Avantia Threat Update
CHINA CALLED OUT.......
This week, Chinese hackers working for Chinese Government called out, illegal drug trade vs cyber crime. Big W fumbles & “gone phishing” in the holidays………..
Top Dark Web Compromises this past week*:
Top Source Hits: Social Media (57%) Top Compromise Type: Email Top Industry: Medical / Healthcare Top Employee Count: 11-50 employees (47%)
Top Targeted Industries this past week*:
Information Technology Hits: 268 | Targets: Yahoo, HP, IBM Corporation, Twitter, Google
Software Hits: 225 | Targets: Yahoo, IBM Corporation, Twitter, Google, Facebook
Cybersecurity Hits: 102 | Targets: HP, IBM Corporation, Proofpoint, Inc.
Consumer Goods Hits: 94 | Targets: Caribou Coffee, Marriott International, Starwood Hotels & Resorts Worldwide, Sony Corp, Huawei Technologies
Consumer ElectronicsHits: 92 | Targets: HP, Hewlett Packard Enterprise Co., Microsoft, Eastman Kodak
Top Threat Actors this past week*:
Hezbollah Hits: 43 | Targets: Israel, Lebanon, Iran, Syria, United States
Ministry of State Security (China) Hits: 42 | Targets: HP, Australia, United States, Marriott International, IBM Corporation
APT34 OilRig Hits: 33 | Targets: Saudi Arabia, United States, Microsoft IIS, Middle Eastern government, Petroleum
APT28 Fancy Bear Hits: 26 | Targets: Democratic National Convention, Democratic National Committee, United States, Germany, United States Senate
APT10 Stone Panda Hits: 16 | Targets: Japan, United States, Manufacturing, India, Germany
Top Malware discoveries this past week*:
NotPetya Hits: 17 | Targets: Ukraine, United Kingdom, Russia, A.P. Moller-Maersk, United States
Shamoon Wiper Hits: 12 | Targets: Saudi Arabia, Saudi Aramco, Italy, Europe, Sony Corp
Mirai Hits: 10 | Targets: Internet of Things, Dynamic Network Services, Inc (Dyn), Deutsche Telekom, Germany, United States
Wcry Hits: 8 | Targets: Boeing, Microsoft Windows, United Kingdom, Bitcoin, North Korea
Webalta Hits: 7 | Targets: Google
IN OTHER NEWS:
CHINA CALLED OUT FOR CYBER CRIME*: Australia has called on China to respect international commitments on cybercrime after the US and UK revealed an alleged plot by a hacking group backed by state intelligence to steal intellectual property from the west on an industrial scale. On Friday Australia’s national cyber security adviser and the head of the Australian Cyber Security Centre, Alastair MacGibbon, described the hacking as “a global campaign” which had affected Australian companies. “It’s audacious, it is huge and it impacts potentially thousands of businesses globally,” he said.
Two Chinese nationals have been charged in the US over their alleged membership of a hacking group operating in China known in global intelligence circles as Advanced Persistent Threat 10, or APT10. The group, acting on behalf of the Chinese Ministry of State Security, is accused of targeting companies and government agencies in at least a dozen countries and trying to access intellectual property and other sensitive business information. A US indictment unsealed on Thursday in unison with a series of British statements accused the hackers of obtaining unauthorised access to the computers of at least 45 entities, including commercial and defence technology companies and US government agencies such as Nasa and the US navy. The hackers had focused on large managed service providers (MSPs) – companies that manage IT services and infrastructure for medium-to-large businesses and organisations – including in Australia. The US deputy attorney general, Rod Rosenstein, called the alleged hacking “outright cheating and theft”. He said the hacked data gave China an unfair advantage at the expense of businesses and countries that followed international law. Rosenstein said the threats posed by the hacking operation, which dates back to 2006, had never been more severe or more pervasive, and were part of China’s ultimate goal to replace the US as the world’s leading superpower. The US indictment said Zhu Hua and Zhang Shilong allegedly worked for a company that acted in association with the Chinese Ministry of State Security’s Tianjin state security bureau, the US Justice Department said.
MacGibbon said: “We know there are victims in Australia. We know that these MSPs as trusted providers for companies and governments all around the world have unique access [and] once they are compromised by this particular actor, APT10, working on behalf of the Chinese government, they can gain access to commercial secrets. “This isn’t about espionage, this is about stealing the unique aspects of an economy in order to advance another one’s. “It is global in scale and very significant.”
CYBERCRIME MORE LUCRATIVE THAN DRUG TRADE*: According to researchers, cybercrime is the world’s fastest growing criminal industry. This may come as a surprise to some, considering cybercrime in this comparison goes head to head with the infamous and profitable illegal drug trade. Cyber defence spending will increase as well, with the report predicting over $1 trillion in spending, internationally, on cybersecurity between 2017 and 2021 and keeping the cybersecurity unemployment rate around 0%.
