Netizen Cybersecurity Bulletin: 19 September 2018 Edition

In this issue:

In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

  • Phish Tale of the Week!
  • Top Threats Facing Industrial Networks
  • WannaMine Worm
  • The Cost of Cyber Crime
  • How can Netizen Help?

Phish Tale of the Week!

This week’s phishing email claims it originates from Office 365:

phish1

phish2

Recommendations:

A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

  • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender is actually from the company sending the message.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
  • Do not give out personal or company information.
  • Review both signature and salutation.
  • Do not click on attachments.
  • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
  • Be wary of poor spelling, grammar, and formatting. As can be seen with the with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

 

Top Threats Facing Industrial Networks

Across the nation, and in our commonwealth, industrial controls systems (ICS) share a common heritage:  they were designed before cyber threats were understood and lacked baked-in security controls.  These critical infrastructure and the industrial control networks that manage them are under a real and active threat from a variety of malicious actors — ranging from nation-states, politically or financially motivated hackers, insiders, and disgruntled ex-employees.

ICS control dams, bridges, electrical generation plants, and other systems that operate in the background yet provide vital services. A breach of an ICS network can be disastrous, ranging from physical and environmental damage and costly downtime for manufacturing processes to putting lives at risk.

We’ll look at some of the biggest threats to these infrastructure systems:

  1. Poor Network Configuration: None of these critical systems should have unfettered access to the Internet, yet many systems were installed without even a firewall.   ICS should be in segregated in a tightly controlled subnet.
  2. Poor Audit Control: Older ICS may not have any audit functions, and those that do may not be routinely reviewed by any IT Security staff. Like all IT systems, proper audit control is essential to maintaining a secure posture. Should the ICS system lack its own auditing, adequate alternatives should be sought after to mitigate this threat.
  3. Insufficient Controls: Just as your Operating System or applications receive software patches, ICS should as well.  Systems that aren’t patched regularly are open to exploits, and systems that are beyond end-of-life (EOL) should be replaced or otherwise fortified to minimize the exposure.
  4. Employee Carelessness or Ignorance: As with any IT environment, ICS are subject to phishing attacks, social engineering, and risky browsing behaviors. These activities can compromise the IT and internal networks via lateral movement.

    Security training, network segmentation, and multifactor authentication can all help prevent breaches caused by employee lack of awareness, policy violations, or human error.

  5. Insider Attacks: Disgruntled employees or improper assignment of privileges can lead to industrial espionage or sabotage.   Performing a risk assessment to identify and address vulnerabilities such as over-privileged accounts, insiders with access to resources they don’t need to do their jobs, and orphaned accounts is essential to reducing the attack surface for insider threats.

 

WannaMine Worm

A fileless, PowerShell based, Monero-mining malware attack known as WannaMine has made a resurgence. The worm has successfully infected a Fortune 500 company in which dozens of domain controllers and about 2,000 endpoints were affected after gaining access through an unpatched SMB server. WannaMine is able to detect whether or not it has infected a 32-bit or 64-bit system, configures a scheduled process to ensure it persists after system shutdown, and even changes the power management settings to ensure that the system does not go to sleep and it can mine uninterrupted. Further, WannaMine code shuts down any process using ports associated with cryptocurrency-mining pools (3333, 5555, 7777) and then creates its own on port 14444.

Recommendations:

WannaMine has been associated with the following IP addresses:

IPS

We also recommend practicing routine updating and patching as WannaMine includes the same ExternalBlue exploit that was abused by WannaCry; patching will mitigate this threat. However, WannaMine can then try to spread using password cracking techniques/tools to find weak passwords on the network. It is for this reason that we also recommend using complex passwords supplemented by Multifactor Authentication (MFA) such as a code, app, or text.

 

The Cost of Cyber Crime

A recent study by Germany’s IT sector association has found that two thirds of Germany’s manufacturing companies have been a victim of cyber crime attacks, and has cost the industry around $50 billion. Over 500 executives were surveyed across the manufacturing sector of Germany, and it was found that small to medium-sized companies where the most vulnerable to attacks. As more cyber attackers become better resourced, more advanced techniques will be used in order to steal advanced manufacturing techniques or important trade secrets that could be devastating to companies.

The survey identified all types of risks, such as one third of companies surveyed reported that mobile devices such as phones had been stolen, and about 25% had lost sensitive digital data. Along with lost data, companies also reported that around 19% had IT and production systems sabotaged, and 11% had communications tapping.

 

Recommendations:

  • Make sure every business computer is equipped with antivirus and antispyware software that is updated regularly.
  • Secure network connections by using firewalls and encrypting important information.
  • Conduct periodic vulnerability testing on critical information technology systems.

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management) certified company.

ISO

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s