About ... that when you share a file in Zoom and other products, your computer can pass your NTLM security credentials,
domain
March 9, 2020
CMR 04-20
Secret Service Issues COVID-19 (Coronavirus) Phishing Alert
WASHINGTON – Criminals are opportunists, and as seen in the past, any major news event can become an opportunity for groups or individuals with malicious intentions. The Coronavirus is no different. In fact, the Coronavirus is a prime opportunity for enterprising criminals because it plays on one of the basic human conditions…fear. Fear can cause normally scrupulous individuals to let their guard down and fall victim to social engineering scams, phishing scams, non-delivery scams, and auction fraud scams.
The United States Secret Service is proactively taking steps to alert the public about the types of email scams associated with the Coronavirus. The Secret Service’s Global Investigative Operations Center (GIOC) reports the following email scams:
“Phishing” is the fraudulent practice of sending emails purporting to be from reputable companies in order to entice individuals to reveal personal information, such as passwords and credit card numbers. Phishing scams have become ubiquitous through email communication and ecommerce. Cyber criminals are exploiting the Coronavirus through the wide distribution of mass emails posing as legitimate medical and/or health organizations. In one particular instance, victims have received an email purporting to be from a medical/health organization that included attachments supposedly containing pertinent information regarding the Coronavirus.
This led either to unsuspecting victims opening the attachment, causing malware to infect their system, or to the victim being prompted to enter their email login credentials to access the information, resulting in harvested login credentials. This type of incident enables further occurrences of cyber-enabled financial crimes such as Business Email Compromise (BEC), PII theft, ransomware and account takeovers. Another side effect of the Coronavirus is increased teleworking, which furthers the reliance on email for communication, adding yet another multiplier to these email fraud schemes. More of these incidents are expected, and increased vigilance regarding email communication is highly encouraged.
Another emerging fraud scheme exploiting the Coronavirus is using social engineering tactics through legitimate social media websites seeking donations for charitable causes related to the virus. Criminals are exploiting the charitable spirit of individuals, seeking donations to fraudulent causes surrounding the Coronavirus. Increased caution should be exercised when donating to charitable organizations.
A third fraud scheme surrounds non-delivery scams. Essentially, criminal actors advertise as an in-demand medical supply company that sells medical supplies that can be used to prevent/protect against the Coronavirus. The criminal enterprise will demand upfront payment or initial deposits then abscond with the funds and never complete delivery of the ordered products.
Quick Tips:
Phishing Emails / Social Engineering – Avoid opening attachments and clicking on links within emails from senders you do not recognize. These attachments can contain malicious content, such as ransomware, that can infect your device and steal your information. Be leery of emails or phone calls requesting account information or requesting you to verify your account. Legitimate businesses will never call you or email you directly for this information.
Always independently verify any requested information originates from a legitimate source.
Visit websites by inputting the domain name yourself. Businesses use encryption, Secure Sockets Layer (SSL). Certificate “errors” can be a warning sign that something is not right with the website.
The United States Secret Service will continue leading the charge to combat cyber-enabled financial crimes.
To learn more about the Secret Service’s Investigative Mission please visit us at: www.SecretService.gov
This post is a direct copy of the Secret Service’s web site.
While rare, USB-style attacks can happen. The best way to prevent this attack is to avoid using any unknown USBs. In an organization, informing employees about BadUSB attacks and providing a means to report suspicious devices is an important prevention step. Additionally, limiting physical access to machines will help prevent a bad actor on-site from exploiting devices via USB. Some anti-virus programs now provide keyboard authorization, which means that when the antivirus detects that a keyboard has been plugged in, the user must verify that it is indeed a keyboard and not a USB flash drive. BadUSB attacks can take many forms, but educating users in combination with proper security controls is the best way to prevent this kind of exploitation.
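The keyboard-authorization control described above, modelled as a small policy engine. This is an added example, not code from the original post or from any anti-virus product; the device descriptors, vendor/product IDs and allowlist entries are constructed, and the USB class codes are the standard ones (0x03 HID, 0x08 mass storage).

```python
"""Decide whether a newly attached USB device may act as a keyboard.

Added example (not from the original post or any vendor product). A device
is identified by its interface descriptors: a HID interface can send
keystrokes, a mass-storage interface presents a disk. The verdicts model
the "keyboard authorization" prompt: known devices are allowed, an unknown
device that can type must be confirmed by the user, and a device that
claims to be both a keyboard and a drive (the classic BadUSB shape) is
blocked outright. All identifiers below are constructed sample values.
"""
from dataclasses import dataclass

HID_CLASS = 0x03            # USB interface class: Human Interface Device
MASS_STORAGE_CLASS = 0x08   # USB interface class: mass storage
HID_KEYBOARD_PROTOCOL = 0x01  # boot-interface protocol 1 = keyboard


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interfaces: tuple  # tuple of Interface


# Hypothetical allowlist of devices the user has already authorized.
AUTHORIZED = {(0x1234, 0x0001, "CONSTRUCTED-SERIAL-01")}


def can_type(dev: UsbDevice) -> bool:
    """Any HID interface can emit key reports, not only boot keyboards
    (non-boot HID devices report subclass 0 / protocol 0), so treat every
    HID interface as input-capable rather than trusting the protocol field."""
    return any(i.cls == HID_CLASS for i in dev.interfaces)


def has_storage(dev: UsbDevice) -> bool:
    return any(i.cls == MASS_STORAGE_CLASS for i in dev.interfaces)


def decide(dev: UsbDevice) -> str:
    """Return 'allow', 'ask' (user must confirm) or 'block'."""
    if (dev.vendor_id, dev.product_id, dev.serial) in AUTHORIZED:
        return "allow"
    if can_type(dev) and has_storage(dev):
        return "block"   # "flash drive" that also types: reject, report it
    if can_type(dev):
        return "ask"     # unknown keyboard-capable device: verify with user
    return "allow"       # plain storage or other class: outside this control
```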
This new attack works in an opposite fashion compared to previous attacks like Spectre and Meltdown. “We smuggle — ‘inject’ — the attacker’s data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords”, according to the researchers. This is in contrast to previous attacks where the victim’s information was leaked directly to the attacker via arbitrary memory reads. While the researchers haven’t found a way to leverage this new attack across virtual machine domains, they believe it is theoretically possible.
Kristin Del Rosso, a researcher with mobile cybersecurity firm Lookout, has associated the malware with over 30 rogue Android applications to date. The researchers have not yet associated the various corrupt apps with any nation-state backed actors, but do note that the “use of these commercial surveillanceware families has been observed in the past as part of the tooling used by nationstates in the Middle East.”
Researchers at Lookout tracked down the command and control server for the app and pivoted from there to find 30 other unique apps that all share the same infrastructure, suggesting a much larger surveillance campaign has been in progress for some time. The command and control domain appears to be hosted through the dynamic DNS provider No-IP and resolves to several different addresses within the same range. The address space is operated by the Libyan Telecom and Technology internet service provider. The researchers at Lookout also noted that these apps were never available from the Google Play Store and that most instances are being downloaded from third-party sites.
Kristin Del Rosso also noted, “This surveillance campaign highlights how in times of crisis, our innate need to seek out information can be used against us for malicious ends. Furthermore, the commercialization of ‘off-the-shelf’ spyware kits makes it fairly easy for these malicious actors to spin up these bespoke campaigns almost as quickly as a crisis like COVID-19 takes hold.”
https://blog.lookout.com/commercial-surveillanceware-operators-latest-to-take-advantage-of-covid-19
The Cybersecurity and Infrastructure Security Agency (CISA) warns
individuals to remain vigilant for scams related to Coronavirus Disease 2019
(COVID-19). Cyber actors may send emails with malicious attachments or links to
fraudulent websites to trick victims into revealing sensitive information or
donating to fraudulent charities or causes. Exercise caution in handling any
email with a COVID-19-related subject line, attachment, or hyperlink, and be
wary of social media pleas, texts, or calls related to COVID-19.
CISA encourages individuals to remain vigilant and take the following
precautions.
Cloud security is as important as ever as more and more services are moved to the cloud. Unfortunately, misconfigured servers still exist, regardless of where they are located. A simple Google search (no Shodan required) is all it takes to find unsecured S3 buckets, which can be treasure troves of information. Let’s be real though: that type of find is low-hanging fruit that any script kiddie or automated tool can find. There’s something far more sophisticated lurking in the cloud, and there’s a good chance a nation state is behind it.
Researchers over at SophosLabs announced the discovery of Cloud Snooper this week. They were looking into infected cloud servers hosted by Amazon Web Services (AWS) when they noticed unusual traffic on a Linux server. The security groups (SGs), which are firewall rules designed to limit traffic to the server, were properly configured. But a rootkit and a backdoor were found on the system that allowed the adversary to bypass the firewall altogether.
It all works by piggybacking malicious packets on legitimate traffic allowed by the SGs. The attacker sends these “disguised” requests to the rootkit, where they are intercepted. The malware sends the command to the backdoor. The outbound traffic is then obfuscated in the same way, giving the adversary the ability to siphon data and execute commands. The researchers noted that because of this technique “the C2 traffic stays largely indistinguishable from the legitimate web traffic.”
Linux servers aren’t the only ones vulnerable to Cloud Snooper – there’s also a Windows version based on the notorious Gh0st RAT. What’s worse is that it isn’t limited to cloud services either. The researchers pointed out that the technique could potentially bypass nearly any firewall. Security best practices will help to mitigate the threat, including keeping all security services and patches up to date, proper configuration management, and two-factor authentication.
Sources:
Wireless network security has come a long way since the days of easily breakable Wired Equivalent Privacy (WEP). WiFi Protected Access (WPA) 2 has been the most commonly used standard since it was released in 2004 and has had very few vulnerabilities since the original release.
This week however researchers from ESET released the details of a new attack called Kr00k, which affects millions of devices all over the world. This vulnerability can allow an attacker to read data between the device and access point as if there was no encryption at all.
As detailed in a previous blog, device manufacturers rarely implement common standards like Bluetooth or WiFi into their products from scratch. They instead purchase and integrate one of the many off-the-shelf solutions provided by Broadcom or others, tweaking for their specific use case.
The two most popular chipsets for WiFi come from Broadcom and Cypress, both of which are vulnerable to the Kr00k attack. These chipsets are used in millions of devices including smartphones, laptops, IoT devices, etc. This means that the attack spans nearly every manufacturer of electronics that uses WiFi in their products.
The attack itself is based on a bug in the access point disassociation logic. Disassociations happen via special control frames in a WiFi connection and happen all the time legitimately, whether from low signal or an intentional disconnect from an access point. When a disassociation request happens, the vulnerable chipsets reset the transmit buffer with an encryption key of all zeros. This buffer is then flushed by being transmitted out using the all-zero encryption key, which makes it vulnerable to sniffing by a third party. The transmit buffer is relatively small at only 32 kilobytes, but using the attack sequentially via a script makes it possible to leak larger pieces of data given enough time. The same attack can also be used on the access point itself and is not limited to attacking a single client only.
By using the attack on a vulnerable access point it would be possible to eavesdrop on any client connected to the wireless network, whether it has already been patched or not.
After ESET researchers found the bug they responsibly disclosed it to the chipset makers and began a 120-day countdown for public disclosure. This gave manufacturers plenty of time to create a patch and start rolling it out to vulnerable devices. To make sure that your network is not vulnerable each device utilizing WiFi should be checked to make sure it is patched and up to date. It would also be wise to utilize VPN software when on untrusted networks as it may not be possible to verify that the access point is not vulnerable.
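Because each Kr00k leak is limited to one 32 KB transmit buffer and is triggered by a disassociation, repeated leaking shows up as an abnormal rate of disassociation frames aimed at one client. The detection below is an added example, not code from the original post or from ESET: it runs a sliding-window count over a constructed capture in a simple `timestamp,subtype,bssid,client` form, and the threshold (more than 5 disassociations to one client within 10 seconds) is an assumed tuning value, not a figure from the research.

```python
"""Flag clients hit by an abnormal burst of 802.11 disassociation frames.

Added example (not from the original article or ESET). Disassociations are
normal in small numbers; a script forcing them repeatedly to drain a
vulnerable chipset's transmit buffer over and over leaves a burst that a
wireless IDS can alert on. The capture format and threshold are assumptions
and the frames below are constructed.
"""
from collections import deque

DISASSOC_SUBTYPE = 0x0a   # 802.11 management frame subtype: disassociation
BEACON_SUBTYPE = 0x08     # included in the sample only as benign noise
MAX_DISASSOC = 5          # assumed: more than this many ...
WINDOW_SEC = 10.0         # ... within this many seconds raises an alert


def parse_frame(line: str):
    """Parse one 'ts,subtype,bssid,client' record (constructed format)."""
    ts, subtype, bssid, client = line.strip().split(",")
    return float(ts), int(subtype, 16), bssid.lower(), client.lower()


def detect_bursts(lines, max_count=MAX_DISASSOC, window=WINDOW_SEC):
    """Return {client: time of first alert} for clients whose recent
    disassociation count exceeds max_count inside a sliding time window."""
    recent = {}   # client -> deque of disassociation timestamps in window
    alerts = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, subtype, bssid, client = parse_frame(line)
        if subtype != DISASSOC_SUBTYPE:
            continue
        q = recent.setdefault(client, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) > max_count and client not in alerts:
            alerts[client] = ts
    return alerts


# Constructed capture: client ...:01 sees one normal disassociation,
# client ...:02 is disassociated six times in 2.5 seconds.
SAMPLE_CAPTURE = """\
# ts,subtype,bssid,client  (constructed)
0.0,0x0a,aa:bb:cc:dd:ee:01,11:22:33:44:55:01
5.0,0x08,aa:bb:cc:dd:ee:01,ff:ff:ff:ff:ff:ff
20.0,0x0a,aa:bb:cc:dd:ee:01,11:22:33:44:55:02
20.5,0x0a,aa:bb:cc:dd:ee:01,11:22:33:44:55:02
21.0,0x0a,aa:bb:cc:dd:ee:01,11:22:33:44:55:02
21.5,0x0a,aa:bb:cc:dd:ee:01,11:22:33:44:55:02
22.0,0x0a,aa:bb:cc:dd:ee:01,11:22:33:44:55:02
22.5,0x0a,aa:bb:cc:dd:ee:01,11:22:33:44:55:02
"""
```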
Sources:
• https://threatpost.com/billions-of-devices-wifi-encryption-hack/153267/
• https://www.zdnet.com/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/