Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

  • Allentown, PA: Netizen Corporation, an ISO 27001:2013 certified and award-winning provider of cyber security and related solutions for defense, government and commercial markets, has been named by the Greater Lehigh Valley Chamber of Commerce as the area’s “Veteran-Owned Business of the Year” for 2018. This inaugural award will be presented on Thursday, September 13th at the “Doing Business with the PA National Guard” event hosted by the Chamber. Netizen has been verified as a Service Disabled Veteran Owned Business (SDVOSB) by the Department of Veterans Affairs and the Commonwealth of Pennsylvania. Furthermore, over 60% of Netizen’s employees are military veterans representing every branch of service.

    “It is an honor to be recognized as the area’s Veteran Owned Business of the Year because Netizen truly espouses the military values of dedication to duty, honor, integrity, and attention to detail which has contributed to our astounding growth rate. We also have a high level of camaraderie within our team that has made us a great place to work, learn, and grow a career while also winning awards and recognition from customers for the superior service we provide,” said Rocco Zegalia, a U.S. Air Force veteran and Netizen’s Vice President of Sales and Marketing. He added that both of Netizen’s owners, Michael Hawkins (Chief Executive Officer) and Max Harris (Chief of Business Development), are veterans of the U.S. Army.

    Netizen is not a “general information technology (IT) services company” but rather a highly specialized cyber security solutions provider that works in partnership with IT departments, information system owners/developers, and IT Managed Service Providers (MSPs) to ensure appropriate levels of security and compliance controls are implemented and maintained. Netizen has been awarded over $15,000,000 (fifteen million dollars) in new contracts to provide cyber security and related solutions to the federal government, Department of Defense (DoD), and commercial organizations over the past two years. They also provide these solutions to state and municipal governments and businesses ranging from local manufacturing, finance and health care organizations to Fortune 500 entities.

    About Netizen Corporation: Named the Lehigh Valley’s “Emerging Business of the Year” and a recipient of multiple Department of Defense (DoD) awards for superior performance, Netizen is an Allentown, PA based Veteran-Owned company (SDVOSB) specializing in cyber security solutions for defense, commercial and government markets. Their new commercial-focused subsidiary, CyberSecure Solutions, is also trusted to engineer, implement, audit and maintain cyber security solutions for businesses worldwide. Learn more at NetizenCorp.com and goCyberSecure.com.
    POINT OF CONTACT:

    Rocco Zegalia
    VP of Sales and Marketing
    1-800-450-1773 ext. 717
    rzegalia@netizencorp.com

     #####

  • Netizen Cybersecurity Bulletin: 1 August 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Fake Websites Pushing Adware
    • Ransomware Net Attackers Over $6 Million
    • Mid-Summer/Back-to-School Security Tips
    • How can Netizen Help?

    Fake Websites Pushing Adware

    Fake websites are a staple of the threat actor’s toolkit: a site that looks legitimate earns the user’s trust, which makes it far easier to deliver malware or steal sensitive information. The sites in this campaign push adware. Adware is a class of unwanted software that displays advertisements whenever the user is online; beyond the nuisance, the constant ad loading consumes CPU time and degrades system performance.

    Sites being spoofed include those of KeePass, 7-Zip, and Audacity, to name a few. The application downloaded from any of these look-alike sites comes bundled with InstallCore, the component that delivers the adware. Beyond being annoying, the advertisements served can themselves be malicious, leading to cryptocurrency miners, viruses, trojans, and so on. Since the payload is advertising, the motive is profit.

    Recommendations:

    Staying vigilant and watching where you browse is always a best practice. We recommend avoiding the following websites:

    • unetbootin.org
    • unetbootin.net
    • notepad2.com
    • keepass.com

    These are only the English-language sites affected; there are many others aimed at European countries that are malicious as well. Note that the genuine projects are hosted on different domains (KeePass, for example, is distributed from keepass.info), so check the address bar before downloading.

    Another good practice: whenever you download from any site (yes, even a reputable one), scan the file with up-to-date antivirus software before running it. You can also upload the file to VirusTotal, which checks it against many antivirus engines, and, where the vendor publishes a checksum, compare the download’s hash against it.

    Ransomware Net Attackers Over $6 Million

    Ransomware remains a prevalent threat and a multi-million-dollar criminal business. A prominent variant called SamSam has been found to have extorted over 233 victims for a total of more than $6 million. Researchers found that the attackers’ Bitcoin addresses still net around $300,000 per month; ransom payments were spread across 130 unique addresses.

    SamSam is spread by hand: the operators select targets and infect systems manually. The initial compromise usually comes through Remote Desktop, using brute-force password guessing or stolen credentials bought on the dark web. Once inside, the operators move through the network and deploy the ransomware by exploiting vulnerabilities in other systems. The entire process is manual; SamSam has no worm or virus capability to spread itself.

    The ransomware encrypts the system’s data, after which the attackers demand a large ransom, often in excess of $50,000 worth of Bitcoin, for the decryption keys. Some variants encrypt the most valuable data first, then move on to the rest of the system.

    Recommendations:

    • Keep up-to-date backups on a consistent schedule, store at least one copy offline or otherwise out of reach of a compromised account, and test restoring from them.
    • Enforce multi-factor authentication wherever possible, especially on remote access.
    • Expose Remote Desktop Protocol only to those who need it, never directly to the internet (put it behind a VPN or gateway), and alert on repeated failed RDP logons.
    • Monitor the integrity of files on your servers.
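    The RDP brute-force pattern described above is visible in Windows Security logs: event 4625 is a failed logon, 4624 a successful one, and logon type 10 (RemoteInteractive) marks RDP sessions. The Python below is an added example, not part of this bulletin or of any Netizen tool. It runs over a handful of constructed log records (not real logs), flags a source address that fails repeatedly within a short window, and raises a higher-severity alert when that same address then logs on successfully. The threshold and window are assumptions to be tuned per environment.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures per source within WINDOW (assumption: tune locally)
WINDOW = timedelta(minutes=5)
RDP_LOGON_TYPE = 10           # RemoteInteractive, i.e. Remote Desktop

# Constructed sample records in the shape of exported Windows Security events
# (not real logs). EventID 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = """\
{"time": "2018-08-01T02:00:01", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
{"time": "2018-08-01T02:00:09", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
{"time": "2018-08-01T02:00:15", "EventID": 4625, "LogonType": 2,  "TargetUserName": "jsmith", "IpAddress": "-"}
{"time": "2018-08-01T02:00:21", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}
{"time": "2018-08-01T02:00:33", "EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.7"}
{"time": "2018-08-01T02:00:40", "EventID": 4625, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "198.51.100.4"}
{"time": "2018-08-01T02:00:47", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
{"time": "2018-08-01T02:01:02", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
{"time": "2018-08-01T02:01:30", "EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "198.51.100.4"}
{"time": "2018-08-01T02:03:58", "EventID": 4624, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
"""


def parse_events(text):
    """Parse one JSON record per line; timestamps become datetime objects."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            yield ev


def detect_rdp_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alerts as (kind, source_ip, time, detail) tuples."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent RDP failures
    alerted = set()                 # sources already reported, so one burst gives one alert
    alerts = []
    for ev in events:
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue                # console, network and service logons are out of scope here
        ip, t = ev["IpAddress"], ev["time"]
        recent = failures[ip]
        while recent and t - recent[0] > window:
            recent.popleft()        # slide the window forward
        if ev["EventID"] == 4625:
            recent.append(t)
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("rdp_brute_force", ip, t.isoformat(), len(recent)))
        elif ev["EventID"] == 4624 and len(recent) >= threshold:
            # A success on the tail of a failure burst is the SamSam entry pattern:
            # the guessing worked and an operator now has an interactive session.
            alerts.append(("rdp_success_after_brute_force", ip, t.isoformat(),
                           ev["TargetUserName"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

    On the sample records the single typo from 198.51.100.4 never reaches the threshold, the console logon (type 2) is ignored, and 203.0.113.7 produces one brute-force alert at its fifth failure followed by the higher-severity alert when its logon as administrator succeeds.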

    Mid-Summer/Back-To-School Security Tips

    As we enter August, many people are thinking of Back-To-School.  Whether you’re planning a vacation or planning for your child’s dorm room, you mustn’t let your guard down regarding security.

    Recommendations:

    The Cloud is safe, right?

    Cloud storage is only as secure as the devices and credentials you use to reach it. Cloud data sits on large servers, and no matter how much physical security the data center has, that protection is bypassed instantly if your personal device is compromised. Keep your laptops and mobile devices updated to the latest operating system patches, and only download apps from the official app stores (Google Play, Apple’s App Store) to reduce the chance of malware that could reach your cloud data.

    Also, do not forget your antivirus. Too many people put off updating their antivirus, which leaves them open to new attacks. Hackers create new attacks every day, so you also need a firewall, anti-spyware, anti-phishing and other security tools, all kept current.

    Consider: If you use your devices to conduct financial business, shouldn’t your devices be as secure as possible?

    The Password is…

    Everyone knows you’re supposed to use strong passwords, and yet every year the lists of the most popular passwords include ‘123456’, ‘123456789’, ‘qwerty’, ‘letmein’ and even ‘starwars’. Every online account you have should have a strong, long password made of a combination of symbols, letters, and numbers. Very important: use a different password for each account, and use a password manager so you do not have to remember them.

    A good, strong password is at least 12 characters long and mixes upper-case and lower-case letters, symbols and numbers, for example “yCvc8m!v&Xb3”. A longer phrase such as “iLike1ceCream!” works too, and is easier to remember. (Do not reuse either of these; anything printed in a newsletter is already in attackers’ wordlists.)

    Using two-factor authentication on every account that offers it, particularly your financial accounts, greatly reduces the risk to your data. Even if your password falls into the wrong hands, the attacker cannot get in unless they also control your second factor, typically your smartphone. By the way, your smartphone has a PIN too, right? Preferably one longer than 4 digits.

    My New Device is Safe, Right?

    Many believe a new device, straight from the manufacturer, is perfectly safe. This isn’t true. Android devices and Macs need antivirus just as Windows PCs do, and right out of the box every device’s operating system, browser and software should be updated, because the factory image is often months old.

    Further, that connected TV, smart speaker, refrigerator, or any other Internet of Things (IoT) device is not guaranteed to be secure. Always isolate IoT devices on a separate or guest Wi-Fi network so a compromised gadget cannot reach your computers. Remember the adage: “The ‘S’ in IoT stands for Security.”

    How can Netizen help?

    Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage executive-level cybersecurity expertise without bearing the cost of a full-time hire. We also offer compliance support, vulnerability assessments, penetration testing, and other security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Netizen Cybersecurity Bulletin: 25 July 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Is Your Bluetooth Device Secure?
    • Malware Hidden in Images
    • A Banking Trojan is reborn.
    • How can Netizen Help?

    Is Your Bluetooth Device Secure?

    This week a security bulletin announced a vulnerability in Bluetooth devices. Should an adversary be in the right place at the right time, it is possible for that person to intercept the communication between you and your cell phone, laptop, media player, heart-rate monitor, mouse or keyboard. (Carnegie Mellon CERT/CC bulletin: https://www.kb.cert.org/vuls/id/304725 )

    Interfering with your media player seems harmless enough, but this man-in-the-middle (MitM) attack could capture keyboard data and reveal any passwords you type. The interception happens while the devices are pairing, at which point the attacker can read and write data on the link.
    The Bluetooth protocol was designed to make pairing effortless, which unintentionally raises the potential for abuse such as the bulletin describes. Fortunately, an attack like this requires the attacker to be in close radio range of you and your devices, which limits the overall impact. Furthermore, the attack has to happen as the devices pair, so if you pair your earpiece with your smartphone at home, you remain safe after you leave (unless a family member is trying to exploit the vulnerability).

    The good news: although the bulletin was released this week, the vendors have already addressed the issue. According to Carnegie Mellon, the Bluetooth code from Apple, Microsoft, and Android is either already updated or was never affected by this vulnerability.

    Recommendations

    • If you are using an Android device, be certain your phone vendor or mobile carrier has pushed the patches from the Android Open Source Project to your handset.
    • Best Practice: if you are not using Bluetooth, you should turn it off on your devices.  This will conserve your battery, and avoid broadcasting your Bluetooth hardware address, which makes it less likely an adversary could track you.

    Malware Hidden in Images

    Threat actors are now embedding malicious code in image files. These images are being uploaded to trusted GoogleUserContent hosting, including several blogs and even Google+, which lets a compromised website stay stealthily malicious while remaining undetected. The code hides in the image’s Exchangeable Image File Format (EXIF) metadata, and it hides well, because images are rarely scanned for malware.

    The scripts embedded in the images can upload a predefined web shell, arbitrary files, defacement pages, and backdoors, to name a few. More importantly, exploitation of a site lets the attacker siphon off valuable information such as email addresses. Unfortunately, Google inadvertently makes the problem worse, because Google domains and their known affiliates are implicitly trusted, and often allowlisted, by content filters.

    Threat actors either use their own images or gain access to popular ones, “weaponize” them, and distribute them publicly on trusted sites. They then sit and wait; if a user or a vulnerable site happens to fetch the malicious image, the attacker is notified and the target can be compromised.

    Recommendations

    Until Google develops better anti-malware techniques, especially in areas of content analysis, the best defense is vigilance and prevention. We recommend:

    • Keep up-to-date with security patches
    • Utilize strong passwords
    • Utilize application firewalls
    • Monitor the integrity of files on your servers
    • Trust no file or image. Do not download from unknown sources, sites, or senders.

    A Banking Trojan is Reborn.

    A new variant of an old banking trojan called Kronos is circulating and targeting victims in Germany, Japan, and Poland. The new variant, dubbed Osiris, has been upgraded with command-and-control features that work over anonymizing networks such as Tor.

    Kronos was first seen in 2014, when it was found to be capable of stealing credentials and using web-injection techniques on banking websites. Alongside these capabilities it included a rootkit to help it avoid detection and removal. Kronos faded away about two years later, in 2016.

    Now the new variant is being distributed through phishing emails carrying Word document attachments. Other observed attacks used JavaScript redirections on malicious sites to an exploit kit that downloads the additional files needed to activate Osiris on the victim’s computer.

    Recommendations

    • Ensure Anti-Virus and Malware software is up to date.
    • Ensure Operating System and Applications software are running on the latest update patches.
    • Be vigilant during web browsing in order to avoid clicking on malicious links.
    • Continue to stay informed of new phishing techniques to avoid opening malicious attachments.
    • Do not download files from unknown sources, sites, or senders.

    How can Netizen help?

    Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage executive-level cybersecurity expertise without bearing the cost of a full-time hire. We also offer compliance support, vulnerability assessments, penetration testing, and other security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Netizen Cybersecurity Bulletin: 18 July 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Business Email Compromise Costs $12B – FBI
    • Sextortion Scam
    • More Secure Wireless
    • How can Netizen Help?

    Business Email Compromise Costs $12B – FBI

    The FBI’s latest warning reports that losses from business email compromise (BEC) and email account compromise (EAC) scams worldwide rose 136% between December 2016 and May 2018.

    The FBI tracks these attacks as either Business Email Compromise (BEC) or Email Account Compromise (EAC), and reports there were 78,617 BEC/EAC incidents reported between October 2013 and May 2018, resulting in $12 billion in losses. Of those incidents, 41,058 were in the US, resulting in $2.9 billion in losses. China and Hong Kong banks led the locations for receipt of fraudulent funds, while the UK, Mexico, and Turkey are emerging regions, the FBI report shows.

    In its public service announcement, the FBI warns that the scams are evolving: “The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.”

    The real estate industry is the new hot target: from 2015 to 2017, there was an increase of 1,100% of BEC/EAC victims in that sector.  However, no industry is immune to these scams.

    Be cautious of any financial communication that is exclusively e-mail based and establish a secondary means of communication for verification purposes.

    Employees should also be wary of unverified phone calls. The FBI reports that victims have received phone calls from BEC/EAC actors requesting personal information “for verification purposes”, and some victims say they could not distinguish the fraudulent call from a legitimate one. One defense is to establish code phrases known only to the two legitimate parties, and to call back on a number you already have on file rather than one given during the call.

    Recommendations

    If you discover a fraudulent transfer, move fast.

    • First, contact your financial institution and request a recall of the funds. Different financial institutions have varying policies; it is important to know what assistance your financial institution will provide when attempting to recover funds.
    • Contact your local FBI office and report the fraudulent transfer. Law enforcement may be able to assist the financial institution in recovering funds.

    Sextortion Scam

    Scammers have long sent threatening emails to frighten users into sending money, most often Bitcoin, to an address they control. More recently there has been a spike in what are known as sextortion emails. These begin with an unsolicited message claiming to have photographic or video evidence of the recipient viewing pornographic material. The recipient is then blackmailed into paying, lest the sender release the material to everyone in the recipient’s address book (coworkers, relatives, and so on).

    The good news? It’s a scam. There is no video or photograph; the sender relies entirely on fear and intimidation. The scare tactic has evolved, though: the emails now include a real username and password belonging to the recipient. Investigation shows these passwords are genuine but old, often upwards of ten years, and were almost certainly lifted from earlier data breaches; the scammers mail-merge them in to make the threat more believable. If the password quoted is one you still use anywhere, change it there now.

    An example email follows:

    I am aware, xxxxxx, is your password. You do not know me and you’re most likely thinking why you’re getting this e-mail, correct?

    Well, I actually installed a malware on the adult video clips (porno) web-site and do you know what, you visited this site to experience fun (you know what I mean).

    While you were watching videos, your internet browser started operating as a RDP (Remote Desktop) that has a key logger which provided me with access to your display screen and web camera. Immediately after that, my software obtained your complete contacts from your Messenger, social networks, as well as email.

    What exactly did I do?

    I made a double-screen video. 1st part displays the video you were watching (you have ã good taste hahah), and 2nd part displays the recording of your web cam.

    exactly what should you do?

    Well, in my opinion, $2900 is a fair price for our little secret. You’ll make the payment by Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).
    BTC Address: 1AioWDqwmRY8Ad7Vb6nSHtFcTqfW2Xj
    (It is cAsE sensitive, so copy and paste it)

    Note:
    You now have one day to make the payment. (I have a specific pixel in this mail, and at this moment I know that you have read through this é mail). If I don’t receive the BitCoins, I will, no doubt send out your video recording to all of your contacts including close relatives, colleagues, and so on.

    However, if I do get paid, I’ll erase the video immediately. If you really want evidence, reply with “Yes!” and I will certainly send out your video recording to your 10 friends. This is a non-negotiable offer, therefore please don’t waste my time and yours by replying to this email.

    Recommendations

    • Scrutinize your emails. If something does not feel right, it probably isn’t.
    • Again, these emails convey fear and intimidation. Bottom line, don’t panic. If you receive an email that looks anything like the above, it is a scam. You should contact your supervisor or system administrator.

    More Secure Wireless on the Way

    The Wi-Fi Alliance recently announced that Wi-Fi CERTIFIED WPA3 will make its way into devices later this year. The new protocol is set to replace the decade-old WPA2, bringing more robust authentication and, for more sensitive environments, stronger encryption.

    This new way of connecting securely also addresses WPA2’s known flaws, including last year’s discovery that a victim’s device could be tricked into reinstalling an already-in-use key (the KRACK key reinstallation attack), and it replaces the flawed Wi-Fi Protected Setup (WPS), which is vulnerable to brute-force attacks.

    WPA3 comes in both a Personal and an Enterprise mode. Personal mode’s new handshake is resistant to offline dictionary and password-guessing attacks, and Enterprise mode offers an optional 192-bit security suite for data transmission.

    It will take time for WPA3 to be adopted across new wireless networking devices, but it is something to plan for when you next upgrade.

    Recommendations

    • Continue to ensure you are using WPA2 encryption on your wireless device with a strong passphrase, and be sure to disable WPS as well.
    • Ensure your wireless router or access point is not using default passwords.
    • Change the default SSID Name, but ensure to not use any personally identifiable information.
    • Enabling the wireless MAC filter adds a small hurdle for casual intruders, but note that MAC addresses are easily observed and spoofed, so do not rely on it in place of strong WPA2 encryption.

    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage executive-level cybersecurity expertise without bearing the cost of a full-time hire. We also offer compliance support, vulnerability assessments, penetration testing, and other security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.


  • Netizen Cybersecurity Bulletin: 11 July 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Gmail, and peeping third-party developers
    • USB Restricted Mode issues
    • “Alexa, pay my bills.”
    • How can Netizen Help?

    Gmail, and peeping third-party developers.

    Depending on your personal Gmail settings, third-party developers may be able to read your email. This may come as a surprise, but third-party apps only have this access because the end user granted it. Some applications genuinely need mailbox access to function; the problem arises when such an application is poorly secured or outright malicious, which is a serious threat to privacy. Google acknowledged that third-party developers can view a user’s email, while maintaining that the only way they can do so is with the user’s permission. Granting such permissions is common across email providers; the issue becomes acute when the mailbox contains not just personal information but corporate data as well.

    While this seems cut and dried, it is easily overlooked, because not everyone realizes that they have allowed outside parties to read their Gmail account.

    Recommendations

    • Again, this sounds obvious, but do not conduct any company business with your personal email. This should be a standard of the organization.
    • Stop using third-party apps. If not feasible, scrutinize the permissions of the application and limit its access as much as possible.
    • Use Google’s Security Checkup (under your Google account settings) to see which third-party apps are connected to your account and what permissions they hold. Remove any app that should not have access.
    • Prefer email services that support encryption, and review your current mail configuration (including the company’s) for any delegated or third-party access that has been granted.

    “Alexa, pay my bills.”

    More and more uses of smart speakers such as Amazon Echo, Apple HomePod (Siri), and Google Home are making our lives more connected and perhaps more entertaining. Anyone who has enjoyed a science-fiction story where the hero starts a request with “Computer…” has waited to do the same in their own home. Smart speakers can create lists, play games, play media, send and receive audio and video calls, and even order goods and services. But should they also handle purely financial transactions?

    American Express and Capital One are two credit card issuers that let users pay bills through a smart speaker, which poses a small risk to the consumer. Regional banks have gone further, allowing account balance inquiries, mortgage payments and bill payments by voice. While the risk of someone fraudulently paying your bills is minimal, the privacy of your account balances is worth considering. Financial institutions may require a spoken PIN to protect the account information, but a PIN that can be overheard is hardly secure.

    As advanced as these smart speakers have already become, there are many times when instructions or commands spoken to them are misheard. Should you request a payment to be sent to a friend or relative and the device mishears the name you speak, you may have a headache resolving the matter.

    Most importantly, as with any connected device, the discovery of a vulnerability could lead to financial loss. Because using these devices for financial transactions is still new, attackers currently pay them little attention. It won’t be long, however, before the bad guys look to exploit these devices in an effort to drain your account.

    Recommendations

    • Evaluate your need for using a smart speaker to handle your financial data.
    • Always use a strong password and PIN, and never use these on more than one online account.

    USB Restricted Mode issues

    Apple has released iOS 11.4.1, which includes a new security feature to protect your phone from malicious USB accessories connected to its data port. This makes it harder to break into your device without your permission.
    Called USB Restricted Mode, the feature automatically disables the data connection on your iPhone or iPad’s port once the device has been locked for an hour or longer; after that, the port will only charge.

    Security researchers, however, found that connecting a USB accessory such as Apple’s Lightning-to-USB camera adapter to a recently locked device resets the one-hour countdown.

    While the weakness is not severe, it could be costly if a user expected the data connection to be disabled when in fact it was still active because an accessory had been attached before the lockout window expired.

    The feature arrives amid a growing number of “juice-jacking” stations: malicious free charging stations set up by attackers to gain access to your device over its data pins and steal personal and sensitive data.

    Recommendations

    • Keep your devices charged! When going out for a long time, ensure your device is charged completely. Make it a habit to charge your device when they are not in use.
    • Avoid public USB charging ports. If you must charge away from home, plug your own charger into a wall outlet rather than using a USB socket.
    • Carry a power bank or charger, so if you must recharge you are doing so from a trusted source.
    • Get a charge-only cable, or a USB data blocker that passes power but not the data lines, so that you can safely use public charging stations.

    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage executive-level cybersecurity expertise without bearing the cost of a full-time hire. We also offer compliance support, vulnerability assessments, penetration testing, and other security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.



  • Allentown, PA: Netizen Corporation, an award-winning provider of cyber security solutions for defense, government and commercial markets, has officially received ISO 27001:2013 (Information Security Management) certification. The scope of this certification program applies to all company operations as well as the products and services Netizen provides to customers worldwide.

    The ISO 27001 program validates that a company’s Information Security Management System (ISMS) has been designed, implemented and managed in accordance with globally recognized best practices to protect both customer and company information systems and assets. The multi-phase compliance audit was conducted by Intertek.

    “Since our founding, we have been committed to providing best-of-breed cyber security solutions while constantly improving our operations. This new certification validates that commitment while demonstrating to customers that they can trust in our dedication to providing world-class products, services and cyber expertise that truly set us apart from the competition,” said Michael Hawkins, Netizen’s Chief Executive Officer. He added that, with this new certification, Netizen has achieved greater corporate maturity by developing, implementing and enforcing formalized policies, tools and procedures over the past several years in accordance with global security and quality standards.

    Netizen is not a “general information technology (IT) services company” but rather a highly specialized cyber security and compliance solutions provider that works in partnership with IT departments, information system owners/developers, and IT Managed Service Providers (MSPs) to ensure appropriate levels of security and compliance controls are implemented and maintained. Netizen has been awarded over $15,000,000 (fifteen million dollars) in new contracts to provide cyber security and related solutions to the federal government, Department of Defense (DoD), and commercial organizations over the past two years. They also provide these solutions to state and municipal governments and businesses ranging from local manufacturing, finance and health care organizations to Fortune 500 entities.

    About Netizen Corporation: Named the Lehigh Valley’s “Emerging Business of the Year” and “Veteran Owned Business of the Year” and a recipient of multiple Department of Defense (DoD) awards for superior performance, Netizen is an Allentown, PA based Veteran-Owned company (SDVOSB) specializing in cyber security and compliance solutions for defense, commercial and government markets. Their new commercial-focused subsidiary, CyberSecure Solutions, is also trusted to engineer, implement, audit and maintain cyber security solutions for businesses worldwide. Learn more at NetizenCorp.com and goCyberSecure.com.

    POINT OF CONTACT:

    Rocco Zegalia
    Vice President of Sales and Marketing
    1-800-450-1773 ext. 717
    rzegalia@NetizenCorp.com

  • Netizen Cybersecurity Bulletin: 5 July 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • IoT in the Workplace: Are you at risk?
    • Fake OVERDUE INVOICES alert: malware disguised as billing notices
    • Two-Factor Inauthentication–The Rise in SMS Phishing Attacks
    • How can Netizen Help?

    Cybersecurity Assurance TIPS

    IoT in the Workplace

    Are you at Risk?

    As mobile and IoT devices become more and more important to the overall success of modern business, the inherent security vulnerabilities they bring to information technology infrastructures become more acute—and more dangerous. The enthusiastic, and somewhat reckless, embrace of BYOD mobile and IoT devices by so many businesses, all hoping to capitalize on employee mobile productivity, may have far-reaching and costly security consequences for all of us.

    According to Verizon’s Mobile Security Index 2018, only 14% of the responding organizations said they had implemented even the most basic cybersecurity practices, with an astonishing 32% of these IT professionals admitting that their organization sacrifices mobile security to improve business performance on a regular basis. That general lax attitude toward cybersecurity goes a long way toward explaining why IoT attacks have spiked 600% in one year.

    Businesses, regardless of size or technical sophistication, can’t afford to continue treating cybersecurity, especially with regard to IoT, as an afterthought. Besides the obvious costs of lost productivity from system downtime, there is a substantial potential for fines and penalties stemming from data loss and violation of privacy regulations. Whether you like it or not, cybersecurity must be a vital and integral part of your strategic plan.

    Recommendation:

    • Ensure any IoT devices installed in the workplace comply with the business’ System Security Plan for ‘BYOD’ devices.

    Fake URGENT PAYMENT for overdue bills

    Malware delivered in phony billing notice

    An email with the subject of “FW: URGENT PAYMENT FOR OVERDUE INVOICES”, pretending to come from FINANCE <salgar@dgkw.com>, with both a malicious Word DOC and an Excel XLS spreadsheet attachment delivers the Formbook malware. The notable feature is the dual attachment, an attempt to get two bites at the cherry. The senders are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, in the hope of getting a better response than they do from consumers.

    Remember that many email clients, especially on a mobile phone or tablet, only show the display name in the From: field and not the address in <domain.com>. That is why these scams and phishes work so well.

    All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company whose details have been spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, government departments and other organizations, with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

    Recommendation:

    By default, Protected View is enabled and macros are disabled, UNLESS you or your company have enabled them. If Protected View is turned off and macros are enabled, then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you.

    Two-Factor Inauthentication

    The Rise in SMS Phishing Attacks

    As cyber criminals are constantly on the prowl to capture passwords and other credentials, two-factor authentication (2FA) has become one of the most widely accepted backup verifications for many services and companies. Since nearly everyone has a mobile phone, the 2FA method most widely used is a code sent via SMS text message.

    However, SMS is not entirely secure. Anyone with direct access to your cell phone can pretend to be you and have a code sent to your device. In fact, thieves do not need to have the device in their hands, as 2FA is also vulnerable to remote phishing. We most often think of phishing attacks as taking place over email, targeting information such as passwords, but the same tactic can very easily be applied over SMS, targeting reset codes. One particularly powerful technique is the Verification Code Forwarding Attack, or VCFA. For this approach, the criminal goes to a service provider and requests a password-reset SMS code for a particular user. Immediately afterwards, they send a fake text message to the same user, pretending to be the service provider and asking for the code “as an additional verification measure”.

    In a research experiment conducted at New York University, it was discovered that the VCFA technique can be incredibly effective. 300 volunteers, who were not aware that the experiment involved SMS phishing, were sent a variety of different messages modeled on real SMS from their email provider. The most successful message was able to fool 50 percent of recipients into giving up their authentication code, a remarkably high result for any form of social engineering. By comparison, most non-targeted email-based phishing attacks have a success rate of around 1 percent, with the very best reaching two or three percent.

    Any service being breached in this way would mean severe repercussions for the victim, most obviously online payment, retail, and anything else connected to financial data. The holy grail for any attacker is to gain access to an email account, a tactic known as Email Account Compromise (EAC).

    While financial details can be exploited as a one-off opportunity before the bank takes action, an email account can be used to cause much more damage.

    As SMS remains so widespread and more attackers adopt SMS phishing, it is more important than ever for organizations to be aware that their workforce’s digital identities may be compromised.

    Recommendation

    • Adopt a code-generating app such as Microsoft Authenticator on your mobile device

    How can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

  • Netizen Threat Brief: 27 June 2018 Edition

    Threats:

    Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. MyloBot
    2. WannaCry Extortion Fraud
    3. Wavethrough
    4. Stay Safe on Public Wi-Fi
    5. ZeroFont

    1. MyloBot

    Overview

    A new, sophisticated malware dubbed MyloBot has been discovered with smart evasion, infection, and propagation techniques.

    MyloBot behaviors include:

    • Process hollowing: a legitimate process that is supposed to run on the computer is used as a container, or host, for malicious code. This technique helps hide the malware.
    • Reflective EXE: loading executable files from memory into a host process.
    • Code injection: invalid data processing allows malicious code to be “injected” into a vulnerable computer to change a program’s intended outcome.
    • Ransomware payload
    • Data theft
    • Anti-VM (Virtual Machine) capabilities
    • Anti-sandbox capabilities: a sandbox is a form of testing environment for untested code. MyloBot circumvents this.
    • Anti-debugging capabilities

    A successful MyloBot infection allows attackers to gain full control of a victim’s machine. Full control would let the attacker add further damage, such as keyloggers (recording a user’s keyboard strokes), banking Trojans, and Distributed Denial of Service (DDoS) attacks. One last interesting ability of MyloBot is that it actually seeks out and destroys any other malware on a system so that it can gain the most profit from the victim.

    Recommendations

    We recommend the following steps to help protect your organization from MyloBot:

    • Ensure a multi-layered approach and protection for your systems to prevent, detect and remove threats from the gateway to the endpoints.
    • Regularly back up your files. Practice the 3-2-1 system to minimize or mitigate data loss; the 3-2-1 system is when you have 3 copies of your data (1 production and 2 backup copies) on two different types of media with one off site copy for disaster recovery purposes.
    • Employ data categorization (organizing data correctly and efficiently) and network segmentation (the guest network of the organization should not be able to talk to the company internal network).

    2. WannaCry Extortion Fraud

    Overview

    Extortion emails are sent by hackers to try to threaten or intimidate users into paying money (often in Bitcoin), lest they face the wrath of the WannaCry ransomware. The extortion emails that have been circulating are designed to cause panic and state that all of the victim’s devices have been infected with WannaCry; this is in fact a fraud and actually just a phishing attempt. This “your computer is infected, pay us” approach is a classic in the social engineering realm and has been used for years.

    Recommendations

    While understandably scary, do not panic. More often than not, if you are infected with ransomware, you wouldn’t even be able to access anything, let alone your email. A prompt would surface on startup claiming the computer is encrypted. To be on the lookout for this fraud, we recommend:

    • Be skeptical of emails. Examine them closely, and do not click on any links or download attachments. If something does not seem right, it probably isn’t. Verify emails that pose as legitimate companies.
    • Develop and execute a plan for end-user awareness on recognizing phishing emails. Last week’s threat brief was a good example of a phishing attempt.
    • Perform routine updates and patches for antivirus solutions, software, applications, and operating systems as is best practice.

    3. Wavethrough

    Overview

    A Google researcher has found a vulnerability in many modern browsers which could allow malicious websites to steal sensitive content from websites you are currently logged into on the same browser. By tricking the victim to play or view a malicious embedded media file, the browser is exploited into sending elements from other open tabs. These media elements could contain sensitive information or conversations that the victim may have open.

    Recommendations

    • Ensure browsers and applications are continually updated to ensure the latest security patches are in place.
    • Be vigilant when browsing new or unknown websites, and refrain from playing any embedded media that you are suspicious of.
    • Practice good browsing techniques and limit the simultaneous browsing of business and leisure pages to avoid cross-script exploitation.

    4. Stay Safe on Public Wi-Fi

    Overview

    Public Wi-Fi has become so accessible that many of us eagerly search for it and connect to open hubs without thinking. Many are travelling in the warmer months, and often use hotel or other hotspots to stay connected.

    However, connecting to public Wi-Fi could leave you exposed to cybercriminals that might keep tabs on your financial transactions, email correspondences or anything else you do online.

    One of the most common methods of attack involves hackers tricking you into thinking you’re connected to a valid network — such as one operated by a hotel or coffee shop. In reality, hackers named the false network to make it seem legit to unsuspecting victims, then monitor individuals’ activities.

    You can stay safer while connected to a public network by doing a few simple things every time you connect.

    Recommendations

    Don’t Store the Network Login Credentials

    Computers can handily remember passwords and usernames required for public Wi-Fi access if you consent to use that feature. However, it’s best to disable that capability — usually by un-checking the Remember This Network box when logging in. You may also need to go into your computer’s settings and manually delete networks to make it forget Wi-Fi connections when you’re not using them.

    Otherwise, your computer or mobile device could log in to networks without your knowledge. That typically happens whenever you’re in range of a previously used Wi-Fi network.

    Avoid Connecting Workplace Devices

    Sometimes instead of taking things from your computer, hackers install stuff onto it. Malware is one of the software-related risks associated with unsecured devices people use for work. The best practice is not to connect your workplace equipment to public hotspots at all. Then, hackers can’t infiltrate it to either steal data or add corrupt applications.

    Only Visit Extra-Secure Sites or Take Part in Casual Browsing

    Get in the habit of only going to websites that include the “https” prefix or offer two-factor authentication. Then, if a hacker does enter your system as you use a public network, it’s harder for them to obtain useful details.

    Consider only using public Wi-Fi when doing things not of interest to cybercriminals — for example, checking the weather forecast or reading the news headlines. Don’t check your bank account or participate in online shopping.

    5. ZeroFont

    Overview

    In recent attacks, cyber criminals have been leveraging small font sizes to bypass Office365 spam protection and deliver malicious phishing emails to users and companies. By setting the font size of inserted text to ‘0’, they keep the email looking normal to the victim while confusing spam filters, which can no longer match certain words, so the malicious emails are allowed through.

    Recommendations

    • Continue to be vigilant when opening emails, looking for spelling mistakes, or requests for sensitive information.
    • Consider setting your email client to display emails as plain text, as this will help expose specially crafted emails designed to evade spam filters.
    • Ensure users are continually educated on the dangers of phishing emails and what to look for when browsing their email.
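    One defensive check for the technique described above, as an added example (not code from the Netizen bulletin or from any spam filter product): it parses an HTML body, separates the text a recipient would see from text styled with font-size:0, and scores only the visible text, flagging any message that carries zero-font text at all. The sample email and keyword list are constructed for the example.

```python
"""Added example (not from the Netizen bulletin): detect and neutralise
'ZeroFont' text in an HTML email body before a content filter scores it.

The trick hides filler words in elements styled with font-size:0, so a filter
reading the raw text sees something different from what the reader sees.
A defender can rebuild both views and compare them. Standard library only;
the sample email below is constructed for this example.
"""
import re
from html.parser import HTMLParser

# Matches font-size values that collapse to zero: 0, 0px, 0pt, 0em, 0.0%, ...
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I
)

VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


def is_zero_font(style: str) -> bool:
    """True if an inline style sets the font size to zero."""
    return bool(ZERO_FONT_RE.search(style or ""))


class ZeroFontSplitter(HTMLParser):
    """Splits an HTML body into text the recipient sees and text hidden with
    font-size:0. Children of a zero-font element inherit the hidden flag."""

    def __init__(self) -> None:
        super().__init__()
        self.visible = []   # fragments the reader will see
        self.hidden = []    # fragments invisible to the reader
        self._stack = []    # one "hidden?" flag per open element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        parent_hidden = self._stack[-1] if self._stack else False
        self._stack.append(parent_hidden or is_zero_font(style))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())   # collapse whitespace, drop empties
        if not text:
            return
        hidden = self._stack[-1] if self._stack else False
        (self.hidden if hidden else self.visible).append(text)


def split_visible_hidden(html: str):
    """Return (visible_text, hidden_text) for an HTML email body."""
    p = ZeroFontSplitter()
    p.feed(html)
    p.close()
    return " ".join(p.visible), " ".join(p.hidden)


def zerofont_verdict(html: str, keywords):
    """Score only the text the recipient sees, and treat any zero-font text
    as suspicious on its own. Returns (suspicious, matched_keywords)."""
    visible, hidden = split_visible_hidden(html)
    hits = sorted(k for k in keywords if k.lower() in visible.lower())
    return bool(hidden) or bool(hits), hits


# Constructed sample: the reader sees a credential lure, while a filter that
# scans raw text sees neutral words interleaved with it.
SAMPLE_EMAIL = """
<html><body>
<p>Your <span style="font-size:0px">newsletter</span>account
<span style="FONT-SIZE: 0">weekly</span>has been suspended.
Please <a href="https://example.invalid/login">verify your password</a>
<span style="font-size:0;color:#fff">recipe <b>garden</b></span>within 24 hours.</p>
</body></html>
"""

if __name__ == "__main__":
    vis, hid = split_visible_hidden(SAMPLE_EMAIL)
    print("visible:", vis)
    print("hidden :", hid)
    print(zerofont_verdict(SAMPLE_EMAIL, ["password", "suspended", "newsletter"]))
```
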

  • Netizen Threat Brief: 20 June 2018 Edition

    Threats:

    Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. Phishing Email
    2. Vulnerable Cloud Containers
    3. Sneaky Windows malware delivers adware
    4. Invisimole
    5. Firefox fixes critical buffer overflow

    1. Phishing Email

    Overview

    Just recently, Netizen has received a phishing email depicted below:

    [Screenshot: the phishing email]

    From the looks of it, the email appears to be legitimately from Chase. However, further inspection of the link reveals suspicious details:

    [Screenshot: the suspicious link in the email]

    We can see that the link points to a website based out of Chile (as depicted by the .cl domain) and is not actually from Chase Bank.

    Recommendations

    A Phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has.

    Here are our recommendations and tips on what to watch out for when it comes to suspicious emails:

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting.
    • Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    2. Vulnerable Cloud Containers

    Overview

    As the cloud is developed and technologies progress further, so do the risks of using these services. Around 22,000 cloud containers and application programming interface (API) management systems have been found unprotected, or publicly available on the Internet. Containers are a form of Infrastructure-as-a-Service (IaaS) that offers operating system virtualization that is more efficient than typical hardware virtualization. The containers discovered had poorly configured resources, a lack of credentials, and the use of non-secure protocols. As a result of these poor practices and security measures, attackers would be able to remotely access company infrastructure to either install, remove, or encrypt any application that the organization may be using in the cloud.

    Recommendations

    We recommend the following mitigations:

    • Secure containers with complex and strong passwords.
    • Utilize secure protocols (SSL/TLS).
    • Scan container images and registries to search for security flaws within them.
    • Monitor data that flows in and out of containers to search for any suspicious activity.
    • Encrypt data, when in transit and when at rest.
    • Keep your systems up to date.
    • Limit user access to administrative privileges to only those that need it.

    3. Sneaky Windows Malware Delivers Adware

    Overview

    A newly uncovered form of stealthy and persistent malware is distributing adware to victims across the world while also allowing attackers to take screenshots of infected machines’ desktops. Discovered by researchers at Bitdefender, the malware has been named Zacinlo after the name of the final payload that’s delivered by the campaign which first appeared in 2012.

    The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10. There are also victims in other regions of the world, including Western Europe, China and India. A small percentage of victims are running Windows 7 or Windows 8.

    What makes Zacinlo so unusual is that it is delivered by a rootkit, a malicious form of software which can manipulate the operating system and any installed anti-malware in such a way as to make the computer oblivious to the existence of the malware. Rootkit-based malware is complex and is therefore rare, accounting for less than one percent of all malware.

    Once downloaded, the false application pretends to act as a VPN, but in fact serves only as a delivery mechanism for the malware, which uses the rootkit as a means of downloading files and eventually delivering the final Zacinlo payload.

    The main goal of Zacinlo is to deliver adware, displaying adverts developed by the attackers in webpages the user visits and to secretly click through to them to generate ad revenue. Popular browsers including Edge, Internet Explorer, Firefox, Chrome, Opera, and Safari can all be used to drive the adware.

    Ironically, in order to ensure it can carry out its goal, the malware can also clean up any other adware the victim device may be infected with.

    Zacinlo is extremely persistent, secretly going about its business until it is told to stop by those running the command and control server — but using the computer to generate ad fraud isn’t the only threat posed by the malware.

    The malware is stealthy, but it can be detected if the system is scanned in safe mode.

    Recommendations

    • Never download attachments without knowing where they have originated.
    • Alert your Information Security staff if you suspect advertisements are appearing on unusual sites.

    4. Invisimole

    Overview

    Security researchers have recently discovered a sophisticated cyber-espionage malware tool, dubbed Invisimole. This malware can allow attackers to turn ordinary PCs into full-fledged spying devices: it is capable of remotely turning on the microphone or video camera of the compromised machine, allowing the attacker to listen in on and record conversations near the infected computer. It has also been observed taking screenshots of applications running in the background, and even scanning nearby wireless networks to geolocate the victim.

    Recommendations

    • Ensure recent updates and patches are applied to the operating system, internet browsers, and any add-on plugins.
    • Remove old and outdated software that is no longer in use.
    • Be vigilant when reading emails, and do not download and run attachments from suspicious emails.
    • Ensure the use and frequent updating of firewalls, antivirus, and anti-malware technology.

    5. Firefox Fixes Critical Buffer Overflow

    Overview

    Mozilla announced a security advisory (MFSA2018-14) for its Firefox browser, noting that version 60.0.2 of both Firefox and Firefox Extended Support Release (ESR), as well as the legacy ESR (ESR 52.8.1), now have a fix for a critical-level buffer overflow vulnerability.

    The buffer overflow bug occurs within Firefox’s implementation of the Skia library, an open-source graphics library that is used by almost all of the mainstream browsers.

    Skia is used for rendering and rasterizing images and text, and Fratric found that an attacker could trigger a buffer overflow during the rasterization process if they use a malicious SVG image file with anti-aliasing turned off. The Mozilla advisory says this buffer overflow could result in “a potentially exploitable crash.”

    The fixed versions of Firefox became available on 6 June, so if you’ve run your browser lately, the chances are it’s already patched.

    Recommendations

    • To be sure, check which version of the browser you are running — in Firefox on Windows, go to Help and select About Firefox; on a Mac, open the Firefox menu and select About Firefox.

    How can Netizen help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

  • Netizen Threat Brief: 13 June 2018 Edition

    Threats:

    Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

    1. Zip Slip
    2. Password Reset Flaw
    3. Loki Bot Malware
    4. MitM Chrome Extension
    5. MyHeritage Breach

    1. Zip Slip

    Overview

    Thousands of online projects may have been affected by a vulnerability known as Zip Slip. Attackers have discovered that they can create Zip archives that utilize an attack which enables them to access files and directories stored outside the default extraction folder. This allows the attacker to overwrite important files on affected systems, which can either destroy them or replace them with malicious substitutes.

    Zip Slip has been found on the following platforms:

    • Java: It is very prevalent here because Java has no central library that offers high-level processing of archive files.
    • JavaScript
    • Ruby
    • .NET
    • Go

    Attackers will target a site that will allow them to upload zip files, and then create malicious versions of the kinds of files that they would like to overwrite. It is even possible for an attacker to attach a zip file to an email, with the malicious file targeting a common location of a Windows desktop.

    Recommendations

    Like many software bugs, the usual fix is a simple patch. Below is a list of projects and libraries with known vulnerabilities on GitHub. Peruse the list and see if you are using any vulnerable software, as there are updates for most of them on the list. We also recommend that:

    • Projects and libraries with known Zip Slip vulnerabilities https://github.com/snyk/zip-slip-vulnerability
    • If you maintain software that unzips files automatically, you should test to see if it is vulnerable.
    • Consider whether standard libraries would be a better option for your organization.
    • Check to see if your applications are operating in accordance with the principle of least privilege.
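    A way to test an unzip routine for the vulnerability described in this item, as an added example (not code from the Netizen brief or from the Snyk project linked above): it audits every entry name against the destination directory before anything is written, and the extractor refuses the whole archive if any entry would escape. The archives are built in memory for the example, and all names here are the example's own.

```python
"""Added example (not code from the Netizen brief or the Snyk project): a
check for the Zip Slip pattern that an upload handler can run before it
extracts anything, plus a safe extractor that refuses any archive containing
a traversal entry. Standard library only; archives are built in memory."""
import io
import os
import tempfile
import zipfile


def build_zip(with_traversal: bool) -> bytes:
    """Construct a test archive. With with_traversal=True it also carries an
    entry whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content\n")
        if with_traversal:
            # zipfile stores the name verbatim, exactly as a crafted archive would.
            zf.writestr("../../escaped.txt", "written outside the target dir\n")
    return buf.getvalue()


def is_traversal(dest_dir: str, member_name: str) -> bool:
    """True if extracting member_name under dest_dir would land outside it.
    Resolves '..' components, symlinks in the destination and absolute names,
    and uses commonpath so that '/srv/uploads2' is not mistaken for a child
    of '/srv/uploads' (a plain startswith check would make that mistake)."""
    dest_root = os.path.realpath(dest_dir)
    # Normalise separators so archives built on Windows are handled too.
    target = os.path.realpath(os.path.join(dest_root, member_name.replace("\\", "/")))
    return os.path.commonpath([dest_root, target]) != dest_root


def audit_archive(zip_bytes: bytes, dest_dir: str) -> dict:
    """Report, per entry, whether it would escape dest_dir. Writes nothing,
    so it is safe to run on untrusted uploads before extraction."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: is_traversal(dest_dir, n) for n in zf.namelist()}


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract every entry, or raise ValueError if any entry traverses.
    All names are validated before the first write so a partially extracted
    archive cannot be left behind. Returns the extracted entry names."""
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [n for n in zf.namelist() if is_traversal(dest_dir, n)]
        if bad:
            raise ValueError(f"Zip Slip entries rejected: {bad}")
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted


def try_extract(zip_bytes: bytes):
    """Extract into a throwaway directory; return (rejected, extracted_names)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            return False, safe_extract(zip_bytes, d)
        except ValueError:
            return True, []


if __name__ == "__main__":
    print(audit_archive(build_zip(True), "/var/tmp/extract"))
    print(try_extract(build_zip(True)))
    print(try_extract(build_zip(False)))
```
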

    2. Password Reset Flaw

    Overview

    Large cable and internet provider, , has a bug in the way they reset account passwords for their customers. The bug would allow anyone to take over a user’s account. An attacker with some determination and a few hours of their time would be able to take over a customer account with just a username and email address.

    The attacker can bypass the access code sent during the reset process by exploiting a small flaw: the access code field is not limited, allowing any number of attempts. Using an automated network intercept tool, the attacker could try as many as 100 codes in 10 seconds, eventually unlocking the account.

    Recommendations

    The service has since been shut down and a patch is likely to follow. Once the patch becomes available, apply the fix as soon as possible. It is also recommended that different methods of multifactor authentication (MFA) are utilized; MFA can be a text message or an application that either approves or denies a sign-in request.
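    For comparison with the unlimited-attempt flaw described above, an added example (not the provider's code) of how a reset-code check is normally bounded: a small number of attempts per code, a short lifetime, single use, and a constant-time comparison. The clock and random source are injectable so the lockout behaviour can be exercised deterministically; every name here is the example's own.

```python
"""Added example (not the provider's code): a password-reset code verifier
that closes the gap described above. Attempts per code are bounded, the code
expires, it is single-use, and the comparison is constant-time."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

CODE_DIGITS = 6          # 6-digit code: 1,000,000 possibilities
MAX_ATTEMPTS = 5         # a tool sending ~100 guesses per 10 s gets 5, not 1,000,000
CODE_TTL_SECONDS = 600   # a code is useless after 10 minutes, even if unguessed


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


@dataclass
class ResetCodeService:
    now: Callable[[], float] = time.time             # injectable clock
    rng: Callable[[int], int] = secrets.randbelow    # injectable CSPRNG
    _pending: dict = field(default_factory=dict)     # username -> challenge

    def issue(self, username: str) -> str:
        """Generate a fresh code; any earlier code for the user is replaced."""
        code = f"{self.rng(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = ResetChallenge(code=code, issued_at=self.now())
        return code   # a real deployment sends this out of band, not back to the caller

    def verify(self, username: str, candidate: str) -> str:
        """Return 'ok', 'bad_code', 'locked', 'expired' or 'none'.
        Only 'ok' allows the password to be changed."""
        ch = self._pending.get(username)
        if ch is None or ch.consumed:
            return "none"                 # nothing outstanding, or already used
        if self.now() - ch.issued_at > CODE_TTL_SECONDS:
            del self._pending[username]
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"               # the correct code is refused too
        ch.attempts += 1
        if hmac.compare_digest(ch.code.encode(), candidate.encode()):
            ch.consumed = True
            return "ok"
        # After the last allowed attempt the challenge stays locked until the
        # account owner requests a new code, which they will notice.
        return "locked" if ch.attempts >= MAX_ATTEMPTS else "bad_code"


def simulate_bruteforce(service: ResetCodeService, username: str, budget: int):
    """Mimic sequential automated guessing against an issued code. Returns
    (first outcome other than 'bad_code', number of requests it took)."""
    for i in range(budget):
        result = service.verify(username, f"{i:0{CODE_DIGITS}d}")
        if result != "bad_code":
            return result, i + 1
    return "bad_code", budget


def lockout_demo() -> dict:
    """Walk the scenarios with a fixed clock and a fixed code (424242)."""
    clock = [1_700_000_000.0]
    svc = ResetCodeService(now=lambda: clock[0], rng=lambda n: 424242)
    code = svc.issue("alice")
    guesses = [svc.verify("alice", "000000") for _ in range(MAX_ATTEMPTS)]
    after_lock = svc.verify("alice", code)      # right code, but too late
    code = svc.issue("alice")                   # owner asks for a new one
    first_use = svc.verify("alice", code)
    replay = svc.verify("alice", code)          # same code presented again
    code = svc.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1            # let it sit past its TTL
    stale = svc.verify("alice", code)
    return {"guesses": guesses, "after_lock": after_lock, "first_use": first_use,
            "replay": replay, "stale": stale}


if __name__ == "__main__":
    print(lockout_demo())
    svc = ResetCodeService()
    svc.issue("bob")
    print(simulate_bruteforce(svc, "bob", 100))
```
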

    3. Loki Bot Malware

    Overview

    Malware known as Loki Bot attempts to steal login credentials from infected users and sends the data and other sensitive material from the infected Windows host to a command and control (C2) server. Loki Bot is commonly distributed through malicious spam (malspam). The malware typically arrives as an RTF attachment disguised as a Word document. When the file is opened with a vulnerable version of Microsoft Office, the malware is downloaded and Loki Bot is installed. Once installed, Loki Bot steals usernames, passwords, and other sensitive data pertaining to the Windows host.

    Recommendations

    The most effective defense against this threat is to make sure all updates and patches are applied to your Windows system(s); poor system upkeep appears to be the main opening this threat needs in order to exploit a vulnerability. The following are also some indicators of the malware:

    Indicators are not the same as a block list. If you need to block the associated web traffic, block anything going to these two domains:

    • com
    • service-sbullet.com

    Information from the malicious spam:

    • Date: Sunday, 11 Jun 2018 01:05 UTC
    • From: “Gold Link Logistics” <c37120b2324@fb90cfa11840.tr>
    • Subject: Re: Aw: Aw: Shipping Documents
    • Attachment Name: shipping documents.doc

    Traffic from an infected Windows host:

    • 163.221.2 TCP port 443 (HTTPS) – service-sbullet.com – GET /images/mg2/m.exe
    • 122.138.6 TCP port 80 (HTTP) – oceanlinkmarrine.com – POST /loki4/fre.php

    Associated malware:

    SHA256 hash: b66d5b28c57517b8b7d2751e30e5175149479e5fde086b293a016aac11cdd546

    • File size: 7,347 bytes
    • File name: shipping documents.doc
    • File description: RTF exploiting CVE-2017-11882 disguised as a Word document

    SHA256 hash: a747eeac9ae8ee9317871dfaa2a368f2e82894f601a90614da5818f8f91d1d78

    • File size: 667,648 bytes
    • File location: hxxp://service-sbullet.com/images/mg2/m.exe
    • File description: Windows executable file for Lokibot
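    The indicators above are most useful when they are actually run against your own telemetry. Below is an added example, not part of the advisory, that matches the two domains, the two URL paths and the two SHA256 hashes against proxy log lines and file contents. The log lines are constructed sample data and their format (`<timestamp> <client_ip> <method> <url> <status>`) is an assumption; adapt the regular expression to your proxy’s format.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Added example (not from the advisory): match the listed indicators against
# proxy logs and file hashes. The log lines below are constructed sample data
# and the log format is assumed: "<timestamp> <client_ip> <method> <url> <status>".

IOC_DOMAINS = {"service-sbullet.com", "oceanlinkmarrine.com"}
IOC_URL_PATHS = {"/images/mg2/m.exe", "/loki4/fre.php"}
IOC_SHA256 = {
    "b66d5b28c57517b8b7d2751e30e5175149479e5fde086b293a016aac11cdd546":
        "RTF exploiting CVE-2017-11882 disguised as a Word document",
    "a747eeac9ae8ee9317871dfaa2a368f2e82894f601a90614da5818f8f91d1d78":
        "Windows executable for Lokibot (m.exe)",
}

# Constructed sample log; the client addresses and times are made up.
SAMPLE_PROXY_LOG = """\
2018-06-11T01:07:12Z 10.0.0.15 GET https://service-sbullet.com/images/mg2/m.exe 200
2018-06-11T01:07:30Z 10.0.0.15 POST http://oceanlinkmarrine.com/loki4/fre.php 200
2018-06-11T01:08:02Z 10.0.0.22 GET https://www.example.com/index.html 200
2018-06-11T01:09:45Z 10.0.0.31 POST http://cdn.oceanlinkmarrine.com/loki4/fre.php 404
this line is malformed and is skipped
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def host_matches(host):
    """True for an indicator domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def scan_proxy_log(text):
    """Return one dict per log line that touches an indicator domain or URL path."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # unparseable line: skip rather than crash the scan
        ts, client, method, url, status = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        domain_hit = host_matches(host)
        path_hit = parts.path in IOC_URL_PATHS   # catches the same C2 path on a new domain
        if domain_hit or path_hit:
            hits.append({
                "time": ts, "client": client, "method": method, "host": host,
                "path": parts.path, "status": int(status),
                "domain_match": domain_hit, "path_match": path_hit,
            })
    return hits


def infected_clients(hits):
    """Distinct client addresses that produced at least one hit."""
    return sorted({h["client"] for h in hits})


def lookup_sha256(hexdigest):
    """Description of a known sample for this digest, or None."""
    return IOC_SHA256.get(hexdigest.strip().lower())


def check_bytes(data):
    """Hash an in-memory blob (e.g. an extracted attachment) and look it up."""
    return lookup_sha256(hashlib.sha256(data).hexdigest())


def check_file(path):
    """Hash a file on disk in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return lookup_sha256(h.hexdigest())


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in found:
        print(hit["time"], hit["client"], hit["host"] + hit["path"])
    print("clients to isolate:", infected_clients(found))
```

    The path check is deliberately separate from the domain check: a POST to `/loki4/fre.php` on a domain that is not on the list is still worth a look, which is why each hit records which of the two matched.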

    System administrators can also implement Microsoft’s best practices for software restriction policies: https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies-technical-overview

    4. MitM Chrome Extension

    Overview

    A malicious Chrome extension known as Desbloquear Conteúdo (Unblock Content) targeted Brazilian online banking services. The goal of the malicious extension is to harvest user logins and passwords, allowing the attackers to steal money from the victims’ bank accounts. While most of our users are not in Brazil, the threat of malicious extensions is ever present globally.

    This is not the first time that malicious Chrome extensions have been found stealing user information and data (Nyoogle, Lite Bookmarks, Stickies, etc.). In fact, over 500,000 users were affected by the extensions just mentioned, which is why it is incredibly important to be vigilant and careful about the extensions that you use.

    Recommendations

    Browser extensions designed to steal logins and passwords are more than feasible, and they should be taken seriously. We recommend discontinuing the use of such extensions wherever possible; however, business needs may require them. If you must use extensions:

    • Have a good antivirus solution (like Symantec) that is kept up to date and can check for suspicious activity from newly installed extensions.
    • Perform routine patches and updates. Often, malicious extensions require some sort of open vulnerability in a system to activate. Stay current.
    • Only install verified extensions with large numbers of installations and reviews in the Chrome Web Store.
    • Avoid third-party extensions as their validity cannot always be determined.
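    A practical complement to the list above is to inspect what the extensions already installed on a machine are permitted to do. The following is an added example, not part of the original post, that parses Chrome extension manifests and flags the combination a credential-stealing or traffic-rewriting extension needs: broad host access, request interception and cookie or tab access. The profile paths are Chrome’s defaults; the two sample manifests are constructed and the "Unblock Content" one is a lookalike written for this example, not the real extension’s manifest.

```python
import json
import os
from pathlib import Path

# Added example, not from the article: audit Chrome extension manifests for the
# permission set a credential-stealing or traffic-rewriting extension needs.
# Profile paths are Chrome's defaults; the two sample manifests are constructed.

BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_API_PERMISSIONS = {
    "webRequest": "can observe every request the browser makes",
    "webRequestBlocking": "can modify or redirect requests in flight",
    "cookies": "can read session cookies for any granted host",
    "tabs": "can read the URL and title of every open tab",
    "debugger": "can attach to pages and read form input",
    "nativeMessaging": "can launch and talk to a native helper program",
    "clipboardRead": "can read whatever is on the clipboard",
    "proxy": "can route all traffic through a chosen proxy",
}

DEFAULT_EXTENSION_DIRS = [
    os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions"),
    os.path.expanduser("~/.config/google-chrome/Default/Extensions"),
    os.path.expanduser("~/Library/Application Support/Google/Chrome/Default/Extensions"),
]

# Constructed manifests for demonstration; the second imitates the shape of a
# content-unblocker that can intercept banking sessions.
SAMPLE_MANIFESTS = {
    "bookmark_helper": {
        "manifest_version": 3, "name": "Bookmark Helper", "version": "1.0",
        "permissions": ["bookmarks", "storage"],
    },
    "unblock_content_lookalike": {
        "manifest_version": 2, "name": "Unblock Content", "version": "2.3",
        "permissions": ["webRequest", "webRequestBlocking", "cookies", "tabs", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
}


def audit_manifest(manifest):
    """Return a list of human-readable findings for one parsed manifest.json."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 under "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    broad = hosts & BROAD_HOST_PATTERNS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    for perm in sorted(perms & RISKY_API_PERMISSIONS.keys()):
        findings.append(f"permission {perm}: {RISKY_API_PERMISSIONS[perm]}")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOST_PATTERNS:
            findings.append("content script injected into every page: "
                            + ", ".join(script.get("js", [])))
    return findings


def iter_installed_manifests(extension_dirs=DEFAULT_EXTENSION_DIRS):
    """Yield (extension_id, version, manifest) for every readable installed extension."""
    for base in extension_dirs:
        if not os.path.isdir(base):
            continue
        for mf in Path(base).glob("*/*/manifest.json"):
            try:
                manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                continue   # unreadable or malformed manifest: skip, do not abort the audit
            yield mf.parts[-3], mf.parts[-2], manifest


def audit_installed(extension_dirs=DEFAULT_EXTENSION_DIRS):
    """Map "<id>@<version>" to its findings, for extensions that have any."""
    report = {}
    for ext_id, version, manifest in iter_installed_manifests(extension_dirs):
        findings = audit_manifest(manifest)
        if findings:
            report[f"{ext_id}@{version}"] = findings
    return report


if __name__ == "__main__":
    for name, manifest in SAMPLE_MANIFESTS.items():
        print(name, audit_manifest(manifest) or ["no findings"])
    for key, findings in audit_installed().items():
        print(key)
        for f in findings:
            print("   ", f)
```

    A finding is not proof of malice (ad blockers legitimately request `webRequestBlocking` and `<all_urls>`), but an extension that is not on an approved list and carries several of these findings is the one to review or remove first.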

    5. MyHeritage Breach

    Overview

    The breach was discovered when a security researcher found an archive on a third-party server containing the personal details of 92,283,889 MyHeritage users. The archive contained only emails and hashed passwords, but not payment card details or DNA test results. MyHeritage says it uses third-party payment processors for financial operations, meaning payment data was never stored on its systems, while DNA test results were saved on separate servers from the one that managed user accounts.

    The company also promised to roll out a two-factor authentication (2FA) feature for user accounts, so even if the hacker manages to crack the hashed passwords, these would be useless without the second-step verification code.

    It goes without saying that MyHeritage users should change their passwords as soon as possible.

    The MyHeritage incident marks the biggest data breach of the year and the biggest leak since last year’s Equifax hack.

    Recommendations

    This breach is a reminder of the importance of using a different password for every online account. While the plaintext password for each account was not revealed, the hashes could be cracked to recover the original passwords. Since the email address for each account was revealed, there is a chance an adversary could try the recovered password together with that email on other sites, hoping to log in successfully.

    • MyHeritage is only now adopting two-factor authentication (2FA); users should always make use of this feature wherever possible.
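    The “second-step verification code” recommended for both the password-reset and MyHeritage items is usually a time-based one-time password. Below is an added example, not MyHeritage’s implementation, of server-side TOTP (RFC 6238) verification, including the three details that are commonly mishandled: a small clock-drift window, refusing to accept the same code twice, and a constant-time comparison. The `TotpVerifier` class is an assumption for illustration; the secret used in the demo is the published RFC 4226/6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not MyHeritage's implementation: server-side TOTP (RFC 6238)
# verification for a second sign-in step. The drift window, single-use counter
# and constant-time compare are the parts that are easy to get wrong.


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, for_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time // step), digits)


def decode_base32_secret(text):
    """Decode the base32 secret that an authenticator app scans from a QR code."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding apps usually drop
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Per-user verifier: accepts one step of clock drift, never reuses a counter."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1   # highest counter already accepted for this user

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        base = int(now // self.step)
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue   # a code is single use; this also skips negative counters
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, str(submitted)):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret: ASCII "12345678901234567890".
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code for the current 30-second step:", totp(secret, time.time()))
    verifier = TotpVerifier(secret)
    print("RFC vector at t=59 accepted:", verifier.verify("287082", now=59))
    print("same code replayed a second later:", verifier.verify("287082", now=60))
```

    The `last_counter` value must be persisted per user alongside the secret; without it, a code observed over the shoulder or from a phishing page remains valid for the rest of its 30-second step plus the drift window.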

    How can Netizen help?

    Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.