continues uninterrupted. Further, WannaMine kills any process using ports associated with cryptocurrency-mining pools (3333, 5555, 7777) and then runs its own miner on port 14444.

    Recommendations:

    WannaMine has been associated with the following IP addresses:

(list of indicator IP addresses, originally provided as an image, not reproduced)

We also recommend routine updating and patching, as WannaMine spreads with the same EternalBlue SMB exploit that was abused by WannaCry; applying Microsoft’s MS17-010 update mitigates this vector. However, WannaMine can also spread by using password-cracking tools to find weak credentials on the network, which is why we also recommend complex passwords supplemented by Multifactor Authentication (MFA) such as a code, app, or text.
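
The behaviours described above (listeners or connections on the mining-pool ports, and a scheduled task that launches hidden or encoded PowerShell) can be hunted for on a suspect host. The Python below is an added example, not part of the bulletin or of any vendor tooling: it runs over exported `netstat -ano` output and a scheduled-task list. The netstat lines, the task entries, and the argument patterns treated as suspicious are constructed assumptions for illustration.

```python
"""Hunt for WannaMine-style activity in exported host data.

Added example; the netstat output and task list below are constructed."""
import re

# Pool ports the write-up associates with WannaMine (killed: 3333/5555/7777, own miner: 14444)
MINING_PORTS = {3333, 5555, 7777, 14444}
# Assumed indicators of fileless PowerShell persistence (encoded/hidden/download-and-run)
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\s|-nop\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)",
    re.I)


def parse_netstat(text):
    """Parse Windows `netstat -ano` output into (proto, local, remote, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":      # UDP rows have no state column
            rows.append(tuple(parts))
    return rows


def _port(addr):
    """Port of 'host:port' or '[v6]:port'."""
    return int(addr.rsplit(":", 1)[1])


def hunt_ports(netstat_text):
    """Flag listeners and connections on mining-pool ports, keyed by PID."""
    hits = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if _port(local) in MINING_PORTS or _port(remote) in MINING_PORTS:
            hits.append({"pid": pid, "local": local, "remote": remote, "state": state})
    return hits


def hunt_tasks(tasks):
    """Flag scheduled tasks whose action runs PowerShell with suspicious arguments.

    tasks: iterable of (task_path, executable, arguments), e.g. exported from
    Get-ScheduledTask | Select TaskPath, TaskName, Actions."""
    return [path for path, exe, args in tasks
            if "powershell" in exe.lower() and SUSPICIOUS_ARGS.search(args or "")]


# Constructed netstat -ano excerpt: PID 1337 listens on 14444 and talks to a pool on 3333
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:14444          0.0.0.0:0              LISTENING       1337
  TCP    10.0.0.15:49812        203.0.113.9:3333       ESTABLISHED     1337
  TCP    10.0.0.15:49813        203.0.113.9:443        ESTABLISHED     2210
  UDP    0.0.0.0:5355           *:*                                    1044
"""

# Constructed task export: one benign built-in, one hidden encoded PowerShell task, one admin script
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe", "-c -h -o -$"),
    ("\\Microsoft\\Windows\\Updater", "powershell.exe", "-NoP -W Hidden -Enc SQBFAFgAIAA"),
    ("\\Backup", "powershell.exe", "-File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for hit in hunt_ports(SAMPLE_NETSTAT):
        print("mining port:", hit)
    for task in hunt_tasks(SAMPLE_TASKS):
        print("suspicious task:", task)
```

Run the two hunts against `netstat -ano` output and a scheduled-task export from the suspect host. The third behaviour described above, the modified power plan, can be reviewed on the host with `powercfg /query`; a PID that both listens on 14444 and owns a hidden-PowerShell task is the pattern to escalate.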

    The Cost of Cyber Crime

A recent study by Germany’s IT sector association found that two-thirds of Germany’s manufacturing companies have been victims of cyber crime, at a cost to the industry of around $50 billion. More than 500 executives across the German manufacturing sector were surveyed, and small to medium-sized companies were found to be the most vulnerable to attack. As attackers become better resourced, they will use more advanced techniques to steal manufacturing know-how or trade secrets, with potentially devastating consequences for the companies involved.

The survey identified risks of all types: one-third of companies reported that mobile devices such as phones had been stolen, about 25% had lost sensitive digital data, around 19% had IT or production systems sabotaged, and 11% had communications tapped.

    Recommendations:

    • Make sure every business computer is equipped with antivirus and antispyware software that is updated regularly.
    • Secure network connections by using firewalls and encrypting important information.
    • Conduct periodic vulnerability testing on critical information technology systems.

    How can Netizen help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Allentown, PA: Netizen Corporation, an award-winning and ISO 27001:2013 certified provider of cyber security and related solutions for defense, government and commercial markets, has announced that they are starting a college scholarship program for selected U.S. military veterans, their families and spouses in cooperation with Lehigh Carbon Community College (LCCC). Candidates for the scholarship will be pursuing degrees in technical fields, such as cyber security, and have a track record of professional, personal and academic success. Along with the scholarships, Netizen will also expand their own paid technical internship programs for military veterans.

    “With over 60% of our employees being military veterans, and being 100% veteran owned, we constantly seek to bring the skills and attributes gained from military service – such as adaptability, attention-to-detail, problem solving, and dedication-to-duty – to the industries in which we operate. As our customers can attest, these attributes truly set Netizen apart and other companies could similarly benefit from promoting veteran employment and educational initiatives,” said Max Harris, Netizen’s Chief of Business Development and a U.S. Army veteran.

    Michael Hawkins, Netizen’s CEO and a U.S. Army veteran, added that “with this scholarship program, recipients can earn a two-year degree as well as relevant industry certifications and real-world experience without accruing unnecessary debt. They can then immediately qualify for high-wage jobs in fields that are in desperate need of talented professionals or they can continue working towards another degree.”

    Netizen is not a “general information technology (IT) services company” but rather a highly specialized cyber security and compliance solutions provider that works in partnership with IT departments, information system owners/developers, and IT Managed Service Providers (MSPs) to ensure appropriate levels of security and compliance controls are implemented and maintained. As the cyber security industry in general is in need of skilled and certified staff, Netizen has been committed to developing new pipelines of talent by providing opportunities for veterans to transition into the field.

    About Netizen Corporation: Named the Lehigh Valley’s “Emerging Business of the Year” and “Veteran Owned Business of the Year” and a recipient of multiple Department of Defense (DoD) awards for superior performance, Netizen is an Allentown, PA based Veteran-Owned company (SDVOSB) specializing in cyber security and compliance solutions for defense, commercial and government markets. Their new commercial-focused subsidiary, CyberSecure Solutions, is also trusted to engineer, implement, audit and maintain cyber security solutions for businesses worldwide. Learn more at NetizenCorp.com and goCyberSecure.com.

    POINT OF CONTACT:
    Rocco Zegalia
    VP of Sales and Marketing
    1-800-450-1773 ext. 717
    rzegalia@netizencorp.com

  • Netizen Cybersecurity Bulletin: 12 September 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Phish Tale of the Week!
    • URL Spoofing
    • The Hazards of IoT Devices
    • Targets of Phishing
    • How can Netizen Help?

    Phish Tale of the Week!

Netizen received an email claiming to be from Microsoft regarding OneDrive. That email can be found below:

(screenshots of the phishing email, not reproduced)

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
• Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.
    • Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
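
The sender, link, HTTPS and urgency checks in these recommendations (and in the identical phishing recommendations of the 19 and 26 September editions above) can be automated for mail triage. The Python below is an added example, not code from the bulletin: it parses a raw message, compares the From domain with Reply-To and Return-Path, checks whether a brand named in the display name belongs to the sender’s domain, looks for urgent language, and inspects every link for HTTPS and for link text that shows a different host than the real target. The sample message, the domains in it, and the brand-to-domain table are constructed assumptions.

```python
"""Automated triage for the phishing indicators listed in the recommendations.

Added example; the message below and the brand/domain table are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: brands that appear in display names and the sender domains they legitimately use
BRAND_DOMAINS = {
    "sharepoint": {"sharepointonline.com", "microsoft.com"},
    "office 365": {"microsoft.com"},
    "onedrive": {"microsoft.com"},
}
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|urgent|final notice)\b", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header):
    """Registrable domain (last two labels) of the address in a header value."""
    m = re.search(r"@([\w.-]+)", str(header or ""))
    return ".".join(m.group(1).lower().split(".")[-2:]) if m else ""


def triage(raw_message):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_hdr = str(msg.get("From", ""))
    from_dom = _domain(from_hdr)

    # 1. Verify the sender: reply and bounce domains should match the From domain
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} does not match From domain {from_dom}")

    # 2. A display name that claims a brand the sender domain does not belong to
    display = from_hdr.split("<")[0].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display and from_dom not in domains:
            findings.append(f"display name claims {brand!r} but sender domain is {from_dom}")

    # 3. Urgent or threatening language in the body
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(text):
        findings.append("urgent or threatening language in body")

    # 4. Links: require HTTPS and flag link text that shows a different host than the href
    parser = _Links()
    parser.feed(text)
    for href, shown in parser.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append(f"non-HTTPS link: {href}")
        shown_host = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown, re.I)
        if shown_host and shown_host.group(1).lower() != (target.hostname or ""):
            findings.append(f"link text shows {shown_host.group(1)} but points to {target.hostname}")
    return findings


# Constructed sample modelled on the "fax report" lure in the 26 September edition
SAMPLE = """\
From: SharePoint Online <notify@share-point-docs.example>
Reply-To: collect@mailer.example
Return-Path: <bounce@mailer.example>
To: user@company.example
Subject: You have received a new fax report
Content-Type: text/html; charset=utf-8

<p>A fax report has been shared with you. Your access will be suspended
within 24 hours unless you review it.</p>
<a href="http://login.share-point-docs.example/auth">https://company.sharepoint.com/fax</a>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

The constructed sample trips every check; a genuine notification sent from a Microsoft domain with HTTPS links whose text matches their target would produce no findings. These header checks only catch the crude cases: the SPF, DKIM and DMARC results recorded by the receiving mail server are the stronger sender-verification signal and should be consulted alongside them.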

    URL Spoofing

Unpatched Edge and Safari browsers allow attackers to spoof URLs, letting a malicious page pose as a legitimate website and making a phishing attempt much harder to spot. One of the primary methods of detecting phishing is to examine the URL in the address bar to determine whether a site is fake. The vulnerability arises because the browsers allow JavaScript to update the address bar while the page is still loading.

To exploit the flaw, the attacker first loads the legitimate web page, so the proper URL is displayed, then quickly replaces the page content with a malicious one while the address bar still shows the original URL. Using this method, attackers can impersonate popular sites such as Gmail, Facebook, LinkedIn, and various banks to steal credentials and other sensitive information.

    Recommendations:

    Microsoft has issued a patch for Edge in their latest update, however, Safari still remains vulnerable to the exploit. We recommend routinely patching all systems if they have not been already, and to exercise caution when reading emails. Since this particular attempt is harder to spot, rely more on the circumstance of the email itself:

    • Should you be getting this email?
    • Were you expecting this email?
    • Verify the sender.

    The Hazards of IoT Devices

    We have smart lightbulbs, smart speakers, smart refrigerators, smart washers & dryers – they are all over our house. The Internet of Things (IoT) has virtually digitized many aspects of our lives.  But in that acronym – IoT – something is missing.

    Developers of IoT devices want to make the lives of their customers as easy as possible – whether it is to easily control our lights or set our homes’ temperature, the underlying goal is ease.  That ease extends into making these devices easy to install on home networks.  However, too often this ease leaves the door open for criminals to gain a foothold into our homes, small & mid-size businesses (SMBs) and even large corporations.  The attacks range from mere nuisances (a smart refrigerator was set to make ice cubes non-stop) to treachery (baby monitors hacked to eavesdrop and in some cases speak to/wake up children), to potentially frightful (imagine a hacker could determine when you’re not home and override your smart door locks and alarms?).  Offices are seeing more IoT devices, from smart displays in conference rooms to personally owned smart speakers in cubicles.

    IoT devices lack security measures for many reasons, including lower costs and faster development. Offshoots of these reasons can result in hard-coded ADMIN passwords and backdoors created by the developers who might have forgotten to close them, or because the coders were removed from the project before it was fully vetted.  Should a hacker take control of one of your IoT devices, they may be able to exploit other devices on your network and compromise the confidentiality and integrity of your data.

Clearly, the adage regarding IoT devices cannot be argued: the ‘S’ in IoT stands for ‘Security’. Make sure you take the necessary steps to secure your devices at home and in the office.

    Recommendations:

    • Always change the default login credentials. Not only the password but the username whenever possible.  Consider: a hacker already has half of the username+password combination if you use the default ADMIN.  Make the password difficult to guess.
    • Always segment your IoT devices to a wifi network separate from your primary (Home) network. Often this is as easy as using the GUEST wifi on your router.  If your router lacks the ability to have 2 or more segments, it’s probably time to upgrade.
    • Businesses should ensure the use of IoT devices comply with the corporate Acceptable Use Policy (AUP).
    • Make a calendar reminder to check your devices for firmware updates. While not all IoT devices update their firmware, make certain to install the patches to help stay ahead of vulnerabilities.
    • Evaluate whether you really need those devices in your home or office.  For example: do you really need a web-enabled toaster?

    Targets of Phishing

Proofpoint researchers recently found that 60% of targeted phishing attacks are directed at individual contributors and lower-level management. These attacks mainly consisted of malware or credential phishing. By comparison, upper management and executives received only 24% of all attacks and only 5% of targeted attacks. While that may seem a small share, it is disproportionately large given how small a portion of the total workforce executives represent.

The findings come amid a continual surge of malicious email. Researchers observed a more than 35% increase in email attacks across the first and second quarters of 2018 alone. While companies of every size are targeted, retail and healthcare saw far greater growth in attacks than other sectors. The second quarter of this year also saw an 85% increase in attacks compared to the same quarter last year, with growth in the automotive and education industries even larger at 400% and 250% respectively.

    Recommendations:

• Ensure that individual contributors and lower-level management receive appropriate training to identify and report malicious email.
    • Leverage advanced threat analysis and social media security to combat fake accounts.
    • Continue comprehensive security awareness for the entire workforce.

    How can Netizen help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Netizen Cybersecurity Bulletin: 5 September 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • 1/5 SMB Employees Share Passwords
    • 3D Printers a vector for attack
    • CamuBot and Vishing
    • Quick notice: Monero Miner Malware
    • How can Netizen Help?

    1/5 SMB Employees Share Passwords

Most people assume they will not be the target of a cyber attack. However, small- to mid-size businesses (SMBs) are estimated to face nearly 4,000 cyber attacks per day, and as hackers continue to refine their craft, it’s easy to assume that number will only increase. While larger companies have, perhaps, more assets to attack, smaller companies may be a softer target.

    A recent survey of 600 small business executives and employees regarding their cybersecurity habits revealed several concerning points. In particular, small business employees and leaders may be acting negligently in regards to their own security.

    The survey sought to reveal whether employee behavior helped precipitate the increase in cyber attacks. The consequences of cyber attacks can be extreme; the survey found 60% of small businesses that experienced a cyber breach are likely to go out of business within six months.

    Small businesses too often lack the manpower of larger enterprises to handle IT and security, and they do not prioritize security education and best practices. The lack of a top-down IT security profile for the company often leads to poor cyber hygiene among the rest of the employees. Digging deeper into the survey results, SMB leaders overwhelmingly connect to public WiFi for work (66%), and 44% of SMB employees do as well. Connecting to a WiFi hotspot in a hotel or at an airport can expose your business to cyber threats.

    They do not prioritize security education and best practices: 35 percent of employees and 51 percent of leaders are convinced their business is not a target for cybercriminals, despite threats such as malware and man-in-the-middle attacks that can put corporate and financial data in peril.

    Worse still: 62% of leaders and managers use their work computer to access social media accounts, while only 44% of employees were found to do so.

    Yet the absolute worst revelation from this survey was this: 1 in 5 SMB employees (22% of leaders and 19% of employees) share their email password with co-workers or assistants. There are more secure methods of sharing data that help prevent unauthorized access.

    A top-down approach to cybersecurity will help prevent poor cyber hygiene from leading to a costly breach.

    Recommendations:

    • Never use public or unsecured WiFi without a Virtual Private Network (VPN).
    • Never share passwords; instead use collaboration software (such as Microsoft SharePoint), delegated access, and shared storage (such as Office 365).
    • Ensure a comprehensive Acceptable Use Policy (AUP), detailing the appropriate use of all corporate data assets, is adopted by everyone in the company.

    3D Printers a vector for attack

    Security researchers have found that over 3,500 instances of OctoPrint, a popular web interface for 3D printers, are publicly exposed to the Web. OctoPrint allows users to control and monitor their 3D printers, from starting and stopping print jobs to embedded webcam access. While not a very serious threat in itself, this exposure still poses several security issues that could later be used as an attack vector. With access to the printer’s code files, attackers would be able to obtain the print plans for an object, which could leak valuable trade secrets or be modified in order to ruin future printed objects. While rare, it is not impossible for an attacker to intentionally start a fire, given the high temperatures created during operation, by modifying the printer’s files.

    Recommendations:

    • Ensure proper access control on devices exposed to the internet.
    • Use network segmentation to prevent an attacker from hopping from one system to another.

    CamuBot and Vishing

    A new banking Trojan known as CamuBot strays from the usual tactics Trojans take and involves a blend of social engineering, in this case vishing (voice phishing). The malware is disguised as a security application bearing the logo and branding of the target’s bank. With a little reconnaissance, the threat actors target a victim who is likely to have login credentials for that bank. The victim installs the Trojan on the instructions of the “bank employee”.

    The attack is carried out under the pretense that the user needs to install the fake security tool to check the validity of the bank’s current security module. The attacker has the user load a web page (designed by the attacker) showing that the user’s software for that particular module is out of date. The user is then tricked into downloading and installing the new “module” for online banking with administrator privileges. Thus, the Trojan gains entry. CamuBot can also survive multi-factor authentication (MFA): when the MFA challenge comes from a hardware device that must connect to the infected computer, the Trojan can install the drivers for that device. From there, it is a simple matter of asking the victim to share the temporary code with the “operator” over the phone.

    Recommendations:

    We are often trained to be on the lookout for phishing emails, as we should be, given their prevalence and the damage they can cause. However, the telephone can be equally dangerous. CamuBot has only been spotted in Brazil, but the United States is no stranger to scams like it. We recommend the following to help prevent falling prey to vishing:

    • Verify that anyone requesting sensitive information is in fact who they claim to be.
    • If you believe you are being vished, tell the caller you will call them back, and use the number from a card statement or from the back of the credit card.
    • Verify authenticity by asking the caller for information only the bank would know (e.g. the last transaction, the balance on the account, etc.).
    • Most importantly, invest in end-user awareness. The more employees are trained to watch for phishing and vishing attempts, the more likely they are to recognize them. Employees are the first line of defense against these attacks.

    Quick Notice: Monero Miner Malware

    A new variant of Monero cryptominer malware has been discovered in the wild (that is, beyond a development environment and in active use as a publicly deployed tool). Test versions from the threat actors were found in April 2018, from which it can be assumed that a general release of the miner is set to take place.

    These testing variants were last seen in the wild in July 2018 and continue to surface in honeypots, along with three other variants from the same malicious group. At this time, it is believed that a threat group, as opposed to a state-sponsored group, is manufacturing the variants.

    Recommendations:

    The main defense at this time is restricting GitHub (a web-based hosting service for coders and developers) to only those who have a business need for it, and ensuring the following two vulnerabilities are patched:

    • Oracle WebLogic server vulnerability (CVE-2017-10271)
    • Java deserialization vulnerability in the Adobe ColdFusion platform (CVE-2017-3066).


  • Netizen Cybersecurity Bulletin: 29 August 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • DoS Attack Vectors
    • Unpatched Windows Zero-Day Released
    • Attackers Continue to Phish
    • Bonus: How Not to Manage Passwords
    • How can Netizen Help?

    DoS Attack Vectors

    Denial of Service (DoS) attacks are attacks in which a hacker or threat actor seeks to make a machine, network resource, or service unavailable to those who use it. These interruptions can be a temporary annoyance or, more severely, a permanent reality for internet-connected devices. Almost all DoS attacks target infrastructure services as opposed to application services. Denial of Service can take many forms, among them volumetric flooding, processing consumption, and RANGE attacks.

    Volumetric Flooding: Attackers can overwhelm applications by flooding them with repeated HTTP/HTTPS requests. To do so, an attacker needs to generate enough traffic to direct at the victim; this is usually done with bots in a botnet or with a “booter service”, which is essentially DoS attack capability on demand.

    Processing Consumption: Rather than the usual approach of attacking network bandwidth, attackers can also exhaust the Central Processing Unit (CPU) and Random Access Memory (RAM) allocated to an Application Programming Interface (API) server. For each web request, such as a JSON request, the API must allot a certain amount of CPU and RAM for processing, and only so much of each is available concurrently. Hash collisions are a popular method of attack for processing consumption.

    RANGE Attacks: Attackers can abuse the ability to access data quickly in order to extract information in bulk. Web scraping campaigns, in which attackers “scrape” sites for information, can cause real problems for websites and create denial-of-service conditions. In a RANGE attack, a submitted web request includes a range of data to be extracted; setting an egregious range can prove overwhelming for a system.

    Recommendations:

    Denial-of-Service attacks are a common issue and are used avidly by threat actors who want to disrupt or completely cut off service. We recommend the following against the attacks listed above:

    • Network Controls – these allow blacklisting of IP addresses and CIDR ranges.
    • Rate Controls – specific to volumetric flooding attacks; a Kona Site Defender (KSD) customer can specify different criteria for thresholds.
    • Slow Posts – KSD has protections against attacks that try to consume application resources by opening an HTTP connection and then sending data very slowly.
    • DoS Risk Group – many web DoS tools and scripts have tell-tale fingerprints and can be easily identified and blocked using WAF protections.
    • Set a maximum limit on requests to web pages (JSON, HTTP, etc.).
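    Two of the controls above, a cap on how much data a single Range request may ask for (against RANGE attacks) and a per-client request threshold (a rate control against volumetric flooding), as an added example in Python that is not from the bulletin or from Kona Site Defender; the thresholds, client addresses and request log are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not figures from the bulletin.
MAX_RANGE_BYTES = 10 * 1024 * 1024   # most bytes one Range request may ask for
MAX_RANGE_PARTS = 5                  # multipart ranges beyond this are refused
RATE_LIMIT = 100                     # requests allowed per client per window
RATE_WINDOW = timedelta(seconds=10)


def check_range_header(value, resource_size):
    """Return (ok, reason); refuse Range headers that would make the server
    assemble an egregious amount of data (the RANGE attack described above)."""
    if value in (None, "", "-"):
        return True, "no range"
    m = re.match(r"^bytes=(.+)$", value.strip())
    if not m:
        return False, "unsupported range unit"
    parts = m.group(1).split(",")
    if len(parts) > MAX_RANGE_PARTS:
        return False, "too many ranges"
    total = 0
    for part in parts:
        first, sep, last = part.strip().partition("-")
        if not sep or (first and not first.isdigit()) or (last and not last.isdigit()):
            return False, "malformed range"
        if first == "":                       # suffix form "-N": the last N bytes
            if last == "":
                return False, "malformed range"
            length = min(int(last), resource_size)
        else:
            start = int(first)
            if start >= resource_size:
                return False, "range starts past end of resource"
            end = min(int(last), resource_size - 1) if last else resource_size - 1
            if end < start:
                return False, "inverted range"
            length = end - start + 1
        total += length
        if total > MAX_RANGE_BYTES:
            return False, "range too large"
    return True, "ok"


class SlidingWindowLimiter:
    """Per-client request threshold: the 'rate control' from the list above."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, client, when):
        hits = self._hits[client]
        while hits and when - hits[0] >= self.window:
            hits.popleft()                    # forget requests outside the window
        if len(hits) >= self.limit:
            return False
        hits.append(when)
        return True


def triage(log_lines, resource_size):
    """Apply both controls to 'timestamp client range' lines; return verdicts."""
    limiter = SlidingWindowLimiter()
    verdicts = []
    for line in log_lines:
        ts, client, rng = line.split(" ", 2)
        if not limiter.allow(client, datetime.fromisoformat(ts)):
            verdicts.append((client, "rate-limited"))
            continue
        ok, reason = check_range_header(rng, resource_size)
        verdicts.append((client, "allowed" if ok else "refused: " + reason))
    return verdicts


def summarize(verdicts):
    counts = defaultdict(int)
    for key in verdicts:
        counts[key] += 1
    return dict(counts)


# Constructed sample log (not real traffic): one client floods 120 requests in
# five seconds, another sends three Range requests of increasing abuse.
BASE = datetime(2018, 8, 29, 10, 0, 0)
SAMPLE_LOG = [
    f"{(BASE + timedelta(milliseconds=40 * i)).isoformat()} 198.51.100.5 -"
    for i in range(120)
] + [
    f"{(BASE + timedelta(seconds=6)).isoformat()} 203.0.113.7 bytes=0-1023",
    f"{(BASE + timedelta(seconds=7)).isoformat()} 203.0.113.7 bytes=0-",
    f"{(BASE + timedelta(seconds=8)).isoformat()} 203.0.113.7 "
    "bytes=0-9,10-19,20-29,30-39,40-49,50-59",
]

if __name__ == "__main__":
    for (client, verdict), n in summarize(triage(SAMPLE_LOG, 50 * 1024 * 1024)).items():
        print(f"{n:4d} {client:<14} {verdict}")
```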

    Unpatched Windows Zero-Day Released

    Recently, a security researcher publicly disclosed a previously unknown zero-day vulnerability in Microsoft Windows operating systems that allows a user or malicious program to obtain administrator privileges on a targeted computer. The flaw has been confirmed to work on fully patched Windows 10 systems and has not yet been addressed by Microsoft. The vulnerability leverages a Windows mechanism called Advanced Local Procedure Call (ALPC) to escalate privileges via the Windows Task Scheduler.

    The zero-day was released on Twitter by a user who posted a link to a GitHub page providing a proof-of-concept exploit for the privilege escalation vulnerability. The vulnerability has since been verified by several other security researchers. Since Microsoft was not notified of this vulnerability in advance, all Windows users remain exposed until a security patch is created and released by Microsoft.

    Recommendations:

    Until this vulnerability is patched by Microsoft, we recommend maintaining an increased security posture and scrutinizing suspicious email attachments and websites carefully. We also recommend paying particular attention to Windows event logs, looking for unexpected privilege escalations.

    Attackers Continue to Phish

    Phishing continues to be a problem for all businesses and users. Netizen itself has seen increased activity from emails purporting to contain Microsoft Office login screens. MS Office is frequently used in these attacks, as it is one of the most popular suites in use, which increases the crooks’ chances of obtaining legitimate login credentials.

    Phishing emails often try to scare the user. This is one of the examples that arrived at our office this week:


    Other attempts sound too good to be true, sometimes suggesting an embedded link will lead to payroll information.

    Everyone should be cautious when clicking on links in emails, and should contact their manager or IT department if they have concerns about an account deactivation notice.

    Bonus: How Not to Manage Passwords



  • Netizen Updates and News

    Today, we at Netizen are announcing several major updates for our customers, employees and the community. They encompass cyber security, customer service, innovation and community involvement.

    First off, Netizen is preparing to release several advanced tools of our own design as Open Source. The first such tool performs the validation and security configuration of virtualization hosts to ensure they are secure and compliant. The next tool to be released is an analytics dashboard that tracks vulnerability data and POA&M milestones across an enterprise. Both will be licensed under the GNU Affero GPL for the general public and available to view, modify and/or download at our GitHub Repository.

    Secondly, Netizen is funding and creating a scholarship program at Lehigh Carbon Community College (LCCC) to provide funds and training opportunities for military veterans seeking to enter into technical degree programs. The field of cyber security has far more job openings than there is qualified talent to fill them and military veterans make ideal employees. We intend to educate and train the next wave of talent in the cyber industry starting with those who have already served our country so honorably.

    Lastly, Netizen has formed an Innovation Group that employees, customers and partners are welcome to participate in. The intent of this group is to talk about and formulate ideas for better ways to do things related to business, technology, management or just about anything else. It will meet monthly to start, and the ideas will be put into a backlog for consideration and implementation. The intent is to develop “best practices, standards and tools” which can be leveraged by anyone.

    About Netizen Corporation:

    Netizen is an ISO 27001:2013 certified, award-winning and veteran-owned business that specializes in cyber security and software assurance for defense, federal civilian government and commercial markets. We develop and leverage innovative solutions to enable a more secure cyberspace for clients in government and commercial markets. Our customers include the U.S. Army, U.S. Navy, Department of Defense, and other large federal agencies as well as Fortune 500 organizations around the world.

  • Netizen Cybersecurity Bulletin: 22 August 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Caller ID Spoofing
    • USBHarpooning and Bad USBs
    • FBI Warns Real Estate Industry is a Target for Cybercrime
    • How can Netizen Help?

    Caller ID Spoofing

    Have you ever received a call where the caller said that you had called them when you had not? Then your number was most likely spoofed by another person. Many phone scams use Caller ID spoofing to hide the caller’s identity, because spoofing makes it impossible to block the number. Sometimes the numbers are easy to spot, with invalid area codes such as ‘132’, or numbers that are all zeroes. More and more, however, the fraudsters are getting more devious.

    There are online tools that enable anyone to spoof their outbound Caller ID. While these services are meant to protect the caller’s number from being displayed and claim they aren’t intended for malicious activities, there’s little to prevent someone from abusing these fee-based services.

    Businesses often waste time answering calls from spoofed numbers; in June 2018, one business received an estimated 300 phone calls in a single hour, overloading its call center and preventing calls from legitimate customers from getting through.

    At the other end of the spectrum, spoofed Caller IDs have been used to falsely report to police crimes supposedly occurring in innocent people’s homes, resulting in wasted law enforcement resources and at least one accidental shooting death.

    Recommendations:

    Fraudulent calls may be reported to the FCC, which can impose a fine of up to $10,000 on anyone illegally spoofing a number: https://www.fcc.gov/consumers/guides/spoofing-and-caller-id

    USBHarpooning and Bad USBs

    It is no secret that USB drives can be turned malicious in the wrong hands. Attacks range from planting malware to giving the attacker remote code execution. In a strange twist of ingenuity, security researchers have discovered and built a malicious version of a USB charging cable, dubbed USBHarpoon. The device’s controller chip can be reprogrammed to appear to the victim’s computer as a human interface device (HID), more colloquially known as a peripheral. Peripherals include anything from a keyboard to a network card. Attack vectors range from issuing commands to modifying the system’s DNS settings to redirect traffic.

    The attack only succeeds when the computer is unlocked, at which point the cable can launch commands that download and execute a payload; Windows, Mac, and Linux could all be affected. As of right now, the attack is not a hidden process: upon insertion of the USB device, the malicious activity is visible on the screen, although attempts have been made to trigger it when the user is not around. What makes the USBHarpoon attack so dangerous is that while many people are aware of harmful USB drives, most are trusting of the ubiquitous charging cable.

    Recommendations:

    While USB devices can be necessary for business purposes, steps should, as with anything, be taken to prevent or at least mitigate a breach:

    • If feasible, disallow the use of removable media. If you have no need for USB devices, do not introduce that attack vector at all.
    • Be cognizant of your cable manufacturer and seller. Off-brand and foreign sellers have a higher likelihood of supplying malicious cables and drives.
    • If you need to use USB devices, ensure that every device is checked for malware before it is connected to the network, especially if it is new and not yet trusted.
    • Set limits on allowed USB devices and file types based on the user’s role in the organization.
    • Avoid direct plug-ins. Utilize a USB security system like that of a malware scanning kiosk to securely transfer allowed files.
    • Regularly train employees on the importance of adhering to strict USB security practices and policies.

    FBI Warns Real Estate Industry is a Target for Cybercrime

    The FBI Internet Crime Complaint Center (IC3) reported that the real estate industry has become especially susceptible to business email compromises (BECs) and email account compromises (EACs).

    The attraction of real estate goes beyond the large sums of money involved in such transactions; it also lies in the eagerness of those involved in a home sale to get the transaction done. Home sales can involve numerous people, all dealing with largely electronic documents containing sensitive information.

    These scams are frequently carried out when a hacker compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques, such as a malicious message containing a link to a rogue website.

    The scam may not always be associated with a request for transfer of funds, as a compromised account can be used to access stored documents (or request new documents) containing Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.

    The FBI reported hackers have used information that is publicly available on real estate listing sites to target victims. This may include homes that are for sale and the progress of the sale such as “under contract” as well as the contact information of the real estate agent.

    FBI Recommendations:

    Title companies report establishing new procedures for processing legal documents, requiring all changes in payment type and/or location to be verified before funds are distributed.

    If you discover a fraudulent transfer, time is of the essence. First, contact your financial institution and request a recall of the funds. Different financial institutions have varying policies; it is important to know what assistance your financial institution will provide when attempting to recover funds. Second, contact your local FBI office and report the fraudulent transfer. Law enforcement may be able to assist the financial institution in recovering funds. Finally, regardless of dollar loss, file a complaint with http://www.ic3.gov or, for BEC/EAC victims, bec.ic3.gov. The IC3 will be able to assist both the financial institutions and law enforcement in the recovery efforts.


  • Netizen Cybersecurity Bulletin: 15 August 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • KeyPass Ransomware
    • Still Phishing
    • Another Printer Vulnerability
    • How can Netizen Help?

    KeyPass Ransomware

    Not to be confused with the popular password manager KeePass, KeyPass is the extension that a new ransomware variant places on the files it encrypts. The KeyPass Trojan propagates by way of fake installers, further highlighting the importance of proper cyber awareness and training in defending an organization’s data and assets.

    Upon successful infection, the trojan remains hidden: it installs itself to the local app data folder, deletes itself from its original location, and spawns further copies that spread through other avenues such as command line arguments. KeyPass also features “manual control”, in that its configuration form can be shown after pressing a certain key on the keyboard, indicating that the attackers may wish to use the trojan in manual attacks.

    The manual control technique gives the attackers the ability to customize the encryption process including the key, what is said in the ransom note, victim ID, extension of the encrypted files (.KEYPASS), as well as the list of paths to be excluded. The attackers will also be able to change the price of decryption.

    Recommendations:

    As mentioned above, the best defense is practicing proper cyber hygiene, however, we do have further recommendations:

    • Protect against the KeyPass ransomware, and any ransomware for that matter, by using properly created and tested backups.
    • Install all needed software from trusted sources.
    • Use strong passwords for RDP access: longer than 8 characters, mixed case (camel-case), with numbers and special characters.
    • Develop and execute a plan for an end-user awareness program.
    • Review network drive permissions to minimize the impact a single user can have on operations.
    • Perform routine patching and updating.
    • Utilize trusted and efficient endpoint protection software.

    Still Phishing

    One of the most widespread and simplest forms of attack continues to be a problem in the latter part of 2018: phishing. In particular, attacks have increased substantially in the financial services industry, including online banking, e-commerce, and payment systems. These attacks use fake shopping sites or banking web pages in an effort to obtain login credentials, emails, phone numbers, credit card information, and PINs. The IT industry has also felt the increase in phishing attacks but is still targeted less than the financial sector.

    Many companies receive phishing emails daily and remain under constant threat from attackers. Phishing is so popular because people, more often than not, are the largest security vulnerability. Attackers often use intimidation or fear, or feign a level of trust, in an effort to gain access to sensitive company information. For example, by way of social engineering, an attacker could spoof the CEO’s email address and demand all payment information from accounting immediately; many people would not hesitate, because who would disobey the CEO?

    Recommendations:

    There are many best practices for defending against phishing emails, which we have listed below:

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email; this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated with suspicion. Also beware of messages that try to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
    • Be wary of poor spelling, grammar, and formatting. If an email is visually unprofessional, the sender is likely not who they say they are.
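    The sender and link checks in the list above, as an added example in Python that is not from the bulletin: it parses a message and flags a display name claiming a brand the sending domain does not own, a Reply-To that diverges from the sender, link text that hides a different destination or a plain-http link, and urgency language. The brand-to-domain table and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand-to-domain table for this example; a real deployment would list
# the services the organisation actually uses and their genuine sending domains.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "office 365": {"microsoft.com", "microsoftonline.com", "office.com"},
    "sharepoint": {"microsoft.com", "sharepoint.com"},
}
URGENCY = re.compile(
    r"\b(immediately|within \d+ hours|deactivat\w*|suspend\w*|verify your account)\b",
    re.IGNORECASE)


def registered_domain(host):
    """Crude 'last two labels' rule; enough for the constructed samples below."""
    return ".".join(host.lower().split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_message(raw):
    """Return the reasons this message looks like a phish (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    addrs = msg["From"].addresses if msg["From"] else ()
    from_domain = registered_domain(addrs[0].domain) if addrs else ""
    display = addrs[0].display_name.lower() if addrs else ""
    # 1. The display name claims a brand the sending domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display and from_domain not in domains:
            findings.append(f"display name claims {brand!r} but sender domain is {from_domain}")
    # 2. Replies are steered to a domain other than the visible sender's.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses:
        rt_domain = registered_domain(reply_to.addresses[0].domain)
        if rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from sender domain {from_domain}")
    # 3. Link text shows one host while the href leads elsewhere, or is plain http.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            href_host = urlparse(href).hostname or ""
            shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname or ""
            if shown_host and registered_domain(shown_host) != registered_domain(href_host):
                findings.append(f"link text shows {shown_host} but points to {href_host}")
            if urlparse(href).scheme == "http":
                findings.append(f"link to {href_host} is not HTTPS")
    # 4. Pressure language and attachments: the social-engineering tells.
    if URGENCY.search(text):
        findings.append("urgent or threatening language in body")
    if any(part.get_filename() for part in msg.iter_attachments()):
        findings.append("message carries an attachment")
    return findings


# Constructed sample messages (not real mail): a Microsoft-themed phish and a harmless note.
PHISH = """\
From: "Microsoft Office 365 Team" <alerts@office365-secure-login.example>
Reply-To: helpdesk@mail-recovery.example
Subject: Your mailbox will be deactivated
Content-Type: text/html; charset="utf-8"

<html><body><p>Your Office 365 account will be deactivated within 24 hours.
Sign in <a href="http://portal-verify.example/login">https://login.microsoftonline.com</a>
immediately to keep access.</p></body></html>
"""
BENIGN = """\
From: Alice Example <alice@example.org>
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Are you free for lunch Thursday? No rush, reply whenever.
"""
```

    Running `triage_message(PHISH)` yields six findings for the constructed phish and `triage_message(BENIGN)` yields none.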

    Another Printer Vulnerability

    Fax machines have been a staple in office environments since the late 1980s; you may have one in your office. In recent years, these devices have been combined with network printers for efficiency. However, this may be another example of trading security for convenience.

    Two security researchers recently presented at DEF CON 26 a pair of vulnerabilities in the fax protocol that can transform fax machines into entry points for hackers into corporate networks. Named “Faxploit,” the attack leverages two buffer overflows in the fax protocol components. An attacker can send a specially designed ‘fax’ image containing code that exploits these two vulnerabilities to a fax machine and thereby gain remote code execution on the targeted device. From that point, the hacker can run their own code, take over the machine, and deploy other tools to infiltrate your network. Once inside, the hacker can begin scanning every device on the network, looking for other weaknesses to exploit.

    Unlike hacks that try to penetrate your company’s firewall from outside your network, this one comes in through the fax phone number you probably list on your business cards and website. If your fax is combined with a network printer, the attacker gains access to your network through the phone line: a novel approach, and one that poses a real risk to your network.

    There is no way to scan incoming faxes for this kind of attack. The only way to prevent Faxploit attacks is to apply patches to individual fax machines and all-in-one office printers, which also come with an embedded fax machine.

    At the time of writing, only HP has addressed Faxploit, and has released patches to prevent this attack from gaining access to your network. Other vendors will follow suit, but consideration should be given to creating network segments that would isolate printers from other mission-critical assets.

    Once again, the lesson that cannot be stressed enough is simply this: any connected device needs to be updated and patched.


  • Netizen Cybersecurity Bulletin: 8 August 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Cracking WPA2
    • Popular Social Media Site Hacked by “SMS Intercept”
    • Is your printer spying on you? HP releases important patches.
    • How can Netizen Help?

    Cracking WPA2

    A new method of attack against cracking the famed secure wireless protection protocol has been discovered. This new method simplifies the cracking of WPA/WPA2 passwords on 802.11 networks. In the past an attacker would have to wait for a user to login in an effort to capture a full authentication handshake, whereas with this new method, would only have to obtain a single frame from the router; this can be obtained from the access point (AP) as it is a customary part of the protocol. The tool used to discover this vulnerability is known as Hashcat and will work on nearly all routers operating on 802.11i/p/q/r networks with roaming enabled.

    An attacker can retrieve the Pairwise Master Key Identifier (PMKID) simply by attempting to authenticate and capturing a single frame; the PMKID can then be cracked offline to recover the Pre-Shared Key (PSK) of the wireless network. Users should understand that this does not make cracking the wireless password itself any easier; what is much easier is acquiring a hash that can be attacked to recover that password. The default PSK lengths generated by manufacturers can be cracked in as little as eight days.

    Recommendations:

    To protect keys from being cracked, we recommend that users create and set their own key rather than using the one generated by the manufacturer (the router's default). This key should be long and complex, and should consist of numbers, mixed-case letters, and symbols.
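    The recommendation above can be checked rather than eyeballed. The following Python script is an added example (not code from the bulletin or from Netizen): it validates a candidate passphrase against the WPA/WPA2 length and character rules, estimates an upper bound on its entropy from the character classes present, converts that into an expected offline cracking time at an assumed guess rate, and generates a replacement key from the OS random source that satisfies the "numbers, mixed-case letters, and symbols" policy. The 100,000 guesses-per-second rate and the 80-bit threshold are constructed illustration values, not measurements.

```python
import math
import secrets
import string

# IEEE 802.11i passphrase rules: 8 to 63 printable ASCII characters.
PSK_MIN_LEN, PSK_MAX_LEN = 8, 63

# Character classes a passphrase can draw from, with the size of each alphabet.
CLASSES = {
    "digit": string.digits,            # 10
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "symbol": string.punctuation,      # 32
}


def is_valid_psk(psk: str) -> bool:
    """True if the passphrase is a legal WPA/WPA2 PSK: 8-63 printable ASCII chars."""
    return PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN and all(32 <= ord(c) <= 126 for c in psk)


def psk_entropy_bits(psk: str) -> float:
    """Upper-bound entropy estimate in bits.

    Assumes every character was drawn uniformly from the union of the character
    classes that actually appear. A dictionary phrase therefore scores higher
    than it deserves, so treat the result as a ceiling, not a guarantee.
    """
    alphabet = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in psk))
    return len(psk) * math.log2(alphabet) if alphabet else 0.0


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected offline cracking time: half the keyspace at the given guess rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def is_strong(psk: str, min_bits: float = 80.0) -> bool:
    """Acceptable to set as a PSK: valid and at least min_bits of estimated entropy."""
    return is_valid_psk(psk) and psk_entropy_bits(psk) >= min_bits


def generate_psk(length: int = 24) -> str:
    """Generate a random passphrase from all four classes using the OS CSPRNG.

    Rejection-samples until at least one character of every class is present,
    so the result meets a 'numbers, mixed-case letters and symbols' policy.
    """
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError("WPA/WPA2 passphrase must be 8-63 characters")
    pool = "".join(CLASSES.values())
    while True:
        psk = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(c in chars for c in psk) for chars in CLASSES.values()):
            return psk


if __name__ == "__main__":
    RATE = 100_000  # constructed guess rate (guesses/second), purely for illustration
    for candidate in ["12345678", "Summer2018!", generate_psk()]:
        bits = psk_entropy_bits(candidate)
        days = crack_time_seconds(bits, RATE) / 86400
        verdict = "strong" if is_strong(candidate) else "WEAK"
        print(f"{candidate!r:30} {bits:6.1f} bits  ~{days:.3g} days at {RATE}/s  {verdict}")
```

    An eight-digit manufacturer default scores under 27 bits, so even a modest guess rate exhausts it in minutes; a 24-character key drawn from all four classes scores over 150 bits. The estimator deliberately ignores dictionary structure, so a long English phrase should still be treated with suspicion even when it passes.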

    Popular Social Media Site Hacked by “SMS Intercept”

    The popular social media site Reddit recently suffered a security breach in which hackers bypassed two-factor authentication using a technique called SMS intercept. The attackers were able to access all of Reddit’s user data from 2007 and before, including account credentials and email addresses.

    Two-factor authentication, often referred to as 2FA, is a form of multi-factor authentication: an extra layer of security that requires, in addition to a password, something that only that person would have with them. This could be a security token, an RFID tag, or, most popularly, an SMS code sent to a cell phone. Using both factors together makes it much harder for a potential hacker to gain access to a user’s account, since doing so would require physical access to the token.

    Unfortunately, hackers have found that by spoofing a cell phone’s SIM card they can claim any cell phone number they want. By doing so, they can intercept all SMS messages destined for the target’s phone, including the SMS codes sent to accounts set up with two-factor authentication, and use those codes to gain unauthorized access.

    Recommendations:

    • Enforce multi-factor authentication whenever possible using physical security tokens rather than SMS codes.
    • Use a password manager to vary passwords used for different sites to minimize risk should one password be compromised.
    • Ensure that important database information, such as passwords, is protected with encryption at rest.
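    The first recommendation works because a code generated on a token or authenticator app never crosses the carrier's SMS network, so a hijacked phone number gives an attacker nothing to intercept. As an added example (not code from the bulletin or from Reddit), here is the server side of that mechanism in Python: HOTP (RFC 4226) and TOTP (RFC 6238) generation, plus a verifier that tolerates one step of clock drift, compares in constant time, and refuses to accept a counter value that has already been consumed, so a code captured over the user's shoulder cannot be replayed. The secret is the RFC's published test secret; the verifier class and its parameters are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier for an authenticator-app or hardware-token code.

    Accepts the code for the current time step plus `window` steps either side
    (clock drift), compares in constant time, and remembers the highest
    counter already accepted so a captured code cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_counter = -1  # highest counter consumed so far

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_counter:
                continue  # this step (or an older one) has already been used
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self._last_counter = counter
                return True
        return False


# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 6238 Appendix B (HMAC-SHA1): T=59 -> 94287082, T=1111111109 -> 07081804
    print(totp(RFC_TEST_SECRET, 59, digits=8), totp(RFC_TEST_SECRET, 1111111109, digits=8))
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print(v.verify(code, now=59), v.verify(code, now=59))  # True, then False: replay refused
```

    The secret is provisioned once (usually via a QR code) and stored only on the user's device and, encrypted, on the server; nothing about it is ever sent over SMS. Hardware tokens such as FIDO/U2F keys go further by binding the response to the site's origin, which also defeats phishing pages that relay OTP codes.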

    Is your printer spying on you? HP releases important patches.

    Late last month, HP invited a select group of security researchers to hack its printers, with rewards ranging from $500 to $10,000 per bug. HP, which claims to provide “the world’s most secure printing” devices, told the researchers to home in on firmware-level vulnerabilities in its July 31 bug bounty program.

    And the researchers said ‘Challenge accepted!’

    This week HP released firmware patches that address two serious security vulnerabilities that leave hundreds of HP Inkjet printers open to remote code execution. HP recommends applying the firmware updates “as soon as possible.”

    Many people may think, “What could happen if someone hacked my printer? Inappropriate print jobs?” Yes, but that is a minor risk. Once the printer’s operating system is compromised, it can be used as a launch point to scan the LAN for vulnerable PCs. If a vulnerable PC is found and compromised, it can be configured to serve as a proxy inside the company firewall. That is a big risk.

    HP’s security bulletin lists hundreds of affected printer models. Users can go to https://support.hp.com/us-en/drivers/printers and enter their printer model to determine whether patches are available for their device. Given that HP rushed out these updates less than a week after its bug bounty program began, it is likely that more patches will follow.

    Other printer manufacturers offer similar lookups. Like any connected device, printers need their operating system and firmware updated routinely. Make sure your systems are updated appropriately.
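    Patching is the fix, but the "launch point to scan the LAN" scenario above is also easy to spot in network telemetry, because a printer has no business initiating connections to a spread of workstations. The following Python script is an added example (not code from the bulletin or from HP): it parses a constructed flow-log format, keeps only connections initiated by addresses in an assumed printer inventory, ignores the services a printer legitimately calls out to (DNS, NTP), and raises an alert when one printer reaches five or more distinct internal hosts within any 60-second window. The log lines, the addresses, the regex and the thresholds are all constructed for illustration; adapt the regex to your firewall or NetFlow export.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow-log format (hypothetical; adapt to your firewall/NetFlow export).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Assumed asset inventory: addresses of the network printers.
PRINTERS = {"10.0.5.20", "10.0.5.21"}

# Services a printer legitimately initiates (DNS, NTP); not counted as targets.
BENIGN_PORTS = {53, 123}

# Constructed sample flows: 10.0.5.21 behaves normally, 10.0.5.20 sweeps SMB/RDP.
SAMPLE_FLOWS = """\
2018-08-08T09:58:00Z src=10.0.5.20 dst=10.0.0.53 dport=53 proto=udp
2018-08-08T09:58:05Z src=10.0.5.21 dst=10.0.0.53 dport=53 proto=udp
2018-08-08T09:59:10Z src=10.0.5.100 dst=10.0.5.20 dport=9100 proto=tcp
2018-08-08T10:00:30Z src=10.0.5.20 dst=10.0.5.31 dport=445 proto=tcp
2018-08-08T10:00:33Z src=10.0.5.20 dst=10.0.5.32 dport=445 proto=tcp
2018-08-08T10:00:37Z src=10.0.5.20 dst=10.0.5.33 dport=445 proto=tcp
2018-08-08T10:00:41Z src=10.0.5.20 dst=10.0.5.34 dport=445 proto=tcp
2018-08-08T10:00:46Z src=10.0.5.20 dst=10.0.5.35 dport=445 proto=tcp
2018-08-08T10:00:50Z src=10.0.5.20 dst=10.0.5.36 dport=3389 proto=tcp
this line is malformed and is skipped
"""


def parse_line(line):
    """Parse one flow record into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc).timestamp()
    ev["dport"] = int(ev["dport"])
    return ev


def detect_printer_scans(lines, printers, min_targets=5, window_seconds=60):
    """Return {printer_ip: {...}} for printers that initiated connections to at
    least min_targets distinct hosts inside any window_seconds-long window."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["src"] in printers and ev["dport"] not in BENIGN_PORTS:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        busiest = set()
        # Slide a window starting at each event; events[i:] is time-ordered.
        for i, start in enumerate(events):
            hosts = {e["dst"] for e in events[i:] if e["ts"] - start["ts"] <= window_seconds}
            if len(hosts) > len(busiest):
                busiest = hosts
        if len(busiest) >= min_targets:
            alerts[src] = {"distinct_hosts": len(busiest), "targets": sorted(busiest)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_printer_scans(SAMPLE_FLOWS.splitlines(), PRINTERS).items():
        print(f"ALERT printer {src} reached {info['distinct_hosts']} hosts: {info['targets']}")
```

    In production the same logic runs on a SIEM or flow collector with the real inventory feeding the printer set; the important design choice is the inventory itself, since the rule relies on knowing which addresses should never behave like a scanner. Segmenting printers onto their own VLAN with only the print port reachable from workstations makes the alert rarer and the proxy scenario harder at the same time.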
