
MIS 5211.702 ■ Fall 2020 ■ Wade Mackey

News – How much phishing is too much phishing?

October 19, 2020 by Akshay Shendarkar

A review of the Phishing attacks for the Year 2020 has been summarized below:
A report by Interisle Consulting Group and Illumintel states some major facts about the phishing landscape in 2020.
First off, the exact size of the phishing problem remains unknown. However, the problem is bigger than it seems.
Most phishing is focused on a small number of domain registrars and registries and hosting providers.
Of all the maliciously registered domains, 65% are used within 5 days of registration.
Around 9% of phishing attacks are conducted on a small number of subdomain service providers.

The amount of phishing attacks discovered every year continues to increase. It takes advantage of our cognitive biases and fools us into giving away our details. When these biases are combined with clever tactics used by cybercriminals, the attacks become even more effective.

Reference: https://cyware.com/news/how-much-phishing-is-too-much-phishing-6de63298

Week 9 - Readings Summary

October 19, 2020 by Akshay Shendarkar

This week’s reading article introduced us to the world of malware. The article provided a fundamental definition of malware as well as provided brief definitions of the types of malware.
It was interesting to read how the malware propagates through systems once they are infected. The article also provided a history of malware in computer systems and concluded with a methodology of six basic steps which constitute a malware response plan.

Question:
What skills are needed for writing malware?

Week #8 Reading Discussions: Malware

October 19, 2020 by Mei X Wang

Malware

  • Described as malicious software intentionally designed to cause damage to a computer, server, client, or computer network. (ex. computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware)
  • Detect/remove malware: Windows Defender/Malwarebytes
  • The term was coined by Yisrael Radai in 1990
    • first-known malware is Creeper: moved around different mainframes with a message that said “I’m the creeper: Catch me if you can.”
  • PUP (Potentially unwanted software): tricks users into installing into their systems through browser toolbars
    • can contain spyware functionality… not normally considered malware unless it executes malicious features.

Questions:

  1. Have you ever encountered a malware attack? How and why?
  2. What can be used to defend against a malware attack?

Week #8: In the News

October 19, 2020 by Mei X Wang

Many Apple users also use the navigation software app called Waze. Security engineer Peter Gasper found out when he was using the app’s web interface that it doesn’t just display his coordinates, it also displays the coordinates of the drivers nearby. Each driver/account is assigned a unique ID and it doesn’t change over time. This means that if someone with malicious intent were to track a driver, they can also track the driver’s complete journey, what cities they go through, and their stops. This is incredibly dangerous because if there were any human trafficking/kidnappings to occur, the trafficker could’ve used Waze’s vulnerability to locate their target. This vulnerability has been patched since then, but it’s interesting to think how as much as technology helps us, it can also make the world a more dangerous place.

https://www.infosecurity-magazine.com/news/waze-vulnerability-identifies-users/

Wk #7: Reading Discussion

October 12, 2020 by Mei X Wang

Social Engineering:

  • Human behavior of social engineering (attack vs. attacker): Financial gain, self-interest, Revenge, external pressures
    • Reverse social engineering: enticed to ask the aggressor for help (through tricking them), aggressor offers help just to make sure the victim remains unsuspicious while the attacker probes more
  • Counter-measures: creating controls (training/policies/security/management/…)
    • Perform regular reviews that the controls are working as created.
    • Simulate an attack (hire pen testing specialists)

Question for the class:

  1. Have you ever been a victim of social engineering?
  2. What’s one physical control that can be used to mitigate chances of a social engineering attack?

In the News: Attackers Chaining Zerologon with VPN Exploits

October 12, 2020 by Mei X Wang

A newly discovered APT attack has been combining VPN exploits with the Zerologon bug. It has been considered a serious threat because the vulnerabilities are exploited to gain access to networks. The aftermath of the attacks is still being observed but the bug is first gaining initial access to Active Directory. Then, using the stolen legitimate credentials, they’re able to connect to virtual environments through RDP and VPN. There are talks that this might have some influence over the upcoming election; many government/non-government agencies are being attacked. Tracked activity of the bug shows that they target multiple sectors, not just SLTT entities. CISA and the FBI are finding mitigation techniques and pushing out best practices to decrease the risk of an attack.

https://www.infosecurity-magazine.com/news/attackers-chaining-zerologon-with/

News article – Tyler Technologies pays ransom to obtain decryption keys!

October 12, 2020 by Akshay Shendarkar

Tyler Technologies, Inc. is the largest provider of software to the United States public sector.
On September 23rd, Tyler Technologies announced they had suffered a ransomware attack and its customers reported finding suspicious logins and previously unseen remote access tools on their networks.
It was reported that hackers breached the internal network of the company and deployed the malware.
Security researchers have speculated that Tyler Technologies was exposed to ‘The RansomEXX’, which is a human-operated ransomware; this means that attackers manually infected the systems after gaining access to the target network.
According to BleepingComputer, which cited a source informed on the event, Tyler Technologies paid a ransom of an unspecified amount to receive the decryption key and recover encrypted files.
It is speculated that the senior management of Tyler Technologies reluctantly paid the unspecified ransom as many school districts, court systems, and local and state governments in the United States use Tyler Technologies software.

References: https://securityaffairs.co/wordpress/109334/cyber-crime/tyler-technologies-paid-ransom.html

In the News: Ransomware Disrupts COVID-19 Medical Trials

October 5, 2020 by Mei X Wang

On September 20, eResearch Technology (ERT) was attacked. This company specializes in clinical services; they collect, analyze, and distribute electronic patient-reported outcomes. Many companies were using this technology to track clinical trials on Covid-19 treatments. Due to the attack, the researchers had to revert to pen and paper to track the outcomes, which caused delays in trials conducted. Other healthcare companies affected by ransomware attacks are IQVIA (hired to assist AstraZeneca’s COVID Vaccine Trials) and Bristol-Myers Squibb (Drug manufacturers). Since then, the company has taken its systems offline and the incident has been reported to the FBI. However, the perpetrators have not even been linked yet, and there isn’t conclusive information about whether or not the ransom was met, or how much they asked for.

https://www.infosecurity-magazine.com/news/ransomware-disrupts-covid19/

Week 6 In the News: New ransomware vaccine kills programs wiping Windows shadow volumes

October 5, 2020 by Anthony Messina

A new type of vaccine has been created to help defend against ransomware called raccine.exe. The program will not stop ransomware from being installed on a PC, but it can help with the recovery process. This vaccine will terminate any processes that try to delete the shadow copies volume on a Windows machine. Windows creates daily backups of your system and data files (when activated) and stores them as snapshots in Shadow Volume Copy. These snapshots are useful for recovering files if they are accidentally changed or deleted.

Many ransomware programs do not want their victims to use this feature as it can aid them in recovering their files for free. One of the first things most ransomware programs do is to delete all Shadow Volume copies on the computer. This is generally executed by the command “vssadmin delete shadows /all /quiet.” The new vaccine is an executable that is a debugger for vssadmin.exe. Anytime vssadmin is executed on a computer, raccine.exe will launch as well and check to see if vssadmin is trying to delete shadow copies and terminate the process.

https://www.bleepingcomputer.com/news/security/new-ransomware-vaccine-kills-programs-wiping-windows-shadow-volumes/
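
The command-line check described in the post above can also be run over process-creation logs for detection. This is an added example, not part of the original post and not Raccine's own code; the event fields `pid` and `cmdline` and all sample events are constructed for illustration.

```python
import ntpath

VSSADMIN_NAMES = {"vssadmin", "vssadmin.exe"}


def is_shadow_delete(cmdline):
    """Return True if the command line runs vssadmin with 'delete shadows'."""
    # Assumption: double quotes can be dropped before splitting, because the
    # vssadmin path has no spaces; this also unwraps cmd.exe /c "..." wrappers.
    tokens = cmdline.replace('"', " ").lower().split()
    for i, tok in enumerate(tokens):
        # ntpath handles Windows paths on any OS the analysis runs on.
        if ntpath.basename(tok) in VSSADMIN_NAMES:
            args = tokens[i + 1:]
            return "delete" in args and "shadows" in args
    return False


def flag_events(events):
    """Return the pids of events whose command line deletes shadow copies."""
    return [e["pid"] for e in events if is_shadow_delete(e["cmdline"])]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r"vssadmin list shadows"},
    {"pid": 4188, "cmdline": r"vssadmin delete shadows /all /quiet"},
    {"pid": 5012,
     "cmdline": r'"C:\Windows\System32\VSSADMIN.EXE" Delete Shadows /All /Quiet'},
    {"pid": 5100,
     "cmdline": r'cmd.exe /c "vssadmin.exe delete shadows /all /quiet"'},
    {"pid": 5230, "cmdline": r"notepad.exe C:\Users\a\shadows.txt"},
]

if __name__ == "__main__":
    for pid in flag_events(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: shadow copy deletion via vssadmin")
```
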

Facebook Grant Scam

October 5, 2020 by Akshay Shendarkar

Cyber criminals are exploiting Facebook’s offering of $100 million in cash grants to businesses affected by the coronavirus pandemic.
Potential victims see an article seemingly from CNBC, a world leader in business news with a monthly audience in the hundreds of millions, saying Facebook is giving grants to users hit by COVID-19 and including a link to apply for a grant. The grammar should give away the game, and the URL, which does not start with cnbc.com, is another suspicious element.
Those who turn a blind eye to the clumsy English and wrong URL are taken to another portal that bears more than a striking resemblance to the official site of Mercy Corps, a charity that helps victims of natural disasters and armed conflicts. However, the only topic on this one is Facebook grants, and the victim is asked to specify how many years they have been a user of the social network. Victims are asked for their Facebook username and password credentials which go straight to the cybercriminals. Then, to accept the application, the site requires a lot more information, supposedly to verify your account: your address, social security number (for US citizens), and even a scan of both sides of your ID. No fields can be left blank, and the site diligently prompts you about any omissions.

Reference: https://www.kaspersky.com/blog/facebook-grants/37181/?web_view=true
