STE WILLIAMS

Attackers continue to use many of the same phishing techniques as in the past, but, increasingly, the scams are much more targeted and, in some cases, have moved to mobile devices, according to two reports published today.

In its report, messaging-security firm Barracuda Networks found that 83% of targeted phishing attacks, also known as spear-phishing, appear as a message from an administrator at a popular service, asking for the user to log in. The scams use a variety of reasons, from claiming the account has been frozen to asking the user to review a document.

Overall, attackers are moving to spear-phishing attacks because they are relatively low volume and can be sent from popular e-mail services, making it less likely they will be blocked, says Asaf Cidon, vice president of content security at Barracuda.

“Because they are not sending a high volume of attacks — it’s quality and not quantity — and it is usually a human manually sending the e-mail and tailoring it, they can afford to send it from a Gmail account,” he says. “And basically the popular e-mail security services and cloud providers won’t block the e-mail because those services have a high reputation.”

Despite advances in anti-spam systems, fraudulent messages continue to reach end users, aiming to take advantage of nontech-savvy workers to steal their credentials, convince them to pay fake invoices, or convince them that lurid secrets are in criminals’ hands.

While e-mail scams that attempt to fool users into giving up their credentials for popular services are the most numerous, the most costly threat continues to be business e-mail compromise (BEC), where the fraudster attempts to fool an employee into paying a fake invoice. While BEC attacks only make up 6% of all spear-phishing attacks, according to Barracuda, they account for the most losses.

In 2017, for example, more than 15,000 BEC complaints  were filed with the Internet Criminal Complaint Center (IC3), amounting to an adjusted loss of $675 million, according to the center’s annual report. By comparison, ransomware only accounted for $2.3 million in losses in 2017, the latest data available, according to the annual IC3 report.

Reprising the theme of using high-reputation services, more than 60% of BEC attacks come from one of 10 different e-mail service providers, Barracuda’s Cidon says.

“What happened over time is that all these services actually started getting very high sender reputation,” he says. “So, effectively, Gmail and Office 365 treat free e-mail services as very high-reputation sender domains.”

In some cases, attackers have also started moving victims over to text messaging as the primary conduit for the scam, according to the second report from messaging-security firm Agari. In its analysis, the firm described how the attack starts with a purported message from the company CEO asking for the employee’s personal cell to “complete a task for me.” The attacker then moves the discussion to SMS text messaging. 

Rather than aim for high-value accounts, the scam typically focuses on getting the employee to buy gift cards with the corporate credit card, the Agari report states. Gift cards have become a common way for scammers to cash out, with a quarter of fraud ending in payment by gift card, up from 7% in 2015, according to the U.S. Federal Trade Commission.

For victims of BEC scams, text messaging presents additional dangers. The attacker now has the target’s mobile number, which allows them to potentially punish non-compliant victims with spam. Employees need to be trained to recognize such fraud, says Crane Hassold, director of threat research at Agari.

In addition, companies need to have a procedure in place to catch the fraudulent transactions before they occur, he says.

“There needs to be a secondhand verification for that request,” Hassold says. “If someone is asking for a wire transfer, confirm through a second channel.”

Perhaps the easiest way to monetize leaked credentials — no matter what service the username and password originates — is through the increasingly popular sextortion scam. Blackmail, primarily sextortion, accounts for 1 in 10 spear-phishing messages, Barracuda stated in its report. The attackers typically pretend to have access to an online cache of pornography accessed by the target, to have recorded the target watching pornography, or to be a law enforcement agency investing child pornography.

“The fact that, at this point, it is 10% of targeted attacks is surprising,” Barracuda’s Cidon says. “It didn’t exist a few months back, and now it is one of the most popular attacks on e-mail.”

The attacks are likely underreported because of the sensitive nature of the threats, he says. 

The vast majority (88%) of all sextortion e-mail messages used subject lines having to do with a security alert or requesting a password change, Barracuda said. The majority of e-mail messages (60%) used only 30 subject lines.

Messaging attacks will continue to be a major threat for companies because they offer an easy way to gain employee credentials, compared with other cyberattacks based on malware, says Agari’s Hassold. 

“We have seen cyberattacks decrease significantly over the past couple of years compared to social engineering attacks,” he says. “The ROI for social-engineering attacks is much lower. I do not have to stand up that much infrastructure, and I do not need a lot of technical knowledge.”

