Bad Security Habits During the Pandemic

56% of IT workers believe employees have acquired poor security habits while working remotely, according to Tessian’s Back to Work Security Behaviors report.

“According to the report, younger employees are most likely to admit they cut cybersecurity corners, with over half (51%) of 16-24 year olds and almost half (46%) of 25-34 year olds reporting they’ve used security workarounds,” Tessian says.

“In addition, two in five (39%) say the cybersecurity behaviors they practice while working from home differ from those practiced in the office, with half admitting it’s because they feel they were being watched by IT departments. IT leaders are optimistic about the return to office, though, with 70% believing staff will more likely follow company security policies around data protection and privacy. However, only 57% of employees think the same.”

Tessian found that most respondents believed that the uptick in phishing observed during the pandemic will continue during the return to the workplace.

“Over two-thirds of IT decision makers (67%) predict an increase in targeted phishing emails in which cybercriminals take advantage of the transition back to the office, adding to the rapidly growing number of phishing attacks faced by organizations (the FBI found that phishing attacks doubled in frequency last year),” Tessian says.

In addition, Tessian found that 27% of employees admitted that they didn’t report cybersecurity mistakes they made while working remotely.

“Over one quarter of employees admit they made cybersecurity mistakes — some of which compromised company security — while working from home that they say no one will ever know about,” the company says. “More than one quarter (27%) say they failed to report cybersecurity mistakes because they feared facing disciplinary action or further required security training. In addition, just half of employees say they always report to IT when they receive or click on a phishing email.”

You can’t punish people into security awareness, and training shouldn’t be punitive. New-school security awareness training can teach your employees to follow security best practices so they can thwart social engineering attacks.

Ragnar Locker Ransomware Finds Its Next Victim in Taiwan Computer Memory Manufacturer ADATA

The ransomware attack, which occurred in late May, forced the maker of consumer and industrial memory products to take systems offline and then recover and upgrade the affected systems.

Ragnar Locker hasn’t been in the news much since they became a part of the Maze extortion cartel in the middle of last year. But their latest attack on ADATA signals they aren’t going anywhere and are succeeding in infiltrating and encrypting victim environments.

In an email statement to Bleeping Computer, ADATA confirmed the attack on May 23rd, which disrupted business operations. And while no details were released, it appears from the email communications that ADATA was successful in implementing a response plan:

“The company successfully suspended the affected systems as soon as the attack was detected, and all following necessary efforts have been made to recover and upgrade the related IT security systems.”

The bad guys at Ragnar have claimed responsibility for the attack, alleging they have stolen 1.5TB of data – which can include intellectual property, source code, legal documents, confidential files, and more.

[Image: ADATA leak page. Source: Bleeping Computer]

The upside to this story is that ADATA shows it’s possible to have proper response plans in place when you’re hit with ransomware to minimize operational disruptions. The downside is that ADATA – and any other organization in the same situation – now has to contend with what to do about the stolen data. Remember, ransomware gangs aren’t just arbitrarily taking whatever data they find; they are inspecting all the data they have access to and selectively choosing what data to exfiltrate.

Ragnar has historically gained access via phishing attacks, which are largely preventable with Security Awareness Training that enables users to elevate their attentiveness when interacting with suspicious email and web content.

Cyber Hygiene not a Focus for Cybersecurity Leaders, Despite Being Targets of Attacks Themselves

New findings from a survey of over 100 global cybersecurity leaders across all major industries shed light on their apathy toward proper cyber hygiene in their own lives.

If the head of your cybersecurity program doesn’t care about cyber hygiene, how can you expect them to provide solid leadership to direct your organization to a more secure state?

In what appears to be a case of “do as I say and not as I do”, new data from HelpNetSecurity shows how cyber leaders aren’t taking their own medicine:

  • 24% of cyber leaders have used the same password for both work and personal use
  • 45% put themselves and their organization at risk by connecting to public WiFi without using a VPN
  • 48% use their work computer to log on to social network platforms and of those, 77% accept connection requests from unknown individuals

All this, while those very same individuals have personally experienced attacks. According to the same report:

  • 74% of cyber leaders reported being targeted in a phishing or vishing attack in the last 90 days
  • 34% say they have been targeted in a phishing or vishing attack from someone impersonating their CEO
  • 57% have suffered an account takeover attack in their personal lives

This should be very disconcerting; we need leadership, well… leading by example. Perhaps cybersecurity leadership needs to take a refresher course. Or better yet, make sure they, too, are continually enrolled in Security Awareness Training where the basic concepts of cyber hygiene are reinforced.

Phishing Trends Show X-Rated Themes Have Skyrocketed 974%

Phishing lures with X-rated themes have spiked over the past year, according to researchers at GreatHorn. The researchers explain that these emails are effective at getting people to click, and will also make victims reluctant to report the attack once they realize they’ve been scammed.

“Between May 2020 and April 2021, the number of such attacks increased 974%,” the researchers write. “These attacks reach across a broad spectrum of industries and appear to target based on male-sounding usernames in company email addresses.”

The researchers note that in addition to stealing information, the attackers can also return to blackmail victims.

“Attackers use phishing attacks as an initial vector to gather information about the target,” GreatHorn says. “Because of the x-rated content, attackers set up victims with compromising material to be used for blackmail. In these attacks, cybercriminals are tracking the identity of victims who click on their sites by using a technique called an email pass-through. The same technology enables legitimate email senders to auto-populate an unsubscribe field with a user email address. Once a user clicks on a link in the email, their email address is automatically passed to the linked site. In these attacks, the cybercriminal leverages the information they gleaned in order to set up a second stage. Individuals who clicked on links to compromising material could be targeted in the second attack to extort the individual.”

GreatHorn shares a representative example in which a phishing email claimed to come from a woman staying in the same hotel as the recipient.

“The link at the top of this email points to a destination page which is classified as Malicious by Google Safe Browsing,” the researchers write. “Clicking on https://sites[.]google[.]com/view/interestedyou would bring you to a site with photos. There, a further link points to hungrygrizzly[.]com, which has the appearance of a dating site. It is likely a fake site designed to hook users into providing payment information. User data gleaned in this way will be transmitted to cybercriminals, who will use it for various malicious purposes, such as money withdrawal, blackmailing, or committing further frauds.”
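The “email pass-through” GreatHorn describes above works by carrying the recipient’s own address inside the link, either in the clear, percent-encoded, or base64-encoded. The following is an added illustration, not code from GreatHorn or from the original post, of a defensive check a mail-filtering pipeline could run to flag such links before delivery; the message body, the `example-landing.test` domain and the `alice.smith@corp.example` recipient are all constructed sample values.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample message body (not from the GreatHorn report): the first
# link carries the recipient percent-encoded in a query value, the second
# carries it base64-encoded in a path segment, and the third is benign.
SAMPLE_BODY = """
<a href="https://example-landing.test/view?u=alice.smith%40corp.example">See photos</a>
<a href="https://example-landing.test/t/YWxpY2Uuc21pdGhAY29ycC5leGFtcGxl/go">Open</a>
<a href="https://example-landing.test/about">About us</a>
"""

# Crude URL extractor; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _b64_candidates(token: str) -> set:
    """Decode a token as standard or URL-safe base64, tolerating missing padding."""
    out = set()
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            out.add(decoder(padded).decode("utf-8", "ignore").lower())
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return out


def _carries_address(token: str, recipient: str) -> bool:
    """True if the token contains the recipient address in any supported form."""
    rec = recipient.lower()
    forms = {token.lower(), unquote(token).lower()}
    forms |= _b64_candidates(token)
    return any(rec in form for form in forms)


def find_pass_through_links(body: str, recipient: str) -> list:
    """Return every URL in `body` whose query values, path segments or fragment
    embed `recipient`, i.e. links that would identify who clicked them."""
    flagged = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        tokens = [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
        tokens += [segment for segment in parts.path.split("/") if segment]
        if parts.fragment:
            tokens.append(parts.fragment)
        if any(_carries_address(token, recipient) for token in tokens):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for hit in find_pass_through_links(SAMPLE_BODY, "alice.smith@corp.example"):
        print("recipient-tagged link:", hit)
```

Flagged links are a signal to quarantine or rewrite, not proof of malice on their own, since legitimate unsubscribe links use the same mechanism.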

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for phishing attacks. (And seriously, people, control yourselves online.)

Deal or No Deal: The Double-edged Sword of the IT Security Bundle

The concept of “bundling” has become very popular among large IT vendors over the past decade as it promises a number of benefits.

But, does the bundle really deliver everything promised? Well, as usual, it depends.

What Is Bundling Exactly?

Let’s first start by having a closer look at bundling. It is a sales tactic that large IT and cybersecurity vendors use to grow their “footprint” within a customer account.

Essentially, it works like a value meal at your favorite fast food joint: Why have just a burger and drink when you can have fries too for just a little bit more?

Sounds like a great deal and sometimes it is, particularly when the fries are actually spicy curly fries (I’m looking at you, Jack in the Box).

But what if those fries are not so great? Have you ever had bad fries that just make you really want the good ones? Without doing some homework, your great cybersecurity bundle may come with some soggy fries.

Deal or No Deal

Seriously, a good bundle can be a great thing. But only if all of the products and services included by the vendor are best-in-class (equivalent to best-of-breed), and you are getting a significant discount on everything you need. In that case it makes a lot of sense.

Some of the benefits of bundling are beyond the product themselves. Let’s take a look at a couple of those perceived benefits: streamlined procurement and the “one throat to choke” single vendor concept.

Streamlined Procurement

We all know that procurement is a tedious and expensive process. The legal reviews of multiple vendor contracts can eat up cycles and are sometimes frustrating. And for non-mission critical purchases, it might be worth compromising on quality to simply reduce the procurement burden on the team.

But consider some questions to ask yourself:

  • Will the one-vendor concept equate to greater success in my core objective (employee risk reduction) for major cybersecurity components?
  • When a bundle is offered, are you able to complete the due diligence on each critical product as you would in a stand-alone transaction?

You might notice that these great bundle deals often come with a short deadline. Bundling can mean that “somebody’s” project is going to be compromised or cause an excessive amount of admin overhead because the bundled product is likely not what their team would have chosen in a head-to-head evaluation.

There are other considerations as well. A single procurement cycle is efficient the first time you go through it, but what about following years? These vendors aren’t foolish and they don’t stay in business by giving great products away for free. You should consider the power dynamic that you’re creating for your vendor every renewal cycle.

Single Vendor Dynamics or the “One Throat to Choke” Analogy

When a vendor relationship works great, then it’s a wonderful thing to behold.

However, when there are missed expectations, promises unfulfilled or simply poor delivery from a large vendor, it can feel like that single throat being choked is yours.

Let’s be honest, even the biggest cybersecurity vendors with a myriad of product offerings typically “specialize” in just a few. Yes, over the years they have expanded their portfolio, usually by acquisition, but at their core they often do only one or two primary things exceptionally well.

Whether that focus is on endpoint security, the firewall or an email gateway is dependent on the vendor, but each one has their “golden goose” solution. That’s the product that you’re really paying for; that’s where they truly make their profit and, generally, that’s where they put their resources.

Secondary products included in a bundle may, in many cases, be “good enough” and sometimes not even that. Unfortunately, that’s often only discovered after the fact.

What you may also find is that it’s not just the product that’s substandard. Support resources are commonly metered based on the profitability of the product. That golden goose sucks up a lot of resources!

It’s not uncommon to find that the “one throat to choke” strategy doesn’t guarantee access to subject matter experts, and that tech support and customer service for the vendor’s non-core products are often woefully lacking.

The Integration Perception

One of the favorite terms that is batted around in the hallways of vendors’ offices is “markitecture.”

It’s a slick way of putting various products together on a slide or graphic that makes the product portfolio look as if it fits together as cleanly as new Legos. The reality is that these diagrams are for illustration purposes only and often do not have any connection to the reality of whether there is actual integration of data, processes or administration between those products.

It’s the same (often literally) with the bundle. There’s lip service to a “fully integrated solution” during the sales and procurement cycle, but once the sales reps have all gone home it’s not uncommon to find multiple management consoles, non-compliant data structures and unmet expectations.

Combine that with a subpar product and you’ve got... frustration (to say the least). Don’t worry though, the vendor may offer to help you solve these problems – all you need is to purchase their professional services.

In the end, it’s important to ask a few very important questions of your vendor:

  • How many consoles will we need to access to perform the expected task?
  • Can you show me how that works live?
  • What about importing users, admin privileges, and granular control?

These would likely set you down the path to find out just how “integrated” this bundle is.

Cybersecurity: Best of Breed vs. the Bundle

So the bundle can have some advantages, but there are just as many pitfalls that you have to watch out for, and that really applies to any type of large IT purchase.

However, evaluating and purchasing your mission-critical cybersecurity infrastructure is not the same as purchasing other important, but less critical solutions for the back office, for example.

We are under attack from highly sophisticated, dynamic and relentless criminal organizations. As security professionals it’s our job to prevent downtime and keep the company jewels safe, along with the private information of our customers and employees.

“Good enough” does not cut it in this environment, particularly when you’re talking about your single largest organizational vulnerability: your users.

Let’s face it – sometimes security awareness is thrown in as an extra incentive on an email gateway or other large cybersecurity purchase. Vendors offering bundles are almost always bundling in me-too products that are not nearly as fully featured as their best of breed competitors. So, the only way they can compete is by giving these non-optimal products away to help “seal the deal” for their main product. You get what you pay for.

With human error being responsible for the majority of data breaches, security awareness is your last line of defense. Having highly engaged, trained and security-aware users is a very powerful human firewall against the threat actors that are continuously testing your vulnerabilities. We’ve all seen the statistics: phishing is one of the most common penetration points for ransomware.

While bundles can seem to be a good way to save some money and lessen the procurement headache, you absolutely cannot skimp on your security awareness training. You need the best… not a bundle blunder. Get the full whitepaper: Stand-Alone Product versus Product Suite for all the key points you need to know before choosing Best of Breed vs. “Integrated Solution”.

Blogged By: Perry Carpenter

Insights Into Credential Phishing

Cybercriminals are quick to put hacked accounts to use, according to Agari by Help Systems. The researchers found that 91% of compromised accounts are accessed by attackers within one week, and half of these accounts are accessed within the first twelve hours. Additionally, 23% of phishing sites are using automation to test the authenticity of stolen credentials. Agari explains that criminals are efficient at escalating their attack once they gain access to a network.

“[O]nce attackers gained access to the compromised accounts, it became apparent that they wanted to identify high-value targets who have access to a company’s financial information or payment system so that they could send vendor email compromise scams more effectively,” the researchers write. “The accounts were also used for other purposes, including sending malicious emails and using the accounts to register for additional software from which to run their scams.”

Agari notes that once the attackers compromise a single account at an organization, they can use that account to send more convincing phishing emails to other employees. It’s particularly effective in staging business email compromise (BEC) campaigns.

“In another example, cybercriminals targeted employees at real estate or title companies in the U.S. with an email that appeared to come from a U.S.-based financial services company that offers title insurance for real estate transactions,” Agari says. “When targets opened the email, they were encouraged to view a secure message, which sent them to a webpage mimicking the company’s actual homepage. From there, they were encouraged to view additional documents and enter their account information—leading to the compromise. This shows the self-fulfilling growth cycle where credential phishing attacks lead to compromised accounts, which lead to more credential phishing attacks and more compromised accounts, and so on.”

Agari founder Patrick Peterson emphasized that the best way to defend against these attacks is by preventing attackers from gaining a foothold in the first place.

“Without measures in place to protect against BEC and account takeover-based attacks, the problem will only continue,” Peterson said. “The insight uncovered by the [Agari Cyber Intelligence Division (ACID)] team is a sobering reminder of the scale of the issue—compromised accounts lead to more compromised accounts, and only by preventing the first compromise can we suppress BEC at an early stage.”

New-school security awareness training can help your employees avoid falling for social engineering attacks, stopping the attackers before they’re able to establish a beachhead in your organization.

Fake Positive Reviews Mask Spoofed Browser Extensions

Malicious browser extensions often have fake positive reviews to garner trust from users, according to Brian Krebs. Krebs describes a phony Microsoft Authenticator extension in the Google Chrome Store that had five user reviews. Three were one-star reviews warning users that the extension was malware, while two were positive reviews praising the app’s convenience. Krebs also found that the developer of the app had made another phony app; that one had only positive reviews.

Krebs worked with Hao Nguyen, the developer of chrome-stats.com, to track the accounts behind the phony extensions and reviews.

“Like an ever-expanding Venn diagram, a review of the extensions commented on by each new fake reviewer found led to the discovery of even more phony reviewers and extensions,” Krebs writes. “In total, roughly 24 hours worth of digging through chrome-stats.com unearthed more than 100 positive reviews on a network of patently fraudulent extensions.”

Krebs and Nguyen identified 45 malicious browser extensions that had a collective total of nearly 100,000 downloads.

“The extensions spoofed a range of consumer brands, including Adobe, Amazon, Facebook, HBO, Microsoft, Roku, and Verizon,” Krebs writes. “Scouring the manifests for each of these other extensions in turn revealed that many of the same developers were tied to multiple apps being promoted by the same phony Google accounts. Some of the fake extensions have only a handful of downloads, but most have hundreds or thousands. A fake Microsoft Teams extension attracted 16,200 downloads in the roughly two months it was available from the Google store. A counterfeit version of CapCut, a professional video editing software suite, claimed nearly 24,000 downloads over a similar time period.”

Krebs notes that none of these apps request special permissions from users, and instead trick users into entering sensitive information voluntarily. New-school security awareness training can give your employees a healthy sense of skepticism so they can avoid falling for these scams.

Ransomware Attacks Run Rampant as Fujifilm Becomes the Next Victim

We just covered a story today about a ransomware attack on Steamship Authority. And like clockwork, another company becomes the next victim.

Fujifilm, a huge Japanese company known for digital imaging products, has been hit with ransomware at their Tokyo headquarters. In a statement from the company, “We want to state what we understand as of now and the measures that the company has taken. In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities.”

As a result of the attack, Fujifilm USA posted on its website that it is experiencing difficulties. These difficulties include a halt on processing orders and no lines of communication available for use.

According to Bleeping Computer, it is suspected that the company’s servers have been infected with Qbot. Qbot has a history of being utilized by multiple ransomware gangs. It is now being linked to the REvil ransomware group, who most recently hacked the world’s largest meat producing company.

With several companies now becoming victims of ransomware, it’s important for your organization to put cybersecurity first. Additional security layers such as new-school security awareness training can ensure your users will know how to report any suspicious activity.

Two-Thirds of Organizations Plan to Improve Their Cybersecurity in the Wake of Devastating Ransomware Attacks

With 81% of organizations believing ransomware attacks will become more prevalent in the second half of 2021, nearly everyone is preparing for the worst to come.

You can’t go a day without hearing about some new ransomware attack, a new cybergang popping up, or the detailed aftermath of a prior ransomware attack being made public. And with last month’s attack on the US’s largest gasoline pipeline, the ramifications of such attacks are now clearly evident – well beyond just the cost of paying a ransom.

According to ISACA’s latest survey of 1,200 IT professionals, it appears that organizations are waking up to the fact that ransomware is a much larger problem.

  • 46% of organizations consider ransomware to be the cyberthreat most likely to impact their organization in the next 12 months
  • 85% think their organization is at least “somewhat prepared” for a ransomware attack
  • Only 32% believe their organization is “highly prepared”

ISACA recommends the following strategy:

  • Enforced Vulnerability Management to make certain the environment is patched
  • Microsegmentation of the network to prevent spreading
  • Better Security Monitoring to improve detection
  • Offline Backups with a tested recovery process
  • Security Awareness Training implemented year-round

According to ISACA, 38 percent of organizations have not conducted any ransomware-related training for their staff, and yet, even ISACA attributes the “human factor” as one of the reasons ransomware is growing.

We’ve seen massive improvements in organizations utilizing continual Security Awareness Training to not just teach users the basics of “don’t open suspicious emails”, but also consistent update training that includes current scams, social engineering tactics, and phishing campaign themes.

Transparent Tribe Uses Spoofed Domains in Social Engineering Attacks

Researchers at Cisco Talos warn that the threat actor known as “Transparent Tribe” (also known as APT36 and Mythic Leopard) is using spoofed websites and malicious documents to deliver malware.

“Our latest Transparent Tribe research confirms that the group continues to create malicious domains mimicking defense-related entities as a core component of their operations,” the researchers write. “During our most recent investigation, we discovered a fake domain, clawsindia[.]com, registered by the attackers. This domain masquerades as the website for the Center For Land Warfare Studies (CLAWS), an India-based think tank covering national security and military issues.”

Cisco Talos also notes that the threat actor is targeting more verticals than usual in the latest campaign.

“While military and defense personnel continue to be the group’s primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations, and conference attendees, indicating that the group is expanding its targeting,” the researchers write.

The researchers add that Transparent Tribe is putting more effort into making its phishing lures more convincing.

“The actors recently deviated from the CrimsonRAT infection chains to make their ObliqueRAT phishing maldocs appear more legitimate,” the researchers write. “For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc. In one such case in early 2021, the adversaries used iiaonline[.]in, the Indian Industries Association’s legitimate website, to host ObliqueRAT artifacts. The attackers then moved to hosting fake websites resembling those of legitimate organizations in the Indian subcontinent.”

Transparent Tribe also used HTTrack, a website copying tool, to create identical duplicates of legitimate sites.

“These examples highlight Transparent Tribe’s heavy reliance on social engineering as a core TTP and the group’s efforts to make their operations appear as legitimate as possible,” the researchers conclude.

New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to thwart social engineering attacks.
