Some
cybersecurity best practices and guidance for Internet of Things (IoT) device
manufacturers are now available from NIST’s
Cybersecurity for IoT Program:

• NISTIR 8259A, IoT Device
  Cybersecurity Capability Core Baseline, identifies a core
  baseline of IoT device cybersecurity capabilities for manufacturers — i.e.
  device capabilities generally needed to support common cybersecurity
  controls.
• NISTIR 8259, Foundational
  Cybersecurity Activities for IoT Device Manufacturers, provides
  specific recommended activities to help manufacturers address customer
  needs for IoT cybersecurity in their product development processes.

More information

NISTIR
8259 details
https://csrc.nist.gov/publications/detail/nistir/8259/final

NISTIR
8259A details
https://csrc.nist.gov/publications/detail/nistir/8259a/final

NIST
Cybersecurity Insights blog: “More than just a milestone in the Botnet Roadmap
towards more securable IoT devices”
https://www.nist.gov/blogs/cybersecurity-insights/more-just-milestone-botnet-roadmap-towards-more-securable-iot-devices

NIST’s
Cybersecurity for IoT Program:
https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program

   Researchers at Proofpoint have discovered a phishing campaign targeting companies within the United States’ utility sector. This campaign makes use of malicious documents to upload a remote access trojan (RAT) to the target’s system.

    In July 2019, researchers observed the use of a new RAT, called FlowCloud, as part of a spear-phishing campaign targeting the U.S. energy sector. This RAT was able to access the mouse, keyboard, screen, and running services, and exfiltrate that information to a command-and-control (C2) provider. To make themselves more convincing, attackers used emails disguised as training information with subject lines relating to free trials of energy educational courses. Content of the emails also impersonated the authentic American Society of Civil Engineers and masqueraded as coming from the organization’s domain.

    Early in the campaign, the threat actors used portable executable (PE) attachments to distribute us Microsoft Word documents. Researchers then started to notice some similarities bthe malware. However, in November 2019, the threat actors shifted from PE attachments to malicioetween FlowCloud and another malware campaign, LookBack. Both FlowCloud and LookBack targeted the United States’ utility sector. Both used malicious Word documents, and as of November 2019, both used the same IP addresses for staging and surveillance. Also, similar attachment macros, installation techniques, and infrastructure confirmed to researchers that FlowCloud and LookBack are related. Proofpoint was able to determine that both campaigns, which started around the same time, are linked to the advanced persistent threat (APT) group TA410. Also, Proofpoint researchers have found similarities between TA410 and APT10, the latter being a known Chinese espionage group. However, the researchers believe that the similarities may be intentional and that “the reuse of well-publicized APT10 techniques and infrastructure may be an attempt by threat actors to create a false flag.” TA410 is currently tracked independently of APT10. Proofpoint states that both malware families demonstrate a high level of sophistication in their development and presentation. Not much is known about the impact that these campaigns have had on the energy sector.

    As demonstrated by the FlowCloud and LookBack malware campaigns, the TA410 operators demonstrate a willingness to adapt and target their phishing tactics to increase the effectiveness of each campaign. Targeted phishing emails can be hard to spot, which is why, in addition to implementing proper security  systems and protocols, employee training is so necessary. Phishing attacks are still the most common way for attackers to enter an organization’s network. Educating end-users can go a long way in preventing an organization from becoming a victim of one of these attacks.

Sources

• https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new 

•  https://threatpost.com/espionage-group-utilities-spy-tool/156425/

    The modern workplace involves a great amount of collaboration between team members and the generation of electronic documents for various purposes.  However, sharing these documents in a secure manner, especially with remote employees, has always been a troublesome issue. Citrix ShareFile is an application designed to solve that problem, but it was recently revealed that vulnerabilities in the application could lead to sharing files with more than just teammates
and other authorized personnel.

    Citrix ShareFile is a collaboration and file sharing tool designed to allow employees to securely exchange proprietary and sensitive business data. This could include product designs, financial data, security information, and much more. Citrix offers two ways to use ShareFile: Citrix hosted cloud storage or an on premises secure cloud instance that the customer manages. The storage can be split up into buckets, called storage zones, that are managed by one or more storage zone controllers.

    Multiple vulnerabilities were disclosed by Citrix in the storage zone controllers which could allow an unauthenticated attacker access to all of the files and documents managed by that controller. While the technical details on the vulnerabilities have not been released yet, they have been classified as CVE-2020-7473, CVE-2020-8982, and CVE-2020-8983.

