When companies get hacked, word spreads quickly.
Attackers add new techniques all the time, and they often tailor their attacks to newly discovered vulnerabilities in order to gain an advantage over other attackers. That’s just one reason you’ll want to keep an eye on these attacks.
By studying the hacked companies, you’ll learn about newly exploited vulnerabilities and techniques. The knowledge gained might just keep you from suffering a similar fate.
Even if you’re using managed security services, studying from others can help your organization to take precautions that will decrease the number of incidents.
New Phishing Attacks
A single phishing attack can cause major problems, even if you’re a billion-dollar government contractor.
Adding to the trouble, some very effective malware, such as Emotet, is now sold as a service. In that case, the attackers using it don’t even need to be tech-savvy.
Since July, Emotet has triggered over 16,000 activity alerts from state and local governments that report to the Cybersecurity and Infrastructure Security Agency. The malware sends roughly 500,000 emails every weekday. What’s worse is that more recent themes have focused on politics (Team Blue Take Action, etc.) to capitalize on the election cycle.
Of course, Emotet doesn’t have a monopoly on creativity.
Plenty of other phishing attacks display themselves as government agencies (FINRA, Texas Department of Health and Human Services, etc.), or even as phishing attack training reminders.
File-Less Cyber Attacks
When cyber security teams monitor organizations, they constantly scan for signs of an attack.
Unfortunately, some new attacks use novel, difficult-to-detect techniques. In September, an unidentified hacking group used spear phishing campaigns — email or electronic communication scams — to deliver a malicious zip file. That file is sophisticated enough to check for signs of a malware researcher (sandboxing, virtual machines, etc.) prior to executing.
If no virtual environment is found, the malware delivers a .NET payload directly into Windows memory by way of the Windows Error Service, so that no file is stored on the computer’s disk.
This hacking style obscures the source of an attack, which makes finding the entry point extremely difficult. However, the subsequent actions by the hackers can create traces that security monitors can eventually detect.
That said, one new Office 365 attack doesn’t use malware. Over two months, an attacker used compromised email addresses to execute a scam to steal $15 million that relied entirely upon copycat domains and built-in Office 365 features.
The attackers used forwarding rules, created hidden folders, and carefully timed their insertion into a negotiation to take possession of the bank wire transfer.
While this attack cannot be easily detected, relatively simple precautions can be taken in advance to prevent it: two-factor authentication, enforced Office 365 password updates, blocking email auto-forwarding, monitoring for hidden folders in inboxes, and blocking legacy email protocols (which can bypass multi-factor authentication).
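The following Exchange Online PowerShell session is an added example (not code from the original article or from Ideal Integrations) showing how an administrator can audit for and apply the Office 365 precautions listed above: it looks for mailbox-level forwarding and inbox rules that forward, redirect or silently delete mail, lists mailbox folders so unexpected ones stand out, turns off external auto-forwarding tenant-wide, and blocks legacy (basic) authentication protocols. It assumes the ExchangeOnlineManagement module is installed and the operator holds Exchange Administrator rights; the mailbox address and policy name are placeholders. Enforcing multi-factor authentication and password updates is done in Azure AD (conditional access and password policy) rather than in Exchange, so those steps are not shown here.

```powershell
# Added example: Exchange Online checks for the Office 365 precautions above.
# Assumes the ExchangeOnlineManagement module and Exchange Administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Mailboxes with mailbox-level forwarding configured (internal or SMTP).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect, or delete mail; these are the rules
#    an intruder uses to watch a negotiation and hide replies from the owner.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, MoveToFolder, DeleteMessage
}

# 3. Folder inventory for one mailbox (placeholder address); review for folders
#    the user did not create, e.g. ones that rules above move mail into.
Get-MailboxFolderStatistics -Identity "user@example.com" |
    Select-Object FolderPath, ItemsInFolder, FolderSize

# 4. Block automatic forwarding to external domains for the whole tenant.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 5. Block legacy protocols that use basic authentication (POP, IMAP, SMTP AUTH,
#    ActiveSync, etc.). A new authentication policy blocks basic auth for all
#    protocols unless an -AllowBasicAuth* switch is given; make it the default.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

Disconnect-ExchangeOnline -Confirm:$false
```

Steps 1 to 3 are read-only and can be run on a schedule and diffed against the previous run; a new forwarding rule or an unfamiliar folder appearing between runs is exactly the trace this kind of attack leaves. Steps 4 and 5 change tenant configuration, so confirm no legitimate workflow depends on external forwarding or basic-auth clients before applying them.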
Hackers & Ransomware Developments
The most newsworthy development regarding ransomware comes from the U.S. Treasury Department.
Officials recently warned that organizations that pay off ransomware attackers may also risk fines and penalties of up to $20 million.
The Treasury Department’s Office of Foreign Assets Control (OFAC) enforces sanctions against terrorists, foreign governments and criminal organizations, including North Korea’s Lazarus Group and the Iranians tied to the SamSam attacks.
This warning declares that penalties will apply to victims who knowingly or unknowingly support these organizations – as well as the cyber insurance firms, financial institutions, and cybersecurity firms that facilitate the payment.
The U.S. government appears to be trying to further discourage funding the gangs that drove a 98% increase in U.S. ransomware attacks between the second and third quarters of 2020. Meanwhile, the ransomware gangs continue to specialize and add new wrinkles to their attacks.
The new Egregor ransomware team adopted the standard 3-day grace period before leaking files to the public. What makes them notable is that if a company pays, they will also receive security recommendations along with their decryption keys.
The AgeLocker ransomware, first detected in July 2020, attacks a very specific niche: QNAP Network Attached Storage (NAS) devices. Those devices had already been under attack by the eCh0raix ransomware. However, the steps that prevent the older ransomware attack may not be sufficient to prevent an AgeLocker attack.
Stay Ahead of Cyber Attacks
At Ideal Integrations and Blue Bastion, we continuously study attacker behavior. We monitor techniques, and create new methods to counter them.
However, if we haven’t been informed or permitted to monitor a system, we can’t apply our expertise to it. If your organization has added NAS devices, or needs assistance setting up additional security for Office 365, complete the form below or call us today at 412-349-6680 to leverage our expertise against possible vulnerabilities.