<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Ride The Lightning</title>
    
    <link rel="alternate" type="text/html" href="https://ridethelightning.senseient.com/" />
    <id>tag:typepad.com,2003:weblog-1369410</id>
    <updated>2021-04-20T10:00:00-04:00</updated>
    <subtitle>Ride the Lightning: Electronic Evidence is a blog by Sharon D. Nelson, a noted author and lecturer and President of the digital forensics firm Sensei Enterprises, Inc. It was developed to share electronic evidence news, to report and reflect upon current computer forensics and electronic discovery developments and to offer a light-hearted view of electronic evidence from the trenches, where folks really do “ride the lightning.”</subtitle>
    <generator uri="http://www.typepad.com/">TypePad</generator>
<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/sensei" /><feedburner:info uri="sensei" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry>
        <title>FireEye’s Mandiant Issues M-Trends 2021 Report</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/sensei/~3/PlGLAWT2UZg/fireeyes-mandiant-issues-m-trends-2021-report.html" />
        <link rel="replies" type="text/html" href="https://ridethelightning.senseient.com/2021/04/fireeyes-mandiant-issues-m-trends-2021-report.html" />
        <id>tag:typepad.com,2003:post-6a00e008daf3e08834027880246e37200d</id>
        <published>2021-04-20T10:00:00-04:00</published>
        <updated>2021-04-19T14:56:43-04:00</updated>
        <summary>The M-Trends 2021 Report was published by FireEye's Mandiant division on April 13 and is free to download. The data is based on Mandiant investigations between October 1, 2019 and September 30, 2020. Some of the highlights: 59% of the...</summary>
        <author>
            <name>Sharon Nelson</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="https://ridethelightning.senseient.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>The <a href="https://content.fireeye.com/m-trends/rpt-m-trends-2021?" rel="noopener" target="_blank">M-Trends 2021 Report</a> was published by FireEye's Mandiant division on April 13 and is free to download. The data is based on Mandiant investigations between October 1, 2019 and September 30, 2020.</p>
<p>Some of the highlights:</p>
<p>59% of the cyber incidents Mandiant investigated were discovered by the affected organizations themselves, an improvement of 12% over the previous year's report.</p>
<p>The global median dwell time was 24 days, the first time it has dipped below one month. This may have been driven by the flood of ransomware incidents, which were quickly identified as such.</p>
<p>Ransomware was involved in 25% of the investigations, up from 14% in the previous year.</p>
<p>What John and I call version 2.0 of ransomware, Mandiant now calls "multifaceted extortion." That works too.</p>
<p>What does it involve?</p>
<p>It still encrypts the victim's data but now it steals the victim's data as well.</p>
<p>The cyber criminals publish the data on a "name and shame" website.</p>
<p>They notify the media.</p>
<p>They notify the people whose data has been stolen, prompting data breach disclosures.</p>
<p>They call and harass employees.</p>
<p>They conduct denial of service attacks on the victim to further disrupt operations.</p>
<p>All of this, you'll be shocked to hear, causes disruption and brand damage.</p>
<p>There is a very long list of proactive steps that organizations can take to reduce their risk. Guaranteed that most of the folks who read those steps won't understand them – and that's the problem with trying to help organizations help themselves!</p>
<p>HT to Dave Ries.</p>
<p><strong>Sharon D. Nelson, Esq., President</strong>, <strong>Sensei Enterprises, Inc.</strong><br />3975 University Drive, Suite 225 <strong>|</strong> Fairfax, VA 22030<br />Email: <a href="mailto:snelson@senseient.com">snelson@senseient.com</a> Phone: 703-359-0700<br />Digital Forensics/Cybersecurity/Information Technology<br /><a href="https://senseient.com/" rel="noopener" target="_blank">https://senseient.com</a><br /><a href="https://twitter.com/sharonnelsonesq" rel="noopener" target="_blank">https://twitter.com/sharonnelsonesq</a><br /><a href="https://www.linkedin.com/in/sharondnelson" rel="noopener" target="_blank">https://www.linkedin.com/in/sharondnelson</a><br /><a href="https://amazon.com/author/sharonnelson" rel="noopener" target="_blank">https://amazon.com/author/sharonnelson</a></p></div></content>



    <feedburner:origLink>https://ridethelightning.senseient.com/2021/04/fireeyes-mandiant-issues-m-trends-2021-report.html</feedburner:origLink></entry>
