“Evil airline” phishing attack and other cybersecurity news this week

Scam Of The Week: “Evil Airline” phishing attack

This evil airline phishing attack combines all the “criminal best practices”: it steals credentials and drops malware on disk, which is then used to push further into your network.

The campaign targets companies that deal with frequent shipping of goods or employee travel, for instance logistics, shipping, or manufacturing, but almost any organization has people that frequently visit customers or business partners.

The phishing attack targets these employees, and the attackers do quite a bit of research before sending the phishing emails. The messages are constructed with subject lines and bodies that include destinations, airlines, and other details that are specific to each victim, helping them appear authentic. Here is an example subject line:

Fwd: United Airlines: Confirmation – Flight to Tokyo – 3,543.30 Dollars

“After getting the employee to open the email, the second tool employed by the attacker is an advanced persistent threat embedded in an email attachment. The attachment, usually a flight confirmation or receipt, is typically formatted as a PDF or DOCX document. In this attack, the malware will be executed upon the opening of the document.”
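A mail-triage heuristic for the pattern just described, written as an added example (it is not KnowBe4's code or a product rule): it scores a message on the traits the article lists, a forwarded airline confirmation subject with a currency amount, an external sender, and a PDF or Office attachment. The internal domain, the airline keyword list and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Indicator lists are constructed from the article's description, not from a real feed.
AIRLINE_WORDS = ("airlines", "airways", "flight", "itinerary", "boarding pass")
AMOUNT_RE = re.compile(r"\d{1,3}(?:,\d{3})*(?:\.\d{2})?\s*(?:dollars|usd|\$)|\$\s*\d", re.I)
RISKY_EXT = (".doc", ".docx", ".docm", ".pdf", ".xls", ".xlsm", ".zip")
INTERNAL_DOMAIN = "corp.example"  # assumed; replace with your own mail domain

def score_message(msg: Message) -> tuple[int, list[str]]:
    """Return (score, reasons); higher means closer to the evil-airline pattern."""
    reasons = []
    subject = msg.get("Subject", "")
    sender = msg.get("From", "")
    low = subject.lower()
    if low.startswith(("fw:", "fwd:")):
        reasons.append("forwarded-subject")
    if any(w in low for w in AIRLINE_WORDS):
        reasons.append("airline-keyword")
    if "confirmation" in low or "receipt" in low:
        reasons.append("confirmation-keyword")
    if AMOUNT_RE.search(subject):
        reasons.append("currency-amount")
    if INTERNAL_DOMAIN not in sender.lower():
        reasons.append("external-sender")
    for part in msg.walk():  # every MIME part, including nested ones
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"attachment:{name}")
    return len(reasons), reasons

# Constructed sample message modelled on the subject line quoted in the article.
SAMPLE = """From: bookings@united-confirm.example
To: traveler@corp.example
Subject: Fwd: United Airlines: Confirmation - Flight to Tokyo - 3,543.30 Dollars
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your receipt is attached.
--b1
Content-Type: application/pdf; name="receipt.pdf"
Content-Disposition: attachment; filename="receipt.pdf"

JVBERi0=
--b1--
"""
```

A score of four or more on a message with an attachment is a reasonable threshold for routing it to a sandbox or analyst queue rather than the user's inbox.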

Read full article: https://blog.knowbe4.com/cyberheistnews-vol-7-14-scam-of-the-week-the-evil-airline-phishing-attack

Security Headlines


KnowBe4 – New Cerber Ransomware Starts Evading Machine Learning

A new version of the Cerber ransomware family has adopted new techniques to make itself harder to detect by endpoint security software that uses machine learning for detection. It is now using a new loader designed to hollow out a normal process, in which the code of Cerber is run instead.

Cerber reared its ugly head in March last year and has rapidly grabbed market share by furiously innovating and using different attack vectors and distribution channels. It spreads mostly through phishing emails, but also uses exploit kits.

In August 2016, Invincea researchers discovered that Cerber was being distributed by Betabot, which was designed as a banking information stealing Trojan but recycled for ransomware. Recently, Cyren researchers reported that Cerber is being dropped by Kovter, a click-fraud Trojan which was dropping Locky several months ago.

Trend Micro reports that the new loader was necessary because machine learning security code detects malicious files based on features instead of signatures. The new packaging and loading mechanism employed by Cerber can cause problems for static machine learning approaches, i.e., methods that analyze a file without any execution or emulation. In other words, the way Cerber is packaged could be said to be designed to evade machine learning file detection. For every new malware detection technique, an equivalent evasion technique is created out of necessity.


Peak 10 – The Internet of Things is Taking Over, and With It Comes a Number of Pressing Security Concerns

A study conducted by HP’s security unit, Fortify, determined that 70% of popular consumer IoT devices can be easily hacked, which is a marked IoT problem that numerous security professionals are working tirelessly to address. There are two overall problems precipitating the security obstacles of the IoT:

The rush to produce

  • IoT almost feels like it happened overnight, and now there are few devices left that aren’t connected to the Internet. Mass production of IoT devices is taking place on a daily basis in order to respond to consumer demand, but the rush to deploy products often results in a lack of security considerations in the design phase. Failing to incorporate security in the original design is a considerable risk—products should feature security by design, rather than retrofitted solutions.
  • Additionally, many IoT devices don’t have the processing power or storage needed to host endpoint security software. There are many IoT products that don’t have the ability to have firmware updated with security protection, which can lead to problems like malware vulnerabilities, DDoS, or man-in-the-middle attacks.

Lack of standards for sharing and protecting data

  • While there are IoT standardization efforts taking place, such as the Open Interconnect Consortium, overall there is no standard body of IoT security regulations for manufacturers to adhere to, which doesn’t help matters. Every business must decide independently what security controls will be employed, without a baseline for the bare minimum.


Naked Security – Why isn’t US military email protected by standard encryption tech?

One of the United States Senate’s most tech-savvy members is asking why much of the US military’s email still isn’t protected by standard STARTTLS encryption technology.

Last month, Sen. Ron Wyden (D-Oregon) shared his concerns with DISA, the federal organization that runs mail.mil for the US army, navy, marines and the Coast Guard:

The technology industry created STARTTLS fifteen years ago to allow email servers to communicate securely and protect email messages from surveillance as they are transmitted over the internet. STARTTLS is widely supported by email server software but, critically, it is often not enabled by default, meaning email server administrators must turn it on.
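The point of the senator's letter is that STARTTLS has to be advertised by the receiving server before a sending server can use it. The following check, added here as an example rather than anything from the article or from DISA, parses a raw EHLO reply for the STARTTLS extension and, for live use, asks a real server with the standard library's `smtplib`; the host names and EHLO replies are constructed.

```python
import smtplib
import socket

def parse_ehlo_features(ehlo_response: bytes) -> dict:
    """Parse a raw multi-line EHLO reply (as sent on the wire) into {feature: params}.

    Each line looks like b'250-STARTTLS' or b'250 8BITMIME'; the first line is the
    server's greeting and carries no extension, so it is skipped.
    """
    features = {}
    for raw in ehlo_response.splitlines()[1:]:
        line = raw.decode("ascii", "replace").strip()
        if len(line) < 4 or not line.startswith("250"):
            continue
        parts = line[4:].split(None, 1)  # drop "250-" / "250 ", then split keyword from params
        if parts:
            features[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return features

def supports_starttls(ehlo_response: bytes) -> bool:
    """True when the server lists STARTTLS among its ESMTP extensions."""
    return "starttls" in parse_ehlo_features(ehlo_response)

def check_server(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a live MX (network required) and report whether it offers STARTTLS."""
    result = {"host": host, "starttls": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls"] = smtp.has_extn("starttls")  # smtplib's own extension check
    except (smtplib.SMTPException, socket.error) as exc:
        result["error"] = str(exc)
    return result

# Constructed EHLO replies (not captured from any real server) for offline use.
EHLO_WITH_TLS = b"250-mx.example.test\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_WITHOUT_TLS = b"250-mx.example.test\r\n250-SIZE 52428800\r\n250 8BITMIME"

if __name__ == "__main__":
    import sys
    print(check_server(sys.argv[1]) if len(sys.argv) > 1 else supports_starttls(EHLO_WITH_TLS))
```

Advertising STARTTLS is only opportunistic: the check shows what the server offers, not that every peer actually negotiates TLS or verifies the certificate.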


Security Bulletins from the FBI and DHS

FBI – CJIS Division Observes a Milestone

Twenty-five years ago, the FBI’s Criminal Justice Information Services (CJIS) Division—the focal point and central repository for all the criminal justice information services within the Bureau—was created.

To understand the significance of the CJIS Division, however, you first have to understand how the FBI’s role as the keeper of the nation’s criminal justice information evolved.

  • Around 1920, there was a push by the International Association of Chiefs of Police (IACP) and others to merge the nation’s two major criminal identification records—the federal one at Leavenworth prison and the IACP’s own set held in Chicago—and make them available to all of law enforcement. Congress provided the funding, and in 1924, the Bureau of Investigation (as the FBI was called at the time) established its Identification Division, which began accepting fingerprints and other criminal identification records and also provided crucial identification services for law enforcement across the country and for our own investigations.

The main CJIS Division facility is located in Clarksburg, West Virginia.

  • The IACP also saw a need to collect crime statistics nationally that would enable authorities to understand trends and better focus resources. In 1929, the IACP adopted a system to classify, report, and collect crime statistics. But it then recommended that the Bureau—with its experience in centralizing criminal records—take the lead in the effort. Congress agreed, and the Uniform Crime Reporting (UCR) Program was born.
  • Fast forward a few years, and in 1967, as computer technology began to make inroads, the FBI launched the National Crime Information Center (NCIC). The NCIC was created to give our law enforcement partners quick access to a computerized index of documented criminal justice information whenever and wherever they needed it.

Over time, various FBI entities continued to develop and implement additional criminal justice information systems, but the problem was that these systems were being developed independently of each other. There had to be a way to coordinate and integrate these systems to ensure that we were providing the criminal justice community with the best products and best service possible.


DHS – Regulators Warn of Man-in-the-Middle Attack Risks

Federal regulators are warning healthcare sector entities that some products used as part of their end-to-end security could make the organizations vulnerable to man-in-the-middle attacks.

In its April cyber awareness newsletter, the Department of Health and Human Services’ Office for Civil Rights warns about the threat of man-in-the-middle attacks and related risks associated with the use of some Secure Hypertext Transport Protocol (HTTPS) interception products.

Man-in-the-middle, or MITM, attacks occur “when a third party intercepts and potentially alters communications between two different parties, unbeknownst to the two parties,” OCR explains. These attacks can be used to inject malicious code, intercept sensitive information such as protected health information, expose sensitive information, and modify trusted information, OCR notes.


Vendor Information

Sophos – Introducing Sophos MSP Connect

Sophos MSP Connect is a flexible program designed to connect managed service providers (MSPs) and their customers to one complete security solution – centralized and simplified through one vendor, with one dashboard and one monthly bill.

Sophos MSP Connect leverages Sophos Central, the easy-to-use, cloud-based dashboard. If you haven’t seen the new Sophos Central – Partner dashboard, it’s an intuitive, single pane of glass for managing everything Sophos has to offer, from XG Firewall to Next-Generation Enduser Protection.


Google – Google Discovery Shows Fragility of Mobile Phone Security

Google’s top-notch vulnerability researchers rarely bring good news. They’ve found another whopper: Flaws in a microchip used widely in Apple and Android mobile devices could be used to remotely hack a device over Wi-Fi.

It’s the kind of heart-stopping find that has unfortunately become routine for Google’s Project Zero, which does deep research into critical software and components. Apple has issued a patch for the flaws, but Android devices remain unprotected.

The problems are contained within the firmware of a system on chip made by Broadcom that is used in mobile devices and Wi-Fi routers. The chips are in Google’s flagship Nexus devices, Samsung’s high-end devices and in Apple’s iPhone 4 and later models.