ITS HOLIDAYS, LETS GO PHISHING*: We’ve all heard the proverb: “Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.” Well now, threat actors don’t even have to exert the effort to phish to land business email accounts. According to an alert published earlier this year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused US$12 Billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account.
These methods play out as follows:
1. Social engineering and email spoofing: Attackers will use social engineering to pose as a colleague or business partner and send fake requests for information or the transfer of funds. These emails can be quite convincing as the attacker makes a significant effort to identify an appropriate victim and register a fake domain, so that at first glance the email appears to belong to a colleague or supplier.
2. Account takeover: Here, attackers use information-stealing malware and key loggers to gain access to and hijack a corporate email account, which they then use to make fraudulent requests to colleagues, accounting departments and suppliers. They can also alter mailbox rules so that the victim’s email messages are forwarded to the attacker, or emails sent by the attacker are deleted from the list of sent emails.
These techniques have served threat actors well for quite some time. But now we are seeing new, more expeditious methods emerge to gain access to business email accounts. Compromised credentials (Usernames & Passwords) being offered on the Dark Web in criminal forums, exposed through third-party compromises (data breaches) , or vulnerable through misconfigured backups and file sharing services, make the opportunity to profit from BEC easier than ever. Email inboxes are also being used not just to request wire transfers, but to steal financially-sensitive information stored within these accounts or to request information from other employees. With declining barriers to entry for BEC, and more ways to monetize this type of fraud, we can expect the losses to continue to rise and perhaps even accelerate in the near term.
Here’s how these alternative methods work:
1. Paying for access. It’s common for accounts to be shared and sold across criminal forums, and the emails of finance departments and CEO/CFOs are no exception. It’s even possible to outsource this work to online actors who will acquire company credentials for a percentage of earnings or a set fee beginning as low as $150.
2. Getting lucky with previously compromised credentials. Individuals will often reuse passwords across multiple accounts. Research has detected more than 33,000 finance department email addresses exposed within a third-party data breach repository - 83 percent of which had passwords associated. With many email and password combinations of finance department email accounts already compromised, cybercriminals can get lucky.
3. Searching across misconfigured archives and file stores. Inboxes, particularly those of finance departments and CEO/CFOs, are replete with financially-sensitive information such as contract scans, purchase orders, and payroll and tax documents. This information can be used for fraud or re-sold on forums and marketplaces. Employees and contractors sometimes turn to easy, rather than secure, ways of archiving their emails. We identified that more than 12.5 million email archive files and 50,000 emails that contained “invoice”, “payment” or “purchase order” have been exposed due to unauthenticated or misconfigured file stores.
Regardless of the method attackers use to perform a BEC scam, these seven security measures can help to mitigate the risks.
1. Update your security awareness training content to include the BEC scenario. This should be a part of new hire training, but you should conduct ad-hoc training for this scenario now.
2. Build BEC into your contingency plans, just as you have built ransomware and destructive malware into your incident response/business continuity planning.
3. Work with your wire transfer application vendors to build in manual controls as well as multiple person authorizations to approve significant wire transfers.
4. Monitor for exposed credentials (Usernames/Passwords). This is crucial for your finance department email, but it’s important for all user accounts. Multifactor authentication will also increase the difficulty for attackers to perform account takeovers.
5. Conduct ongoing assessments of your executives’ digital footprints. You can start with using Google Alerts to track new web content related to them.
6. Prevent email archives from being publicly exposed. For services like Server Message Block (SMB), rsync and the File Transfer Protocol (FTP), use a strong, unique password and disable guest or anonymous access and firewall the port off from the Internet. If it needs to be on the Internet or without a password, then make sure you whitelist the IPs which are expressly permitted to access the resource.
7. Be aware of the risks of contractors who back up their emails on Network Attached Storage (NAS) devices. Users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default. Ideally, organizations should provide training on the risks of using home NAS drives, as well as offer backup solutions so that contractors and employees don’t feel the need to backup their devices at home.
BEC is becoming increasingly profitable for threat actors as organizations are making it easy for adversaries to gain access to the valuable information that sits within these inboxes. However, with the right combination of people, processes and technology, organizations can mitigate the risk.
BIG W, DROPS THE BALL*: A Big W worker accidentally leaked the personal information of 32 people earlier this year when repairing a printer for a customer, Office of the Australian Information Commissioner (OAIC) disclosure revealed.
The Woolworths-owned discount department store has admitted to an extraordinary instance of human error where an employee enclosed confidential information within a pile of test print-outs provided to a customer to show their printer was fixed. The document contained the names, addresses and a form of ID for over two-dozen people. “Woolworths was made aware that a member of the public had inadvertently been provided with a printed copy of an internal confidential document by Big W,” the OAIC disclosure reads. “The member of the public shared this document with [name redacted] who contacted Big W.” Woolworths said it has been unable to recover the information as the customer in question has not been willing to engage with Big W. Woolworths requested additional information about the data breach be kept confidential because “it contains information regarding BIG W’s business processes and identify and role of individuals involved”.