<entry>
        <title>The Top 21 Cybersecurity Experts to Follow on Twitter in 2021</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/sensei/~3/AWeIWM0HW_8/the-top-21-cybersecurity-experts-to-follow-on-twitter-in-2021.html" />
        <link rel="replies" type="text/html" href="https://ridethelightning.senseient.com/2021/04/the-top-21-cybersecurity-experts-to-follow-on-twitter-in-2021.html" />
        <id>tag:typepad.com,2003:post-6a00e008daf3e088340263e99ef851200b</id>
        <published>2021-04-19T10:00:00-04:00</published>
        <updated>2021-04-18T15:25:21-04:00</updated>
        <summary>I'm sure glad that Security Boulevard published a post, on April 11, of the 21 cybersecurity experts you should follow on Twitter in 2021. People are always asking me who to follow – now I have a hyperlink to give...</summary>
        <author>
            <name>Sharon Nelson</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="https://ridethelightning.senseient.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>I'm sure glad that Security Boulevard published a <a href="https://securityboulevard.com/2021/04/top-21-cybersecurity-experts-you-must-follow-on-twitter-in-2021/" rel="noopener" target="_blank">post</a>, on April 11, of the 21 cybersecurity experts you should follow on Twitter in 2021. People are always asking me who to follow – now I have a hyperlink to give them without having done the actual work myself.</p>
<p>HT to Dave Ries!</p>
</div></content>



    <feedburner:origLink>https://ridethelightning.senseient.com/2021/04/the-top-21-cybersecurity-experts-to-follow-on-twitter-in-2021.html</feedburner:origLink></entry>
<entry>
        <title>FBI Blasts Away Web Shells on US Servers Without Telling Owners</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/sensei/~3/Xqydz8OGI7A/fbi-blasts-away-web-shells-on-us-servers-without-telling-owners.html" />
        <link rel="replies" type="text/html" href="https://ridethelightning.senseient.com/2021/04/fbi-blasts-away-web-shells-on-us-servers-without-telling-owners.html" />
        <id>tag:typepad.com,2003:post-6a00e008daf3e088340263e99df715200b</id>
        <published>2021-04-15T10:00:00-04:00</published>
        <updated>2021-04-14T11:17:39-04:00</updated>
        <summary>ZDNet reported on April 14 that the Department of Justice revealed on April 13 that the FBI had received authorization from a court to remove web shells installed on compromised servers related to the Exchange vulnerabilities. "Many infected system owners...</summary>
        <author>
            <name>Sharon Nelson</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="https://ridethelightning.senseient.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>ZDNet <a href="https://www.zdnet.com/article/fbi-blasts-away-web-shells-on-us-servers-in-wake-of-exchange-vulnerabilities/" rel="noopener" target="_blank">reported</a> on April 14 that the Department of Justice revealed on April 13 that the FBI had received authorization from a court to remove web shells installed on compromised servers related to the Exchange vulnerabilities.</p>
<p>"Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated," the department said.</p>
<p>"This operation removed one early hacking group's remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to US networks."</p>
<p>Despite the operation, entities that run Exchange servers should still follow Microsoft's advice and ensure their servers are properly patched.</p>
<p>"The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path)," the department said.</p>
<p>"This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells."</p>
<p>Because each shell had a unique file path and name, the department added, it may have been difficult for "individual server owners" to find and remove them. As of the end of March, the department was aware of "hundreds" of shells still working on US servers. Microsoft released its first alerts on the vulnerabilities at the start of March.</p>
<p>If you were running an Exchange server in the United States, it could have been compromised, and somewhat mitigated by the FBI without your knowledge.</p>
<p>The FBI is trying to alert the server owners whose shells it removed. Affected users with publicly available contact information will receive an "e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search", and failing that, ISPs will be contacted to provide notice.</p>
