Search
  • Avantia Threat Update

WANTED BY FBI - IRANIAN HACKERS EXPLOIT "WEAK" PASSWORDS TO BREACH SOFTWARE CO.

Updated: Apr 1, 2019


Iranian Cyber Criminal Hackers being hunted by FBI for 'breach'

This week, FBI announces a major software company breach by Iranian Hackers exploiting ‘weak’ passwords, a Dutch academic publisher is exposed, US sleep companies snooze on payment fraud, UK police face ransomware attack and Uber might be spying on us (again)*………….


This Past Week’s Top Dark Web Compromises*:

Top Source Hits: ID Theft Forums (99%) Top Compromise Type: Domain (99%) Top Industry: Construction & Engineering Top Employee Count: 11 - 50 Employees


This Past Week’s Top Targeted Industries*:

Consumer Electronics Hits: 485 | Targets: ASUS, Microsoft, SonicWall, Florida Power & Light Company

Computer Hardware Hits: 484 | Targets: ASUS, Microsoft, Apple, Cisco Systems Inc

Telecommunications Hits: 475 | Targets: ASUS, Huawei Technologies, Cisco Systems Inc, SWIFT, Verizon

Electronics Hits: 471 | Targets: ASUS, Apple

Consumer Electronics Hits: 467 | Targets: ASUS


This Past Week’s Top Threat Actors*:

Lazarus Group Hits: 210 | Targets: Sony Corp, South Korea, Cryptocurrency, United States, Poland

Hezbollah Hits: 15 | Targets: Israel, Syria, Lebanon, Iran, United States

Australian Signals Directorate Hits: 11 | Targets: Australia, Indonesia, Bambang Yudhoyono, Telecommunications, Operating system

Axiom Hacking Group Hits: 6 | Targets: Google, China, Fortune 500, South Korea, Anthem

Anonymous Venezuela Hits: 5 | Targets: Venezuela, United States, Petare, GNB, Cuba


This Past Week’s Top Malware Exploits*:

LockerGoga Hits: 93 | Targets: United States, Altran Technologies SA, Norway, Hexion, Norsk Hydro

Ursnif Hits: 25 | Targets: Japan, Banking, Italy, United Kingdom, Bulgaria

Wcry Hits: 22 | Targets: Boeing, Microsoft Windows, United Kingdom, Bitcoin, North Korea

NotPetya Hits: 22 | Targets: Ukraine, United Kingdom, Russia, A.P. Moller-Maersk, United States

Darkirc Hits: 17


IN OTHER NEWS:


Software giant Citrix is breached by Iranian Hackers exploiting ‘weak’ passwords*.

The company said it was informed by the FBI on March 6 that its systems had been breached by “international cyber criminals.” Citrix has launched a forensic investigation and it has taken action to secure its network. Citrix’s investigation so far suggests that the attackers may have accessed and downloaded some business documents, but it has yet to determine exactly which documents may have been stolen. “While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying. (Password Spraying refers to the attack method that takes a large number of usernames and loops them with a single password. ... This method avoids password lockouts, and it is often more effective at uncovering weak passwords) Once they gained a foothold with limited access, they worked to circumvent additional layers of security,” stated Citrix CISO Stan Black. A cybersecurity firm named Resecurity claims the attack was carried out by an Iran-linked group tracked as IRIDIUM, which reportedly hit over 200 organizations, including government agencies, tech firms, and oil and gas companies. Resecurity said in a blog post it had alerted Citrix of an attack on December 28. The company believes the intrusion resulted in at least 6 terabytes of data getting stolen from Citrix, including emails and files associated with project management and procurement. “The incident has been identified as a part of a sophisticated cyberespionage campaign supported by nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy,” Resecurity said. “The arsenal of IRIDIUM includes proprietary techniques allowing to bypass 2FA authorization for critical applications and services for further unauthorized access to VPN (Virtual Private Networks) channels and SSO (Single Sign-On),” the firm added. Resecurity representatives told NBC News that the attackers may have been lurking inside Citrix’s network for the past 10 years. A recent article from The Wall Street Journal on attacks carried out by Iranian hackers cited Resecurity saying that Citrix had been hit by Iranian hackers. However, in a statement the software giant claimed that a single employee account was compromised in 2018 and that the hacker only gained access to an old version of a list containing Citrix employee contact information. Citrix claimed at the time that it had found no evidence that any other accounts had been compromised or that the attack may have been the work of a state-sponsored actor. Resecurity has stated that the recent attack on Australia’s political parties and parliament was also the work of Iranian hackers. The Australian government has not pointed the finger at anyone, but it did say the attack was apparently carried out by a “sophisticated state actor.” However, sources close to the investigation told The Sydney Morning Herald that the prime suspect was actually China. Kaspersky’s Costin Raiu pointed to some inconsistencies in Resecurity’s claims -- the company said the hackers may have had access to Citrix systems for the past ten years, but also told NBC News that Citrix came under attack twice, once in December and “again on March 4”. Citrix also suffered a breach back in 2015, but the company claimed at the time that the hacker had not accessed any customer or sensitive corporate data.


