Netizen Threat Brief: 28 February 2018 Edition

Threats

Listed below is information regarding two of this week’s most critical threats, and preventative measures to lessen the chances of a breach. Also contained in this brief, is an update to a previous vulnerability:

  1. Spike in W-2 Phishing Campaigns
  2. Single Sign-On Vulnerability
  3. Intel Spectre Firmware Fixes

1. Spike in W-2 Phishing Campaigns

Overview

The FBI has warned of a sharp rise in phishing campaigns targeting businesses’ W-2 information from payroll personnel. Given that it is tax season, these types of emails are after very important personal information, including employee’s social security numbers likely from an individual within Human Resources as they have access to that type of information.

The phishing attacks range from the impersonation of an executive down to a legitimate looking email requesting employee information. In certain cases, after the cyber criminals had obtained the W-2 information, they would immediately follow up with a request for a wire transfer—many organizations were unaware for weeks or even months that they had been scammed.

Recommendations

Human error is one of the biggest entry points for cyber criminals.

To mitigate a breach, we recommend:

  • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender is actually from the company sending the message
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is huge red flag.
  • Do not give out personal or company information.
  • Review both signature and salutation.
  • Do not click on attachments
  • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place (HTTPS)
  • Be wary of poor spelling, grammar, and formatting.
  • Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
  • Verify the sender—even if that means calling the person to confirm it was them who is requesting or sending the email.

We also suggest that businesses maintain a hard copy of vendor contact information with a list of those that are authorized to approve changes in payment instructions. Also, businesses should delay a transaction until further additional verifications can be performed. For example, make staff wait to be contacted by the bank to verify the wire transfer.

2. Single Sign-On Vulnerability

Overview

Single sign-on (SSO) is a session and user authentication service that organizations often leverage to use one set of login credentials in order to access multiple applications. SSO is extremely convenient as it will authenticate the end user for every application that the user has authorization and rights to, while also eliminating further prompts when switching between applications. SSO is also helpful for logging and monitoring users’ accounts and activity on the backend.

A new vulnerability has been discovered based on Security Assertion Markup Language (SAML)—an open standard that allows security credentials to be shared by multiple computers across a network—in which hackers can trick systems using SAML to grant them higher access. Using an existing user ID and password, which can be obtained legitimately or through other means (i.e. social engineering), a hacker can fool the SAML system into authenticating another user without needing that user’s password. Predictability plays a factor, as most organizations have a pattern with which they delegate ID’s, making it easy to find or guess what the ID is; and with an exploited SAML system with one set of credentials, higher access can be attained.

Recommendations

Vendors known for using SAML and SSO systems are: OneLogin, Clever, OmniAuth, Shibboleth and Duo Network Gateway. We recommend that SAML-based systems utilizing the SSO service have applied patches and updates as soon as feasible. It would also prove beneficial to leverage multifactor authentication (MFA)—even if an account is compromised, there is that added second layer of security that prevents the access as further verification is required.

3. Intel Spectre Firmware Fixes (Update)

Overview

In a previous Threat Brief entitled, “Major Microchip Flaws”, government research had revealed two major flaws in the computer processor chips of everyday devices. The flaws, known as Meltdown and Spectre, exist within processors that could allow an attacker to read sensitive data stored in memory—such as passwords or data from current system processes. Research also suggests that the chips themselves would need to be replaced to constitute a complete fix but patches have been released by major vendors to mitigate the most extreme vulnerabilities associated with this threat.

While the data within the devices should be protected and isolated, there are cases where the processor can be exposed while it queues up information. Affected devices include, but are not limited to: desktops, laptops, smartphones, and cloud servers.

Update

In response to the vulnerabilities, Intel has issued an updated microcode that will help protect and fend off the Spectre security exploit in their newer processors—6th, 7th, 8th generation Intel core processors and Intel Xeon scalable processors to name a few.

Intel has stated that the new microcode updates will be made available in most cases through OEM firmware updates. It is also recommended to continue with routine patching, updates, and upgrades to systems. The discovery of Meltdown and Spectre by Google Project Zero in early January now has Intel looking to bolster their security efforts in getting ahead of potential and newfound threat vectors.

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s