National Human Rights Commission (NHRC) chairperson Justice (Retd) Arun Kumar Mishra on Thursday called for a stringent law to deal with "unlawful Internet behaviour and cyber crimes."
He was speaking after the inauguration of the 25th All India Forensic Science Conference at the National Forensic Sciences University in Gandhinagar. "It is necessary to promote cyber ethics. And there should be stringent legislation by the government to penalise and punish unlawful Internet behaviour and cyber crimes," the former Supreme Court judge said. Many countries have amended their laws "specifically to deal with cyber crimes along with the advent of newer kinds of crimes," he said.

Freedom of expression applicable to "social media and cyber space" is not "larger" than what is granted to individuals or the media, Mishra said. "Freedom of expression under Article 19 of the Constitution given to the media or individuals is the same as that given to the social media or the cyberspace, it is not larger than that… So there should be stringent legislation to deal with cyber crime. We need to deal with misuse very sternly," he said.

Cyberspace was being used for infringing civil and human rights and violating individual privacy, the former judge added. "Cyber space is causing breach of privacy of online personalities and infringing the right to live with dignity. Cyber security is the key to fight cyber crime and preservation of human rights. Global studies indicate India is third in cyber threats and second in targeted attacks," he said.

(Only the headline and picture of this report may have been reworked by the Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)

First Published: Thu, February 02 2023. 21:00 IST
By Rana Tayseer – Feb 01, 2023 – Last updated at Feb 01, 2023

AMMAN — Parental awareness along with strict government policies hold the key to preventing children from falling prey to cybercrimes, say experts.

The Cybercrime Unit of the Public Security Directorate on Tuesday said that cybercrimes have increased six-fold since 2015, attributing the surge to the widespread use of technology, smartphone applications and social media.

Hussam Khattab, a cybersecurity expert, highlighted the need for comprehensive awareness inclusive of all age groups. “Parents must play an important role in monitoring children, their behaviour and the sites they use. There are options to protect children from cybercrimes and parents can download apps that are made only for children,” Khattab told The Jordan Times.

Tareq Al Qudah, a lawyer and cybersecurity expert, stressed the need for deterrent punishment for perpetrators of cybercrimes. “If the judiciary keeps applying the minimum punishment, people will keep committing cybercrimes,” Qudah told The Jordan Times. “Children must be taught how to deal with the digital world and how to protect themselves,” he added.

In its report, the Cybercrime Unit said that due to a growing understanding of rights and the ability to litigate, the number of registered crimes increased, as victims are encouraged to file legal complaints. According to the 2022 report, cybercrimes rose six-fold over the last seven years, from 2,305 cases in 2015 to 16,027 cases in 2022.

The unit affirmed that it continues to implement educational campaigns on the dangers of cybercrime in light of the widespread use of social media, which has facilitated the disruption of societal peace through a number of issues, including child abuse.
Calling on social media users to exercise caution when using these platforms, the unit also urged the public to avoid filling in or sending any personal information to unreliable websites, and refrain from clicking fake links that are sent to them for the purposes of hacking their personal accounts, according to the report.
Tactical actions for MSPs and their customers to take today:

• Identify and disable accounts that are no longer in use.
• Enforce MFA on MSP accounts that access the customer environment and monitor for unexplained failed authentication.
• Ensure MSP-customer contracts transparently identify ownership of ICT security roles and responsibilities.

The cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA, NSA, and FBI) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.[1] This joint Cybersecurity Advisory (CSA) provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion. This advisory describes cybersecurity best practices for information and communications technology (ICT) services and functions, focusing on guidance that enables transparent discussions between MSPs and their customers on securing sensitive data. Organizations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations. MSP customers should verify that the contractual arrangements with their provider include cybersecurity measures in line with their particular security requirements.
The guidance provided in this advisory is specifically tailored for both MSPs and their customers and is the result of a collaborative effort from the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC). Organizations should read this advisory in conjunction with NCSC-UK guidance on actions to take when the cyber threat is heightened, CCCS guidance on Cyber Security Considerations for Consumers of Managed Services, and CISA guidance provided on the Shields Up and Shields Up Technical Guidance webpages. This advisory defines MSPs as entities that deliver, operate, or manage ICT services and functions for their customers via a contractual arrangement, such as a service level agreement. In addition to offering their own services, an MSP may offer services in conjunction with those of other providers. Offerings may include platform, software, and IT infrastructure services; business process and support functions; and cybersecurity services. MSPs typically manage these services and functions in their customer’s network environment—either on the customer’s premises or hosted in the MSP’s data center. Note: this advisory does not address guidance on cloud service providers (CSPs)—providers who handle the ICT needs of their customers via cloud services such as Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service; however, MSPs may offer these services as well. (See Appendix for additional definitions.) MSPs provide services that usually require both trusted network connectivity and privileged access to and from customer systems. 
Many organizations—ranging from large critical infrastructure organizations to small- and mid-sized businesses—use MSPs to manage ICT systems, store data, or support sensitive processes. Many organizations make use of MSPs to scale and support network environments and processes without expanding their internal staff or having to develop the capabilities internally. Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP’s customer base. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities have previously issued general guidance for MSPs and their customers.[2],[3],[4],[5],[6],[7],[8] This advisory provides specific guidance to enable transparent, well-informed discussions between MSPs and their customers that center on securing sensitive information and data. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance. A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community. Download the Joint Cybersecurity Advisory: Protecting Against Cyber Threats to Managed Service Providers and their Customers (pdf, 697kb). The UK, Australian, Canadian, New Zealand, and U.S. 
cybersecurity authorities recommend MSPs and their customers implement the baseline security measures and operational controls listed in this section. Additionally, customers should ensure their contractual arrangements specify that their MSP implements these measures and controls.

In their efforts to compromise MSPs, malicious cyber actors exploit vulnerable devices and internet-facing services, conduct brute force attacks, and use phishing techniques. MSPs and their customers should ensure they are mitigating these attack methods. Useful mitigation resources on initial compromise attack methods are listed below:

It can be months before incidents are detected, so the UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities recommend all organizations store their most important logs for at least six months. Whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, implement and maintain a segregated logging regime to detect threats to networks. Organizations can refer to the NCSC-UK guidance on the appropriate data to collect for security purposes and when to use it: What exactly should we be logging? Additionally, all organizations—whether through contractual arrangements with an MSP or on their own—should implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting.

Organizations should secure remote access applications and enforce MFA where possible to harden the infrastructure that enables access to networks and systems.[9],[10] Note: Russian state-sponsored APT actors have recently demonstrated the ability to exploit default MFA protocols; organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.[11]

Organizations should understand their environment and segregate their networks.
Identify, group, and isolate critical business systems and apply appropriate network security controls to them to reduce the impact of a compromise across the organization.[12],[13]

Organizations should apply the principle of least privilege throughout their network environment and immediately update privileges upon changes in administrative roles. Use a tiering model for administrative accounts so that these accounts do not have any unnecessary access or privileges. Only use accounts with full privileges across an enterprise when strictly necessary, and consider the use of time-based privileges to further restrict their use. Identify high-risk devices, services, and users to minimize their access.[14]

Both MSPs and customers should periodically review their internet attack surface and take steps to limit it, such as disabling user accounts when personnel transition.[15] (Note: although sharing accounts is not recommended, should an organization require this, passwords to shared accounts should be reset when personnel transition.) Organizations should also audit their network infrastructure—paying particular attention to systems on the MSP-customer boundary—to identify and disable unused systems and services. Port scanning tools and automated system inventories can assist organizations in confirming the roles and responsibilities of systems.

Organizations should update software, including operating systems, applications, and firmware. Prioritize applying security updates to software containing known exploited vulnerabilities.
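An added example of the "known exploited first" patch ordering, in Python; it is not code from the advisory or from CISA. It joins a scanner export against a document laid out like CISA's Known Exploited Vulnerabilities (KEV) catalog[16] and ranks each finding KEV-overdue, then KEV, then everything else by CVSS. The feed layout (a top-level "vulnerabilities" list with cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction and dueDate keys) is an assumption of the example and should be checked against the live feed; both the KEV excerpt and the findings are constructed, and the CVE IDs are deliberately invalid placeholders.

```python
"""Patch prioritisation that puts known-exploited vulnerabilities first.

Added example, not part of the joint advisory. KEV_SAMPLE mimics the layout of
CISA's KEV JSON feed (assumption: check the field names against the live feed).
Every entry below is constructed and the CVE IDs are deliberately invalid
placeholders. FINDINGS is a constructed scanner export for a small MSP estate.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "constructed excerpt in the KEV feed layout",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleVPN", "vulnerabilityName": "placeholder",
         "dateAdded": "2022-04-25",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-16"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor",
         "product": "ExampleRMM", "vulnerabilityName": "placeholder",
         "dateAdded": "2023-02-08",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-03-01"},
    ],
})

# Constructed scanner output: one row per (host, CVE) with the reported CVSS base score.
FINDINGS = [
    {"host": "web01", "cve": "CVE-1900-0003", "cvss": 9.8},   # critical score, but not in KEV
    {"host": "web01", "cve": "CVE-1900-0001", "cvss": 7.2},   # in KEV, due date already passed
    {"host": "rmm01", "cve": "CVE-1900-0002", "cvss": 8.8},   # in KEV, due date still ahead
    {"host": "db01",  "cve": "CVE-1900-0004", "cvss": 5.3},   # neither
]


def load_kev(feed_text: str) -> dict:
    """Index a KEV-shaped JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def prioritize(findings: list, kev: dict, today_iso: str) -> list:
    """Return findings ordered for remediation.

    Tier 0: in KEV and past its CISA due date (overdue).
    Tier 1: in KEV, due date still ahead.
    Tier 2: everything else, ordered by CVSS alone.
    Within the KEV tiers the earliest due date wins, then the higher CVSS.
    """
    today = date.fromisoformat(today_iso)

    def key(f):
        entry = kev.get(f["cve"])
        if entry is None:
            return (2, date.max, -f["cvss"])
        due = date.fromisoformat(entry["dueDate"])
        return (0 if due < today else 1, due, -f["cvss"])

    ordered = []
    for f in sorted(findings, key=key):
        entry = kev.get(f["cve"])
        row = dict(f)
        row["tier"] = key(f)[0]
        row["due"] = entry["dueDate"] if entry else None
        row["required_action"] = entry["requiredAction"] if entry else None
        ordered.append(row)
    return ordered


if __name__ == "__main__":
    for row in prioritize(FINDINGS, load_kev(KEV_SAMPLE), "2023-02-10"):
        print(row["tier"], row["host"], row["cve"], row["cvss"], row["due"])
```

Run against the constructed data on 2023-02-10, the CVSS 7.2 finding that is in KEV and overdue comes out first and the CVSS 9.8 finding that nobody is known to exploit drops to third; a real pipeline would replace KEV_SAMPLE with the downloaded feed and FINDINGS with the scanner's export.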
Note: organizations should prioritize patching vulnerabilities included in CISA’s catalogue of known exploited vulnerabilities (KEV) as opposed to only those with high Common Vulnerability Scoring System (CVSS) scores that have not been exploited and may never be exploited.[16],[17],[18],[19]

Organizations should regularly update and test backups—including “gold images” of critical systems in the event these need to be rebuilt (Note: organizations should base the frequency of backups on their recovery point objective [20]). Store backups separately and isolate them from network connections that could enable the spread of ransomware; many ransomware variants attempt to find and encrypt/delete accessible backups. Isolating backups enables restoration of systems/data to their previous state should they be encrypted with ransomware. Note: best practices include storing backups separately, such as on external media.[21],[22],[23]

Incident response and recovery plans should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers. Organizations should maintain up-to-date hard copies of plans to ensure responders can access them should the network be inaccessible (e.g., due to a ransomware attack).[24]

All organizations should proactively manage ICT supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.[25],[26]

Both MSPs and their customers will benefit from contractual arrangements that clearly define responsibilities.

All organizations should adhere to best practices for password and permission management.[28],[29],[30] Organizations should review logs for unexplained failed authentication attempts—failed authentication attempts directly following an account password change could indicate that the account had been compromised.
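The check described above, failed logons that follow an account password change, as an added Python example that is not code from the advisory or any of the issuing agencies. It runs over constructed Windows Security events in a flattened field layout (EventID, TimeCreated, TargetUserName, IpAddress, SubStatus) of the kind many EVTX and SIEM exports produce; that layout, the 24-hour window and the three-failure threshold are assumptions of the example, while the event IDs (4723 password change, 4724 password reset, 4625 failed logon) and the 0xC000006A "wrong password" sub-status are standard Windows values. The same logic serves the tactical action above to monitor MSP accounts for unexplained failed authentication.

```python
"""Intrusion-canary check: bad-password failures right after a password change.

Added example, not part of the joint advisory. SAMPLE_RECORDS are constructed
Windows Security events in a flattened export layout (assumption: adapt
parse_record() to your own pipeline). Event IDs: 4723 = password change
attempt, 4724 = password reset attempt, 4625 = failed logon;
SubStatus 0xC000006A = valid user, wrong password; 0xC0000234 = locked out.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

PASSWORD_CHANGE_EVENTS = {4723, 4724}
FAILED_LOGON_EVENT = 4625
WRONG_PASSWORD = "0xc000006a"

# Constructed: a service account is reset at 09:00 (owner told out of band),
# then something keeps retrying the OLD credential from one external address.
SAMPLE_RECORDS = [
    {"EventID": 4724, "TimeCreated": "2023-02-01T09:00:05", "TargetUserName": "svc_backup"},
    {"EventID": 4625, "TimeCreated": "2023-02-01T09:40:12", "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.7", "SubStatus": "0xC000006A"},
    {"EventID": 4625, "TimeCreated": "2023-02-01T09:41:03", "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.7", "SubStatus": "0xC000006A"},
    {"EventID": 4625, "TimeCreated": "2023-02-01T09:43:50", "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.7", "SubStatus": "0xC000006A"},
    {"EventID": 4625, "TimeCreated": "2023-02-01T10:05:31", "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.7", "SubStatus": "0xC000006A"},
    {"EventID": 4625, "TimeCreated": "2023-02-01T10:06:02", "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.7", "SubStatus": "0xC0000234"},  # locked out: not a bad-password event
    # A user changes their own password and mistypes it once: benign.
    {"EventID": 4723, "TimeCreated": "2023-02-01T08:00:00", "TargetUserName": "j.smith"},
    {"EventID": 4625, "TimeCreated": "2023-02-01T08:30:00", "TargetUserName": "j.smith",
     "IpAddress": "10.0.0.25", "SubStatus": "0xC000006A"},
    # Failures with no preceding change: worth a brute-force review, not a canary hit.
    {"EventID": 4625, "TimeCreated": "2023-02-01T11:00:00", "TargetUserName": "a.jones",
     "IpAddress": "203.0.113.9", "SubStatus": "0xC000006A"},
    {"EventID": 4625, "TimeCreated": "2023-02-01T11:00:10", "TargetUserName": "a.jones",
     "IpAddress": "203.0.113.9", "SubStatus": "0xC000006A"},
    {"EventID": 4625, "TimeCreated": "2023-02-01T11:00:20", "TargetUserName": "a.jones",
     "IpAddress": "203.0.113.9", "SubStatus": "0xC000006A"},
]


@dataclass(frozen=True)
class Event:
    event_id: int
    time: datetime
    user: str
    src_ip: str
    sub_status: str


def parse_record(rec: dict) -> Event:
    """Normalise one exported record; usernames and NTSTATUS codes compare case-insensitively."""
    return Event(
        event_id=int(rec["EventID"]),
        time=datetime.fromisoformat(rec["TimeCreated"]),
        user=rec["TargetUserName"].lower(),
        src_ip=rec.get("IpAddress", "-"),
        sub_status=rec.get("SubStatus", "-").lower(),
    )


def find_canaries(events, window_hours: int = 24, min_failures: int = 3) -> dict:
    """Map user -> {"changed_at", "failures", "sources"} for accounts that saw at least
    min_failures wrong-password logon failures within window_hours after a change/reset."""
    window = timedelta(hours=window_hours)
    events = sorted(events, key=lambda e: e.time)
    changes = defaultdict(list)
    for e in events:
        if e.event_id in PASSWORD_CHANGE_EVENTS:
            changes[e.user].append(e.time)

    hits = {}
    for e in events:
        if e.event_id != FAILED_LOGON_EVENT or e.sub_status != WRONG_PASSWORD:
            continue
        # Attribute the failure to the most recent change that precedes it inside the window.
        recent = [t for t in changes.get(e.user, []) if t <= e.time <= t + window]
        if not recent:
            continue
        hit = hits.setdefault(e.user, {"changed_at": max(recent), "failures": 0, "sources": set()})
        hit["failures"] += 1
        hit["sources"].add(e.src_ip)
    return {u: h for u, h in hits.items() if h["failures"] >= min_failures}


if __name__ == "__main__":
    for user, hit in find_canaries(map(parse_record, SAMPLE_RECORDS)).items():
        print(f"{user}: {hit['failures']} bad-password failures after change at "
              f"{hit['changed_at']:%H:%M} from {sorted(hit['sources'])}")
```

On the constructed data only svc_backup is reported: four wrong-password failures from a single external address inside the window, with the lockout event correctly ignored, while the user who mistyped once and the account with failures but no change stay below the bar. Tune the window and threshold to the accounts you reset; the point of resetting sensitive accounts and telling their owners off-network is that any continued use of the old secret can only be the attacker.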
Note: network defenders can proactively search for such “intrusion canaries” by reviewing logs after performing password changes—using off-network communications to inform users of the changes—across all sensitive accounts. (See the ACSC publication Windows Event Logging and Forwarding, as well as Microsoft’s documentation 4625(F): An account failed to log on, for additional guidance.)

This advisory was developed by UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities would like to thank Secureworks for their contributions to this CSA.

The information in this report is being provided “as is” for informational purposes only. NCSC-UK, ACSC, CCCS, NCSC-NZ, CISA, NSA, and FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favouring.

United Kingdom organizations: report a significant cyber security incident at ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.
New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.
U.S. organizations: all organizations should report incidents and anomalous activity to the CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.

In addition to the guidance referenced above, see the following resources:

[1] State of the Market: The New Threat Landscape, Pushing MSP security to the next level (N-able)
[2] Global targeting of enterprises via managed service providers (NCSC-UK)
[3] Guidance for MSPs and Small- and Mid-sized Businesses (CISA)
[4] Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers (CISA)
[5] APTs Targeting IT Service Provider Customers (CISA)
[6] MSP Investigation Report (ACSC)
[7] How to Manage Your Security When Engaging a Managed Service Provider
[8] Supply Chain Cyber Security: In Safe Hands (NCSC-NZ)
[9] Multi-factor authentication for online services (NCSC-UK)
[10] Zero trust architecture design principles: MFA (NCSC-UK)
[11] Joint CISA-FBI CSA: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default MFA Protocols and “PrintNightmare” Vulnerability
[12] Security architecture anti-patterns (NCSC-UK)
[13] Preventing Lateral Movement (NCSC-UK)
[14] Preventing Lateral Movement: Apply the principle of least privilege (NCSC-UK)
[15] Device Security Guidance: Obsolete products (NCSC-UK)
[16] Known Exploited Vulnerabilities Catalog (CISA)
[17] The problems with patching (NCSC-UK)
[18] Security principles for cross domain solutions: Patching (NCSC-UK)
[19] Joint CSA: 2021 Top Routinely Exploited Vulnerabilities
[20] Protecting Data from Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files (NIST)
[21] Stop Ransomware website (CISA)
[22] Offline backups in an online world (NCSC-UK)
[23] Mitigating malware and ransomware attacks (NCSC-UK)
[24] Effective steps to cyber exercise creation (NCSC-UK)
[25] Supply chain security guidance (NCSC-UK)
[26] ICT Supply Chain Resource Library (CISA)
[27] Risk Considerations for Managed Service Provider Customers (CISA)
[28] Device Security Guidance: Enterprise authentication policy (NCSC-UK)
[29] Preventing Lateral Movement: Apply the principle of least privilege (NCSC-UK)
[30] Implementing Strong Authentication (CISA)

This advisory’s definition of MSPs aligns with the following definitions. The definition of MSP from Gartner’s Information Technology Glossary—which is also referenced by NIST in Improving Cybersecurity of Managed Service Providers—is:

A managed service provider (MSP) delivers services, such as network, application, infrastructure and security, via ongoing and regular support and active administration on customers’ premises, in their MSP’s data center (hosting), or in a third-party data center. MSPs may deliver their own native services in conjunction with other providers’ services (for example, a security MSP providing sys admin on top of a third-party cloud IaaS). Pure-play MSPs focus on one vendor or technology, usually their own core offerings. Many MSPs include services from other types of providers. The term MSP traditionally was applied to infrastructure or device-centric types of services but has expanded to include any continuous, regular management, maintenance and support.

The United Kingdom’s Department of Digital, Culture, Media, and Sport (DCMS) recently published the following definition of MSP, which includes examples:

Managed Service Provider – A supplier that delivers a portfolio of IT services to business customers via ongoing support and active administration, all of which are typically underpinned by a Service Level Agreement.
A Managed Service Provider may provide their own Managed Services or offer their own services in conjunction with other IT providers’ services. The Managed Services might include: The Managed Services might be delivered from customer premises, from customer data centres, from Managed Service Providers’ own data centres or from 3rd party facilities (co-location facilities, public cloud data centres or network Points of Presence (PoPs)). May 11, 2022: Initial version
SecurityWeek Cyber Insights 2023 | Criminal Gangs

Our intention here is to talk about cybercrime and cybercriminals. Despite some geopolitical overlaps with state attackers, the majority of cyberattacks still come from simple – or perhaps sophisticated – criminals who are more motivated by money than politics.

“With the Russia-Ukraine War, many actors polarized, including players like Conti, Killnet and Anonymous. However, the ecosystem is much larger, and even with setbacks in cryptocurrency brokerage, which advanced the liquidity and economics of criminals online, criminal organizations are thriving, diversifying, and going gangbusters as we enter 2023,” comments Sam Curry, CSO at Cybereason. “There are no signs of this letting up and all signs indicate that criminal organizations’ real growth is e-crime going forward.”

An increasing sophistication among the more elite criminals together with a more streamlined organization of the infrastructure from which they operate has been apparent for many years. This process continues and will continue throughout 2023. It is apparent in both how the gangs operate and the tools they use.

“Malware will continue to evolve in 2023 as attackers find new ways to hide it to maintain persistence and get what they came for,” says Mike Parkin, senior technical engineer at Vulcan Cyber – adding, “The attack vectors they use to get a foothold will also evolve, taking advantage of new vulnerabilities, and leveraging variations of old ones.”

But it is the increasing maturity of the criminal business that perhaps poses the greatest threat. “There is a significant maturing of the tools used by cybercriminal groups,” explains Andrew Barratt, VP at Coalfire.
“They are becoming platforms (as a service) for other criminal groups with significantly less technical expertise to leverage.” We’ve had ransomware-as-a-service and infostealers-as-a-service for a few years, but it is becoming more accurate to describe the process as a complete ‘crime-as-a-service’. “While we’ve seen the crime-as-a-service infrastructure become very prevalent, it’s probably likely we’ll see an uptick in volume and/or pricing of these attacks in the year ahead,” adds Barratt. “We’ve looked at numerous online forums and found such a rise and diversification in the many kinds of criminal ‘as a service’ offerings that people really can set up their own cybercrime business with little to no technical knowledge or skills,” explains Christopher Budd, senior manager of threat research at Sophos. “Now you can find a vendor or supplier to cover your needs around targeting and initial compromise of victims, evasion and operational security, and malware delivery, among others.” These offerings often come with good marketing and customer service and support that meets – or even exceeds – those you get when paying for legitimate software. Calling it malware-as-a-service (MaaS) rather than crime-as-a-service, Andrew Pendergast, EVP of product at ThreatConnect, adds, “MaaS operators act like a business, because they are a business – just an illegal one. Their goals are to make as much money as possible selling their product and services. 
This entails making it as accessible, trustable, reliable, and easy to use as possible for their ‘market’.” He expects the CaaS providers to continue to improve their support and services to accommodate a broader set of customers and affiliates, adding, “The net results will be a broadening user base for various MaaS offerings which in 2023 likely means more ransomware attacks.”

In fact, the service is now so complete that Benjamin Fabre, CEO at DataDome, points out new cybercriminals no longer need the technical skills to develop and execute cyberattacks on their own. “Cybercrime will require as much brains as holding a baseball bat to a shop owner’s window,” he comments.

Chris Vaughan, a VP of technical account management at Tanium, agrees with this assessment. “Malicious cyber tools are becoming more available to be purchased online which is leading to a greater number of attacks that are also less predictable. This includes vulnerabilities and exploits as well as hackers for hire, dramatically lowering the barrier of entry for anyone interested in launching a cyberattack.”

This leads us to another related concern for 2023: the potential expansion of a recession-promoted cybercrime gig economy. “People may turn to ‘cyber hustling’ in the cybercrime gig economy to make quick cash during the economic downturn,” warns Alex Holland, senior malware analyst at HP Inc. He fears a potential increase in the number of cyber hustlers seeking to make additional – or, indeed, any – income by scamming consumers who will themselves be looking for opportunities to raise some extra cash. “Cybercrime tools and mentoring services are readily available at low costs, enticing cyber hustlers – opportunists with relatively low levels of technical skill – to access what they need to turn a profit.” The interconnected nature of the cybercrime gig economy means threat actors can easily monetize attacks.
“And if they strike gold and compromise a corporate device, they can also sell that access to bigger players, like ransomware gangs. This all feeds into the cybercrime engine, giving organized groups even more reach.”

Fundamental to the emergence of streamlined CaaS has been the evolution of career specializations within the gangs. “In many ways, the cybercrime ecosystem has developed specialized ‘career fields’ in a similar way that cybersecurity has developed specializations,” comments John Bambenek, principal threat hunter at Netenrich. This means there are many more partnerships and boutique actors helping a variety of groups. “Getting initial access is a specialized skill set, just like money laundering (in cryptocurrency) and ransomware development are skill sets,” he added. “This specialization makes the ecosystem as a whole more resilient and more difficult to bring to justice.”

This process of business refinement will continue through 2023. “Criminal organizations will continue to grow in scope and capabilities, with increased focus on functional areas,” suggests Chris Gray, AVP of security strategy at Deepwatch. “Specialization will allow these groups to maintain the razor margins needed to operate at levels that are capable of bypassing security program components at advanced targets and/or operate at scale against more susceptible targets.”

Three categories of crime-as-a-service are likely to be prevalent in 2023: ransomware-as-a-service (RaaS), stealer-as-a-service (SaaS), and victims-as-a-service (VaaS). The ‘pay-per-use’ version of delivering ransomware is, says Camellia Chan, CEO and founder of X-Phy, “a sophisticated, and yet much more accessible form of ransomware, with malicious actors no longer requiring advanced technical skills to carry out attacks.” This is a win for wannabe criminals who cannot code. But it is also a win for the more elite coding criminals trying to avoid the eye of law enforcement.
“The number of different entities involved adds another layer of complexity,” explains Chan. “While RaaS operators develop the infrastructure, access brokers focus on the identity posture and external access portals. To finish, the affiliate buying the RaaS handles the exfiltration of data to ransom, then deploying the actual ransomware payload.” Mike McLellan, director of intelligence at Secureworks, continues: “New RaaS schemes will continue to emerge, but the landscape will be dominated by a handful of cybercriminal groups operating a small number of very active schemes.” He expects the dominant schemes to increase their capacity to support more affiliates. “Experienced cybercriminals under sanction by the U.S. authorities will make use of existing RaaS schemes as a way of complicating attribution of their attacks. At the other end of the spectrum, less sophisticated affiliates will conduct simplistic ransomware deployments against small numbers of hosts, rather than full blown, enterprise-wide encryption events.” A study published by Group-IB on November 23, 2022, reported that 34 Russian-speaking groups were distributing infostealers as part of stealers-as-a-service operations. On average, each of these groups has some 200 active members. Twenty-three of the groups distributed the Redline infostealer, while eight concentrated on Raccoon. “An infostealer,” explains Group-IB, “is a type of malware that collects credentials stored in browsers (including gaming accounts, email services, and social media), bank card details, and crypto wallet information from infected computers, and then sends all this data to the malware operator.” Given that credentials remain the starting point for most cyberattacks, the demand is and will remain high. 
Group-IB suggests “Stealers are one of the top threats to watch in the coming year.” The company notes, “In the first seven months of 2022, the gangs collectively infected over 890,000 user devices and stole over 50 million passwords.” While the targets are individual computers often used by gamers and remote workers, the potential knock-on effect against corporates should not be under-estimated. “The threat actor responsible for the most recent attack on Uber purchased the credentials compromised with the Raccoon stealer,” says Group-IB. Uber itself explained the process in a statement: “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.” This demonstrates both the success of stealers and the failure of MFA to offer a complete access solution. The Uber instance seems to be a variation on what Tanium’s Vaughan describes as an MFA push exhaustion attack. “This,” he explains, “is where an attacker sends a large number of MFA acceptance prompts to a user’s phone which may cause them to click accept in order to stop the barrage of requests.” This whole process of SaaS-delivered stealers acquiring credentials and attackers defeating MFA will persist and increase in 2023. Mark Warren, product specialist at Osirium, believes there is a new service offering on the rise: hacker teams offering victims-as-a-service. “For the last couple of years, threat actors have been team-based,” he explains. 
“Before cryptocurrency, they were lone wolves – or, occasionally, a loosely connected group who’d met online. Then they started working in teams, and because they were paid money those teams became tightly bonded. Over the next year we’ll see more teams divide out into skills-based groups.” He uses REvil as an example of a successful RaaS model offering an end-to-end solution for attackers that included encryption software, access tools, helpdesks for victims, payment services and much more. “But,” he says, “there’s still a market for smaller teams that focus on specific attack skills. For example, they may breach defenses to acquire user or admin credentials, or even install malware to provide back door entry for use at a later date.” Providers of such a service don’t need to take the risk of executing the attack or handling payment; they can make good money just by selling the access on dark web marketplaces. The access could be obtained via relatively risk-free phishing campaigns. The approach could be modular. “Company intelligence may be another specialist service,” he suggests. “For example, knowing what cyber insurance a potential victim has could reveal the kinds of defenses they’ll have in place and even how much they’re insured for, so ransomware demands can be tailored.” In this sense, VaaS can be seen as an extension and expansion of the existing access broker criminal service. Aamir Lakhani, cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs, adds further subtleties that will emerge. “Going forward, subscription based CaaS offerings could potentially provide additional revenue streams. 
In addition, threat actors will also begin to leverage emerging attack vectors such as deepfakes, offering these videos and audio recordings and related algorithms more broadly for purchase.” This continuing professionalization of the criminal fraternity is causing the inevitable emergence of what Omer Carmi, VP of cyber threat intelligence at Cybersixgill, calls the quasi-APT. “In 2023,” he warns, “the quasi-APT’s emergence will escalate due to the democratization of cyberweapons and the democratization of access enabled by powerful technology now accessible to the cybercrime underground.” The growth of specialized roles and CaaS means that for as little as $10, threat actors can purchase access and gain a steady foothold into their targets’ systems. They can get a beachhead into highly secured organizations without having to bother with the complex, drawn-out process of gaining initial access on their own. “By outsourcing access, attackers of all levels of sophistication can leapfrog several steps, jumping yet another step closer to the level of an APT – hence the birth of the quasi-APT,” he warns. The constantly improving sophistication and professionalization of the criminal underground will continue through 2023 and beyond. For example, Mikko Hypponen, chief research officer at WithSecure, sees artificial intelligence adding a new string to the criminal bow in 2023. “Malware campaigns will move from human speed to machine speed,” he warns. “The most capable cybercrime groups will reach the capability to use simple machine learning techniques to automate the deployment and operation of malware campaigns, including automatic reaction to our defenses. Malware automation will include techniques like rewriting malicious emails, registering and creating malicious websites, and rewriting and compiling malware code to avoid detection.” 2023 may see the beginning of a new crime gang service: AI-as-a-Service.
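The push exhaustion pattern described in the Uber statement earlier in this piece is easy to spot in identity-provider logs once prompts and approvals are correlated per user. The following is an added example, not code from Uber, Tanium or any other vendor quoted here: it reads a constructed sample of push events (the line format, event vocabulary, the `ext.contractor` account and the addresses are assumptions) and flags an approval that arrives after five or more prompts to the same user inside a ten-minute window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back in which prompts are counted
THRESHOLD = 5                    # prompts in WINDOW that count as a push storm

# Constructed sample of identity-provider push events, one per line:
# "<ISO-8601 UTC timestamp> <user> <event> <source_ip>". The account name,
# addresses and event vocabulary are assumptions, not a real IdP's schema.
SAMPLE_LOG = """\
2023-01-10T21:00:05Z ext.contractor push_sent 203.0.113.10
2023-01-10T21:00:09Z ext.contractor push_denied 203.0.113.10
2023-01-10T21:00:40Z ext.contractor push_sent 203.0.113.10
2023-01-10T21:01:40Z ext.contractor push_timeout 203.0.113.10
2023-01-10T21:02:00Z alice push_sent 198.51.100.7
2023-01-10T21:02:04Z alice push_approved 198.51.100.7
2023-01-10T21:02:15Z ext.contractor push_sent 203.0.113.10
2023-01-10T21:02:20Z ext.contractor push_denied 203.0.113.10
2023-01-10T21:03:50Z ext.contractor push_sent 203.0.113.10
2023-01-10T21:04:50Z ext.contractor push_timeout 203.0.113.10
2023-01-10T21:05:30Z ext.contractor push_sent 203.0.113.10
2023-01-10T21:05:33Z ext.contractor push_denied 203.0.113.10
2023-01-10T21:06:10Z ext.contractor push_sent 203.0.113.10
2023-01-10T21:06:18Z ext.contractor push_approved 203.0.113.10
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, src = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, src


def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per approval that follows >= threshold push prompts
    to the same user inside the preceding window. Events are processed in
    time order so out-of-order log delivery does not hide a storm."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)           # user -> timestamps of recent prompts
    findings = []
    for ts, user, event, src in events:
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
        elif event == "push_approved" and len(q) >= threshold:
            findings.append({"user": user, "prompts": len(q),
                             "approved_at": ts.isoformat(), "src": src})
            q.clear()                     # one finding per storm
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"push fatigue: {f['user']} approved after {f['prompts']} prompts "
              f"at {f['approved_at']} from {f['src']}")
```

Tune WINDOW and THRESHOLD to the identity provider's prompt cadence. A run of denials or timeouts on its own is worth a warning; the approval that ends the storm is the event that should trigger an immediate session revocation and credential reset, because at that point the attacker already holds a valid session.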
Australian insurance company Medibank has made a public statement after being contacted by a malicious party claiming to have customer data and wanting a ransom for its deletion. The initial cyber security incident occurred on October 13, when Medibank detected some “unusual activity” on its internal systems. After dealing with the cyber-attack, Medibank said in a statement about the October 13 breach that there was “no evidence that customer data has been accessed” during the breach. Medibank was then contacted on October 17 by the malicious party, who aimed to “negotiate with the company regarding their alleged removal of customer data”. Medibank has not confirmed what data the supposed hackers claim to have, only saying that as an insurance and healthcare company, it possesses “a range of necessary personal information of customers”. The insurer said it is working to verify these claims, and based on its “ongoing forensic investigation” it is treating the potential cyber security incident “seriously”. According to The Sydney Morning Herald, which claims to have seen the ransom note, the malicious party is threatening to sell 200GB of confidential data if its demands are not met. The group threatened to release the data of Medibank’s “1k most [prominent] media persons” which includes “[those with the] most [social media] followers, politicians, actors, bloggers, LGBT activists [and] drug addicted people” as well as people with “very interesting diagnoses”. As a result of the attempted ransom and to ensure it meets its continuous disclosure obligations, Medibank has called a trading halt which will continue until further notice. The company has also employed the help of “specialist cyber security firms” and has alerted the Australian Cyber Security Centre (ACSC). Medibank CEO David Koczkar said of the potential data breach: “I apologize and understand this latest distressing update will concern our customers. 
We have always said that we will prioritize responding to this matter as transparently as possible. Our team has been working around the clock since we first discovered the unusual activity on our systems, and we will not stop doing that now. We will continue to take decisive action to protect Medibank customers, our people and other stakeholders.” Medibank noted that as its internal systems had not been encrypted by ransomware, normal operations can continue, although they may be affected by the ongoing investigation into the hacking claims. Reach Cyber Security professionals through cost-effective marketing opportunities to deliver your message, position yourself as a thought leader, and introduce new products, techniques and strategies to the market. Join CSHUB today and interact with a vibrant network of professionals, keeping up to date with the industry by accessing our wealth of articles, videos, live conferences and more. Cyber Security Hub, a division of IQPC
Cyber Security Hub’s top 20 movers and shakers for 2022 profiles leading cyber security professionals from around the world who have worked to innovate within the cyber security space, or have tackled and mitigated cyber security challenges over the past 12 months. Nominations were open from July to August 2022, allowing cyber security practitioners to share their success stories for consideration. The team here at Cyber Security Hub compiled our final line-up of 20 leaders who have made an impact after assessing all applications and conducting additional research. The 2022 list features leaders from across a range of industries, who have worked to overcome challenges in the cyber security space. However, there are many more cyber security leaders who have not been featured on this list, which is why the ‘top 20 cyber security movers and shakers’ will return in mid-2023. For now, on behalf of the entire team here at Cyber Security Hub, thank you to everybody who took the time to submit a nomination and congratulations to all who made this year’s final list.

Sarah Armstrong-Smith has been in the IT space for more than 20 years and has worked in a range of areas including data protection and privacy, cyber security and disaster recovery. In her current role she helps EMEA-based customers and partners enhance and evolve their digital strategies. She is also a non-executive director and independent board advisor, which allows her to share her technology insight and experience with SMEs. Armstrong-Smith frequently speaks publicly on the human aspects of cyber security and on the crucial role people play in executing and maintaining it. She has a focus on why breaking down silos between departments and being resilient as a whole business in the face of disruption and adverse environments is key to staying ahead of the competition.
Armstrong-Smith has won a number of awards, including being named one of the ‘most influential women in UK tech’ in 2021 and 2022 by Computer Weekly and one of the ‘top 30 female cybersecurity leaders’ by SC Media.

James Johnson has deployed tactics in his workplace at John Deere to overcome industry challenges including the growing attack surface, technology debt and complexity. To overcome these challenges, Johnson aligned with industry standards, especially in foundational processes and services like identity management, operations and monitoring, and vulnerability management. He also encouraged investment in employees’ training and development to help them intelligently operate security tools and technology. His actions allowed employees at John Deere to become proficient in policies and guidelines, understanding how to handle data and report issues when needed. The culture this created, along with input from HR, gave employees a safe and inclusive working environment.

Fareedah Shaheed has based her cyber security career around internet safety and protecting children online. She launched Shekuva, a cyber security start-up that supports children as they develop their online and technological skills, while enabling their parents to protect them online. As a Forbes 30 Under 30 honoree, Shaheed currently serves on the Forbes board for the Under 30 community. Additionally, she has a demonstrated history of mentorship and frequently shares key insights to help parents gain an understanding of cyber security. Shaheed also runs cyber security workshops to help communities better understand online safety.

Amar Singh is a UK-government certified cyber security trainer and the creator of the UK government’s National Cyber Security Centre (NCSC)-certified Cyber Incident Planning and Response (CIPR) course. 
Singh is a trusted advisor to a number of institutions, including financial services firms such as banks and insurers, as well as public sector organizations such as the police and the UK’s National Health Service. Additionally, he shares his insight and experience through mentoring CISOs, as well as guest lecturing at universities and presenting to those in the cyber security industry. His insights have been featured by the BBC, The Financial Times and The Economist Intelligence Unit.

Trisha Ventura has been recognized as one of the Top 30 Women in Security in ASEAN 2021 and one of the Top 10 Women in Security, Philippines 2020 by Issuu. She is a certified Insider Threat Program Manager (ITPM) with expertise in enterprise-wide infrastructure/IT security, cybersecurity, cloud security, security operations, insider threat, proactive threat and intelligence gathering, compliance with information security and data privacy policies, standards and procedures, and incident management processes. Ventura shares her insight and expertise with the cyber security community by appearing and speaking at numerous industry events.

Sharon Barber has worked in the cyber security field for 10 years and currently holds a position protecting the financial services industry from cyber-attacks. Barber has expertise in a number of areas of threat defense including supply chain compromise, malware and ransomware. Additionally, Barber was appointed as co-chair of the UK National Cyber Advisory Board (NCAB) in May 2022. In this position, she helps bring perspective, insight and expertise to discussions about cyber security, in addition to helping the UK government deliver on the cyber commitments it has made both in the public sector and within government.

Marlon Sorogon uses his 20-plus years of experience in the cyber security industry to share key learnings at various industry events and was named a Top 100 Global CISO in 2021 by Menlo Security. 
He has led and implemented numerous cyber security projects and information security programs, for example adopting cloud services at Maybank with the Philippines’ regulatory framework and compliance requirements in mind. He also has an extensive background in network and server security, IT governance, information security management, and audit and risk. Currently, he holds the position of CISO at both Maybank Philippines and Maybank New York, where he works to protect these financial institutions from cyberattacks. In his free time, he is a cyber security advocate and works to educate and mentor future cyber security leaders.

As president of the London Chapter of the International Information System Security Certification Consortium (known as (ISC)²), Liz Banbury’s goal is to share knowledge within the information and cyber security community, allowing trends and opportunities to be openly discussed and driving forward inclusion and innovation within the sector. Banbury, who has been working in cyber security and technology for financial services for more than 17 years, also has an interest in the human side of cyber security and the impact that people’s behavior can have on security as a whole. She has also been named one of the Top 100 CISOs in 2022 by Menlo Security.

An overall shortage of cybersecurity skills in the financial services industry led Pooja Shimpi to form the Global Mentorship for Cybersecurity program. Forty people from across the globe participated in the program: 20 individuals were able to benefit from the experience and insight of 20 experienced cyber security mentors. Shimpi was the main coordinator for the program, which helped several individuals obtain roles within the cybersecurity field and allowed others to grow within their cyber security careers. 
At Blick Art Materials, Dan Krueger built a small team, featuring a cybersecurity technical lead and two analysts, to tackle cloud security and on-premises vulnerability management. Led by Krueger, the team reduced the company’s overall risk score for Azure and AWS by 80 percent, in addition to remediating 95 percent of its critical and server-exploitable vulnerabilities within 45- and 60-day service-level agreements (SLAs). The team also created monthly cybersecurity dashboards that demonstrated a 33 percent reduction in total threats and a 40 percent reduction in critical and high alerts within the company’s attack surface.

Ann Mennens manages the European Commission’s Cyber Aware Program, which aims to raise the cyber awareness of the Commission’s staff, highlighting their role in safeguarding the Commission’s assets and systems while promoting a safe online experience. Mennens is also in charge of training and communication on cyber security as manager of the network of Local Informatics Security Officers (LISO) in the Commission. She leads the Interinstitutional Task Force on Cyber Awareness Raising of the Cybersecurity Subgroup of the Interinstitutional Committee on Digital Transformation, encompassing all EU Institutions, Bodies and Agencies. She has also been certified as a trainer for Cyber Security Awareness and Culture Manager by the Belgian Cyber Security Coalition. Through this, Mennens is able to help people from any industry reskill in cyber security, which she believes is important in increasing diversity and inclusion within the industry.

Fal Ghancha overcame a series of challenges in his role as CISO at DSP Investments to provide the company with a 360-degree view that could identify and mitigate upcoming risks and attacks, in addition to 24/7 incident monitoring and response. 
The company’s cyber defense center introduced an in-house cyber ‘war room’, giving Ghancha and his team access to real-time dashboards which displayed critical and actionable metrics. These allowed his team to introduce targeted and effective awareness, which in turn increased the volume of security issues and queries closed. The team Ghancha built was subsequently able to define the process for managing cyber security concerns seamlessly and quickly by collaborating with the company’s technology team.

Soren Olsen has worked in cyber security for 14 years and is currently responsible for information and cyber security across Maersk Drilling. He and his team work to protect both IT and operational technology, focusing on risk management and compliance. Olsen has been an Information Systems Audit and Control Association (ISACA) Certified Information Security Manager (CISM) since May 2022 and an International Society of Automation (ISA) ISA/IEC 62443 Cybersecurity Expert since August 2022. Olsen also shares his insight and experience of working in cyber security for the oil and gas industry by speaking at various industry events.

Before being appointed president and cyber advisory head at Inspira Enterprise, Munish Gupta worked as global practice head for enterprise security architecture, cyber resilience and cloud security advisory at Wipro until August 2022. At Wipro, Gupta faced a challenge in retaining and attracting talent within the cyber security space. To combat this challenge, Gupta developed a recruitment plan and future growth plan for attracting talent by demonstrating the maturity of the cyber security team at Wipro. By working closely with the recruitment and talent acquisition teams, his team was able to control the rejection rate and improve the conversion rate, reducing the hiring lifecycle and keeping candidates engaged. 
Gupta has also introduced a program to cross-skill staff within the cyber security space to navigate the challenges of finding qualified cyber security professionals. As a result of Gupta’s plan, Wipro was able to navigate the challenge of cyber security skill demand and attract available talent.

As executive director of Women in Cybersecurity (WiCyS), Lynn Dohm’s main focus is in supporting the recruitment, retention and advancement of women in cyber security. To do this, Dohm encourages organizations to engage in gender-neutral resume assessment and hire ‘outside of the box’. She encourages companies to pay attention to who they are hiring and employing and be conscious of their hiring actions. Dohm also sits on the international judging panel for the IFSEC Global Top Influencers in Security and Fire and the advisory board for Women in Cybersecurity – Beyond Borders, and is an inaugural member of the International Information System Security Certification Consortium ((ISC)²) Diversity, Equity and Inclusion Task Force.

Manish Madan Mohan came from a legacy infrastructure background and was faced with the challenge of establishing an information security program at BondEvalue. Mohan adopted a cloud-only policy, implementing a cloud-based IDAM tool, a cloud-based endpoint management tool and a SASE-based DLP solution. For its cloud infrastructure, his team implemented a Cloud Security Posture Management tool along with threat detection and SOC capability. This let the company effectively manage all endpoints and cloud infrastructure while remaining a truly on-cloud organization. Mohan managed third-party risk by selecting trustworthy vendors and binding them with service-level agreements, backed by cyber insurance to cover a breach at a third party.

Ash Hunt developed and published the UK’s first quantitative framework and actuarial model for information risk. 
He has also advised FTSE organizations and international governments on information security and quantitative information risk analysis. He is an advocate for using analytics and forecasting as key defense mechanisms against the ripple effects of cyber-attacks that can be triggered by external parties working with an organization. As these effects are forcing organizations to completely re-engineer their view of having a stake in external parties’ security postures, Hunt has introduced a more analytical approach that includes forecasting and exploring where an organization’s greatest vulnerabilities may be.

Robin Smith is a CISO and expert policy analyst focused on the future of cyber-crime. He has worked within a range of sectors including the nuclear and automotive industries, as well as within UK law enforcement. Smith has been developing a positive-design cyber approach to streamline the onboarding of third parties at Aston Martin. This approach is applicable across all industries, and the cyber threat intelligence management (CTIM) model can be used to understand risk intelligence within an organization’s supply chain. With CTIM, Smith aims to give organizations a better chance of being able to profile their issues, allocate their resources and be more agile in their responses rather than simply being reactive to cyber incidents.

Gaurav Miglani is a seasoned cybersecurity professional and a director at Visa with a decade of experience in the IAM and PAM domains. As a specialist and product manager, he has led multiple large projects to transform SSH/crypto key management, password management, and Kerberos and keytab management at Visa on a global scale. He has also led multiple merger and acquisition integration efforts to improve the overall IAM security posture of Visa’s acquisitions in the APAC and EMEA regions.

Eric Vétillard is a security expert and leader, with a focus on high-security embedded products and the Internet of Things (IoT) and systems. 
Currently, he is working with all ENISA stakeholders to define new security certification schemes in the context of the European Cybersecurity Act. Previously, he has helped develop new certification schemes in addition to helping evaluate and develop secure products, security policies and automated policy enforcement tools. Vétillard has also led technical teams, and been involved in collaborative research, standardization activities and technical communication.
Immediate Actions You Can Take Now to Protect Against Malware:
• Patch all systems and prioritize patching known exploited vulnerabilities.
• Enforce multifactor authentication (MFA).
• Secure Remote Desktop Protocol (RDP) and other risky services.
• Make offline backups of your data.
• Provide end-user awareness and training about social engineering and phishing.

This joint Cybersecurity Advisory (CSA) was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC). This advisory provides details on the top malware strains observed in 2021. Malware, short for “malicious software,” can compromise a system by performing an unauthorized function or process. Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. Some examples of malware include viruses, worms, Trojans, ransomware, spyware, and rootkits.[1] In 2021, the top malware strains included remote access Trojans (RATs), banking Trojans, information stealers, and ransomware. Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations. The most prolific malware users are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information. CISA and ACSC encourage organizations to apply the recommendations in the Mitigations sections of this joint CSA. 
These mitigations include applying timely patches to all systems, prioritizing known exploited vulnerabilities; implementing user training; securing Remote Desktop Protocol (RDP); making offline backups of data; and enforcing multifactor authentication (MFA). The top malware strains of 2021 are: Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader. Updates made by malware developers, and reuse of code from these malware strains, contribute to the malware’s longevity and evolution into multiple variations. Malicious actors’ use of known malware strains offers organizations opportunities to better prepare for, identify, and mitigate attacks from these known malware strains. The most prolific users of the top malware strains are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information. In the criminal malware industry, including malware as a service (MaaS), developers create malware that malware distributors often broker to malware end-users.[2] Developers of these top 2021 malware strains continue to support, improve, and distribute their malware over several years. Malware developers benefit from lucrative cyber operations with low risk of negative consequences. Many malware developers operate from locations with few legal prohibitions against malware development and deployment. Some developers even market their malware products as legitimate cyber security tools. For example, the developers of Remcos and Agent Tesla have marketed the software as legitimate tools for remote management and penetration testing. Malicious cyber actors can purchase Remcos and Agent Tesla online for low cost and have been observed using both tools for malicious purposes. 
Below are the steps that CISA and ACSC recommend organizations take to improve their cybersecurity posture based on known adversary tactics, techniques, and procedures (TTPs). CISA and ACSC urge critical infrastructure organizations to prepare for and mitigate potential cyber threats immediately by (1) updating software, (2) enforcing MFA, (3) securing and monitoring RDP and other potentially risky services, (4) making offline backups of your data, and (5) providing end-user awareness and training. As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent the spread of ransomware and threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. The ACSC has observed ransomware and data theft incidents in which Australian divisions of multinational companies were impacted by ransomware incidents affecting assets maintained and hosted by offshore divisions outside their control. The information in this report is being provided “as is” for informational purposes only. CISA and ACSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring. 
Malware: Snort Detection Signature

Agent Tesla:
alert tcp any any -> any any (msg:"HTTP GET request /aw/aw.exe"; flow:established,to_server; sid:1; rev:1; content:"GET"; http_method; content:"/aw/aw.exe"; http_uri; reference:url,www.datto.com/blog/what-is-agent-tesla-spyware-and-how-does-it-work; metadata:service http;)

AZORult:
alert tcp any any -> any any (msg:"HTTP Server Content Data contains 'llehS|2e|tpircSW'"; sid:1; rev:1; flow:established,from_server; file_data; content:"llehS|2e|tpircSW"; nocase; fast_pattern:only; pcre:"/GCM(?:\x20|%20)*W-O*/i"; reference:url,maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/; metadata:service http;)

AZORult:
alert tcp any any -> any any (msg:"HTTP POST Client Body contains 'J/|fb|' and '/|fb|'"; sid:1; rev:1; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"J/|fb|"; http_client_body; fast_pattern; content:"/|fb|"; http_client_body; depth:11; content:!"Referer|3a 20|"; http_header; metadata:service http;)

FormBook:
alert tcp any any -> any any (msg:"HTTP URI POST contains '&sql=1' at the end"; sid:1; rev:1; flow:established,to_server; content:"&sql=1"; http_uri; fast_pattern:only; content:"POST"; http_method; pcre:"/(?(DEFINE)(?'b64std'[a-zA-Z0-9+\/=]+?))(?(DEFINE)(?'b64url'[a-zA-Z0-9_-]+?))^\/[a-z0-9]{3,4}\/?(?P>b64url){3,8}=(?P>b64std){40,90}&(?P>b64url){2,6}=(?P>b64url){4,11}&sql=1$/iU"; reference:url,www.malware-traffic-analysis.net/2018/02/16/index.html; metadata:service http;)

FormBook:
alert tcp any any -> any any (msg:"HTTP URI GET/POST contains '/list/hx28/config.php?id='"; sid:1; rev:1; flow:established,to_server; content:"/list/hx28/config.php?id="; http_uri; fast_pattern:only; content:"Connection|3a 20|close|0d 0a|"; http_header; reference:url,www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html; metadata:service http;)

Ursnif:
alert tcp any any -> any any (msg:"HTTP POST Data contains .bin filename, long URI contains '/images/'"; sid:1; rev:1; flow:established,to_server; urilen:>60,norm; content:"/images/"; http_uri; depth:8; content:"POST"; nocase; http_method; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; content:"|2e|bin|22 0d 0a|"; http_client_body; distance:1; within:32; fast_pattern; reference:url,www.broadanalysis.com/2016/03/23/angler-ek-sends-data-stealing-payload/; metadata:service http;)

Ursnif:
alert tcp any any -> any any (msg:"HTTP URI GET/POST contains '/images/' plus random sub directories and an Image File (Ursnif)"; sid:1; rev:1; flow:established,to_server; content:"/images/"; http_uri; fast_pattern:only; content:!"Host: www.urlquery.net"; http_header; pcre:"/\/images(\/(?=[a-z0-9_]{0,22}[A-Z][a-z0-9_]{0,22}[A-Z])(?=[A-Z0-9_]{0,22}[a-z])[A-Za-z0-9_]{1,24}){5,20}\/[a-zA-Z0-9_]+\.(?:gif|jpeg|jpg|bmp)$/U"; metadata:service http;)

LokiBot:
alert tcp any any -> any any (msg:"HTTP Client Header contains 'User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)|0d 0a|"; http_header; fast_pattern:only; metadata:service http;)

LokiBot:
alert tcp any any -> any any (msg:"HTTP URI POST contains '/*/fre.php' post-infection"; sid:1; rev:1; flow:established,to_server; content:"/fre.php"; http_uri; fast_pattern:only; urilen:<50,norm; content:"POST"; nocase; http_method; pcre:"/\/(?:alien|lokyd|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\/NW|wrk|job|fived?|donemy|animationdkc|love|Masky|vd|lifetn|Ben)\/fre\.php$/iU"; metadata:service http;)

LokiBot:
alert tcp any any -> any any (msg:"HTTP URI POST contains '/w.php/'"; sid:1; rev:1; flow:established,to_server; content:"/w.php/"; http_uri; fast_pattern:only; content:"POST"; nocase; http_method; pcre:"/\/\w+\/w\.php\/[a-z]{13}$/iU"; metadata:service http;)

MOUSEISLAND:
alert tcp any any -> any any (msg:"HTTP URI GET contains '/assets/<8-80 hex>/<4-16 alnum>?<3-6 alnum>='"; sid:9206287; rev:1; flow:established,to_server; content:"/assets/"; http_uri; fast_pattern:only; content:"HTTP/1.1|0d 0a|"; depth:256; content:!"|0d 0a|Cookie:"; content:!"|0d 0a|Referer:"; pcre:"/\/assets\/[a-fA-F0-9\/]{8,80}\/[a-zA-Z0-9]{4,16}\?[a-z0-9]{3,6}=/U"; metadata:service http;)

NanoCore:
alert tcp any any -> any 25 (msg:"SMTP Attachment Filename 'Packinglist-Invoice101.pps'"; sid:1; rev:1; flow:established,to_server,only_stream; content:"Content-Disposition|3a 20|attachment|3b|"; content:"Packinglist-Invoice101.pps"; nocase; distance:0; fast_pattern; pcre:"/Content-Disposition\x3a\x20attachment\x3b[\x20\t\r\n]+?(?:file)*?name=\x22*?Packinglist-Invoice101\.pps\x22*?/im"; reference:cve,2014-4114; reference:msb,MS14-060; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Body-FINAL.pdf; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Appendix-FINAL.pdf;)

NanoCore:
alert tcp any any -> any any (msg:"HTTP Client Header contains 'Host|3a 20|frankief hopto me' (GenericKD/Kazy/NanoCore/Recam)"; sid:1; rev:1; flow:established,to_server; content:"Host|3a 20|frankief|2e|hopto|2e|me|0d 0a|"; http_header; fast_pattern:only; metadata:service http;)

NanoCore:
alert tcp any any -> any any (msg:"HTTP GET URI contains 'FAD00979338'"; sid:1; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; metadata:service http;)

Qakbot:
alert tcp any any -> any any (msg:"HTTP URI GET /t?v=2&c= (Qakbot)"; sid:1; rev:1; flow:established,to_server; content:"/t?v=2&c="; http_uri; depth:9; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf;)

Qakbot:
alert tcp any any -> any 21 (msg:"Possible FTP data exfiltration"; sid:1; rev:1; flow:to_server,established; content:"STOR si_"; content:".cb"; within:50; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service ftp-ctrlchan;)

Qakbot:
alert tcp any any -> any any (msg:"Malicious executable download attempt"; sid:1; rev:1; flow:to_client,established; file_type:MSEXE; file_data; content:"|52 DB 91 CB FE 67 30 9A 8E 72 28 4F 1C A9 81 A1 AA BE AC 8D D9 AB E4 15 EF EA C6 73 89 9F CF 2E|"; fast_pattern:only; reference:url,virustotal.com/#/file/ad815edc045c779628db3a3397c559ca08f012216dfac4873f11044b2aa1537b/detection; metadata:service http;)

Qakbot:
alert tcp any any -> any any (msg:"HTTP POST URI contains 'odin/si.php?get&'"; sid:1; rev:1; flow:to_server,established; content:"/odin/si.php?get&"; fast_pattern:only; http_uri; content:"news_slist"; http_uri; content:"comp="; http_uri; reference:url,www.virustotal.com/en/file/478132b5c80bd41b8c11e5ed591fdf05d52e316d40f7c4abf4bfd25db2463dff/analysis/1464186685/; metadata:service http;)

Qakbot:
alert tcp any any -> any any (msg:"HTTP URI contains '/random750x750.jpg?x='"; sid:1; rev:1; flow:to_server,established; content:"/random750x750.jpg?x="; fast_pattern:only; http_uri; content:"&y="; http_uri; content:"Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)

Qakbot:
alert tcp any any -> any any (msg:"HTTP URI contains '/datacollectionservice.php3'"; sid:1; rev:1; flow:to_server,established; content:"/datacollectionservice.php3"; fast_pattern:only; http_uri; metadata:service http;)

Qakbot:
alert tcp any any -> any any (msg:"HTTP header contains 'Accept|3a 20|application/x-shockwave-flash, 

Nearly every rule above carries the placeholder sid:1; Snort rejects duplicate sids, so each rule must be given a unique sid (and the pcre escaping kept exactly as written) before the set is loaded.
image/gif, image/jpeg, image/pjpeg, */*|0d 0a|’”; sid:1; rev:1; flow:to_server,established; urilen:30<>35,norm; content:”btst=”; http_header; content:”snkz=”; http_header; content:”Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|”; fast_pattern:only; http_header; content:”Cache-Control|3a 20|no-cache|0d 0a|”; http_header; content:!”Connection”; http_header; content:!”Referer”; http_header; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;) Qakbot alert tcp any any -> any 21 (msg:”Possible ps_dump FTP exfil”; sid:1; rev:1; flow:to_server,established; content:”ps_dump”; fast_pattern:only; pcre:”/ps_dump_[^_]+_[a-z]{5}d{4}x2Ekcb/smi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;) Qakbot alert tcp any any -> any 21 (msg:”Possible seclog FTP exfil”; sid:1; rev:1; flow:to_server,established; content:”seclog”; fast_pattern:only; pcre:”/seclog_[a-z]{5}d{4}_d{10}x2Ekcb/smi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;) Qakbot alert tcp any any -> any any (msg:”HTTP URI contains ‘/cgi-bin/jl/jloader.pl’”; sid:1; rev:1; flow:to_server,established; content:”/cgi-bin/jl/jloader.pl”; fast_pattern:only; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;) Qakbot alert tcp any any -> any any (msg:”HTTP URI contains ‘/cgi-bin/clientinfo3.pl’”; sid:1; rev:1; flow:to_server,established; content:”/cgi-bin/clientinfo3.pl”; fast_pattern:only; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;) Qakbot alert tcp any any -> any any (msg:”HTTP URI contains ‘/u/updates.cb’”; sid:1; rev:1; flow:to_server,established; content:”/u/updates.cb”; fast_pattern:only; http_uri; 
pcre:”/^Hostx3A[^rn]+((upd+)|(adserv))/Hmi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;) Qakbot alert tcp any any -> any any (msg:”HTTP response content contains ‘|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|’”; sid:1; rev:1; flow:to_client,established; file_data; content:”|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|”; fast_pattern:only; content:”|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 43 72 65 61 74 65 46 69 6C 65 28 29 20 66 61 69 6C 65 64|”; content:”|52 75 6E 45 78 65 46 72 6F 6D 52 65 73 28 29 20 73 74 61 72 74 65 64|”; content:”|73 7A 46 69 6C 65 50 61 74 68 3D|”; content:”|5C 25 75 2E 65 78 65|”; reference:url,www.virustotal.com/en/file/23e72e8b5e7856e811a326d1841bd2ac27ac02fa909d0a951b0b8c9d1d6aa61c/analysis; metadata:service ftp-data,service http;) Qakbot alert tcp any any -> any any (msg:”HTTP POST URI contains ‘v=3&c=’”; sid:1; rev:1; flow:to_server,established; content:”/t”; http_uri; content:”POST”; http_method; content:”v=3&c=”; depth:6; http_client_body; content:”==”; within:2; distance:66; http_client_body; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service http;) Qakbot alert tcp any any -> any any (msg:”HTTP URI GET contains ‘/<alpha>/595265.jpg’”; sid:1; rev:1; flow:established,to_server; content:”/595265.jpg”; http_uri; fast_pattern:only; content:”GET”; nocase; http_method; pcre:”/^/[a-z]{5,15}/595265.jpg$/U”; reference:url,www.virustotal.com/gui/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/detection; metadata:service http;) Remcos alert tcp any any -> any any (msg:”Non-Std TCP Client Traffic contains ‘|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|’ (Checkin #23)”; sid:1; 
rev:1; flow:established,to_server; dsize:<700; content:”|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|”; depth:11; fast_pattern; content:”|da b1|”; distance:2; within:2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/analysis-new-remcos-rat-arrives-via-phishing-email/; reference:url,isc.sans.edu/forums/diary/Malspam+using+passwordprotected+Word+docs+to+push+Remcos+RAT/25292/; reference:url,www.malware-traffic-analysis.net/2019/09/03/index.html; reference:url,www.malware-traffic-analysis.net/2017/10/27/index.html;) TrickBot alert tcp any any -> any any (msg:”HTTP Client Header contains ‘host|3a 20|tpsci.com’”; sid:1; rev:1; flow:established,to_server; content:”host|3a 20|tpsci.com”; http_header; fast_pattern:only; metadata:service http;) TrickBot alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|*Loader’”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|”; http_header; content:”Loader|0d 0a|”; nocase; http_header; distance:0; within:24; fast_pattern; metadata:service http;) TrickBot alert udp any any <> any 53 (msg:”DNS Query/Response onixcellent com (UDP)”; sid:1; rev:1; content:”|0B|onixcellent|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; priority:1; metadata:service dns;) TrickBot alert tcp any any -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘C=XX, L=Default City, O=Default Company Ltd’”; sid:1; rev:2; flow:established,from_server; ssl_state:server_hello; content:”|31 0b 30 09 06 03 55 04 06 13 02|XX”; nocase; content:”|31 15 30 13 06 03 55 04 07 13 0c|Default City”; nocase; content:”|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd”; nocase; content:!”|31 0c 30 0a 06 03 55 04 03|”; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;) TrickBot alert tcp any any -> any any (msg:”SSL/TLS Server X.509 Cert Field 
contains ‘C=AU, ST=Some-State, O=Internet Widgits Pty Ltd’”; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:”|31 0b 30 09 06 03 55 04 06 13 02|AU”; content:”|31 13 30 11 06 03 55 04 08 13 0a|Some-State”; distance:0; content:”|31 21 30 1f 06 03 55 04 0a 13 18|Internet Widgits Pty Ltd”; distance:0; fast_pattern; content:”|06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff|”; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;) TrickBot alert tcp any any -> any any (msg:”HTTP Client Header contains ‘boundary=Arasfjasu7′”; sid:1; rev:1; flow:established,to_server; content:”boundary=Arasfjasu7|0d 0a|”; http_header; content:”name=|22|proclist|22|”; http_header; content:!”Referer”; content:!”Accept”; content:”POST”; http_method; metadata:service http;) TrickBot alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.’”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|WinHTTP loader/1.”; http_header; fast_pattern:only; content:”.png|20|HTTP/1.”; pcre:”/^Hostx3ax20(?:d{1,3}.){3}d{1,3}(?:x3ad{2,5})?$/mH”; content:!”Accept”; http_header; content:!”Referer|3a 20|”; http_header; metadata:service http;) TrickBot alert tcp any any -> any any (msg:”HTTP Server Header contains ‘Server|3a 20|Cowboy’”; sid:1; rev:1; flow:established,from_server; content:”200″; http_stat_code; content:”Server|3a 20|Cowboy|0d 0a|”; http_header; fast_pattern; content:”content-length|3a 20|3|0d 0a|”; http_header; file_data; content:”/1/”; depth:3; isdataat:!1,relative; metadata:service http;) TrickBot alert tcp any any -> any any (msg:”HTTP URI POST contains C2 Exfil”; sid:1; rev:1; flow:established,to_server; content:”Content-Type|3a 20|multipart/form-data|3b 20|boundary=——Boundary”; http_header; fast_pattern; content:”User-Agent|3a 20|”; http_header; distance:0; content:”Content-Length|3a 20|”; http_header; distance:0; 
content:”POST”; http_method; pcre:”/^/[a-z]{3}d{3}/.+?.[A-F0-9]{32}/d{1,3}//U”; pcre:”/^Hostx3ax20(?:d{1,3}.){3}d{1,3}$/mH”; content:!”Referer|3a|”; http_header; metadata:service http;) TrickBot alert tcp any any -> any any (msg:”HTTP URI GET/POST contains ‘/56evcxv’”; sid:1; rev:1; flow:established,to_server; content:”/56evcxv”; http_uri; fast_pattern:only; metadata:service http;) TrickBot alert icmp any any -> any any (msg:”ICMP traffic conatins ‘hanc’”; sid:1; rev:1; itype:8; icode:0; dsize:22; content:”hanc”; depth:4; fast_pattern; pcre:”/hanc[0-9a-f]{16}../i”; reference:url,labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/;) TrickBot alert tcp any any -> any any (msg:”HTTP Client Header contains POST with ‘host|3a 20|*.onion.link’ and ‘data=’”; sid:1; rev:1; flow:established,to_server; content:”POST”; nocase; http_method; content:”host|3a 20|”; http_header; content:”.onion.link”; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:”data=”; distance:0; within:5; metadata:service http;) TrickBot alert tcp any 80 -> any any (msg:”Non-Std TCP Client Traffic contains PowerView Script Download String”; sid:1; rev:1; flow:established,from_server; content:”PowerView.ps1″; content:”PSReflect/master/PSReflect.psm1″; fast_pattern:only; content:”function New-InMemoryModule”; metadata:service else-ports;) TrickBot alert tcp any any -> any 445 (msg:”Non-Std TCP Client SMB Traffic contains ‘44783m8uh77g818_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl’”; sid:1; rev:1; flow:established,to_server; content:”44783m8uh77g818_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl”; fast_pattern:only; metadata:service netbios-ssn,service and-ports;) TrickBot alert tcp any any -> any [80,443,8082] (msg:”Non-Std TCP Client Traffic contains ‘–aksgja8s8d8a8s97′”; sid:1; rev:1; flow:established,to_server; content:”–aksgja8s8d8a8s97″; fast_pattern:only; content:”name=|22|proclist|22|”; metadata:service else-ports;) TrickBot alert tcp any any -> any any 
(msg:”HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.0′”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|WinHTTP loader/1.0|0d 0a|”; http_header; fast_pattern:only; pcre:”//t(?:oler|able).png/U”; metadata:service http;) TrickBot alert tcp any any -> any [443,8082] (msg:”Non-Std TCP Client Traffic contains ‘_W<digits>.’”; sid:1; rev:1; flow:established,to_server; content:”_W”; fast_pattern:only; pcre:”/_Wd{6,8}./”; metadata:service else-ports;) TrickBot alert tcp any [443,447] -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘example.com’ (Hex)”; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:”|0b|example.com”; fast_pattern:only; content:”Global Security”; content:”IT Department”; pcre:”/(?:x09x00xc0xb9x3bx93x72xa3xf6xd2|x00xe2x08xffxfbx7bx53x76x3d)/”; metadata:service ssl,service and-ports;) TrickBot alert tcp any any -> any any+F57 (msg:”HTTP URI GET contains ‘/anchor’”; sid:1; rev:1; flow:established,to_server; content:”/anchor”; http_uri; fast_pattern:only; content:”GET”; nocase; http_method; pcre:”/^/anchor_?.{3}/[w_-]+.[A-F0-9]+/?$/U”; metadata:service http;) TrickBot alert udp any any <> any 53 (msg:”DNS Query/Response kostunivo com (UDP)”; sid:1; rev:1; content:”|09|kostunivo|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;) TrickBot alert udp any any <> any 53 (msg:”DNS Query/Response chishir com (UDP)”; sid:1; rev:1; content:”|07|chishir|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;) TrickBot alert udp any any <> any 53 (msg:”DNS Query/Response mangoclone com (UDP)”; sid:1; rev:1; content:”|0A|mangoclone|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;) GootLoader 
No signature available. August 4, 2022: Initial Version
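The pcre: options are the part of these signatures most easily damaged in transit (a lost backslash turns the literal "\?" of the MOUSEISLAND rule into a lazy quantifier) and the part worth unit-testing before the rules go into production. The Python below is an added example, not part of the CISA listing: it lifts the pcre option from the LokiBot '/fre.php' rule and the MOUSEISLAND '/assets/' rule above (with the regex escapes written out in full), converts Snort's '/pattern/flags' form into a compiled Python regex, and runs constructed sample URIs through it. Snort's buffer-selector modifiers (U, H, P and friends) have no Python equivalent, so the converter returns them separately and the caller supplies the right buffer; the URIs are made up for the test and are not observed traffic.

```python
from __future__ import annotations

import re

# pcre: options copied from the LokiBot '/fre.php' and MOUSEISLAND '/assets/'
# rules in the listing above, escapes written out in full.
LOKIBOT_FRE_PCRE = (
    r"/\/(?:alien|lokyd|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\/NW|wrk|job"
    r"|fived?|donemy|animationdkc|love|Masky|vd|lifetn|Ben)\/fre\.php$/iU"
)
MOUSEISLAND_PCRE = r"/\/assets\/[a-fA-F0-9\/]{8,80}\/[a-zA-Z0-9]{4,16}\?[a-z0-9]{3,6}=/U"

# Snort pcre modifiers that map onto Python re flags. Everything else (U, H, P,
# C, I, R, B, O ...) selects a buffer or a Snort-specific behaviour.
_PY_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def snort_pcre_to_python(option: str) -> tuple[re.Pattern, set[str]]:
    """Split a Snort pcre option ('/pattern/flags') into a compiled Python
    regex plus the set of Snort-only modifiers it carried, so the caller knows
    which buffer (URI, header, body) the pattern was written against."""
    if not option.startswith("/"):
        raise ValueError("Snort pcre options start with '/'")
    body, sep, mods = option[1:].rpartition("/")
    if not sep:
        raise ValueError("missing closing '/' in pcre option")
    flags = 0
    snort_only: set[str] = set()
    for m in mods:
        if m in _PY_FLAGS:
            flags |= _PY_FLAGS[m]
        else:
            snort_only.add(m)
    return re.compile(body, flags), snort_only


def uri_matches(option: str, uri: str) -> bool:
    """True when a 'U' (http_uri buffer) pcre option fires on a normalized
    request URI. Options aimed at other buffers are refused rather than run
    against the wrong data."""
    pattern, snort_only = snort_pcre_to_python(option)
    if "U" not in snort_only:
        raise ValueError("option is not an http_uri (U) pattern")
    return pattern.search(uri) is not None


# Constructed sample URIs (not observed traffic) with the expected verdicts.
SAMPLE_URIS = {
    "/loki/fre.php": True,
    "/scroll/NW/fre.php": True,
    "/loki/fre.php?x=1": False,  # '$' anchors the pattern at the end of the URI
    "/lokiz/fre.php": False,     # directory name not in the alternation
}


def run_samples(option: str, samples: dict) -> dict:
    """Return {uri: matched} for a table of sample URIs."""
    return {u: uri_matches(option, u) for u in samples}


if __name__ == "__main__":
    for uri, hit in run_samples(LOKIBOT_FRE_PCRE, SAMPLE_URIS).items():
        print(f"{'HIT ' if hit else 'miss'} {uri}")
```

Run the same harness against every rule you edit by hand; a pattern that matches nothing in your sample set is as much a bug as one that matches everything.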
The most lucrative form of cyber crime might not be the one you first expect. While ransomware gets global attention when it takes down vital services and cyber criminals get away with multi-million dollar ransom payments, there's another big cybersecurity issue that's costing the world more money, but remains an embarrassing secret for many, even though, according to the FBI, it has cost victims over $43 billion to date. Business email compromise (BEC) scams may lack the drama of hacking attacks, but it's possible to argue that they've become the biggest cybersecurity issue facing the world today. "Business email compromise is the number one cyber-crime, period – there is no sugarcoating it. It's an international, global problem with victims in over 90% of countries in the world – that's the scale we're operating at," says Ronnie Tokazowski, principal threat advisor at cybersecurity company Cofense. BEC attacks are built on using social engineering to trick victims into transferring a payment to cyber criminals. Often scammers will pose as a colleague, a client, your boss or a business partner to make their request seem legitimate. There are two main ways in which scammers attempt financial BEC frauds. The first is by sending emails from a spoofed account pretending to be someone you know, with a request to make a transfer. The other is more sophisticated, with attackers stealing usernames and passwords to break into legitimate email accounts and using those accounts to make their requests for funds. Sometimes this happens midway through a real conversation, which makes it seem even more plausible, in what's called a conversation-hijacking attack. In each case, the scammer asks for a payment to be made urgently.
Often, in order to hurry things along, they claim that the payment must be made quickly and that it also should be kept a secret, telling the potential victim that disclosing the transaction could put a business deal at risk. The payment, of course, is in reality sent to an account owned or controlled by the cyber criminals. By the time anyone notices something is wrong, it’s likely the scammers have withdrawn and made off with the money, either spending it or laundering it elsewhere. The sums transferred as part of BEC attacks can be in the hundreds of thousands of dollars. But they’re often not reported, because many businesses that fall victim don’t class it as a cybersecurity issue – and when it is reported, because money is involved, it gets reported to finance. “Business email compromise hasn’t gotten the attention it deserves as a potential attack because, for the longest time, it’s not been a security issue,” says Adenike Cosgrove, cybersecurity strategist at Proofpoint. “They’re not going to the security team, they’re going to the finance team – and it’s escalated to the CEO or CFO and then becomes a legal and financial issue, not a security issue,” she adds. Thus, unlike ransomware – which is often visible to everyone whenever there’s an attack, because of the significant and often long-lasting disruption to services that’s caused – BEC attacks don’t get much attention. Even the most basic BEC campaigns can rake in thousands of dollars. And all a scammer needs to start BEC campaigns is an email account and some targets to go after – and if you’re going to pose as the CEO of a particular company, that information is extremely easy to find by just using a search engine. “In many cases with BEC attacks, one of the biggest benefits with doing those attacks is there’s much less overhead from a business perspective than other types of cyberattacks,” says Crane Hassold, director of threat intelligence at Abnormal Security. 
“In a lot of cases, it’s basic research and then simply sending emails impersonating people, so the return on investment for BEC attacks is significantly higher than other types of cyberattacks,” he adds. In some cases, malware or phishing might be used to steal login credentials to take control of a legitimate account to exploit, but a lot of the time, it’s enough to just spoof the email of the boss or CEO that the scammer is pretending to be. “It’s really leveraging a human element, socially engineering people, and I think again we forget in cybersecurity that it really is a human problem – it’s a people problem,” says Cosgrove. That’s one of the things that makes BEC attacks so challenging – when the transaction is being made, it isn’t being made by a cyber criminal. The payment is being made by someone who thinks they’re doing the right thing with the information they’re being provided with. As a result, victims often feel shame and embarrassment that they’ve been tricked – and that makes them less willing to talk about the experience, even if doing so could help stop others making the same expensive error. “In order to address it, we actually have to take a step back and acknowledge there’s a lot of shame that goes into this,” says Tokazowski. “Because of the shame, many of them don’t want to come forward.” Another complicated element around BEC attacks is that, in some cases, the company that gets duped into transferring a payment has never itself actually been breached by cyber criminals – instead it is one of their clients, customers or business partners that have either been impersonated or have had their system breached. “At the end of the day, the company that is sending money, that is losing money, actually doesn’t have any control over that initial compromise which is, I think, one of the most concerning aspects of this whole trend,” says Hassold.
BEC attacks are easy to carry out but difficult to detect and stop – that’s why they’re so successful and why scammers are making such large amounts of money from attacks. And while it’s a major form of cyber crime, it isn’t really a technical problem, it’s a people problem – people with good intentions are tricked into transferring funds that they think are being requested for legitimate reasons. However, it isn’t a completely hopeless fight, because international cooperation has resulted in thousands of arrests of suspected members of BEC gangs, but because of how easy attacks are to carry out, the problem isn’t going to go away. If anything, with the rise of deepfakes, it could be about to get a lot worse. While there are measures that can be taken to help prevent accounts from being compromised to conduct attacks – like using multi-factor authentication – and policies that can be put in place to ensure that several people should be part of the process to authorise payments, one of the best things that can be done to help detect BEC attacks is raising awareness about the issue. And it’s vital that businesses provide a framework for staff – who worry that they may have been duped by a BEC attack – to come forward repercussion-free, so that incidents can be reported and acted upon to help people understand what they need to look out for. “We need to shift away from victim blaming,” says Cosgrove. “We want them to very quickly tell us if they see something that they think is suspicious, or if they did click on that link or send the data or wire the money. “We want them to very quickly tell us so that we can respond much more quickly – it’s not about victim blaming. It’s about having that additional source of intelligence,” she said.
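The article describes two BEC variants: a spoofed or lookalike sender impersonating someone the victim knows, and a genuinely compromised mailbox. The first variant leaves traces in the message headers that a mail gateway or SOC can check mechanically; the Python below is an added example, not from the article or any vendor quoted in it, showing four such checks (display-name impersonation of a known executive, a Reply-To that diverts replies elsewhere, a sender domain one or two edits away from the organisation's own, and the urgency-plus-secrecy wording the article describes) over two constructed messages. The organisation domain, the executive directory and both messages are made up for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation data (hypothetical): the internal mail domain and a
# directory of executives whose names attackers would impersonate.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URGENCY = ("urgent", "asap", "immediately", "today")
SECRECY = ("confidential", "keep this between us", "do not discuss", "discreet")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: bytes) -> list:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    findings = []

    # 1. Display-name impersonation: an executive's name on the wrong address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{name}' via {addr}")

    # 2. Reply-To routed to a domain other than the sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"reply-to mismatch: {reply}")

    # 3. Lookalike sender domain: within two edits of ours, but not ours.
    if from_dom and from_dom != ORG_DOMAIN and edit_distance(from_dom, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {from_dom}")

    # 4. The urgency-plus-secrecy pretext the article describes.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(w in text for w in URGENCY) and any(w in text for w in SECRECY):
        findings.append("urgency and secrecy pretext")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.office@gmail.com
To: accounts@example.com
Subject: Wire today
Content-Type: text/plain; charset=us-ascii

This is urgent and confidential, please wire the deposit today.
"""

LEGITIMATE = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 invoice
Content-Type: text/plain; charset=us-ascii

Please see the attached invoice for the usual monthly processing.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(raw))
```

The second variant in the article, a payment request sent from a genuinely compromised mailbox, passes all four checks by construction: the From address, domain and Reply-To are all real. That is why the process controls the article ends with (out-of-band verification of new payment details and more than one approver) matter more than any header heuristic.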
Actions for ZCS administrators to take today to mitigate malicious cyber activity:
• Patch all systems and prioritize patching known exploited vulnerabilities.
• Deploy detection signatures and hunt for indicators of compromise (IOCs).
• If ZCS was compromised, remediate malicious activity.
Updated November 10, 2022: This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) with contributions by the Federal Bureau of Investigation (FBI). CISA and the MS-ISAC are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. CVEs currently being exploited against ZCS include CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, CVE-2022-30333, and CVE-2022-37042. Cyber threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section of this CSA to help secure their organization's systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations who did not immediately update their ZCS instances upon patch release, or whose ZCS instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of this CSA. Organizations that detect potential compromise should apply the steps in the Incident Response section of this CSA.
Updated November 10, 2022: This CSA has been updated with additional IOCs. For a downloadable copy of the IOCs, see the associated Malware Analysis Reports (MARs). A PDF version of this report and the IOCs in STIX format are also available for download. CVE-2022-27924 is a high-severity vulnerability enabling an unauthenticated malicious actor to inject arbitrary memcache commands into a targeted ZCS instance and overwrite arbitrary cached entries. The actor can then steal ZCS email account credentials in cleartext form without any user interaction. With valid email account credentials in an organization not enforcing multifactor authentication (MFA), a malicious actor can use spear phishing, social engineering, and business email compromise (BEC) attacks against the compromised organization. Additionally, malicious actors could use the valid account credentials to open webshells and maintain persistent access. On March 11, 2022, researchers from SonarSource announced the discovery of this ZCS vulnerability. Zimbra issued fixes for releases 8.8.15 and 9.0 on May 10, 2022. Based on evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on August 4, 2022. Due to ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks. CVE-2022-27925 is a high-severity vulnerability in ZCS releases 8.8.15 and 9.0, whose mboximport functionality receives a ZIP archive and extracts the files it contains. An authenticated user can upload an archive whose entry names traverse outside the intended directory, and so write arbitrary files to the system.[1] On August 10, 2022, researchers from Volexity reported widespread exploitation (against over 1,000 ZCS instances) of CVE-2022-27925 in conjunction with CVE-2022-37042.[2] CISA added both CVEs to the Known Exploited Vulnerabilities Catalog on August 11, 2022.
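CVE-2022-27925 is an instance of the archive path-traversal ("zip slip") bug class: a member named with "../" components is joined onto the import directory and written wherever the resulting path lands. The Python below is an added illustration of that class and its fix; it is not Zimbra's code (the ZCS mboximport handler is Java and is not reproduced here). It builds a small archive containing one legitimate entry and one traversal entry, shows where a naive path join would write, and then extracts with a resolver that rejects any member escaping the destination. The archive contents are constructed for the example and carry no exploit payload.

```python
import io
import os
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed archive (not a real payload): one legitimate mailbox entry
    and one whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mailbox/Inbox/1.eml", "Subject: hello\n\nbody\n")
        zf.writestr("../../outside.txt", "would land outside the import directory\n")
    return buf.getvalue()


def naive_targets(archive: bytes, dest: str) -> list:
    """The bug class: trust the member name and join it onto dest. Returns the
    paths such code would write to; it deliberately writes nothing."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [os.path.normpath(os.path.join(dest, n)) for n in zf.namelist()]


def safe_member_path(dest: Path, name: str) -> Path:
    """Resolve a member name under dest, or raise ValueError if it escapes."""
    if name.startswith(("/", "\\")) or ":" in name.split("/", 1)[0]:
        raise ValueError(f"absolute or drive-qualified member: {name!r}")
    root = dest.resolve()
    target = (root / name).resolve()  # collapses '..' against the real path
    if target != root and root not in target.parents:
        raise ValueError(f"member escapes destination: {name!r}")
    return target


def extract_safe(archive: bytes, dest: str) -> tuple:
    """Extract only members that stay under dest; return (written, rejected)."""
    dest_path = Path(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            try:
                target = safe_member_path(dest_path, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo() -> dict:
    """Run both extractors against the sample archive in a scratch directory."""
    import tempfile

    archive = build_sample_archive()
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "import")
        os.mkdir(dest)
        escaped = [p for p in naive_targets(archive, dest)
                   if not p.startswith(dest + os.sep)]
        written, rejected = extract_safe(archive, dest)
        return {
            "naive_escapes": escaped,
            "written": written,
            "rejected": rejected,
            "inbox_exists": Path(dest, "mailbox/Inbox/1.eml").is_file(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practical points: extract into a fresh, empty directory so that a symlink planted earlier cannot redirect the resolved path, and treat a rejected member as a reason to discard the whole upload and log the account, not merely to skip that one entry.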
CVE-2022-37042 is an authentication bypass vulnerability that affects ZCS releases 8.8.15 and 9.0. CVE-2022-37042 could allow an unauthenticated malicious actor access to a vulnerable ZCS instance. According to Zimbra, CVE-2022-37042 is found in the MailboxImportServlet function.[3][4] Zimbra issued fixes in late July 2022. CVE-2022-30333 is a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX allowing a malicious actor to write to files during an extract (unpack) operation. A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email with a malicious RAR file. Upon email receipt, the ZCS server automatically extracts the RAR file to check it for spam or malware.[5] Any ZCS instance with unrar installed is vulnerable to CVE-2022-30333. Researchers from SonarSource shared details about this vulnerability in June 2022.[6] Zimbra made configuration changes to use the 7zip program instead of unrar.[7] CISA added CVE-2022-30333 to the Known Exploited Vulnerabilities Catalog on August 9, 2022. Based on industry reporting, a malicious cyber actor is selling a cross-site scripting (XSS) exploit kit for the ZCS vulnerability CVE-2022-30333. A Metasploit module is also available that creates a RAR file that can be emailed to a ZCS server to exploit CVE-2022-30333.[8] CVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients running releases before 8.8.15 patch 30 (update 1), which contain a cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files. Researchers from Volexity shared this vulnerability on February 3, 2022,[9] and Zimbra issued a fix on February 4, 2022.[10] CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on February 25, 2022.
DETECTION METHODS
Note: CISA and the MS-ISAC will update this section with additional IOCs and signatures as further information becomes available.
CISA recommends that administrators, especially at organizations that did not immediately update their ZCS instances upon patch release, hunt for malicious activity using the following third-party detection signatures.
IP Addresses:
62.113.255[.]70 (New September 27, 2022): Used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042.
185.112.83[.]77 (New September 27, 2022): Used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042.
207.148.76[.]235: A Cobalt Strike command and control (C2) server.
209.141.56[.]190 (New September 27, 2022).
Snort Signatures:
alert tcp any any -> any any (msg:"ZIMBRA: HTTP POST content data '.jsp' file"; sid:x; flow:established,to_server; content:"POST"; http_method; content:"|2f|service|2f|extension|2f|backup|2f|mboximport"; nocase; http_uri; content:"file|3a|"; nocase; http_client_body; content:"|2e|jsp"; http_client_body; fast_pattern; classtype:http-content; reference:cve,2022-27925; reference:cve,2022-37042;)
alert tcp any any -> any any (msg:"ZIMBRA: Client HTTP Header 'QIHU 360SE'"; sid:x; flow:established,to_server; content:"POST"; http_method; content:"|2f|service|2f|extension|2f|backup|2f|mboximport"; nocase; http_uri; content:"QIHU|20|360SE"; nocase; http_header; fast_pattern; classtype:http-header; reference:cve,2022-27925; reference:cve,2022-37042;)
alert tcp any any -> any any (msg:"ZIMBRA: HTTP GET URI for Zimbra Local Config"; sid:x; flow:established,to_server; content:"/public/jsp/runas.jsp?pwd=zim&i=/opt/zimbra/bin/zmlocalconfig|3a|-s"; http_uri; classtype:http-uri; reference:cve,2022-30333;)
Note: "sid:x" is a placeholder; assign each rule a SID from your local range before loading it. The first two rules match the mboximport path that the CVE-2022-27925 and CVE-2022-37042 descriptions above identify, so their CVE references point there; the third matches a request to a dropped runas.jsp webshell that reads the Zimbra local configuration.
CISA and the MS-ISAC recommend organizations upgrade to the latest ZCS releases as noted on Zimbra Security – News & Alerts and Zimbra Security Advisories. See Volexity's Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 for mitigation steps.
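Not every ZCS deployment has Snort in front of it, but the same three signatures and the IP list can be hunted retroactively in the proxy's access logs. The script below is an added example and not part of the CISA advisory. It assumes the nginx "combined" log format (check the log_format your proxy actually writes and adjust LOG_RE if it differs), flags POSTs to the mboximport path, the "QIHU 360SE" User-Agent, requests for the runas.jsp webshell and any hit from the advisory's IP list, and runs over a handful of constructed log lines.

```python
import re

# Indicators taken from the advisory's Detection Methods section.
ADVISORY_IPS = {"62.113.255.70", "185.112.83.77", "207.148.76.235", "209.141.56.190"}
MBOXIMPORT = "/service/extension/backup/mboximport"
RUNAS = "/public/jsp/runas.jsp"
SUSPECT_UA = "QIHU 360SE"

# nginx 'combined' format (assumed for the proxy in front of ZCS):
# ip - user [ts] "METHOD uri HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def hunt_line(line: str) -> list:
    """Return the indicator names that fire on one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line; count these separately in real use
    hits = []
    uri, ua, ip = m["uri"], m["ua"], m["ip"]
    path = uri.split("?", 1)[0].lower()
    if m["method"] == "POST" and path.startswith(MBOXIMPORT):
        hits.append("mboximport POST")  # CVE-2022-27925 / CVE-2022-37042 path
    if SUSPECT_UA.lower() in ua.lower():
        hits.append("QIHU 360SE user-agent")
    if path.startswith(RUNAS):
        hits.append("runas.jsp webshell access")
    if ip in ADVISORY_IPS:
        hits.append(f"advisory IP {ip}")
    return hits


def hunt(lines) -> dict:
    """Map 1-based line number -> indicators for every line that fired."""
    findings = {}
    for n, line in enumerate(lines, 1):
        hits = hunt_line(line)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample lines (not a real capture); the source IP on line 2 and
# the runas.jsp URI on line 3 are the ones the advisory lists.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Aug/2022:09:58:01 +0000] "GET /zimbra/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '62.113.255.70 - - [15/Aug/2022:10:12:33 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 401 12 "-" "QIHU 360SE"',
    '10.0.0.9 - - [16/Aug/2022:02:01:45 +0000] "GET /public/jsp/runas.jsp?pwd=zim&i=/opt/zimbra/bin/zmlocalconfig:-s HTTP/1.1" 200 4096 "-" "curl/7.68.0"',
    '203.0.113.7 - - [16/Aug/2022:02:03:10 +0000] "POST /service/soap/AuthRequest HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, hits in hunt(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

A 401 on the mboximport POST (line 2 of the sample) is not reassurance: CVE-2022-37042 bypasses the authentication that produced it, so treat any request to that path from an unexpected source as a hunt lead regardless of status code.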
Additionally, CISA and the MS-ISAC recommend organizations apply the following best practices to reduce risk of compromise: If an organization's systems have been compromised by active or recently active threat actors in their environment, CISA and the MS-ISAC recommend the following initial steps: See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and the MS-ISAC also encourage government network administrators to see CISA's Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide detailed operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. CISA and the MS-ISAC would like to thank Volexity and Secureworks for their contributions to this advisory. The information in this report is being provided "as is" for informational purposes only. CISA and the MS-ISAC do not provide any warranties of any kind regarding this information. CISA and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
Revisions:
August 16, 2022: Initial Version
August 22, 2022: Added Snort Signatures
August 23, 2022: Updated Detection Methods Snort Signatures
October 19, 2022: Added new Malware Analysis Report
November 10, 2022: Added new Malware Analysis Report
Actions to take today to mitigate cyber threats from ransomware:
• Prioritize remediating known exploited vulnerabilities.
• Train users to recognize and report phishing attempts.
• Enable and enforce multifactor authentication.

Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report: pdf, 999 kb
Download the YARA signature for Zeppelin: YARA Signature, .yar 125 kb
Download the IOCs: .stix 113 kb

Note: this advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service (RaaS). From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.

Zeppelin actors gain access to victim networks via RDP exploitation [T1133], exploiting SonicWall firewall vulnerabilities [T1190], and phishing campaigns [T1566]. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups [TA0007]. Zeppelin actors can deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader. [1]

Prior to encryption, Zeppelin actors exfiltrate [TA0010] sensitive company data files to sell or publish in the event the victim refuses to pay the ransom. Once the ransomware is executed, a randomized nine-digit hexadecimal number is appended to each encrypted file as a file extension, e.g., file.txt.txt.C59-E0C-929 [T1486]. A note file with a ransom note is left on compromised systems, frequently on the desktop (see Figure 1 below).
Figure 1: Sample Ransom Note
The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim's network, resulting in the creation of different IDs or file extensions for each instance of an attack; this results in the victim needing several unique decryption keys.
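As an added example (not code from the advisory or from the FBI/CISA), the two observations above can be turned into a small triage helper: it recognises the appended extension the advisory describes (a nine-digit hexadecimal ID written in the XXX-XXX-XXX form of the sample file.txt.txt.C59-E0C-929), groups encrypted files by that ID, and counts the distinct IDs, which is the number of separate decryption keys a recovery would need when the malware was run more than once. The file paths are constructed for this example, and the collapsing of a doubled original extension is an assumption drawn only from the advisory's one sample name.

```python
"""Added example, not part of the FBI/CISA advisory: find files carrying a
Zeppelin-style extension (nine hex digits as XXX-XXX-XXX appended after the
original extension) and group them by ID, since each separate execution wrote a
different ID and therefore needs its own decryption key. Paths are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Trailing ".C59-E0C-929" style ID; hex digits accepted in either case.
ZEPPELIN_EXT = re.compile(r"\.([0-9A-Fa-f]{3}-[0-9A-Fa-f]{3}-[0-9A-Fa-f]{3})$")


def zeppelin_id(path: str) -> Optional[str]:
    """The normalised (upper-case) Zeppelin ID carried by this path, or None."""
    m = ZEPPELIN_EXT.search(path)
    return m.group(1).upper() if m else None


def group_by_id(paths: List[str]) -> Dict[str, List[str]]:
    """Encrypted paths bucketed by the ID they carry; unaffected files are skipped."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        vid = zeppelin_id(p)
        if vid is not None:
            groups[vid].append(p)
    return dict(groups)


def keys_needed(paths: List[str]) -> int:
    """One decryption key per distinct ID, per the advisory's note on repeated runs."""
    return len(group_by_id(paths))


def original_name(path: str) -> str:
    """Strip the appended ID and, as in the advisory's sample file.txt.txt.C59-E0C-929,
    collapse a doubled original extension (file.txt.txt -> file.txt).
    Assumption: only an exact repeat is collapsed; other names are left intact."""
    m = ZEPPELIN_EXT.search(path)
    if not m:
        return path
    stem = path[: m.start()]
    head, *exts = stem.rsplit(".", 2)
    if len(exts) == 2 and exts[0] == exts[1]:
        return f"{head}.{exts[0]}"
    return stem


# Constructed listing: two runs of the ransomware (two IDs) plus a third ID in
# lower-case hex, alongside files that were not touched.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.xlsx.C59-E0C-929",
    r"C:\Users\alice\Documents\file.txt.txt.C59-E0C-929",
    r"C:\Shares\hr\policy.docx.docx.1A2-B3C-4D5",
    r"C:\Shares\hr\README.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\bob\notes.md.md.abc-DEF-012",
]

if __name__ == "__main__":
    for vid, files in group_by_id(SAMPLE_PATHS).items():
        print(vid, len(files), [original_name(f) for f in files])
    print("distinct IDs / keys needed:", keys_needed(SAMPLE_PATHS))
```

Run over a real file listing, the per-ID counts also show which shares or hosts each execution reached, which helps scope the recovery and decide which encrypted sample to submit with the information the FBI requests below.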
Zeppelin actors use the ATT&CK techniques listed in Table 2.

Table 2 (Technique Title | ID | Use)

Initial Access
Exploit External Remote Services | T1133 | Zeppelin actors exploit RDP to gain access to victim networks.
Exploit Public-Facing Application | T1190 | Zeppelin actors exploit vulnerabilities in internet-facing systems to gain access to systems.
Phishing | T1566 | Zeppelin actors have used phishing and spear phishing to gain access to victims' networks.

Execution
Malicious Link | T1204.001 | Zeppelin actors trick users to click a malicious link to execute malicious macros.
Malicious File Attachment | T1204.002 | Zeppelin actors trick users to click a malicious attachment disguised as advertisements to execute malicious macros.

Persistence
Modify System Process | T1543.003 | Zeppelin actors encrypt Windows Operating functions to preserve compromised system functions.

Impact
Data Encrypted for Impact | T1486 | Zeppelin actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

The FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Zeppelin ransomware:

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.

The information in this report is being provided "as is" for informational purposes only. CISA and the FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.

Revisions
August 11, 2022: Initial Version