Netizen Cybersecurity Bulletin: 15 August 2018 Edition

In this issue:

In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

  • KeyPass Ransomware
  • Still Phishing
  • Another Printer Vulnerability
  • How can Netizen Help?

KeyPass Ransomware

Not to be confused with the popular password manager KeePass, KeyPass is an extension placed on files of a new variant of ransomware. The KeyPass Trojan propagates itself by way of fake installers, further highlighting the importance that proper cyber awareness and training plays in defense of an organization’s data and assets.

Upon successful infection, the trojan remains hidden, installing to the local app data folder and then deleting itself from its original location, further manifesting copies to spread through other avenues like command line arguments. KeyPass also utilizes “manual control”, in that its form can be shown after pressing a certain button on the keyboard, indicating that the attackers may wish to use the trojan in a manual attack.

The manual control technique gives the attackers the ability to customize the encryption process including the key, what is said in the ransom note, victim ID, extension of the encrypted files (.KEYPASS), as well as the list of paths to be excluded. The attackers will also be able to change the price of decryption.

Recommendations:

As mentioned above, the best defense is practicing proper cyber hygiene, however, we do have further recommendations:

  • Protect from the KeyPass ransomware, and any ransomware for that matter, by utilizing properly created and tested backups.
  • Install all needed software from trusted sources.
  • Make use of strong passwords for RDP access; greater than 8 characters, camel-case, with numbers and special characters.
  • Develop and execute a plan for an end-user awareness program.
  • Review network drive permissions to minimize the impact a single user can have on operations.
  • Perform routine patching and updating.
  • Utilize trusted and efficient endpoint protection software.

Still Phishing

One of the most widespread and simplest forms of attack continues to be a problem in the latter part of 2018—phishing. In particular, attacks have increased substantially in the financial services industry, such as online banking, e-commerce, and payment systems. These attacks include fake shopping sites or banking web pages in an effort to obtain login credentials, emails, phone numbers, credit card information, and PINs. The IT industry has also felt the increase of phishing attacks but are still targeted less than the financial sector.

Many companies receive phishing emails daily, remaining under constant threat from attackers. Phishing is so popular as people, more often than not, are the largest security vulnerabilities. Attackers often use intimidation, fear, or try to feign a level of trust in an effort to gain access to sensitive company information. For example, by way of social engineering, an attacker could spoof the CEO’s email address and demand all payment information from accounting immediately; many people would not hesitate because who would disobey the CEO?

Recommendations:

There are many best practices when it comes to defending against a phishing email of which we have listed below:

  • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender is actually from the company sending the message.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
  • Do not give out personal or company information.
  • Review both signature and salutation.
  • Do not click on attachments.
  • Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
  • Be wary of poor spelling, grammar, and formatting. If an email is visually unprofessional, the sender is likely not who they say they are.

Another Printer Vulnerability

Fax machines have been a staple in office environments since the late 1980s; you may have one in your office.  In recent years, these devices are combined into a network printer for efficiency.  However, this may be another example of the trade-off of security for convenience.

Two security researchers at DEF CON 26 recently discovered a pair of vulnerabilities in the fax protocol can transform fax machines into entry points for hackers into corporate networks.  Named “Faxploit,” this attack leverages two buffer overflows in the fax protocol components.  An attacker can send a specifically designed ‘fax’ image containing code that exploits these two vulnerabilities to a fax machine and then gains remote code execution rights over the targeted device.  From that point, the hacker can run his own code and take over the machine, and deploy other tools to infiltrate your network.  Once on the inside, the hacker can begin scanning every device on the network, looking for other weaknesses to exploit.

Unlike hacks that look to penetrate your company’s firewall from outside your network, this hack comes through the fax phone number you probably list on your business cards and website.  If your fax is combined with a network printer, the attacker gains access to your network through the phone line; a novel approach, if not one that causes a real risk to your network.

There is no way to scan incoming faxes for this kind of attack. The only way to prevent Faxploit attacks is to apply patches to individual fax machines and all-in-one office printers, which also come with an embedded fax machine.

At the time of writing, only HP has addressed Faxploit, and has released patches to prevent this attack from gaining access to your network. Other vendors will follow suit, but consideration should be given to creating network segments that would isolate printers from other mission-critical assets.

Once again, the lesson that cannot be stressed enough is simply this: any connected device needs to be updated and patched.

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management) certified company.

ISO

 

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s