STE WILLIAMS

From his days as an IT worker, to his work as a journalist covering information security, to his time now as a security researcher with Akamai, Steve Ragan has been watching phishing techniques evolve for nearly two decades.

But it wasn’t until late 2007, when the Storm Worm started taking off, that Ragan’s education began in earnest.

“Storm circulated via email and targeted current events as a lure to get people to open malicious attachments and URLs,” Ragan recalls. “It worked well, and the botnet continued to grow. Storm was a spam campaign — at least that is how it was commonly referred to — but it was phishing at its purest. The idea was to send an email, pique the curiosity of the recipient, and deliver a malicious payload. “

Phishing is still going strong. But what has changed since Storm’s earlier days?

Everything, according to Ragan.

Gone are the days when most phishing emails were easy to spot due to their grammar and spelling errors, he says. Criminals have evolved, and scripts are tighter, error-free, and more focused. Spear-phishing, which is a highly targeted type of phishing attempt that focuses on a specific individual or group, is on the rise. So are business email compromise (BEC) attacks, which are targeted phishing attacks on business emails — typically those held by high-level executives. In fact, according to the FBI, BEC attacks resulted in $12 billion in losses between October 2013 and May 2018.

“Criminals have been known to call the targeted organization or victim to confirm information, and public records are used to corroborate information, such as who works in accounting and who their direct report is,” Ragan says.

Phishing continues to be a successful tactic because people are, by nature, trusting. In addition, techniques keep evolving, making it tough for security managers to stay on top. Ragan, and several other security industry experts who track phishing tactics, offer a breakdown of the latest tricks and traps phishing criminals are up to these days. 

{Continued on Next Page}

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio

Article source: https://www.darkreading.com/edge/theedge/phishers-latest-tricks-for-reeling-in-new-victims/b/d-id/1335757?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Up until just a few years ago, unless you were working as a secret agent, your only chance of seeing spy tools and gadgets was in the movies. These days, it still isn’t easy to buy a lipstick pistol or a Bulgarian umbrella, but it has become shockingly easy to legally buy hardware-based cyberattack tools.

Although IT security tools have quickly and significantly improved and threat-hunting teams of the leading enterprises have become more professional, cybercriminals aren’t giving up.

Document leaks, such as the NSA ANT catalog and the US Central Intelligence Agency’s Vault 7, released a huge hacking tool arsenal including concepts of operation, drawings, source code, etc., and allowed individuals and specialized companies to join the game. Hardware cyberattack tools that were in the hands of only governments and intelligence agencies are now available for purchase as legitimate penetration-testing tools starting at less than $10.

A recent example of a dangerous tool is the USB Ninja cable, which was introduced earlier this year. The Ninja cable looks like any ordinary and innocent smartphone-charging cable, and will charge a smartphone as usual. However, this cable’s design and internals are inspired by the leaked NSA Cottonmouth, a USB hardware implant that provides a wireless bridge into a target network as well as the ability to load exploit software onto target PCs. (For information on the original device, see the background story here.) When it was a top-secret weapon in use by the government, the unit price was $20,000. These days, when publicly offered as a pen-testing tool, anyone can buy it for around $99.

Now just imagine a cybercrime organization trying to get into a bank’s internal network. Chances of being able to overcome the network security tools such as firewalls, email scanners, etc., are not that high, and every failing attempt will just make the systems and security team more alert. But what if the threat actor could drop some of those cables around the company’s HQ lobby? What if a cable is left on the cafeteria table? What if the ATM custodian gets one as a freebie? Probably, this cable will be plugged into a corporate laptop sooner rather than later, just for the sake of charging the phone.

The method of using infected hardware devices as attack vehicles and as invisible doors into sensitive infrastructure is even more attractive because the attacker can jump over air gaps and enter into (or steal information from) parts of the network that are segregated from the Internet or other parts of the enterprise network.

There is a huge gap in the awareness of IT and security teams between software deployment and usage policies and those that relate to hardware devices.

