Scam Of The Week: This Week’s Top “In The Wild” Phishing Attacks
KnowBe4 presents a top-10 list of phishing attacks and notes, “Note that these have made it through all the filters and into the inbox of the employee.” They advise “that creating a human firewall is an essential last line of defense which you cannot do without.”
Read full article: https://blog.knowbe4.com/this-weeks-top-in-the-wild-phishing-attacks
KnowBe4 – Northrop Grumman can make a stealth bomber – but falls for W-2 phishing attack
US military contractor Northrop Grumman notified their employees that hackers managed to gain access to their W-2 tax records.
As The Register just reported, the makers of America’s stealth bomber acknowledged in a letter sent to employees and the California Attorney General’s office that hackers infiltrated its online portal at various times over the course of almost a year, gaining access to workers’ W-2 paperwork for the 2016 tax year.
MSPMentor – New Guidelines: End Frequent Password Changes (Thx Jason Jacobson for the article)
The agency that develops information security standards for the U.S. federal government is recommending significant changes to password guidelines, essentially reversing some long-held best practices.
Changes to the Digital Identity Guidelines are managed by officials at the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce.
While NIST standards are not binding – except on federal, non-military agencies – the guidelines are frequently looked to by private-sector professionals as best practices for creating security policies for businesses and other organizations.
- End periodic password changes: It wasn’t all that long ago that virtually every organization would prompt users to change their passwords every three months.But there’s long been debate about whether such policies do more harm than good, since employees will often try to make those passwords too simple in an effort to make them easier to remember.Other times, users will write them down raising other security issues.The new guidelines indicate that government experts have come down on the side of deeming frequent password changes as more trouble than they’re worth – not to mention less secure.
- Dump rudimentary password complexity restriction: This is aimed at the basketball fan who loves Michael Jordan and regularly uses “chicagobulls23” as their favorite password.Security software can impose complexity rules that require every password also have an upper-case letter and a symbol, for instance.But the government research found that changing the above Jordan fan’s password to “ChicagoBulls23!” offers only a slight modicum of additional complexity and could actually provide a false sense of security.
- Do stringent new password validation: Using this security feature, every password is compared against lists of overused or previously compromised passwords.“Users will be prevented from setting passwords like ‘password,’ ‘12345678,’ etc., which hackers can easily guess.In a world of ideal password security, administrators should aim to set validation criteria to require long, random and complicated expressions.Serious passwords these days are long — think 16 characters or more — and have a pattern that is not likely to be guessed even by the cleverest of tools.
https://mspmentor.net/managed-security-services/new-guidelines-end-frequent-password-changes
HealthcareinfoSecurity – HHS Smacks Heart Monitoring Firm with $2.5 Million Settlement
The Department of Health and Human Services has smacked a mobile heart-monitoring technology firm with a $2.5 million HIPAA settlement related to findings from an investigation into a 2012 breach involving a stolen unencrypted laptop computer. The hefty fine reflects regulators finding that the organization lacked a sufficient risk analysis and risk mitigation.
The resolution agreement and corrective action plan with CardioNet, based in Malvern, Pa., is the second HIPAA settlement HHS’ Office for Civil Rights announced in less than a week, the third in the month of April and the seventh so far in 2017.
On April 21, OCR announced a $31,000 settlement with the Center for Children’s Digestive Health in Illinois for a case involving the lack of a business associate agreement with FileFax, a paper record storage vendor.
In an April 24 statement, OCR notes that the multi-million-dollar HIPAA settlement with CardioNet is its first involving a wireless health services provider.
https://www.healthcareinfosecurity.com/hhs-smacks-heart-monitoring-firm-25-million-settlement-a-9863
BankinfoSecurity – PassFreely Attack Bypasses Oracle Database Authentication
Warning: A dumped Equation Group exploit can be used to bypass Oracle database authentication.
The attack tool in question, called PassFreely, dates from 2013. Based on leaked documents, tools and exploits tied to the Equation Group – the nickname for a group of hackers that experts believe is part of the National Security Agency’s Tailored Access Operations group – it appears that PassFreely may have been used to hack into two or more SWIFT service bureaus.