<p>"Today's court-authorized removal of the malicious web shells demonstrates the department's commitment to disrupt hacking activity using all of our legal tools, not just prosecutions," Assistant Attorney General for national security John C. Demers said.</p>
<p>On March 24, Microsoft said 92% of vulnerable servers were patched or mitigated.</p>
<p>Does it unnerve anyone else that the government can go into privately-owned servers, even with good intentions, without prior notice?</p>
</div></content>



    <feedburner:origLink>https://ridethelightning.senseient.com/2021/04/fbi-blasts-away-web-shells-on-us-servers-without-telling-owners.html</feedburner:origLink></entry>
<entry>
        <title>564% Increase in People Affected by Data Breaches in 1st Quarter of 2021</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/sensei/~3/HMZLojeXWv8/564-increase-in-people-affected-by-data-breaches-in-1st-quarter-of-2021.html" />
        <link rel="replies" type="text/html" href="https://ridethelightning.senseient.com/2021/04/564-increase-in-people-affected-by-data-breaches-in-1st-quarter-of-2021.html" />
        <id>tag:typepad.com,2003:post-6a00e008daf3e0883402788022f280200d</id>
        <published>2021-04-14T10:00:00-04:00</published>
        <updated>2021-04-13T12:30:11-04:00</updated>
        <summary>The Identity Theft Resource Center® reported on April 7 that publicly-reported U.S. data compromises in Q1 2021 are up 12 percent (363) from Q4 2020. The figure that has drawn all the attention is that the number of individuals impacted is up 564 percent...</summary>
        <author>
            <name>Sharon Nelson</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="https://ridethelightning.senseient.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>The Identity Theft Resource Center® <a href="https://www.idtheftcenter.org/identity-theft-resource-center-reports-564-percent-increase-in-individuals-impacted-by-data-compromises-in-q1-2021/" rel="noopener" target="_blank">reported</a> on April 7 that publicly-reported U.S. data compromises in Q1 2021 are up 12 percent (363) from Q4 2020. The figure that has drawn all the attention is that the number of individuals impacted is up 564 percent (51 million in Q1 2021 versus eight million in Q4 2020). A primary reason for the gap in compromises and impacts is a 42 percent rise in the number of supply chain attacks compared to Q4 2020, a trend discussed in the <a href="https://notified.idtheftcenter.org/s/2020-data-breach-report" rel="noopener" target="_blank">ITRC's 2020 Data Breach Report</a>.</p>
<p>One hundred and thirty-seven (137) organizations reported being impacted by supply chain attacks in Q1 2021 at 27 different third-party vendors, including IT provider Accellion. The publicly reported supply chain attacks affected seven million people. Nineteen supply chain attack-related compromises were reported in Q4 2020.</p>
<p>More conclusions from the Q1 2021 report:</p>
<p>"<em>Phishing and ransomware attacks continue to be the primary root causes of data compromises. </em></p>
<p><em>The increase in data compromises and impacted individuals was also influenced by 59 data events reported in early Q1 2021 that occurred in late December 2020. </em></p>
<p><em>The 2020 supply chain and ransomware attack against IT provider Blackbaud continues to result in new data breach notices; 62 new notices in Q1 2021 that impacted approximately 146,000 additional individuals. More than 12.8 million people at 555 organizations have now been affected by the attack first reported in mid-2020. </em></p>
<p><em>The report reinforces the trends highlighted by the ITRC, the FBI, and various security vendors that point to a rise in cybercrimes focused on stealing company resources using personal information.</em>"</p>
<p>The hits just keep on coming. Have you reviewed your cybersecurity posture recently? Most businesses have not.</p>
</div></content>



    <feedburner:origLink>https://ridethelightning.senseient.com/2021/04/564-increase-in-people-affected-by-data-breaches-in-1st-quarter-of-2021.html</feedburner:origLink></entry>
<entry>
        <title>Businesses Being Attacked Using Their Own Contact Forms</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/sensei/~3/oRVC_2uxN-g/businesses-being-attacked-using-their-own-contact-forms.html" />
        <link rel="replies" type="text/html" href="https://ridethelightning.senseient.com/2021/04/businesses-being-attacked-using-their-own-contact-forms.html" />
        <id>tag:typepad.com,2003:post-6a00e008daf3e0883402788022c19f200d</id>
        <published>2021-04-13T10:00:00-04:00</published>
        <updated>2021-04-12T16:40:10-04:00</updated>