ioT Security meets Healthcare (ioMT)*:

The Internet of Medical Things (IoMT) — networked medical devices and applications in healthcare IT — has forever changed the future strategies for healthcare organisations and the space as a whole. It’s added an entirely new layer of possible benefits affecting diagnostics, treatments and general patient health management while lowering cost in the process. All of this was on full display earlier this month at the annual HIMSS (Healthcare Information and Management Systems Society) Conference in Orlando, Florida USA. But there’s a big caveat for all the good IoMT can offer. Like in any environment, more connected devices means a larger attack surface. I’s been proven time and again that security breaches are a significant challenge for healthcare organizations, resulting in major fallout. Security is not optional. Healthcare providers are beginning to experience higher scrutiny with the prevalence of cyber attacks on healthcare organizations. WannaCry ransomware did significant damage in 2017. Both management systems and medical devices were directly infected, interrupting healthcare services and placing patients at risk. Britain’s National Health Service (NHS) experienced the worst of it, at one point resorting to good old pen and paper. According to reports, the attack cost the NHS almost £100 million and the cancellation of 19,000 appointments. The interesting part is that it wasn’t even the direct target of the attack. Locking down NHS systems was just collateral damage. Imagine if it had been done with intent and precision. The incident prompted medical device manufacturers to release security advisories. The FDA in the U.S. also provided its own recommendations. But companies are not obligated to follow them as they are guidelines and not legal mandates. Due to the lack of legal consequences, many manufacturers are not incentivized to add provisions about medical device security in their contracts. Ultimately, healthcare providers using these medical devices are placed in a compromising position, dealing with the aftermath of breaches and cyber attacks due to the general poor risk management. But where do these issues stem from? Healthcare organizations believe that most of their security woes come from the flaws in legacy devices more than their implementations — a debatable topic. But digital technology does become old fast, unlike its hardware counterparts, leading to risk for both healthcare providers and patients as updates are slow to roll out and inconvenient to implement over time. Additionally, manufacturers don’t allow customers to troubleshoot or patch devices, sometimes voiding warranties if customers do. Add this to devices often lacking encryption and the use of hard-coded credentials, and you have a recipe for potential disaster that is only made worse by generally lax security controls in the healthcare space. Beyond manufacturer-related security issues, organizational lapses can also negatively affect security. Gaps in security ownership, coupled with poor asset and inventory visibility, actually lead to the greatest risk of a breach, according to a recent KLAS/ CHIME benchmarking report. The key to nipping the issue in the bud is to establish a centralized security strategy to anticipate and prevent potential threats, and bridge any gaps across operations. At the core of this effort should rest a robust technology stack that helps manage data, privacy and orchestration of all connected devices and related data. Going back to basics is important. You can’t improve on a system that’s already broken. The importance of ensuring IT deployments experience near 100 percent uptime, are protected against security threats, and are set up to be scalable cannot be overstated. How do you do this? It’s about the efficient use of data. The very same data being generated by IoMT devices can be used for monitoring, creating baselines and generally providing a better window into a healthcare organization’s IT setup. With a clearer view into the inner IT workings of a healthcare organization, patient outcomes can improve, fraud can be curbed by noticing anomalous behaviour and even billing errors can be avoided with the monitoring of HL7 data transactions. New technology like IoMT in any space is always a double-edged sword. But the onus is not on manufacturers alone. It’s up to healthcare organizations to take the initiative to manage and secure their environments.


The top cybercrime and state-sponsored infections in today malware landscape are the weaponized Microsoft Office documents delivered via Email*.