Corporate employees or contractors will never be able to install or use uncontrolled software on an enterprise workstation or laptop. There are not only regulations and processes, but the entire system of authorization levels and user management will block it even if they tried.

On the other hand, in many places, anyone can bring in and connect any uncontrolled gadget or peripheral device directly to the infrastructure. Not only are there no policies in place to define what’s allowed and what’s forbidden, there isn’t even a way for CISOs or risk officers to know and understand the attack surface they’re in charge of protecting.

Know the Risk
The good news is that it’s possible to address this rapidly growing threat. As always, being aware and understanding the risk is the most important step. This change in mindset is quickly taking hold in the industry —the Center for Internet Security (CIS, a nonprofit with large companies, government agencies, and academic institutions as members) has defined inventory and control of hardware assets as a top priority.

CIS urges organizations to actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. For more details, check out the tips from CIS.

Related Content:

• The State of IT Operations and Cybersecurity Operations
• 7 Breaches Hacks That Throw Shade on Biometric Security
• ISAC 101: Unlocking the Power of Information
• To Navigate a Sea of Cybersecurity Solutions, Learn How to Fish

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Phishers’ Latest Tricks for Reeling in New Victims.”

Iftah Bratspiess is a cybersecurity leader and entrepreneur with over 25 years of business and technology experience as an engineer, software developer, product line owner, manager, and strategist. Throughout his career, Iftah has successfully navigated multidisciplinary … View Full Bio

Article source: https://www.darkreading.com/risk/from-spyware-to-ninja-cable/a/d-id/1335710?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Source: notoriousBAIG

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Beyond the Edge content is curated by Dark Reading editors and created by external sources, credited for their work. View Full Bio

Article source: https://www.darkreading.com/edge/theedge/just-a-few-questions-before-that-bank-withdrawal--/b/d-id/1335761?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The state of Texas is so far refusing to comply with the demands of a ransomware attack that affected 22 local governments, the Texas Department of Information Resources (DIR) reports. None of the affected municipalities have paid the $2.5 million ransom demanded.

On August 16, a coordinated ransomware campaign hit systems of cities and towns across Texas, prompting state officials to activate a task force consisting of the DIR, Texas AM University System’s Security Operations Center, the Texas Department of Public Safety, and emergency and military responders. By August 23, all affected entities had transitioned from assessment to remediation and recovery; now, more than half have resumed their normal operations.

The DIR is now scheduling follow-up visits with governments to ensure their rebuilding efforts are successful, according to an update the organization published late last week. It is unaware of ransom being paid by any of the 22 affected municipalities in the aftermath of the attack.

Ransom payments are a controversial topic among security professionals, most of whom disagree with paying attackers and fueling their motivation to launch future campaigns. Still, depending on the size of the attack and amount of money requested, ransom payments may amount to less than the cost of rebuilding networks from scratch — a burden that could potentially fall on taxpayers’ shoulders, commented ImmuniWeb CEO Ilia Kolochenko.

“However, given that no human lives are at stake, in a long term prospective, such rigid tactics may well disincentivize the attackers,” he said of the Texas attack. It’s imperative governments have processes in place to handle incidents of this scale. Based on the DIR’s latest update, it seems Texas had done sufficient preparation to avoid making a high ransom payment.

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Phishers’ Latest Tricks for Reeling in New Victims“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/risk/texas-refuses-to-pay-$25m-in-massive-ransomware-attack/d/d-id/1335763?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

China-based advanced persistent threat group (APT) Thrip continues to pose a major threat to organizations in the satellite, telecommunications, and military sectors in Southeast Asia more than a year after Symantec first exposed its activities.

Far from being deterred by the exposure, the group has continued its attacks unabated on companies in the region. Since June 2018, Thrip has attacked at least 12 high-level targets in multiple countries, including Hong Kong, Indonesia, Malaysia, and the Philippines, Symantec said in an update on Thrip’s activities this week.