    These vulnerabilities affect versions 5.9.0/5.8.0/5.7.0/5.6.0/5.5.0 and earlier. Companies that use the Citrix-hosted instances of ShareFile do not need to do anything to correct the issue as Citrix has already updated their storage zone controllers and storage zones. However, customer-managed storage zone controllers will need to be updated to 5.10.0+ or the x.x.1+ version of each of the
sub versions listed above. There is a caveat: any storage zones created by a storage zone controller running a vulnerable version will still have the vulnerability even if the controller is updated. Citrix released a mitigation tool that needs to be used on the storage zone controllers handling the affected zones, as well as instructions on how to do so.

    The modern workplace relies on electronic data sharing and collaboration, especially in today’s COVID-19 environment. While Citrix has tried to get ahead of these vulnerabilities, who knows if anyone has been exploiting these flaws before now. While data in storage and transmission will always be a spotlight area in cybersecurity, remember that things are not always as secure as they may seem.

Sources:
https://thehackernews.com/2020/05/citrix-sharefile-vulnerability.html

https://support.citrix.com/article/CTX269106

    The dark web is not the only place to find dark things. As we’ve shown in the past, there are plenty of criminals operating on the clear web, often in places more open than you’d expect. This week,  researchers from threat intelligence firm KELA released a report on a marketplace called MagBo.

    This particular site specializes in selling remote access to products such as compromised servers. If you’ve ever heard of xDedic, the popular shop for RDP access to compromised servers (until last year), you might think MagBo is doing the same thing. But the KELA researchers found that marketplaces have evolved beyond simply selling credentials or sitting around waiting for buyers.
MagBo, and other sites like it, are being calling Remote Access Markets (RAM).

    Products range from bulk credentials, to fully compromised networks, and the marketplace itself is streamlining operations.  In order to maximize profits, marketplaces have shifted to automated
sales platforms, allowing buyers to get what they need quickly and giving the sellers more opportunity for higher sales volumes.
  
    These shifts in marketplace dynamics are not unique to MagBo, but something else is. It’s very easy to start a marketplace, but incredibly difficult to make it successful- regardless of whether you’re on the dark web or the clear web. So why did MagBo take off? Researchers noted that most marketplaces obfuscate the target of their products in order to prevent competitors from stealing their own access, but not MagBo. They list everything in the clear. This allows the buyer to know what they are paying for and likely leads to a quicker sale. That level of transparency also allowed researchers greater insight into MagBo’s products.

    Writers from ZDNet found listings for everything from small business web pages to government portals. Access is sold for targets across all major industries and the site’s offerings are growing by the day. KELA estimates “between 200 and 400 new sites are being added on a daily basis, with around 200 being sold off.” In its roughly two years of operation, MagBo has grown to include “over 28,000 servers totaling around $700,000 worth of goods.” KELA was further able to identify 43,000 unique hostnames from historical data and they estimate around 150,000 unique websites have been offered for sale throughout MagBo’s operation. Web shells are the most popular product available and “190 different threat actors currently have active listings on the market.”

    So how do you find out if access to your organization is for sale on MagBo? That depends on who you know. It’s an invitation only marketplace, which means you either have to know someone on the in-side or find someone that is selling an invite. The best thing you can do is make sure you are following security best practices, because with all of this visibility, MagBo may not last much longer and it’s just a matter of time before another marketplace takes its place.

Sources:
  https://www.zdnet.com/article/a-cybercrime-store-is-selling-access-to-more-than-43000-hacked-servers/

https://ke-la.com/access-as-a-service-remote-access-markets-in-the-cybercrime-underground/

    Researchers at Cybereason, a cybersecurity firm based in Boston, MA, have exposed a novel banking trojan attacking
Android mobile devices dubbed
Eventbot. The Eventbot malware was
developed with original code from the
ground up and is significantly different
from all previously known Android malware code. The originality of the malware and its rapid development process,
releasing a new version every few days,
suggests that the actors behind its development are highly sophisticated and determined to make Eventbot a capable
piece of malware.

    Recent updates to the
malware have included the ability to perform dynamic library loading, enhanced
encryption schemes, and adjustments to
different locales and device manufacturers.
The Eventbot malware abuses Androids
accessibility features to harvest sensitive
information from the device such as keystrokes, PINs, and SMS messages.

    The
Accessibility Services are typically used to
help users with disabilities by giving them
a meaningful way to interact with the
device. Accessibility Services can process
the information on the screen and present it to the end-user in formats that are
more digestible but also, has the ability
to write input into fields, auto-generate
permissions on the device, perform
screen gestures and more.

    The SMS message harvesting feature of the Trojan allows it to bypass two-factor authentication often employed by legitimate banking apps to verify the identity of mobile
users by abusing the accessibility feature
which can write input from the screen
into a form field. The malware itself masquerades as a legitimate Android app, and
once installed it is designed to siphon off
credentials for over 200 banking and cryptocurrency sites. Banking apps such as
PayPal, HSBC, Capital One are a few of the
many apps at risk from Eventbot’s data
harvesting and two-factor bypass features.

