Before we get started on this week's wrap-up of important things in the infosec world, in light of the inauguration tomorrow, I just wanted to remind people to treat each other kindly regardless of political opinions. Politics is no reason to treat others without respect. Let's be good to one another and see how that makes you feel.
That being said, let’s see what the bad guys are up to:
While this doesn't mean it's time to yank all the AV off your machines, it is a reminder that endpoint protection should not be your only bacon-saving countermeasure. Many tears have fallen, and much bacon has gone unsaved, because of the "all the eggs in one basket" mentality. Think of the bacon, think of the eggs, and incorporate a defense-in-depth approach that reduces the most risk for the least effort and cost. *cough* *cough* User security awareness training is a huge part of this and is known for its bacon-saving properties *cough* *cough*. I must be hungry.
The UK's National Health Service (NHS) Has Been Walloped in 2016
About 1 in 3 NHS trusts were hit with ransomware in 2016. 80 percent of those were targeted through a phishing scheme, and Imperial College Healthcare in London was smacked 19 times in just 12 months. This is not new; I have talked about it before, but it's a powerful reminder of just how prolific ransomware is, and of the fact that most of it is being spread by email. This may be one of the biggest threats to hit the UK since Jeremy Clarkson. Stay safe out there.
IRS Issues Warning On New Tax Phishing Attack
Scammers are hitting up tax professionals in an effort to compromise their systems, then using the information they find there to con others into sending their financial details, resulting in false returns being filed. This is a pretty interesting two-part scam. There is a nice email blurb here that you can use to warn folks you know. Be safe, and pick up the phone (using a number you already have, not one from the email) if your info is requested.
Watch for this one. It starts with a traditional account credential phish; once in, the attackers dig through the victim's past email and craft new messages to the victim's contacts, reusing attachment names and subject lines from messages the original victim actually sent, so the new targets trust where it came from. Simply teaching people to check the address bar before they enter any credentials is the defense that stops this attack; sadly, not everyone gets good quality awareness training.
Here is an Example of a Phishing Email Targeting Navy Federal Users
This shows an example of a PDF with a malicious link. Keep in mind, the file itself isn't infected, so it will pass any AV scan, but following the link will give a person a rather bad day. In this case, a simple link hover shows it's not legit. That is a simple skill users really need to know about.
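As an added example (not code from the original post), here is a small Python script that does the "link hover" check on a PDF attachment without opening it: it pulls every /URI action out of the raw file and flags targets that mention a trusted brand while actually pointing at some other registered domain, which is exactly the trick in the Navy Federal lure. The PDF bytes are hand-built for this example (no xref table, so a strict viewer may complain; it exists only to exercise the parser), and the lookalike host under the reserved .example TLD is invented. One caveat the script states in its comments: it only sees uncompressed objects, so a PDF that hides its annotations in compressed object streams needs a real parser such as pypdf.

```python
"""Extract link targets from a PDF and flag lookalike domains.

Added example; not part of the original post. The sample PDF and the
lookalike domain are constructed for this demo.
"""
import re
from urllib.parse import urlsplit

# A /Link annotation carries its target in a /URI action: "/URI (http://...)".
# This regex only sees uncompressed objects. Annotations tucked into compressed
# object streams (/ObjStm, PDF 1.5+) are invisible to it; use pypdf for those.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# Constructed sample: the visible text says navyfederal.org, but the first
# link annotation points at an invented lookalike host. The second link is real.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Contents 4 0 R /Annots [5 0 R 6 0 R] >> endobj
4 0 obj << /Length 73 >>
stream
BT /F1 12 Tf 72 700 Td (Click here to verify: https://www.navyfederal.org) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 400 712]
   /A << /S /URI /URI (http://navyfederal.org.account-verify.example/login) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 400 672]
   /A << /S /URI /URI (https://www.navyfederal.org/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def extract_link_targets(pdf_bytes: bytes) -> list:
    """Return every /URI action target found in the raw PDF bytes, in file order."""
    targets = []
    for raw in _URI_RE.findall(pdf_bytes):
        # Undo the PDF literal-string escapes that can appear inside a URL.
        text = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        targets.append(text.decode("latin-1"))
    return targets


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.org; wrong for .co.uk and friends."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def flag_lookalikes(urls, trusted_domains) -> list:
    """Classify each URL as 'trusted', 'lookalike' or 'untrusted'.

    'lookalike' means the registered domain is NOT trusted, yet the brand name of
    a trusted domain appears somewhere in the URL (subdomain, path, query).
    """
    brands = [d.split(".")[0].lower() for d in trusted_domains]
    results = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if registered_domain(host) in trusted_domains:
            verdict = "trusted"
        elif any(b in url.lower() for b in brands):
            verdict = "lookalike"
        else:
            verdict = "untrusted"
        results.append((url, verdict))
    return results


if __name__ == "__main__":
    for url, verdict in flag_lookalikes(extract_link_targets(SAMPLE_PDF), {"navyfederal.org"}):
        print(f"{verdict:10} {url}")
```

Run it against a real attachment by reading the file in binary mode and passing the bytes to `extract_link_targets`; the point is that you get the same answer a careful link hover would, without rendering the document.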
Fraud Attempts Around Christmas of 2016 up 31%
Not a shocker, mind you, but attempts at fraudulent digital retail sales were up 31% against a 16% increase in e-commerce transactions over 2015. In other words, fraud attempts grew roughly twice as fast as legitimate volume.
The CIA dropped over 930k documents into its FOIA Reading Room
That's over 12 million pages of data. I will not be reading them all; instead I will rely on the interwebs to let me know about the interesting bits and pass them along to you. So far, the most interesting thing I saw was a Dilbert cartoon that may previously have contained steganography. Stego fascinates me. It wasn't even a particularly funny cartoon, though.
Bad Guys Threaten to Contact Families of Cancer Patients When Ransomware Fails to Make Them $
There is a special place in the circles of Hell for people who mess with orgs like this. This is a cancer treatment org that provides free treatment for those unable to afford it. The ransom was $43,000, which can go a long way toward providing treatments for folks. One thing to consider here: I have mentioned before that I expect doxxing and other behaviors like this to increase. Since the malware has full access to the files when it encrypts them, and the bad guys hold the keys, there is nothing stopping them from exfiltrating the data and reading it as well. This is why HHS treats a ransomware infection on health data as a presumed breach. Sadly, I expect to see more of this behavior.
Elasticsearch is the Latest Target for Database Ransom Attacks
Like the recent MongoDB attacks, the bad guys are going after unsecured Elasticsearch instances exposed to the internet, encrypting them and demanding 0.2 BTC (about $175 at the time) to get your data back. If you run Elasticsearch, it's time to lock it down: bind it to localhost or a private interface, put authentication and a firewall in front of it, and never leave port 9200 reachable from the internet. Here is some help to get you started.
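As an added example (not from the original post or the linked guide), here is a Python script that audits an elasticsearch.yml for the exposure these ransom attacks depend on: the REST API listening on a non-loopback address with no authentication in front of it. The two configs are constructed for this example, with the weak setting beside the corrected one; the setting names and the precedence order among the bind settings are the Elasticsearch 5.x network settings as I understand them from the documentation, and the `xpack.security.enabled` check assumes X-Pack is the auth layer in use.

```python
"""Audit elasticsearch.yml for an internet-exposed, unauthenticated REST API.

Added example; not part of the original post. WEAK_CONFIG and FIXED_CONFIG
are constructed for this demo.
"""
import re

# The most specific HTTP bind setting wins; later entries are its fallbacks.
_BIND_KEYS = ("http.bind_host", "http.host", "network.bind_host", "network.host")

NO_AUTH_FINDING = ("xpack.security.enabled is false: anyone who can reach the port can "
                   "read, delete or replace every index.")

# Constructed: the classic mistake, binding to every interface so app servers can reach it.
WEAK_CONFIG = """
cluster.name: prod-logs
node.name: es-1
network.host: 0.0.0.0        # listen everywhere so the app servers can reach it
http.port: 9200
"""

# Constructed: same node, bound to loopback; clients go through an authenticating proxy.
FIXED_CONFIG = """
cluster.name: prod-logs
node.name: es-1
network.host: _local_        # loopback only; reverse proxy with auth sits in front
http.port: 9200
"""


def parse_flat_yaml(text: str) -> dict:
    """Parse the flat 'key: value' lines of elasticsearch.yml.

    Values come back as lists so scalars and [a, b] lists look the same to the
    audit. Comments and blank lines are ignored; nested YAML is out of scope.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("[") and value.endswith("]"):
            items = [v.strip().strip("'\"") for v in value[1:-1].split(",")]
            settings[key] = [v for v in items if v]
        else:
            settings[key] = [value.strip("'\"")] if value else []
    return settings


def is_loopback(addr: str) -> bool:
    """True for addresses Elasticsearch resolves to the loopback interface only."""
    a = addr.lower()
    return a in ("127.0.0.1", "::1", "localhost", "_local_") or a.startswith("_local:")


def effective_http_bind(settings: dict):
    """Return (setting name, addresses) that actually decide where HTTP listens."""
    for key in _BIND_KEYS:
        if settings.get(key):
            return key, settings[key]
    return "(default)", ["_local_"]   # 2.x and later bind to loopback unless told otherwise


def audit(text: str) -> list:
    """Return findings for one elasticsearch.yml; an empty list means nothing flagged."""
    settings = parse_flat_yaml(text)
    findings = []
    key, addrs = effective_http_bind(settings)
    exposed = [a for a in addrs if not is_loopback(a)]
    if exposed:
        port = (settings.get("http.port") or ["9200"])[0]
        findings.append(
            f"EXPOSED: {key} = {addrs}; the REST API is reachable on {exposed}. "
            f"Bind to _local_ unless auth and a firewall sit in front of port {port}.")
    if settings.get("xpack.security.enabled") == ["false"]:
        findings.append(NO_AUTH_FINDING)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

Note that `_site_` (a LAN address) is flagged too: a node that is reachable from the whole office network without authentication is only one pivot away from the same outcome, so treat anything other than loopback as needing auth and a firewall rule.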
I have to admit, I LOL’ed at this video. It’s a bit mind boggling to watch, but entertaining. I even got to where I was rooting for the guy a bit.
My Brethren are not to be trifled with!
The Cyber Squirrel 1 project released the results of a study at Shmoocon, showing that squirrels top the list of power grid attackers, followed by birds and then snakes. I personally have felt the effects of a rodent-related power outage at a previous job. It is rumored that only a smoking tail and a pile of ash remained when a squirrel chewed through some wires at a substation, causing a pretty decent outage in Tucson. Furthermore, my brethren have been blamed for the deaths of six people, allegedly (they have not been convicted in a court of law) caused by squirrels downing power lines that then struck people on the ground. "Rodent-related airborne electrocution" would be a pretty crappy cause of death if you ask me. Fear the fur, people, fear the fur!
I was honored to speak at BSides San Diego last weekend
I was able to present two sessions: one on social engineering and the other specifically on ransomware. The crew did a great job putting the event together, even though the waffle truck broke down several blocks away. Waffles on Wheels sounds right up my alley! 😀 This picture was taken a little before the social engineering session started; by the time we started, it was standing room only. Thanks, everyone, for attending.
Chelsea Manning’s sentence was commuted.
I'm not even getting into the politics of this here. Just know that after a bit over 7 years, Manning is being set free.
I hope you enjoyed this weekly update. See you next week!
Erich Kron, Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 20 years' experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in InfoSec.