The top cybercrime and state-sponsored hackers cyber infections in today malware landscape are the weaponized Microsoft Office documents delivered via email. The second is the abusing of Microsoft protocols. It has been revealed by Yoroi-Cybaze Cyber Security experts, who analyzed some samples of the last cyber attacks with this technique. The reason of this cybercrime “love” for the weaponized email is simple. Very often, macro malware does not rely on most-expensive-to-deploy-exploit, and could bypass end-point security solutions (macro are often whitelisted in an enterprise environment) due to extensive use of multi-layered obfuscation mainly in powershell, broadly speaking with a very low barrier-to-entry. Furthermore, APTs Office documents with macros rely on simple social engineering tricks to lure users to enable them.

According to Yoroi, several APTs today are using spear-phishing Email with weaponized office document as an attachment. Just to name a few, OilRIG APT have used Bonds Updated in a campaign. In 2017 it targeted a different Middle Eastern Governmental Organization with a malicious macro that download a 2-stage powershell. A similar vector was used in a recent APT28 campaign targeting individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The attackers didn’t use any zero-day vulnerabilities in this campaign, instead, they relied on weaponized Office documents used to deliver a new variant of the Seduploader. Also TURLA APT use weaponized document in their recent campaigns to deliver KopiLuwak with a heavily obfuscated ( Obfuscation is the obscuring of the intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language.) Javascript payload. This sample show a high level of obfuscation to defeat AV and does not use any exploit.


The Huawei issue explained*:

It's the world's No. 1 telecom supplier and No. 2 smartphone maker. Yet it's a pariah in several countries, including the US, to the point that the FBI reportedly set up a sting in 2019. The Chinese telecom giant may have run into its biggest trouble yet in late January when the US Justice Department unsealed indictments that included 23 counts pertaining to the theft of intellectual property, obstruction of justice and fraud related to its alleged evasion of US sanctions against Iran. But the core issue with Huawei has been concerns over its coziness with the Chinese government and fears that its equipment could be used to spy on other countries and companies. It's the reason why the US banned companies from using Huawei networking equipment in 2012. Over the last few months, there has been an upswing of scrutiny on Huawei, with a number of countries banning the use of its networking equipment. That's why its smartphones are virtually invisible in the US despite its massive presence around the world. Huawei, for its part, has long denied any wrongdoing and continues to maintain its innocence through the recent charges. It can be tough to keep pace with the sheer number of headlines, so let's put what's happened over the past year in a handy timeline.


Jan. 9, 2018: At the Consumer Electronics Show, Huawei CEO Richard Yu addresses the loss of AT&T support.

Feb. 13, 2018: FBI Director Chris Wray warns against buying Huawei and ZTE phones.

March 22, 2018: Huawei loses Best Buy as retail partner.

May 2, 2018: The Pentagon bans the sale of Huawei and ZTE phones on US military bases.

June 6, 2018: A report reveals that Facebook gave Huawei special access to user data.

June 7, 2018: Congress calls out Google over its ties with Huawei.

July 11, 2018: Australia says it'll ban Huawei from 5G rollout amid security concerns.

July 19, 2018: Huawei crosses 100 million shipments mark for the year to date.

Aug. 1, 2018: Knocking off Apple, Huawei becomes the No. 2 phone seller.

Sept. 5, 2018: In a Senate hearing on Facebook and Twitter, Huawei and ZTE get called out.

Sept. 7, 2018: Huawei gets caught cheating on a phone benchmark test.

Oct. 18, 2018: Huawei tussles with US startup CNEX Labs over theft of technology.

Dec. 5, 2018: Britain's BT says it'll strip Huawei equipment from 4G network by 2021 and won't use it in 5G core.

Dec. 6, 2018: Huawei CFO Meng Wanzhou is arrested in Canada at the request of the US.

Dec. 7, 2018: Reuters reports that Japan will stop buying Huawei, ZTE equipment.

Dec. 12, 2018: A Canadian court grants Huawei's CFO $10 million bail.

Dec. 24, 2018: Huawei exceeds 200 million smartphone shipments.


Jan. 3, 2019: A report suggests that President Trump may use an executive order to ban Huawei and ZTE purchases.

Jan. 4, 2019: Senators introduce a bipartisan bill to address concerns about Chinese tech companies.

Jan. 8, 2019: Huawei fights to stay in the US with laptops and tablets at CES.

Jan. 11, 2019: In Poland, a Huawei employee gets arrested over alleged spying.

Jan. 14, 2019: Huawei sacks that arrested employee.