Related Content:

• Cyber Extortionists Can Earn $360,000 a Year
• Email Bomb Threats Follow Sextortion Playbook
• 6 Tax Season Tips for Security Pros
• New Phishing Campaign Packs Triple Threat
• Cybercriminals Home in on Ultra-High Net Worth Individuals

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/stealing-corporate-funds-still-top-goal-of-messaging-attacks/d/d-id/1334194?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Update 3/19: This article has been updated to reflect the discovery of LockerGoga ransomware in the Norsk Hydro attack.

Norsk Hydro, a major Norwegian aluminum producer, was hit with a ransomware attack that started Monday evening and worsened overnight, affecting IT systems for operations in Europe and the United States.

The attack was first detected around midnight Norwegian time on Monday, when IT experts noticed unusual activity on servers across global IT systems, said CFO Eivind Kallevik in a webcast briefing. It recognized Hydro was subject to “a serious cyberattack,” which the company took measures to contain and neutralize as it spread. Hydro determined it was a ransomware attack.

Norsk has shut down multiple metal extrusion plants, which turn aluminum ingots into parts for auto manufacturers and other firms. It has isolated all plants and operations from its global network and is switching to manual procedures for some operations, Kallevik said. This includes potlines, which process molten aluminum and must always be running, Bloomberg noted. Norsk’s giant smelters in Norway, Qatar, and Brazil have also switched to manual operations.

Kallevik called the incident “quite severe,” noting the company’s entire worldwide network is down. Primary plants in Norway are running as normal with a somewhat higher degree of manual operations. There is no indication primary plants outside Norway have been hit, he continued, but global products are having difficulty connecting to production systems, which is causing production challenges and temporary stoppages at some plants.

“[Our] main priority now is to ensure safe operations and limit the operational and financial impact,” he explained. The day following the attack was spent isolating plants to ensure the virus didn’t spread from one location to another. Kallevik said the company has good backup data, which will be its main strategy for restoring operations back to normal.

The Norsk cyberattack had a slight effect on the price of aluminum, which went up 1.2% to hit a three-month high of $1,944 per ton in early trade on the London Metal Exchange, Reuters reports.

Update: a spokesman for the Norwegian National Security Authority has confirmed to Reuters that Norsk was exposed to LockerGoga ransomware. This is the same ransomware CrowdStrike Intelligence asserts was involved with the infection of Altran, a French engineering company, in January of this year, says Adam Meyers, CrowdStrike vice president of intelligence.

“While details of the Norsk Hydro incident are still developing, CrowdStrike Intelligence has been able to identify a new sample of the LockerGoga ransomware that was uploaded to a public malware repository in two ZIP files from an IP address based in Oslo, Norway,” Meyers says.

Read more details here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/iot/norsk-hydro-shuts-plants-amid-ransomware-attack/d/d-id/1334195?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

When the Equifax breach — one of the largest breaches of all time — went public nearly a year-and-a-half ago, it was widely assumed that the data had been stolen for nefarious financial purposes. But as the resulting frenzy of consumer credit freezes and monitoring programs spread, investigators who were tracking the breach behind the scenes made an interesting discovery.

The data had up and vanished.

This was surprising because if the data had, in fact, been stolen with the ultimate goal of committing financial fraud, experts would have expected it to be sold on the Dark Web. At the very least, they would have expected to see a wave of fraudulent credit transactions.

Nada.

CNBC recently published an article that takes an in-depth look at what exactly happened to the credit, Social Security, and other sensitive data of 143 million people after it was stolen. The deeper the threat hunters have gone down the rabbit hole of this story, the more convinced they have become that the motive was actually even more sinister than pure financial gain.

In essence, security experts most familiar with this breach believe that a nation-state — likely China or Russia — stole the data in order to suss out current spies and pick out potential targets they could recruit as spies.

It’s the latter part that should concern organizations in the US and beyond. While the complex spy scheme sounds like something out of a movie, it actually has serious, real-world implications.

The Rise of State-Sponsored Threats 
State-sponsored threats are increasingly one of the biggest threats to information assets across the globe. Threat actors are increasingly targeting businesses, universities, and other organizations with powerful and sophisticated trade-craft techniques designed to steal confidential information that can result in massive data and revenue loss.