    Mobile malware targeting financial apps
has become a significant risk to consumers
and businesses alike and must be considered when mobile banking is the third
most popular activity performed on mobile devices, right behind logging into social media apps and checking the weather.
Furthermore, over 60% of devices accessing or containing enterprise data are now
mobile devices, meaning if an attacker
gains access to a mobile device, the consequences for business can be catastrophic.
With the wealth of sensitive activities now
being performed on mobile devices, most
of which having little or no end-point protections installed beyond the basic app
store verification, these attacks will only
become more common.

    It is now estimated that over a third of all malware is designed to target mobile devices, this poses
significant challenges for consumers, let
alone organizations that allow bring-your own-devices.

Sources:

• https://www.finextra.com/pressarticle/82346/new-android-banking-trojan-affects-200-financial-apps

• https://techcrunch.com/2020/04/29/eventbot-android-malware-banking/ 

Apple always took a firm stance on user security and reliability when it comes
to their iPhone series. The iOS operating system is known as one of the most
secure operating systems in the market. However, 2 major vulnerabilities have
been recently discovered that have existed for years and are actively being exploited in the wild.

Researchers at security firm ZecOps were conducting a routine Digital Forensics
and Incident Response (DFIR) investigation when they ran into some abnormalities with some iPhones. This led to the discovery of 2 vulnerabilities in the default Apple Mail app – an out-of-bounds write and a heap-overflow. These vulnerabilities can lead to remote code execution and total takeover of the device.
The alarming part is how long these vulnerabilities have been around – researchers say they have existed at least since iOS 6, which was released in September of 2012.

The first attacks in the wild that they could find were from January 2018; that’s over 2 years of exploitation. Some suspected targets include
Managed Security Service Providers from the Middle East, journalists in Europe,
corporate executives from Japan and Sweden, as well as individuals at a Fortune 500 organization in North America.

The 2 vulnerabilities stem from a common issue: how the application handles
return values from system calls. The vulnerability can be exploited by sending a
large e-mail, or at least one large enough to consume enough RAM to cause the
overflow and bounds issues. In iOS 13, the exploit can work even without user
interaction, while in iOS 12 the user has to click on the e-mail, but the attack
can take place before the content is rendered. Users may notice a slight delay in
the mail app on iOS 13 for a short time, but other than that there is no other
noticeable abnormal behavior. In iOS 12, the exploit has been known to cause
the mail app to occasionally crash. Part of the attacker’s routine is to remove
the e-mail from the victim’s phone, showing operational security awareness in
cleaning their tracks.

    Apple has released a publicly-available beta of version 13.4.5 with a fix for both
vulnerabilities, but the patch has not made it to stable release yet. Until that
happens, it is recommended to disable the Apple Mail app and switch to Outlook or Gmail if updating to the beta isn’t possible. Also, make sure to log out of
the Apple Mail app as well.

Sources

• https://thehackernews.com/2020/04/zero-day-warning-its-possible-tohack.html

• https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/

• https://www.vice.com/en_us/article/pken5n/iphone-email-zero-day-hackin-the-wild

    The Domain Name System (DNS) is something most of us use every day, whether we think about it or not. It is hugely convenient for converting human readable addresses into the addresses that computers actually use to communicate
with each other. Sometimes this convenience can have unintended side effects
though, such as hundreds of thousands of computers constantly attempting to
send potentially sensitive information to an unintended location. In an attempt
to help secure computers worldwide Microsoft recently purchased the domain
name ‘corp.com’ for an undisclosed sum (likely north of a million dollars) from a
private party.
Why would they or you care about this nondescript domain name? The reason
stems back to the Windows 2000 days and poorly configured Active Directory
servers.

    Active Directory is a service commonly utilized in corporate networks
which among other things handles authentication and shared computing resources. This is the service that allows you to map network drives and printers
easily on a primarily Windows network. In order to map those services DNS is
utilized so that users don’t have to remember a bunch of IP addresses. The issue is that old versions of Active Directory defaulted to ‘corp’ as the root name,
causing collisions anywhere outside of the specific corporate network it was
setup on.
If the computer tried to look up the fileserver address for example, it would ask
the Active Directory service for the address using the name ‘fileservercorp’. On
the original network the Active Directory server would know about the ‘corp
configuration’ and return the correct address. But if the user was on a different
network, such as at a hotel or home, they would likely get back a generic DNS
response for the ‘corp.com’ domain name. The computer would then try to
access this resource as normal, potentially sending authentication tokens or
other details to the computer that ‘corp.com’ was pointing to.