Thrip, which is known for leveraging legitimate tools such as PsExec, PowerShell, and LogMeIn in its attacks, also has added more custom weapons to its arsenal. According to Symantec, the Chinese group recently began using a previously unseen backdoor called Hannotog to try and gain persistent remote access on compromised systems. Hannotog takes advantage of the built-in Windows Management Instrumentation (WMI) component in Windows as part of its execution on victim networks.

Thrip also is using Sagerunex, another backdoor, recent attacks, suggesting a strong link between Thrip and Billbug Group (aka Lotus Blossom), a well-known Chinese cyber-espionage group that has been operating since at least early 2009. Sagerunex appears to be a more evolved version of malware dubbed Evora, which Billbug has been known to use. Based on this and other available telemetry it appears Thrip is a subgroup of Billbug, Symantec said.

For organizations on its radar, Thrip presents a clear and present danger, says Vikram Thakur, technical director at Symantec.

“Attackers will continue to target organizations regardless of public exposure of their campaigns and tools,” he says. “[Organizations] in targeted market segments should take note of the techniques leveraged by Thrip and ensure they have appropriate tools to both instrument and respond in case the attacker turns their way.” 

One complicating factor is Thrip’s heavy use of legitimate and dual-use tools for lateral movement, credential theft malware execution, and other malicious activities. By hiding its attack traffic in a sea of legitimate traffic, the group — like a growing number of other threat actors — has made it much harder for organizations to stop them using typical antimalware and theft detection tools.

Beyond Cyber Espionage?
Thrip’s main motive continues to be cyber espionage, Thakur says. But in at least a few of its attacks, the group appears to have gained a dangerous level of access to operational systems.

In one attack on a satellite communications provider that Symantec investigated last year, Thrip actors seemed particularly interested in infecting computers that monitored and controlled satellites. In another attack involving a Southeast Asian geospatial imaging and mapping company, Thrip once again went after operational systems. That time, the group attacked systems using for critical application development tasks and those running imaging software and Google Earth Server.

Thakur says Symantec is not sure what exactly the attackers would have been able to do with their access to these systems. “Our visibility stops at attackers being able to get onto machines,” he notes.

Data from attacks on at least three other communications firms in Southeast Asia suggested Thrip was primarily targeting the companies themselves and not their customers, Symantec said.

For the moment, at least, Thrip appears solely focused on organizations in Southeast Asia. But there’s no telling when that might change. “While we don’t have any evidence of US targeting in the past year of Thrip’s activity, this can change at any moment,” Thakur warns. “We always urge peers within targeted verticals to take note of ongoing attacks and bolster their own defenses in the event the attackers change targeting.”  

Related Content:

• How China Russia Use Social Media to Sway the West
• DHS Warns of Data Theft via Chinese-Made Drones
• China’s Great Cannon: The Great Firewall’s More Aggressive Partner
• The Truth About Your Software Supply Chain 

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Phishers’ Latest Tricks for Reeling in New Victims.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/public-exposure-does-little-to-slow-china-based-thrip-apt/d/d-id/1335764?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

An exploit for BlueKeep, a vulnerability in Microsoft’s Remote Desktop Protocol (RDP) that can allow remote code execution, is the subject of the latest pull request of Metasploit, the open source exploit framework widely used by security researchers.

BlueKeep, designated CVE-2019-0708, affects Windows versions from 2000 through Server 2008 R2 and Windows 7. A related vulnerability, DejaBlue, is present in these versions as well as newer Windows versions through Windows 10.

A blog post at Rapid7, the security company that maintains Metasploit in conjunction with the open source community, notes that RDP attacks went up dramatically following the initial BlueKeep release, though the overall level of such activity is below what it initially expected. The company suggests that all organizations with Windows infrastructures make sure their systems are patched to current versions.

The BlueKeep exploit module for Metasploit is available on GitHub.

For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Phishers’ Latest Tricks for Reeling in New Victims.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/new-release-brings-bluekeep-to-metasploit/d/d-id/1335765?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple