As 2019 draws to a close, you may be tempted to relax and enjoy the holidays. However, before you do so, let’s make sure you’re keeping up with the new wave of evolved attacks and vulnerabilities.
Sometimes, evolution does not involve a novel attack, but instead, a new way to use an old attack.
Last month, Microsoft discussed the Iranian hacker group APT33 and its attempts to use password spraying attacks against US targets. A password spray is an attack that tries a few commonly used passwords against a large number of usernames, rather than many passwords against a single account, in order to gain a foothold in the target's infrastructure.
To detect such an attack against your organization, check for a spike in failed logins against web-based applications or the enterprise SSO portal. Note that APT33 appears to try just one password per user at a time and then cycle through a long list of usernames. This strategy stays below the account-lockout threshold, which is only triggered by repeated incorrect attempts against one account in a short time frame, so lockout alerts alone will not catch it.
If you find a large number of accounts that each show a single failed attempt, especially from the same small set of source addresses, your organization should take action: check whether any login from those sources succeeded, force a password change for the targeted accounts, or refer to our previous post on improving password security.
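The detection logic described above, written out as an added example (this is illustrative code, not something from Microsoft's report or from our own tooling). It groups failed logins by source address, slides a time window over them, and tells a spray (many distinct users, one or two failures each) apart from a brute force (one user, many failures); it then lists any account that logged in successfully from a spraying source once the spray had begun. The log format, the field names and the thresholds are assumptions; the log lines are constructed, not real traffic.

```python
"""Triage authentication logs for password spraying.

A spray tries one or two passwords against many accounts, so per source
address you see many distinct users with one failure each; a brute force
shows one user with many failures. A success from the same source during
or after the spray is the account to investigate first.
"""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts result user src")

# Constructed sample log lines, not real traffic. Assumed format:
#   <ISO-8601 timestamp> <OK|FAIL> user=<name> src=<ip>
# Adapt parse() to your SSO or web-application log format.
SAMPLE_LOG = """\
2019-12-20T03:00:01 FAIL user=alice src=203.0.113.7
2019-12-20T03:00:03 FAIL user=bob src=203.0.113.7
2019-12-20T03:00:05 FAIL user=carol src=203.0.113.7
2019-12-20T03:00:07 FAIL user=dave src=203.0.113.7
2019-12-20T03:00:09 FAIL user=erin src=203.0.113.7
2019-12-20T03:00:11 OK user=frank src=203.0.113.7
2019-12-20T03:05:00 FAIL user=alice src=198.51.100.9
2019-12-20T03:05:02 FAIL user=alice src=198.51.100.9
2019-12-20T03:05:04 FAIL user=alice src=198.51.100.9
2019-12-20T03:05:06 FAIL user=alice src=198.51.100.9
2019-12-20T09:12:00 FAIL user=bob src=192.0.2.44
2019-12-20T09:12:30 OK user=bob src=192.0.2.44
"""


def parse(line):
    """Turn one log line into an Event."""
    ts, result, user_kv, src_kv = line.split()
    return Event(datetime.fromisoformat(ts), result,
                 user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def classify_sources(log_text, window=timedelta(minutes=30),
                     min_users=5, spray_max_per_user=2, brute_min=4):
    """Return {src: finding}; finding['verdict'] is one of
    'spray_then_success', 'spray', 'brute_force' or 'normal'.
    The thresholds are assumptions; tune them against your own baseline."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            by_src[ev.src].append(ev)

    report = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        fails = [e for e in events if e.result == "FAIL"]
        best_users, best_per_user, best_start = set(), 0, None
        brute_peak = 0  # most failures against one account in any window
        j = 0
        # Slide a time window over this source's failures; keep the window
        # that touches the most distinct accounts.
        for i, first in enumerate(fails):
            while j < len(fails) and fails[j].ts - first.ts <= window:
                j += 1
            per_user = Counter(e.user for e in fails[i:j])
            if len(per_user) > len(best_users):
                best_users = set(per_user)
                best_per_user = max(per_user.values())
                best_start = first.ts
            brute_peak = max(brute_peak, max(per_user.values()))

        verdict, suspects = "normal", []
        if len(best_users) >= min_users and best_per_user <= spray_max_per_user:
            verdict = "spray"
            # Any login that succeeded from the spraying source once the
            # spray had begun is a candidate compromised account.
            suspects = sorted({e.user for e in events
                               if e.result == "OK" and e.ts >= best_start})
            if suspects:
                verdict = "spray_then_success"
        elif brute_peak >= brute_min:
            verdict = "brute_force"

        report[src] = {"verdict": verdict,
                       "distinct_users": len(best_users),
                       "max_failures_per_user": best_per_user,
                       "suspect_accounts": suspects}
    return report


if __name__ == "__main__":
    for src, finding in classify_sources(SAMPLE_LOG).items():
        print(src, finding)
```

On the constructed sample, 203.0.113.7 is reported as a spray with frank as the account to investigate, 198.51.100.9 as a brute force against alice, and 192.0.2.44 as a normal user who mistyped once. A slow spray of the kind described above will not fit in a thirty-minute window; rerun with a wider one (for example `window=timedelta(days=1)`) and lower `min_users` to match your account population.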
The Evolution of These Cyber Attacks
Since a password spray attack is a classic method, how is this an evolution? It’s an evolution because of sheer scale and the specific targets.
APT33 narrowed its spraying to roughly 2,000 targets per month, aimed primarily at industrial equipment and software firms. Investigators worry this is the first step in a multi-tiered attack to gain access to infrastructure suppliers and their customer lists.
The NotPetya attacks, which originated in Ukraine, demonstrated how quickly a compromised supplier update can cripple its victims. Maersk admitted that, within seven minutes, its entire IT infrastructure was shut down worldwide! If APT33 can launch a similar attack on U.S. infrastructure, how much damage could it do?
NotPetya was a reminder that not all software should be allowed to update automatically. It is standard advice that every update should first be applied to a test system before it is deployed to the rest of the company, but smaller companies often lack the resources to do such testing.
Of course, there are also frequent reminders that we should patch as quickly as possible. In November, DarkReading offered a reminder to patch Oracle's E-Business Suite. Although the patches have been available since April, accounting departments often resist the downtime needed to apply them.
If your accounting department has joined that resistance, be sure to help your team understand how attackers can exploit the unpatched system to bypass the approvals process, add suppliers, add bank accounts, and issue payments to their fake supplier!
These flaws are in Oracle's Thin Client Framework, which is installed by default on E-Business Suite systems. The exposure is estimated to be as high as 21,000 companies, and an undetected attack could result in a complete takeover of the Oracle system.
Not everyone sees vulnerabilities as evolution, but the exposure of flaws certainly begins a cycle of evolution as attackers begin working on ways to exploit them. Unfortunately, not all suppliers take an active position to fix their flaws.
D-Link now has a confirmed list of 13 models vulnerable to a remote code execution flaw, but D-Link does not intend to issue a patch because the affected models have reached end of life. D-Link notes that "turning off the remote management function of the [affected] routers and [resetting] the routers with complicated passwords" should mitigate the attacks.
However, a series of vulnerabilities in D-Link routers has been revealed over the past few years, and D-Link seems either unable or unwilling to provide fixes. Your organization may need to inventory its infrastructure to determine whether any routers should be replaced to avoid exposing vulnerabilities that are already known to attackers.
Criminals & Bluetooth Devices
Not all vulnerabilities come from security flaws, though. Some vulnerabilities arise when attackers make novel use of intended features.
Do your users shut down their laptops completely before travel, or do they use sleep mode? Burglars are believed to be using Bluetooth scanners to locate valuables that are otherwise hidden in locked cars.
Bluetooth scanners are easily available, and can be installed on phones. The scanners reveal which types of devices they pick up, and other details, such as the distance between them and the Bluetooth enabled device.
Sure, that’s more about losses related to cars, but it is very easy to imagine how such a scanner may be used to target unwary travelers in airports, inattentive bar patrons, devices left in hotel rooms, and even offices.
If you want to try this for yourself, download a 'find lost device' app of the kind used to locate misplaced Fitbits and other peripherals. Then, take a stroll through your office building or parking lot and see how many devices announce themselves.
The usual recommendation is not to leave any valuables unattended. However, if you must do so, shut those laptops down completely rather than putting them to sleep.
Some users put smartphones and tablets in airplane mode, but that does not always stop them from broadcasting for Bluetooth pairing, so a full power-off is preferred. Peripherals such as wireless earphones should also be turned off. After all, if the wireless earbuds are broadcasting, a thief can assume the device they pair with is nearby as well.
Of course, we also need to prepare for some novel advancements in malware.
Earlier this month, the Paul's Security Weekly podcast covered some new techniques observed by Eric Brown, senior security analyst at LogRhythm. Attackers understand that mail gateways and antivirus scan attachments for malware.
To avoid this scan, attackers have begun to send phishing emails that place the malware (or a document containing links to the malware) on a well-known file sharing site (Box.com, Dropbox, Google Drive, etc.), and then send a phish with a legitimate-looking link to that site.
Bleeping Computer shows an example of how this works in its coverage of new methods used by the TrickBot Trojan (which we covered several weeks ago). Since then, the malware's operators have decided to take advantage of the season by sending phishing emails with links to documents that supposedly detail a potential annual bonus.
Since there is no malicious attachment and the link points to a familiar, trusted domain rather than an obviously suspicious one, this phishing campaign avoids many of the clues that phishing training has taught us to watch for. The offer of a potential annual bonus is compelling bait that many employees will be unable to resist. It joins a list of other apparently irresistible lures, such as sexual harassment complaints and McDonald's advertising.
Fortunately, Microsoft has been working to help organizations protect themselves from phishing campaigns. A new feature in Office 365 Advanced Threat Protection can be enabled to correlate mail across the organization's user accounts and detect the telltale flurry of messages that makes up a phishing campaign. With this data, corporations can warn employees, or even use the list of recipients as a starting point to investigate endpoints for potential infection.
The Right Support
Cyber attack evolution protection involves monitoring all systems and protecting corporate IT in a continuously shifting environment. That’s a 24/7/365 job.
We’ll help improve your security profile and test its effectiveness with red teaming to make sure your data and your organization remain safe. Your evolution will always be ahead of cyber criminals.
It’s time to maximize your return on IT!
For a risk-free demonstration, contact us today by completing the form below, or by calling us at 412-349-6680.
If you’ve been actively breached, and you need immediate support, call our incident response team at 412-349-6678.
Building networks and partnerships, we are on your side.