In a statement, a Big W spokesperson said it informed the affected customers of the breach in May, and notified the OAIC within the required time frame.
“We deeply regret this happened and have apologised to each customer personally,” the spokesperson said. “Following the event, we updated our store policies and team training on data protection across all BIG W stores so that an error like this will not occur in the future.” No financial information was compromised in the leak, but Andrew Bycroft, chief executive of the International Cyber Resilience Institute, says the breach showcases that information security is not just digital. “It’s more prevalent than we believe,” he says. “A lot of this goes unreported because it’s not considered a data breach.”
Bycroft says the prevalence of digital data breaches has resulted in information security being lumped in with digital technology in recent years, which is dangerous. “One of the common ones is people disposing of information in the garbage instead of shredding it. “The other one as well that tends to happen is people printing documents and reading them on the train — everyone has a smartphone these days,” he concluded.
THREAT FOCUS*: Boomoji - China
Exploit: Exposed database. Boomoji: A Chinese company that makes personalized animated avatar to be sent over text and other various apps. Risk to Small Business: 2.111 = Severe: Exposed databases can be very embarrassing for a company because there is no excuse for leaving the database where customer information is stored unsecured. Customers are unlikely to return to the service, and if they do could be hesitant to enter in credit card information or reveal more of their data because they figure it could be at risk as well. Individual Risk: 2.111 = Severe: Those affected by this breach are at an increased risk of phishing attacks. This is made a severe risk in this case because the exposed information included the contact books of the users who gave the app permission to access it. Customers Impacted: Over 5 million users.
Customer Impact: Not only is the exposed database embarrassing for the organization, but the company lied about the extent of the breach by stating the databases were for testing purposes only. Not being upfront about the breach can result in a further loss of trust in the company by the customer. Risk Levels: 1 - Extreme Risk 2 - Severe Risk 3 - Moderate Risk *The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.
THREAT FOCUS*: Cadastro de Pessoas Físicas Database - Brazil
Exploit: Exposed database. Cadastro de Pessoas Físicas (CFP) Database: CFP is a Brazilian national identifying number attributed by the Brazilian Federal Revenue, that must be issued before opening a bank account, creating a business, paying taxes, or getting a loan. Risk to Small Business: 1.777= Severe: The breach only contained user’s subscription status, but it is believed that this could be the first part of a more extreme breach. Because the bad actor knows if user’s subscriptions are active, inactive, or paused, they could send out spear-phishing emails about the subscriptions that would trick users into clicking. Individual Risk: 1.857= Severe: There is a significant amount of personal information that was exposed during this breach that would be highly useful to a bad actor wishing to engage in a spear phishing campaign. Customers Impacted: 120 million Brazilians. Customer Impact: The personal data of customers was exposed which would be highly damaging for any organization. In many countries, the organization would also face consequences from the government such as fines. Risk Levels: 1 - Extreme Risk 2 - Severe Risk 3 - Moderate Risk *The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.
CYBER CRIME AUSTRALIA – BY THE NUMBERS*:
For small businesses, the idea of being hit by a cyber attack is probably an unpleasant one, and most SME owners would by now be aware of the risks associated with being a victim of digital crime. And while you might know topline statistics about Australia’s cybercrime landscape — such as the fact it costs the economy over $1 billion each year — you might not know some of the scarier and more worrying stats. To help you get a sense of it, we’ve collated some of the most shocking statistics from reports on how Australia’s small to medium businesses approach cyber security. Check them out below.
Cyber security by the numbers:
· 516,380 — the number of Australian small businesses that fell victim to cyber crime in 2017, according to Norton.
· $4677 — the average amount the majority of SMEs would have to pay to free their data from ransomware.
· 25 hours or more — the amount of downtime one in four businesses hit by cyber attacks suffer.
· $1.9 million — the average cost to a medium sized business if hit by a cyber attack.
· One third — the number of SMEs who say they continuously back up their systems’ data.
· One — the number of staff members that hackers need to dupe in order to gain access to your business’ data
What you need to know about Australia’s 3 most common Cyber Threats
· 63 — the number of data breaches the Office of the Information Commissioner was notified about in the first six weeks of mandatory data breach reporting.
· 1,800,000 — the number of dollars you might have to cough up if you don’t comply with the mandatory data breach laws
· $8,429 — the price of one Bitcoin (at the moment). Businesses often require the digital currency to send to hackers as a ransom payment.
· 30 — the number of gigabytes of sensitive Department of Defence data lost by a small “mum and dad” business in a 2016 data breach
· $14 million — the amount in compensation offered to users of Ashley Madison after the adultery site’s famous 2015 data breach.
· Three — the number of really weirdly named ransomware attacks that devastated global businesses in 2017.
* Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.