People have many different motives to spy on behalf of a foreign government. The vast majority of nefarious insiders are acting on financial greed, but other motivations include, anger, ideology, patriotism, and organizational conflicts. The news has been flooded about employees convicted for working on behalf of a foreign government. Most recently, Chinese-born scientist You Xiaorong was accused of using her employment at Coca-Cola to steal trade secrets, with the intent to set up a competing venture in China and win a reward from a Chinese government-backed program. Apple also has come under fire, with two employees charged with stealing self-driving car project secrets in the past year.

Power-hungry executives are a major target for state-sponsored recuitment, along with those who may be suffering from financial problems. These executives can be lured into revealing secrets in return for money or power – from credentials to highly confidential documents and trade secrets. If nation-state spies have enough information to identify potential financial instability, they can determine the best targets to identify as spies, especially individuals they can convert for monetary gain.  

Are There Spies in Your Organization?  
As more employees become the targets for spy recruitment, it is more important than ever for businesses to quickly defend themselves before it is too late.

However, the reality is that most organizations do not have much visibility into what their employees and other insiders are doing with valuable company data. One study found that 42% of organizations rely on server logs to detect threats. These are very difficult to parse and rarely provide sufficient context to indicate that an employee may be conducting nefarious activity. The study also found only about a quarter of organizations are using keylogging or session recording, while 8% admit they have zero visibility whatsoever into all employee activity.

These gaps can leave organizations open to some major risks. Criminal insider incidents can have serious financial repercussions – to the tune of an average annualized cost of $2.99 million, according to a recent Ponemon report. Many organizations simply can’t recover from the financial loss and reputational damage that an insider incident can bring.

Security teams’ lack of visibility into insiders’ actions also poses a massive security risk to organizations. With the Equifax breach’s true implications becoming increasingly clear, it has never been more important to understand what actions users are taking related to sensitive corporate data and systems. In particular, organizations should aim to gain visibility into all employee activities, especially when they are related to:

• Unauthorized cloud storage or large file-sending sites
• Disposable or temporary email clients
• USB storage devices and other removable media
• Copy/pasting, cut/copying, and large print jobs

These are just a few examples of user activities that, when put into context with the specific types of data in play and other factors, can shed valuable light on potential malicious employee activity.

Given the likelihood that we will see some major spy-recruitment efforts take place over the coming years, any business that stores or handles sensitive data should have full visibility into exactly how all employees are using organizational data. It might sound like the plot for a good movie, but when it’s valuable company or customer data on the line, the ending could be very unpleasant.

Related Content:

• The Equifax Breach One Year Later: 6 Action Items for Security Pros
• Ex-US Intel Officer Charged with Helping Iran Target Her Former Colleagues
• Spies Among Us: Tracking, IoT the Truly Inside Threat
• GAO Says Equifax Missed Flaws, Intrusion in Massive Breach

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Mike McKee brings 20-plus years of cross-functional, global experience in technology to ObserveIT. Previously, he led the award-winning Global Services and Customer Success organizations at Rapid7, served as senior vice president, CAD Operations and Strategy, … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/the-case-of-the-missing-data/a/d-id/1334181?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Image Source: Pixabay

The automation, stability of infrastructure, and inherent traceability of DevOps tools and processes offer a ton of security and compliance upsides for mature DevOps organizations.

According to a new survey of over 5,500 IT practitioners around the world, conducted by Sonatype, “elite” DevOps organizations with mature practices, such as continuous integration and continuous delivery of software, are most likely to fold security into their processes and tooling for a true DevSecOps approach.

Throughout the “DevSecOps Community Survey 2019,” responses show that mature DevOps organizations have an increasing awareness of the importance of security in rapid delivery of software and the advantages that DevOps affords them in getting security integrated into their software development life cycle.

“The incorporation of security as part of the product development cycle is key,” said Ariel Kirshbom of Ernst Young, in response to one question about why DevSecOps is important to her organization. “To really embrace DevOps, security needs to be seamlessly integrated to the software development life cycle.”

Most importantly, the study offers concrete statistical evidence that DevOps organizations are doing better in key areas including automating security functions, tracking components and changes for compliance purposes. They are also making faster headway on securing emerging infrastructure technologies like containers and container orchestration. Read on for more about why they excel.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Article source: https://www.darkreading.com/application-security/6-ways-mature-devops-teams-are-killing-it-in-security/d/d-id/1334182?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple