Netizen Threat Brief: 9 May 2018 Edition

Threats:

Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

  1. SamSam Ransomware
  2. Process Doppelgänging
  3. Phishing Email
  4. Android P
  5. Drupal Cryptojacking Campaign

1. SamSam Ransomware

Overview

A ransomware known as SamSam is primarily being utilized to target organizations and public industries like hospitals and schools. SamSam operates in a manner that is different from the usual strains of malware in that it takes advantage of software vulnerabilities to infiltrate networks instead of the usual phishing and spam campaigns. It is characteristic of SamSam to use brute-force methods of attack to break weak Remote Desktop Protocol (RDP) passwords.

Recommendations

To protect critical information, we recommend the following:

  • Update your systems regularly. SamSam infiltrates vulnerable systems by exploiting outdated software and unpatched bugs. To protect your network, apply the latest security patches as soon as you can and never use obsolete and unsupported software.
  • Back up data regularly. This is the best way to recover your critical data if your computer is infected with ransomware.
  • Make sure your backups are secure. Do not connect your backups to computers or networks that they are backing up.
  • Have strong security software. This will help prevent the installation of ransomware on your gadget.
  • Implement strong and complex RDP passwords.

2. Process Doppelgänging

Overview

A fileless code injection method known as Process Doppelgänging is being used by attackers to evade detection while the malware, in this case ransomware, carries out its intended purpose. A default function of Windows, NTFS transactions, is taken advantage of by Process Doppelgänging to replace the memory of a legitimate process. This tricks other process monitoring tools, as well as antivirus software, into trusting that the legitimate process is actually running.

Recommendations

Process Doppelgänging affects all versions of Windows versions and is able to bypass most antivirus solutions. To mitigate a breach, we recommend the following:

  • Despite the malicious method bypassing most AV software, we still recommend keeping your antivirus up to date. Antivirus solutions are often created with layers of security, so that if there is a breach, it may at least be contained.
  • The method works in conjunction with ransomware, which typically comes by way of phishing emails, malicious advertisements, and malicious third-party applications and programs. Exercise caution when opening emails; examine links, verify senders, open and download items only from those that you trust.
  • Have routine backups implemented that houses all important files that is segmented off of the main network in case of a breach.

3. Phishing Email

Overview

Netizen has seen an uptick in phishing emails claiming to be from the Pennsylvania Department of General Services (DGS) and other government agencies. One particular email had an attached PDF form for download containing a link to a site that presents itself as a Microsoft login screen designed to steal credentials. However, further inspection of the email and, with closer scrutiny of the message headers, shows the true origin of this message, as seen in the images below. The PA DGS has sent out emails warning businesses about this campaign and has advised them to be cautious.

phishing1

The original message is listed above, claiming to be from the DGS.

phishing2

Taking a look at the original author’s ID, it is clearly not from the DGS but rather a breached private company that an attacker is using as a staging point to send spoofed email messages to other targets.

Recommendations

  • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender is actually from the company sending the message
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is huge red flag.
  • Do not give out personal or company information.
  • Review both signature and salutation.
  • Do not click on attachments

Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as:

HTTPS2

  • Be wary of poor spelling, grammar, and formatting. As can be seen with the Dropbox phishing email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.
  • Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

4. Android P

Overview

The current Android OS allows applications to access networking data by asking for permission, however, the permission’s text is ambiguous, leading users to give more access to these applications than they intend to. Threats to mobile phones are not typically taken into consideration, amplifying the risk if the phone affected is a work phone containing company information

User-installed applications obtain permission and then tap into what is known as the “/proc/net” process, that allows these apps to detect any time whether or not a user is initiating a network connection, as well as what server they are connecting to. It is this information that allows the app’s creators to sell that data to advertisers.

Recommendations

We recommend upgrading to the latest Android OS known as Android P. Android P restricts access to the core OS processes, and will only allow said access to VPN applications, while any other must undergo a code audit. When available, Android P will:

  • Block cleartext (HTTP) traffic from apps.
  • Use the same UI when requesting fingerprint authentication across apps and devices.
  • Block background apps from accessing the phone’s camera and microphone.
  • Encrypt backups on the device with a local secret key before sending the backup for storage on Google’s servers.
  • Support for MAC address randomization.
  • Support for DNS over TLS

5. Drupal Cryptojacking Campaign

Overview

Drupal has come under attack once more, as those who have not yet patched their sites have fallen victim to backdoors and coin miners. Given the aforementioned, more and more malware campaigns are targeting Drupal site, two of which have been discovered in the last week.

Given the most recently discovered campaign, an estimated 350+ Drupal sites are running an in-browser coin-miner while the other crusade leaves PHP-based backdoors on all compromised servers for future access despite updating.

Recommendations

To prevent a breach or to mitigate site damage, we recommend:

  • Updating to the current Drupal versions that have patched these vulnerabilities if you have not already.
  • If you were hacked previously and then updated, run a thorough vulnerability scan of the site(s) to search for any backdoors as updating a hacked site will not completely remove the threat.
  • If compromised, consider restoring from an older backup, or try reinstalling the site from scratch.

How can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

 

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s