Archive for September 1, 2023

INKY Discovers Threat Actors Impersonating PepsiCo To Launch Attacks

Posted in Commentary with tags on September 1, 2023 by itnerd

INKY has published a new Fresh Phish that their analysts recently caught. This phish impersonates PepsiCo and uses a malicious disk image to execute code.

You can read the analysis here:

September Is National Insider Threat Awareness Month

Posted in Commentary on September 1, 2023 by itnerd

Every September, National Insider Threat Awareness Month takes place. Established in 2019 by the United States National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF), the campaign aims to educate government agencies, private sector organizations, and the public on the risks posed by insider threats and to promote the development and implementation of effective Insider Threat Programs. This year, NITAM spotlights “bystander engagement” as its theme, underscoring the vital role individuals play in identifying and responding to concerning behaviors.

I have some commentary from industry experts on National Insider Threat Awareness Month:

Carl D’Halluin, CTO, Datadobi: 

“Insider threats lurk within the very heart of organizations, disguised as trusted employees, partners, or collaborators. These individuals, armed with access privileges, possess the potential to wreak havoc that is often unseen until it’s too late. Their actions can shatter the security foundation of a company, leading to catastrophic data breaches, financial ruin through fraud, and irreparable damage to reputation.

First held in 2019, National Insider Threat Awareness Month (NITAM) is an annual campaign spanning the month of September that reminds us that mitigating insider threats demands a comprehensive strategy encompassing diverse countermeasures. This can entail the enforcement of stringent access controls, leveraging user behavior analytics, and the implementation of data loss prevention solutions, as well as vigilant user activity monitoring, and the fostering of anonymous whistleblower reporting mechanisms. However, to truly take insider threat mitigation to the next level, a solution that empowers organizations to assess, organize, and take action on their data is pivotal.

By proactively assessing data, it allows for the identification of anomalies and vulnerabilities before they escalate into significant risks. The continuous monitoring and analysis of data enable the rapid detection of unusual patterns or behaviors, facilitating timely intervention and mitigation. Moreover, the organized structuring of data enhances visibility, making it easier to pinpoint sensitive information and recognize unauthorized access or movement. When potential threats are identified, the solution enables organizations to take swift and precise actions, such as restricting access, initiating investigations, and/or moving data to another location, minimizing the potential damage. Beyond immediate responses, the solution’s adaptability ensures that countermeasures remain effective in the face of evolving insider tactics. This approach not only reduces the impact of insider threats but also contributes to operational continuity and regulatory compliance. Ultimately, the ability to harness data-driven insights enhances an organization’s proactive stance, equipping it to navigate the intricate landscape of insider threats with vigilance and resilience.”

Steve Santamaria, CEO, Folio Photonics:

“In a world where data fuels progress, the importance of National Insider Threat Awareness Month (NITAM) cannot be overstated. The campaign, which takes place each year in September, highlights the stark reality that employees, strategic partners, and other insiders with authorized access can inadvertently or intentionally inflict significant damage. This threat transcends industries, affecting both government entities and private businesses, as trust and access intersect in today’s interconnected digital landscape.

However, NITAM extends beyond simply shedding light on the issue—it drives us to seek effective mitigations, such as an active archive, which is an advanced technology designed to provide efficient and secure data storage while enabling quick access and retrieval of information. Unlike traditional archival systems that store data in a passive, offline state, an active archive maintains data in a more accessible and readily available form, making it easier to search, retrieve, and analyze. However, within the context of insider threats, an immutable active archive serves as a robust defense due to its unique qualities. By ensuring data immutability, it maintains the integrity of stored information and creates a traceable record of interactions. This traceability acts as a deterrent against malicious insider actions and aids forensic analysis during security breaches. Moreover, its alignment with regulatory compliance standards ensures adherence to legal requirements. Last but not least, real-time monitoring capabilities can further enhance its effectiveness by promptly identifying unauthorized activities. 

In closing, NITAM stands as an annual rallying cry—a time to renew our commitment to cybersecurity and acknowledge that, while trust is invaluable, preparedness is non-negotiable.”

Seth Blank, CTO, Valimail:

“In today’s fast-evolving and intricate digital communication framework, DMARC (Domain-based Message Authentication, Reporting, and Conformance) acts as a pivotal element. It serves as a critical component that prevents external actors from exploiting a trusted name to deceive and mislead. Think of DMARC as the equivalent of a bouncer checking IDs at an exclusive nightclub. Its primary role is to ensure that only authorized individuals—essentially those on the guest list—can gain entry. DMARC’s primary function is to make certain that unauthorized entities are both easily detectable and unable to impersonate your employees or executives, which if left unaddressed can turn an external threat into an internal one.

However, the role of DMARC extends beyond mere prevention. With DMARC enforcement, organizations gain the clarity that their communications are secured from impostors. Yet, this clarity also brings to light another dimension of security – the risks that potentially lurk within the organization itself. While it’s imperative to fortify against external threats, an equally significant aspect of security is the continuous oversight of internal activities and behaviors.

Understanding the intricate interplay between trust, security, and the myriad channels of communication means recognizing the phased nature of protection strategies. Tools like DMARC offer the first line of defense against external hackers and other attackers. However, once these external defenses are robustly established, it becomes critical for organizations to pivot, channel resources, and focus on addressing the subtleties and complexities of internal threats. This sequential layered approach ensures a holistic defense strategy – begin by fortifying against external threats and then work meticulously to foster and maintain a trustworthy internal environment.”
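The comment above rests on the difference between publishing a DMARC record and actually being at enforcement. The added example below (not code from the page or from Valimail) parses a DMARC TXT record and classifies the effective policy for the organizational domain and for its subdomains; the sample records and domain names are constructed, and a real audit would fetch the TXT record at `_dmarc.<domain>` over DNS.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lowercase tag -> value pairs.
    RFC 7489 requires the record to begin with v=DMARC1; anything else is not DMARC."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def enforcement_level(record: str, subdomain: bool = False) -> str:
    """'enforced': every failing message is quarantined or rejected;
    'partial': reject/quarantine applies only to pct% of failing messages;
    'monitor-only': p=none, reports flow but spoofed mail is still delivered."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()   # p is mandatory; a missing p is treated as none
    if subdomain and "sp" in tags:           # sp overrides p for subdomains when present
        policy = tags["sp"].lower()
    pct = int(tags.get("pct", "100"))
    if policy not in ("quarantine", "reject"):
        return "monitor-only"
    return "enforced" if pct >= 100 else "partial"


# Constructed sample records (not from the page or from Valimail).
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.net",
    "example.org": "v=DMARC1; p=quarantine; pct=25; sp=none",
}


def audit(records: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Return (organizational-domain level, subdomain level) for each domain."""
    return {d: (enforcement_level(r), enforcement_level(r, subdomain=True))
            for d, r in records.items()}


if __name__ == "__main__":
    for domain, levels in audit(SAMPLE_RECORDS).items():
        print(f"{domain}: domain={levels[0]} subdomains={levels[1]}")
```

A record like example.org's is the common trap: it looks enforced at a glance, yet only a quarter of failing mail is quarantined and subdomains are not protected at all.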

Earth Estries’ Espionage Campaign Detailed By Trend Micro

Posted in Commentary with tags on September 1, 2023 by itnerd

A new hacking outfit nicknamed Earth Estries has been attributed to a new, ongoing cyber espionage campaign that has been targeting government and technology organizations in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.

Trend Micro discovered the Earth Estries campaign earlier this year and say the operation is working with “high-level resources and functioning with sophisticated skills and experience in cyber espionage and illicit activities.”

  • Uses multiple backdoors and hacking tools to enhance intrusion vectors
  • Observed using PowerShell downgrade attacks to avoid detection from Windows Antimalware Scan Interface’s (AMSI) logging mechanism
  • Uses public services such as Github, Gmail, AnonFiles, and to exchange or transfer commands and stolen data
  • Regularly cleans and redeploys its backdoors on the infected host to reduce the risk of detection
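The PowerShell downgrade technique in the list above leaves two well-known traces for defenders: a powershell.exe command line requesting the version 2 engine, and a Windows PowerShell Event ID 400 whose EngineVersion is 2.x while the host is a newer version. The added example below (not from the page or from Trend Micro's report) runs both checks over constructed sample events; it assumes process-creation logging captures the full command line.

```python
import re
from typing import Iterable

# powershell.exe accepts any prefix of -Version (-v, -ve, ..., -version) followed by 2 or 2.0.
DOWNGRADE_SWITCH = re.compile(
    r"(?i)(?<!\S)-v(?:e(?:r(?:s(?:i(?:o(?:n)?)?)?)?)?)?\s+2(?:\.0)?(?!\S)")
ENGINE_VERSION = re.compile(r"EngineVersion=(\d+)\.(\d+)")
HOST_VERSION = re.compile(r"HostVersion=(\d+)\.(\d+)")


def is_powershell_downgrade_cmdline(cmdline: str) -> bool:
    """Flag powershell.exe invocations that explicitly request the legacy v2 engine."""
    return DOWNGRADE_SWITCH.search(cmdline) is not None


def is_engine_downgrade_event(event_id: int, message: str) -> bool:
    """Flag Windows PowerShell Event ID 400 where a 2.x engine started under a newer host.
    A 2.x engine on a host that is itself 2.x is a genuine legacy box, not a downgrade."""
    if event_id != 400:
        return False
    eng = ENGINE_VERSION.search(message)
    if not eng:
        return False
    host = HOST_VERSION.search(message)
    host_major = int(host.group(1)) if host else None
    return int(eng.group(1)) == 2 and (host_major is None or host_major > 2)


def scan(events: Iterable[dict]) -> list[str]:
    """Return one finding per event that matches either downgrade indicator."""
    hits = []
    for ev in events:
        if ev["source"] == "process" and is_powershell_downgrade_cmdline(ev["cmdline"]):
            hits.append(f"cmdline downgrade: {ev['cmdline']}")
        elif ev["source"] == "pslog" and is_engine_downgrade_event(ev["event_id"], ev["message"]):
            hits.append(f"engine downgrade: {ev['message']}")
    return hits


# Constructed sample events (not real telemetry); commands and paths are placeholders.
SAMPLE_EVENTS = [
    {"source": "process", "cmdline": "powershell.exe -NoProfile -Version 2 -Command Get-Process"},
    {"source": "process", "cmdline": "powershell.exe -v 2.0 -File C:\\scripts\\inventory.ps1"},
    {"source": "process", "cmdline": "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"},
    {"source": "pslog", "event_id": 400, "message": "Engine state is changed from None to Available. Details: HostName=ConsoleHost HostVersion=5.1.19041.1 EngineVersion=2.0"},
    {"source": "pslog", "event_id": 400, "message": "Engine state is changed from None to Available. Details: HostName=ConsoleHost HostVersion=5.1.19041.1 EngineVersion=5.1.19041.1"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The engine-event check matters because a script can also be launched through a host other than powershell.exe, where no command-line switch is visible.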

“By compromising internal servers and valid accounts, the threat actors can perform lateral movement within the victim’s network and carry out their malicious activities covertly,” the researchers said.

“Through the Server Message Block (SMB) and WMI command line (WMIC), the threat actors propagated backdoors and hacking tools in other machines in the victim’s environment. At the end of each round of operations in a series of deployments, they archived the collected data from a specified folder.”

David Mitchell, Chief Technical Officer, HYAS had this comment:

   “Earth Estries is just another in a long line of advanced espionage groups. They appear to fully understand the network defenses and utilize living off the land (LOL) of their targets in order to go undetected. These techniques highlight the critical need to tie together endpoint and network telemetry to provide a more 360 degree view of what is happening on your infrastructure — advanced attackers know that most enterprises are blind to lateral network movement and are capitalizing on it, with ease.”

Threat actors are not just about grabbing data and holding it for ransom. They’re often about grabbing data and selling it. Or giving it to a nation state. Organizations need to factor that in when crafting how they would stop attacks like this from happening.

LockBit Pwns Commission des services electriques de Montréal… But The Victim Isn’t Paying Up

Posted in Commentary with tags on September 1, 2023 by itnerd

On Wednesday, the LockBit ransomware gang took credit for an attack on the Commission des services electriques de Montréal (CSEM) — a 100-year-old municipal organization that manages electrical infrastructure in the city of Montreal.

The LockBit ransomware group has claimed credit (@FalconFeedsio) for an attack on the Montreal electricity supplier Commission des services electriques de Montréal (CSEM).

The organization confirmed the incident, saying it was hit with ransomware on August 3rd but refused to pay the ransom. It contacted authorities and law enforcement in Quebec, began efforts to restore its systems, and says its IT infrastructure has been rebuilt.

“The criminal group at work in this case has made public today some of the stolen data. The CSEM denounces this illegal gesture, while specifying that the data disclosed represents a low risk for both the security of the public and for the operations carried out by the CSEM,” they said.

While public utility companies offer ransomware groups a broad target, it does seem that the attackers have not been doing their homework. The company pointed out: “It should be noted that all CSEM projects are the subject of public documents. Therefore, all these plans – engineering, construction and management – are already publicly available through the official process offices in Quebec.”

Emily Phelps, Director, Cyware had this comment:

   “Public utilities are critical to our day-to-day life, and while this attack acted as more of a warning shot, it reinforces the importance of cyber resilience for business continuity. Ransomware groups leverage their reputations to intimidate targets, and they adapt as security controls mature. Expediting threat intelligence and knowledge sharing can help mitigate the risks for enterprises. The sooner the right people get the right information about a known threat, the sooner they can adapt their defenses accordingly.”

Dave Ratner, CEO, HYAS follows with this:

   “While the risk of data disclosure from this particular attack is low, as the company has pointed out, the attack nevertheless reinforces the need for all critical infrastructure providers to protect themselves.

   “Attackers will continue to develop new ways to infiltrate and evade security systems; the deployment of business and operational resiliency systems, such as Protective DNS and others, is the best way to proactively ensure business continuity.”

I am happy that Commission des services electriques de Montréal didn’t pay the ransom as that only encourages these threat actors. Hopefully they take the money that they saved themselves and invest in better defensive measures so there isn’t a repeat of this.