_________________________________________________________________________


THREAT FOCUS*: Oregon Department Of Human Service – USA

Exploit: Employee phishing scam Oregon DHS: State agency of Oregon

Risk to Small Business: 1.888 = Severe: Last Thursday, the Oregon DHS announced that it suffered a data breach after nine employees opened phishing emails and exposed their accounts to hackers. As a result, the social security and personal information of an undecided number of citizens could have been exposed. Along with having to inform the affected individuals, the state’s largest agency will be forced to upgrade security efforts and likely conduct cybersecurity training for employees.

Individual Risk: 2.571 = Moderate: The privacy breach could have included first and last names, addresses, DOBs, SSNs, and case numbers related to DHS programs. State residents should monitor their credit reports for possible payment fraud but will remain at risk

Customers Impacted: To be determined

Effect on Customers Business: In the wake of numerous phishing attacks resulting in privacy breaches, organizations storing personal information must take notice and begin protecting individuals. Employee phishing scams are entirely preventable with proper cybersecurity training, which can effectively mitigate the risk of breach. The case and ROI for phishing security solutions becomes intuitive when we consider the potential damages and costs

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS*: My Pillow & Amerisleep – USA

Exploit: Magecart attack on website checkout pages MyPillow and Amerisleep: Pillow and mattress companies in the U.S.

Risk to Small Business: 1.666 = Severe: After being targeted as early as 2017, both online retailers faced card skimming attacks. In this scheme, hackers will insert malicious code into website checkout pages and covertly swipe customer payment information. Although MyPillow discovered the first compromise almost immediately, it argued that the second attack did not result in the loss of information. On the other hand, Amerisleep has not responded to comments. Depending on what further investigations reveal, it is possible that the sleep companies will face hefty fines for their delay in responding as well as scrutiny from online shoppers.

Individual Risk: 2.428 = Severe As you can imagine, any information provided on a checkout page is up for grabs during a Magecart attack. This could include first and last names, addresses, credit card numbers, and more.

Customers Impacted: To be determined

Effect On Customers: Most recent Magecart attacks such as those on British Airways and Newegg were targeted towards larger firms, but now hacking groups are shifting their focus to small businesses. Skimming schemes are especially dangerous since they can be hard to trace, yet able to extract valuable customer information. Once cybercriminals can get their hands on such data, they will move to the Dark Web to make profits or conduct payment fraud.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS*: Canada Natural Health Services – CANADA

Exploit: Breach of medical records Natural Health Services: Largest referral network of medical cannabis users

Risk to Small Business: 1.555 = Severe: Between December 4, 2018, and January 7, 2019, attackers gained access to the electronic medical records (EMR) system containing personal health information. The company was forced to notify its B2B clients, which could result in turnover and a degradation of trust. Individual Risk: 2.142 = Severe Exposed information included patient’s personal information, medical diagnoses, and referral data. At the same time, no patient prescriptions, credit card information, or SSNs were involved.

Customers Impacted: To be determined

Effect On Customers: Organizations that store large amounts of personal data on behalf of B2B clients should be especially vigilant for cyber-attacks, given the amount of information at stake. In the event of such a breach, a security solution that employs a Dark Web monitoring tool can be crucial in determining if stolen information is trading hands between cybercriminals.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS*: Health Services Executive – IRELAND

Exploit: Unauthorized adtech National Service Executive: National health service website

Risk to Small Business: 1.888 = Severe: Webpage users are having their data “continuously and invisibly leaked to commercial actors,” including sensitive topics with health-related information. A study of adtech installed on public health service websites found that 73% of HSE landing pages contained ad trackers. Although organizations are not being held responsible for this type of data exposure, consumers are easily spooked. Because of the study and the looming threat of GDPR compliance fines, the HSE is in the process of redesigning its website.

Individual Risk: 2.428 = Severe Cookies placed on the website could be used to infer sensitive information about user health information. These companies can build profiles and sell them to third-party marketers, insurers, credit raters, and more. Nevertheless, this news only brings mid-level risk since the companies involved are typically not malicious in nature.

Customers Impacted: To be determined.