     Microsoft started working on this problem in 2009 when it issued updates designed to mitigate the problem. They also issued updates in 2015 designed to
further mitigate the issue. It turns out that a lot of computers simply never updated, as information never stopped flowing to ‘corp.com’. Microsoft has also
recommended not using the default ‘corp’ setting in Active Directory for as long
as they have known about the issue. Now at least with the domain in the hands
of Microsoft they can monitor the incoming traffic and perhaps find out a way
to stop it all together.

 Sources:

https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/

Called Network security:
Restrict NTLM: NTLM authentication in this domaim

Security considerations

Vulnerability

Countermeasure

Potential impact

March 9, 2020
CMR 04-20
Secret Service Issues COVID-19 (Coronavirus) Phishing Alert

    WASHINGTON – Criminals are opportunists, and as seen in the past, any major news event can become an opportunity for groups or individuals with malicious intentions. The Coronavirus is no different. In fact, the Coronavirus is a prime opportunity for enterprising criminals because it plays on one of the basic human conditions…fear. Fear can cause normally scrupulous individuals to let their guard down and fall victim to social engineering scams, phishing scams, non-delivery scams, and auction fraud scams.

    The United States Secret Service is proactively taking steps to alert the public about the types of email scams associated with the Coronavirus. The Secret Service’s Global Investigative Operations Center (GIOC) reports the subsequent email scams:

    “Phishing” is the fraudulent practice of sending emails purporting to be from reputable companies in order to entice individuals to reveal personal information, such as passwords and credit card numbers. Phishing scams have become ubiquitous through email communication and ecommerce. Cyber criminals are exploiting the Coronavirus through the wide distribution of mass emails posing as legitimate medical and or health organizations. In one particular instance, victims have received an email purporting to be from a medical/health organization that included attachments supposedly containing pertinent information regarding the Coronavirus.
   
    This lead to either unsuspecting victims opening the attachment causing malware to infect their system, or prompting the victim to enter their email login credentials to access the information resulting in harvested login credentials. This type of incident enables further occurrences of cyber enabled financial crimes such as Business Email Compromise (BEC), PII theft, ransomware and account takeovers. Another side effect of the Coronavirus is increased teleworking, which furthers the reliance on email for communication adding yet another multiplier to these email fraud schemes. More of these incidents are expected, and increased vigilance regarding email communication is highly encouraged.

Another emerging fraud scheme exploiting the Coronavirus is using social engineering tactics through legitimate social media websites seeking donations for charitable causes related to the virus. Criminals are exploiting the charitable spirit of individuals, seeking donations to fraudulent causes surrounding the Coronavirus. Increased caution should be exercised when donating to charitable organizations.

A third fraud scheme surrounds non-delivery scams. Essentially, criminal actors advertise as an in-demand medical supply company that sells medical supplies that can be used to prevent/protect against the Coronavirus. The criminal enterprise will demand upfront payment or initial deposits then abscond with the funds and never complete delivery of the ordered products.

Quick Tips:

 Phishing Emails / Social Engineering – Avoid opening attachments and clicking on links within emails from senders you do not recognize. These attachments can contain malicious content, such as ransomware, that can infect your device and steal your information. Be leery of emails or phone calls requesting account information or requesting you to verify your account. Legitimate businesses will never call you or email you directly for this information.

Always independently verify any requested information originates from a legitimate source.

Visit websites by inputting the domain name yourself. Business use encryption, Secure Socket Layer (SSL). Certificate “errors” can be a warning sign that something is not right with the website.
The United States Secret Service will continue leading the charge to combat cyber-enabled financial crimes.

To learn more about the Secret Service’s Investigative Mission please visit us at: www.SecretService.gov

This post is a direct copy off of the Secret Service’s web site Here

    While rare, USB style
attacks can happen.
The best way to prevent
this attack is to avoid using any unknown USBs. In an
organization, informing employees about BadUSB attacks and providing a means to
report suspicious devices is an important prevention step. Additionally,
limiting physical access to machines
will help prevent a bad actor on-site from exploiting devices via USB. Some anti- virus programs now provide
keyboard authorization, which means that when
the antivirus detects that a keyboard has been plugged in, the user must verify
that it is indeed a keyboard and not a USB flash drive. BadUSB attacks can take
many forms but educating users in combination with proper security controls is
the best way to prevent the exploitation of this attack.

Sources: 

• https://www.bleepingcomputer.com/news/security/fbi-hackers-sending-malicious-usb-drives-and-teddy-bears-via-usps/

•  https://securityaffairs.co/wordpress/100661/cyber-crime/fin7-usb-teddy-bears-attacks.html