The interbank messaging system from Brussels-based SWIFT – formally known as the Society for Worldwide Interbank Financial Telecommunication – is designed to guarantee that money-moving messages between more than 11,000 banks worldwide are authentic. While some banks host the related infrastructure themselves, many instead use one of 74 accredited SWIFT bureaus.
“PassFreely is an exploit for patching Oracle in memory,” according to an analysis published by Norwegian managed security services firm Mnemonic. In this case, “patching” refers to altering software behavior to suit an attacker’s needs. “The exploit patches the Oracle binary in memory to allow unauthenticated access to the data stored in Oracle databases,” it says.
Based on leaked documentation, PassFreely appears to tie to money-moving monitoring efforts by the NSA. But the exploit could also be used to access or modify any Oracle database – without leaving a trail – provided a hacker or malicious insider first gains access to the systems on which those databases run.
https://www.bankinfosecurity.com/passfreely-attack-bypasses-oracle-database-authentication-a-9868
Security Bulletins from the FBI and DHS
FBI – Russian Receives Record-Setting US Hacking Sentence
A federal judge has slammed a 32-year-old Russian hacker, who ran a massive malware scheme that targeted U.S. businesses, with a nearly three-decade prison sentence.
On April 21, Roman Valeryevich Seleznev, aka “Track2,” was sentenced by U.S. District Judge Richard A. Jones to serve 27 years in prison – apparently the longest sentence ever handed down in the United States tied to hacking charges. And he faces even more potential jail time via cases that remain underway in federal courts in Georgia and Nevada.
In August 2016, a jury found Seleznev guilty on 38 counts related to defrauding 3,700 financial institutions in the United States of at least $169 million.
https://www.databreachtoday.com/russian-receives-record-setting-us-hacking-sentence-a-9862
DHS – Alert (TA17-117A) Intrusions Affecting Multiple Victims Across Multiple Sectors
The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.
Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations.
https://www.us-cert.gov/ncas/alerts/TA17-117A
Vendor Information
Sophos – Calling all bug hunters: Sophos teams up with Bugcrowd
Adversarial relationships between vendors and security researchers used to be common. Researchers would report a bug and the vendor – not all but certainly more than a few – would drag its feet in patching the problem. Then, the researcher would make the findings public and the vendor would criticize them for releasing information attackers could exploit.
In more recent years, things have improved. A growing number of companies now encourage researchers to dissect their products and take their best shots to find cracks in the armor. That means more vulnerabilities are discovered and fixed, and we’re all more secure as a result. The process is now popularly known as bug bounty programs, where researchers are rewarded for what they find, financially or otherwise.
Quickly finding and fixing vulnerabilities is something we at Sophos take very seriously. We’ve had our own responsible disclosure program for some time, and since June 2016 we’ve been partnering with Bugcrowd for a more robust experience.
https://news.sophos.com/en-us/2017/04/25/calling-all-bug-hunters-sophos-teams-up-with-bugcrowd/
Sophos – CryptoGuard now for Servers
Much like you’ve seen with Intercept X for endpoints, Sophos Server Protection now has signature-less detection capabilities in the form of CryptoGuard. This additional layer of defense detects and reverses unsolicited encryption of data on servers, so that cyber criminals don’t get the chance to hold organizations captive for extortion. Even if ransomware on a rogue endpoint connects to a server and attempts to encrypt files on a server, Sophos Central Server Protection Advanced protects the organization.
https://news.sophos.com/en-us/2017/04/21/protecting-the-treasure-trove/
Microsoft – Report a Computer Security Vulnerability
The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products and services. If you are a security researcher and believe you have found a Microsoft security vulnerability, we would like to work with you to investigate it.
If you are a security researcher and believe you have found a security vulnerability that meets the definition of a security vulnerability that is not resolved by the 10 Immutable Laws of Security, please send e-mail to us at secure@microsoft.com. To help us to better understand the nature and scope of the possible issue, please include as much of the below information as possible.
- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
- Product and version that contains the bug, or URL if for an online service
- Service packs, security updates, or other updates for the product you have installed
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue on a fresh install
- Proof-of-concept or exploit code
- Impact of the issue, including how an attacker could exploit the issue
Please note that the Microsoft Security Response Center does not provide technical support for Microsoft products.
