Office 365 Admins Targeted in Ongoing Phishing Scam

This is not unexpected.  Cybercriminals are fairly smart and they are motivated to target the resources with the greatest and/or most effective access.  As more and more of the world moves their respective Exchange and Active Directory resources to the cloud, O365 and Azure administrators move up the valued target list.

This article simply points out something we have known for some time.  We must take phishing threats and associated awareness training seriously.  This must become a priority for every organization, large and small.  This issue also places a brighter spotlight on the security associated with service providers and 3rd party administrators.  Make sure your security controls take those resources into consideration as well.

https://threatpost.com/office-365-admins-phishing/150352/

Dark Web Monitoring Explained

 

The Dark Web is a scary place.  Even the name sounds very ominous.  Most people know that it is bad when business or personal information shows up on the Dark Web.  But at the end of the day, those same people do not really know what the Dark Web is and what is going on in the shadowy recesses of the anonymous Internet.  That is OK and to be expected.  The Dark Web is shady and cryptic and difficult to understand by design.

But Burk IT understands the threats associated with the Dark Web and the potential sale and distribution of valuable personal and business-related information.  Because the threat is real and awareness is key, Burk IT includes Dark Web monitoring in all of our core Managed Services agreements.  As part of that monitoring service, our customers will from time to time receive emails alerting them to compromises of content associated with their business user accounts.  This article will hopefully shed a little light on that process and how to react to and best leverage that information for the safety of the business and its individual computer users.

What is the Dark Web?

Before you can understand what is really taking place with Dark Web monitoring, you first need to know what the Dark Web is and is not.  The best analogy I have seen to describe the Dark Web is to think about an iceberg*.  The top part of the iceberg, the part that you see bobbing up and down above the water, is the public Internet or the World Wide Web.  This is the open part of the Internet where you can search for cat videos or find great lasagna recipes or read the box scores for your favorite baseball team.

Just beneath the surface of the water and expanding downward and outward is where the true mass and size of the iceberg lives.  This is the Deep Web.  These web servers are where the work of the Internet gets done.  This is where your online purchases get processed and your banking portal data gets generated.  This is where your social media history lives, and your private chats get hosted.  This is the home of the “cloud” and the backbone of e-commerce.

In an obscure, hard to find corner of the iceberg near the ocean floor lies the Dark Web.  This part of the Internet is not advertised, and it cannot be reached by traditional web browsers like Microsoft Edge or Google Chrome.  Access to the Dark Web requires the use of a Tor Browser which is designed to anonymize the PC and user exploring the far reaches of the Dark Web.  Dark Web websites end in the extension “.onion”, referring to the many layers of obfuscation in place to provide safely anonymous browsing.

Despite its ominous name, not every user on the Dark Web is a cybercriminal peddling his or her wares on the virtual black market.  Because of the anonymity it provides, the Dark Web is used by many legitimate groups including political dissidents, journalists, whistleblowers and even normal Internet consumers simply desiring to avoid the constant gathering of metadata traditional web browsing affords.  Yet, the Dark Web also brings together evil doers trading in child pornography, illegal drugs, violence and identity theft information.  Because of this illegal trafficking, Dark Web monitoring is an important component of any modern cybersecurity program.

What is Dark Web Monitoring?

Given the secretive and anonymous nature of the Dark Web, the logical question arises – what exactly is being monitored on the Dark Web?  This is a very important question to pose because many of the TV, web and print ads touting Dark Web monitoring would lead you to believe that these companies can definitively protect your identity and purge every bit and byte of your personal information from all these criminal forums.  That is not exactly the truth.

Dark Web monitoring was born from federal government contracts with private firms designed to understand what information was being posted and traded on the Dark Web for national security and law enforcement purposes.  These private firms quickly realized the commercial value of the tools and techniques they had developed, so business and personal Dark Web monitoring offerings were quickly designed and marketed to the general public.

Dark Web monitoring services basically scour Dark Web news boards, commerce sites, and other forums looking for PII (personally identifiable information) that has been posted for sale or trade.  This research is performed using custom bots, software artificial intelligence and human assets to ensure the information is as timely and actionable as possible.  These services then correlate the PII detected with the corporate domains and user accounts being monitored and report on the findings that match.

The information reported by a Dark Web monitoring service varies from vendor to vendor but generally includes the following:

Username / Email address associated with the compromised account – This ID is typically associated with the domain name for the business or organization being monitored by the service.

Date the compromise was found – This is the date the service’s algorithms and human resources discovered the compromised information in the Dark Web.

Date reported / posted / added – This is the date the discovered information is validated and provided to the monitoring customer, usually via a traditional web portal or secure email.

Password / Password Hint / Password Hash – This is typically the entire cleartext password of the account in question, or a portion of that password as a verification tool for the end user.  A password hash is a masked version of a user password usually compromised from an online website or backend website resource.  These hashes are easily cracked by cybercriminals and are, therefore, very damaging when discovered in the wild of the Dark Web.

PII information – Many monitoring services will also report whether additional personal information was present associated with the compromised credentials including full name, address, phone number, and social security number.

Source or origin of the compromise – This information is often speculative, but most Dark Web monitoring services will provide insight into the source or nature of the breach that led to the presence of these credentials and other PII on the Dark Web.

All of this information is valuable and warrants a response, but it is also very important to consider the information that the Dark Web monitoring service CANNOT provide and the actions the service CANNOT take on behalf of the compromised entity:

Date / Time of the original compromise – Monitoring services most often cannot pinpoint the exact date or time of a data compromise.  Even if the compromise is attributed to a known breach of a business, service, or website, specifics about the timing surrounding those breaches are not typically public knowledge.  If the compromise was the result of an attack against an end user such as phishing or a malware attack, knowledge of the timing of those types of attacks is nearly impossible.  It is also important to note that most of the information posted on the Dark Web was stolen weeks if not months earlier.

Date the compromised information was first posted to the Dark Web – Monitoring services have become extremely efficient at finding and correlating data from the Dark Web, but they are still far from the ability to monitor the whole of the Dark Web in real-time.  There can be a significant delay of days or weeks between the time information is posted to a site or forum on the Dark Web and its discovery by a monitoring service.

Removal of compromised information from the Dark Web – It is one thing to discover information associated with an individual on the Dark Web.  It is a wholly different problem to try to purge information from these forums and sites.  Generally speaking, once this proverbial genie is out of the bottle, there is no putting it back.  Remember, these are Dark Web MONITORING services.  They can let you know something bad has happened, but they cannot necessarily reverse the damage already done.

What should you do when you receive a Dark Web alert?

Many people will read the previous paragraph and decide that there is no real value in Dark Web monitoring if you cannot remove personal information once it is posted.  I would disagree on the following grounds – 1) It is better to know than to not know what personal information is in the wild, and 2) With knowledge comes power and the ability to better mitigate the situation quickly.  So, what should you do if you or your organization receives an alert that PII is on the Dark Web?

  • Rotate the passwords associated with the affected user account – The biggest fear for most business IT administrators is that when a website is compromised, the user’s password associated with that website may be the same password that person uses on the business network. Internet users have become creatures of habit when it comes to passwords and tend to reuse passwords across multiple sites and systems.  This behavior makes the job of the cybercriminal that much easier when he or she decides to see what all can be stolen using those compromised credentials.  Also, consider three other options when you are changing those passwords:
    • Switch from short, complex passwords to longer, easier to remember passphrases consisting of several words or a memorable sentence. Passphrases are significantly harder to crack for cybercriminals and require changing less often.
    • Consider using a good Password Manager (1Password / KeePass / LastPass). It is a good practice to use unique passwords or passphrases for every website and system you access.  A password manager is a safe way to keep up with all those different credentials.
    • Implement multi-factor authentication for websites and systems whenever possible. Multi-factor authentication in the form of authenticator apps or SMS texts adds a strong barrier to protect against identity compromise.  Even if a cybercriminal gets his or her hands on your username and password, that person still cannot authenticate as you without your phone or token.  Most major websites and services support multi-factor authentication now including Facebook, Twitter, Amazon and Google.
  • Request new credit cards and other account numbers when necessary – In some situations, Dark Web monitoring services can alert you to card or account fraud before the affected bank or store knows something has gone wrong. React quickly by alerting the bank or store and requesting new account info.
  • Consider freezing your credit – The best way to prevent identity theft and stop the bad guys from opening lines of credit in your name is to take away that option. Freezing your credit line by contacting each credit bureau (Equifax, Experian, and TransUnion) is an easy, low cost process that can provide peace of mind despite the scary nature of the Dark Web.
  • Educate! Educate!  Educate! – The best thing anyone can do to fight cybercrime is to learn about the enemies at the gate, learn how to keep out and fight back against those enemies, and then share that information with others.  Train yourself.  Get training for those around you.  Share what you have learned.
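As an added illustration (not part of the original article and not Burk IT's or any vendor's tooling), the sketch below turns alerts carrying the fields listed earlier into a per-account worklist of the response steps above. The field names, severity levels, the `example.com` domain and the sample alerts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumption: the domains enrolled with the monitoring service.
MONITORED_DOMAINS = {"example.com"}
SEVERITY_ORDER = ["low", "medium", "high"]

@dataclass
class Alert:
    email: str
    found: date                      # date the service found the data
    reported: date                   # date the finding reached the customer
    credential_type: str = "none"    # "cleartext", "hash", "hint" or "none"
    pii: frozenset = frozenset()     # e.g. {"ssn", "card"}
    source: str = "unknown"          # often speculative, kept for context

def normalize(email):
    """Lower-case and trim so 'J.Doe@Example.COM ' matches its account."""
    return email.strip().lower()

def triage(alert):
    """Return (severity, actions) for one alert, or None if out of scope."""
    email = normalize(alert.email)
    if email.rsplit("@", 1)[-1] not in MONITORED_DOMAINS:
        return None
    severity, actions = "low", []
    if alert.credential_type in ("cleartext", "hash"):
        # Hashes are treated like cleartext: assume they will be cracked.
        severity = "high"
    elif alert.credential_type == "hint":
        severity = "medium"
    if alert.credential_type != "none":
        actions += ["rotate password everywhere it was reused",
                    "enable multi-factor authentication"]
    if "card" in alert.pii:
        actions.append("request new card or account numbers")
    if "ssn" in alert.pii:
        severity = "high"
        actions.append("consider a credit freeze at each bureau")
    actions.append("brief the user on the exposure")
    return severity, actions

def build_worklist(alerts):
    """Merge alerts per account: worst severity, union of actions, max lag."""
    work = {}
    for a in alerts:
        result = triage(a)
        if result is None:
            continue
        severity, actions = result
        entry = work.setdefault(normalize(a.email),
                                {"severity": "low", "actions": [], "lag_days": 0})
        if SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(entry["severity"]):
            entry["severity"] = severity
        for act in actions:
            if act not in entry["actions"]:
                entry["actions"].append(act)
        # Found-to-reported lag; the original theft is older still.
        entry["lag_days"] = max(entry["lag_days"], (a.reported - a.found).days)
    return work

# Constructed sample alerts (not real data).
SAMPLE = [
    Alert("J.Doe@Example.com", date(2019, 9, 2), date(2019, 9, 5), "hash",
          source="third-party website breach"),
    Alert("j.doe@example.com", date(2019, 9, 10), date(2019, 9, 11), "none",
          frozenset({"ssn"})),
    Alert("pat@example.com", date(2019, 9, 1), date(2019, 9, 8), "hint"),
    Alert("someone@other.org", date(2019, 9, 1), date(2019, 9, 2), "cleartext"),
]

if __name__ == "__main__":
    for account, entry in build_worklist(SAMPLE).items():
        print(account, entry["severity"], entry["lag_days"], entry["actions"])
```

The lag it reports covers only the gap between discovery and notification; as noted above, the date of the original compromise is usually unknown, so rotation should not wait on it.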

Hopefully this article has helped to demystify the Dark Web and add some clarity to the process surrounding Dark Web monitoring.  The tools that protect us from cybercrime keep getting stronger and more effective.  We too need to continue to get stronger in our knowledge of the threats we face and the actions we need to take to protect ourselves.  Keep fighting!

 

* Susan Grant of the Consumer Federation of America

A New Attack Category is Born: You Now Need to Also Worry About Evasive Spear Phishing

Spear phishing has long been a serious concern for organizations battling the constant onslaught of social engineering attacks pointed at their users.  This post from the team at KnowBe4 sheds some light on a new form of spear phishing that often focuses in on technology firms and other high value targets.  The depth and level of sophistication associated with these attacks should raise red flags.  The more accurate and relevant the phishing content, the higher the likelihood the end user will fall into the trap and click the link.

Please be diligent in your awareness training and notifications to end users.  These threats are very real!

https://blog.knowbe4.com/a-new-attack-category-is-born-you-now-need-to-also-worry-about-evasive-spear-phishing

Ransomware – Are We Asking the Right Questions?

A couple of weeks ago, a story broke on our local news outlets involving a ransomware attack against the Smyth County Virginia school system.  Smyth County is located in Southwest Virginia and is comprised of 3 towns (Marion, Chilhowie and Saltville) and approximately 32,000 residents.  The focus of the majority of the news coverage for this cybersecurity event surrounded the fact that the ransomware attack forced the school system to shut down significant portions of their network including student Internet access as a precaution against the spread of the ransomware infection.  Interviews with the school system’s Director of IT revealed that several Windows-based servers were encrypted and inaccessible.  Recovery from backups was underway for those resources as the school system had wisely chosen not to pay the ransom.

Subsequent follow-up coverage of this event has revealed the continued efforts by the school system to recover data and rebuild servers, and the steps the school system has taken to mitigate the impact of a future ransomware attack.  According to the system’s Director of IT, new anti-malware software is being deployed and a previously planned project to move additional systems to a cloud-hosted platform has been moved up on the calendar and expedited.  All of this information has added to the overall ransomware narrative and the difficulties that any organization would face if infected by a ransomware attack.  But as an IT security professional, I find myself incredibly frustrated by this event and the general emphasis of the news story that has been crafted and repeated.  My frustration lies in the simple fact that two very important questions have not been asked and answered – 1) How did the ransomware infiltrate the school system’s network? and 2) What controls were in place to prevent this attack in the first place?

These two questions are at the heart of the “how” and the “why” of this event, and it is from the answers to these two crucial questions that we actually learn something of value from this painful experience.  Everything discussed in the media to this point and everything shared by school system officials has been reactive in nature.  The network was shut down and Internet access was disabled to prevent the spread of the infection after it had taken hold in the Windows environment.  New anti-malware software is being deployed to prevent future attacks.  Data is being moved to the cloud to limit future exposure.  All of this work is important for Smyth County.  But for the rest of us, and more specifically, for other school systems in the region, the conversation needs to be centered on how the infection started, which controls worked, which controls failed, and which controls were simply missing that led to downtime, system failures and the potential loss of critical data.

Many of the reactionary controls mentioned to this point may not be effective against future ransomware attacks based on the changes in attack vectors used by cybercriminals today.  According to the 2019 CrowdStrike Global Threat Report, more than 70% of attacks against healthcare and education targets in the past year were malware free.  This means that the initial tactic used by the cybercriminal did not result in a file or file fragment being written to disk on the target platform.  In other words, the bad guys used social engineering, stolen credentials or some other out of band mechanism to gain access to the information they were targeting.  Technical controls like signature-based anti-malware software cannot defend against these types of attacks.  Nor does moving data to a cloud-hosted platform fully mitigate the threat.

Some will ask why should we invest so much energy and money – and in the case of school systems we are talking about tax payer money – into combatting these types of threats.  The biggest publicly disclosed impact of the attack on the Smyth County school system was the loss of Internet access for students and staff over a two- or three-day period.  I have no doubt many parents in Smyth County were pleased to know their students had a break from the Internet for a few hours a day.  But Internet access was the biggest publicly disclosed impact, not the only impact of this type of attack.  Actual data exfiltration has not been confirmed, and data is often the biggest motivator for cybercriminals.

The 2019 Verizon Data Breach Investigations Report revealed that 80% of all breaches targeting the education sector were financially motivated, and of all reported breaches in the education sector, 26% resulted in some form of data disclosure.  Think for a moment about the type of data a school system has under its control.  For students, the school system maintains records including name, address, phone #, email address, social security #, and in many cases, medical records.  For parents, the system has similar information and, in many cases, some form of payment-related information.  For school system employees, the records are even more detailed.  All of these data types are incredibly valuable for cybercriminals wanting to forge identities or generate other more targeted attacks.  Consider too the fact that these students are typically under the age of 18 and do not have any form of identity protection in place or at their disposal.

I realize that the tone of this article can and may be seen as an indictment against the IT team in Smyth County, but that is far from the case.  From all accounts, that team of IT professionals identified the threat and responded quickly to limit its spread.  There were clearly requests and plans in place to strengthen the network that are now being green lit and expedited.  I believe they did everything in their power to defend their infrastructure as best they could.  Like many things in IT, success comes down to human resources and budget, neither of which tends to stretch very effectively.  My goal is not to shine a light on any failures in Smyth County, Virginia, but to instead shed some light on the larger problem all of us face in terms of a lack of understanding and preparedness when it comes to these types of cybersecurity threats.

So far in this post, I have provided a ton of critical feedback surrounding how this breach was covered in the news and how the school system did or did not respond, so allow me to stop and provide some applicable recommendations on how to help mitigate if not prevent these types of attacks moving forward:

  • Deploy an Advanced Malware Protection Platform to replace traditional signature-based anti-virus software – Gone are the days when we can wait for and trust a downloaded signature file from an anti-virus vendor to defend us against malicious activity on our PCs and servers. Threats are evolving too quickly for signature files to keep up and many threats do not involve detectable code.  Organizations need a platform in place that can intelligently monitor, detect and remediate threats based on computer and application behavior, anomalous end user inputs, and unexpected or inappropriate network traffic.  Many sound platforms exist, and many include 3rd party monitoring components that can speed up response to threats and reduce the potential impact of false positive detections.
  • Implement modern UTM (unified threat management) controls and DNS-based content filtering on all ingress/egress points for the network – We can no longer rely on basic stateful packet inspection and port-based firewall rules to successfully filter our Internet traffic. Modern UTM can filter and inspect at the application level, and DNS-based content filtering can successfully identify and restrict access to those command and control servers so many ransomware platforms rely on for effectiveness.  Some statistics give DNS-based content filtering a success rate against ransomware infections as high as 93%.
  • Upgrade and patch your servers and PCs – This sounds like an obvious statement, but far too many school systems still rely on donated hand-me-down hardware from businesses and higher education resources to survive. Those computers are often running outdated operating systems and have no mechanism in place for proper patching and security updates.  It only takes a small toehold on the network for the bad guys to land and expand and wreak havoc.
  • Train your employees and students, all of them, frequently – Social engineering (phishing, vishing, in-person) is the biggest threat to most organizations. All the technical controls in the world cannot prevent an end user with authorized access from doing harm to a network.  We have to educate everyone to the threat landscape.  We have to teach individuals how to respond to social engineering and other observed unusual activity.  People need to know who to inform and to do so quickly.  And this education should span beyond the four walls of the organization to the home and personal IT security best practices.  The threats are real whether we are at work sitting at our desks or at home sitting on our couches.
  • Develop more than a backup solution. Build a disaster recovery plan and test it – During the initial interviews with school system officials in Smyth County, those officials indicated that server restoration processes were underway using backup data.  In one follow-up print article nearly two weeks later, those same officials indicated that those restoration processes were still ongoing.  Depending on the criticality of the system and data affected by an attack, most organizations cannot wait weeks for systems to come back online.  It is incredibly important to consider and define a valid Recovery Time Objective for the organization.  How long can you survive without access to your information and systems?  Based on the answer to that question, deploy redundant servers and backup solutions that can have you back online and functioning before it becomes too late for the effective survival of your organization.

Over the last couple of weeks, I have been reading The Only Plane in the Sky – An Oral History of 9/11 by Garrett M. Graff.  This book is a heart-wrenching compilation of first-person accounts from those people who lived through the hours and days surrounding that life-altering day in our nation’s history.  Through these personal stories and quotes, I am reminded that we as a nation responded to those attacks using emergency procedures and protocols that were largely born from the Cold War.  Some of that training and some of those plans and procedures were effective and saved lives and restored some order to a chaotic situation.  Other components of those plans and procedures were completely inapplicable to the situation, leaving many government officials and first responders groping in the dark for answers and developing strategies on the fly to cope with the disaster at hand.  We need to learn from that horrific day.

I am wholly convinced that the next great threat to our country is not another series of plane hijackings or a terrorist with a bomb or even a nuclear weapon controlled by a hostile nation state.  The next great threat we face is a cyber-attack against our infrastructure.  It may come from a terrorist cell, a politically motivated activist group, a hostile nation or even a highly motivated disgruntled individual, but it will come, and it will wreak havoc on our way of life.  I am far from convinced that we are properly prepared.   Such an attack can be mitigated, but it will take each and every one of us.  It will take IT professionals willing to work hard, deploy the right controls, and avoid the short cuts that make our computer networks vulnerable.  It will take organizational leadership willing to invest the right amount of time and energy and funding to support those IT professionals.  And it will take the rest of us, willing to train, build good personal security habits, and learn the signs of a cyber-attack and how to respond appropriately.  The time for reactive responses is over.  We need to become proactive.  We need to prepare.  And we need to continue the conversation loudly and publicly.

Web scraping doesn’t violate anti-hacking law, appeals court rules

This is an intriguing legal development that may have far reaching implications on intellectual property and privacy fronts.  The fact that current legal standards cannot appropriately address web scraping means that our US laws are woefully outdated and unable to tackle the challenges of a highly technical and quickly evolving society.  Agility should be an important component to all future legislative processes.

https://arstechnica.com/tech-policy/2019/09/web-scraping-doesnt-violate-anti-hacking-law-appeals-court-rules/

Wikipedia, World of Warcraft Downed By Weekend DDoS Attacks

This article discusses yet another series of DDoS attacks targeting well known websites.  Based on the article, these DDoS attacks are an example of a hacking group trying to validate skills and work toward larger attacks which will in turn inspire other attacks against new targets by other new hacking groups.  This is a systemic problem that will continue to grow and plague businesses and organizations worldwide.

It is important to consider the potential damage that can be caused by a DDoS attack and how your organization would remediate or mitigate such an attack.

https://threatpost.com/wikipedia-world-of-warcraft-ddos-attacks/148121/