Effect On Customers: The business of leveraging customer data for precision marketing is coming under scrutiny, especially with the introduction of GDPR in Europe. As the public becomes more aware of how their data is being used, companies must adapt by implementing security solutions to protect their consumers.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS*: Group Of Italian Investors – ITALY

Exploit: Crypto fraud via social engineering Group of Italian Investors: Independent investors

Risk to Small Business: 2.444 = Severe: The Italian authorities recently arrested a computer expert who was able to exploit communication channels and false identities from the Dark Web to defraud crypto investors. The hacker posed as a representative of a reputable Swiss investment firm to earn the trust of the victims. Although no individual business faces risk, more crypto-related breaches may result in an eventual downturn in investments.

Individual Risk: 2.428 = Severe: Investors in the crypto market should be wary of such hacks, since crypto transactions are typically untraceable and irreversible. Nevertheless, personal and payment information is not at stake, so the individual risk of future breaches is not impacted.

Customers Impacted: Unknown

Effect On Customers: This incident is proof of how identities on the Dark Web can be leveraged by hackers to conduct payment fraud via social engineering. To stop such exploits from occurring in the first place, companies must protect employees and customers by investing in security solutions that can guard against phishing and privacy-related attacks.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS*: Elsevier Publishing – HOLLAND

Exploit: Server misconfiguration Elsevier: Scholarly paper publisher and analytics company

Risk to Small Business: 2.111 = Severe: Login credentials for users were exposed after the company’s servers were misconfigured, affecting students and teachers at universities across the world. Since it was a human error attack, Elsevier was able to secure the leaky server quickly and is issuing password reset links to users. Like other B2B breaches, such an exposure is certainly bad for business and can result in the loss of clientele.

Individual Risk: 2.714 = Moderate: User email addresses and passwords may have been compromised, which could jeopardize other accounts where the same passwords are used. Those affected should change their passwords across all accounts immediately.

Customers Impacted: To be determined

Effect On Customers: Organizational data can be leveraged by hackers and put up for sale on the Dark Web or used to conduct payment fraud. With the knowledge that cybercriminals are looking for targets with limited security controls and valuable data, small businesses need to work with security providers to protect themselves and their customers.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS*: Uber Car Share – AUSTRALIA

Exploit: Spyware Uber: Transportation network company headquartered in San Francisco. Risk to Small Business: 2 = Severe: A rogue employee deployed a “secret spyware program” to help Uber get a competitive advantage against local businesses in Australian markets. Dubbed Surfcam, the software was developed in 2015 and scraped driver and vehicle data. The company spokesperson is denying any claims, but this is now the second time Surfcam has been mentioned after similar allegations were made in Singapore.

Individual Risk: 3 = Moderate: Although the spyware program is likely using rider data to optimize marketing efforts on behalf of Uber, it can have serious consequences for competitors and consumers in the long run. At the same time, users do not face immediate threat.

Customers Impacted: Unknown

Effect On Customers: The improper use of data is making headlines across the world, and companies must do everything they can to avoid being involved. The stewardship of personal and payment information should be at utmost importance for small businesses and can be accomplished by partnering with the right security solution.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


POSTSCRIPT*:


Why small businesses struggle with cybersecurity best practices

A recent report unveiled that almost 70% of companies have cybersecurity best practices in place but neglect to take the necessary steps for securing their business. The new study by ESET and Kingston Digital that surveyed 500 British business leaders also found that 44% do not even secure devices with anti-virus software, exposing themselves to cyber threats and GDPR fines.

The reason? A disconnect between the procurement teams responsible for providing equipment, IT teams who implement guidelines, and employees who follow them. To shift the paradigm, security professionals must work closely with other departments to avoid silos and use the right tools to ensure employee adherence.

Phishing continues to be a top exploit for small business breaches, and companies should take notice. Of the 360,000 spear phishing email attacks examined over a three-month period, the most common types were brand impersonation (83%) and business email compromise (11%). Such breaches can be leveraged to steal payment and personal information.



*Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.

Subscribe below to receive our weekly Threat Updates straight to your inbox.

Call (07) 3010 9711 

info@avantiacorp.com.au

 

Avantia Corporate Services Pty Ltd,                    Level 7, 320 Adelaide Street

Brisbane, Queensland 4000

AUSTRALIA.

  • LinkedIn Social Icon
  • Facebook Social Icon

DISCLAIMER*: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach and cybersecurity information to us in real-time. Given their international focus and experience in the cyberspace arena, we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the content's accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.

*COPYRIGHT 2020* Avantia Corporate Services  PTY LTD - All Rights Reserved.

© 2020 by Avantia CORPORATE SERVICES . All Rights Reserved.