        <summary>Bleeping Computer reported on April 9 that cyber attackers are using legitimate corporate contact forms to send phishing emails that threaten businesses with lawsuits and attempt to infect them with the IcedID info-stealing malware. IcedID is a modular banking trojan...</summary>
        <author>
            <name>Sharon Nelson</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="https://ridethelightning.senseient.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>Bleeping Computer <a href="https://www.bleepingcomputer.com/news/security/attackers-deliver-legal-threats-icedid-malware-via-contact-forms/" rel="noopener" target="_blank">reported</a> on April 9 that cyber attackers are using legitimate corporate contact forms to send phishing emails that threaten businesses with lawsuits and attempt to infect them with the IcedID info-stealing malware.</p>
<p>IcedID is a modular banking trojan first spotted in 2017 and updated to deploy second-stage malware payloads, including Trickbot, Qakbot, and Ryuk ransomware.</p>
<p>The attackers can use it to download additional modules after infecting a device, steal credentials and financial information, and move laterally across the victims' networks to compromise more computers and deploy more payloads.</p>
<p>Recently detected by the Microsoft 365 Defender Threat Intelligence Team, this phishing campaign seems to have found a way to bypass contact forms' CAPTCHA protection to target businesses with a flood of phishing messages.</p>
<p>Microsoft threat intelligence analysts Emily Hacker and Justin Carroll observed "an influx of contact form emails targeted at enterprises by means of abusing companies' contact forms."</p>
<p>"This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections," the Microsoft threat analysts said.</p>
<p>Importantly, by using this tactic, the attackers bypass the targeted enterprise's secure email gateways, significantly increasing their phishing messages' chance of landing in a target's inbox instead of getting flagged and sent to the spam folder.</p>
<p>To increase their attacks' success, the would-be hackers threaten their targets with legal action for copyright infringements to pressure them into clicking embedded links directing them to IcedID payloads.</p>
<p>The recipients are told to click on an embedded link to review the attackers' "evidence" but are instead redirected to a Google Sites-hosted website used to deliver the IcedID malware. The targets are asked to log in using their Google accounts to view the content. After logging in, an archive containing a heavily obfuscated .js-based downloader is downloaded to their computers. An IcedID payload and a Cobalt Strike beacon are then downloaded to the compromised device using WScript and PowerShell.</p>
<p>"While this specific campaign delivers the IcedID malware, the delivery method can be used to distribute a wide range of other malware, which can in turn introduce other threats to the enterprise," the Microsoft analysts added.</p>
<p>This was a new threat to me – time to raise the alarm to make sure law firms and businesses are protected from this attack.</p>
<p>Hat tip to Dave Ries.</p>
</div></content>



    <feedburner:origLink>https://ridethelightning.senseient.com/2021/04/businesses-being-attacked-using-their-own-contact-forms.html</feedburner:origLink></entry>
<entry>
        <title>Microsoft Releases a Cyberattack Simulator</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/sensei/~3/PuepBBSB8jU/microsoft-releases-a-cyberattack-simulator.html" />
        <link rel="replies" type="text/html" href="https://ridethelightning.senseient.com/2021/04/microsoft-releases-a-cyberattack-simulator.html" />
        <id>tag:typepad.com,2003:post-6a00e008daf3e088340263e99d441f200b</id>
        <published>2021-04-12T10:00:00-04:00</published>
        <updated>2021-04-11T13:10:38-04:00</updated>
        <summary>Bleeping Computer reported on April 8 that Microsoft has released an open-source cyberattack simulator which permits security researchers and data scientists to create simulated network environments and see how they operate against AI-controlled cyber agents. The project is named 'CyberBattleSim'...</summary>
        <author>
            <name>Sharon Nelson</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="https://ridethelightning.senseient.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>Bleeping Computer <a href="https://www.bleepingcomputer.com/news/security/microsoft-releases-a-cyberattack-simulator-shall-we-play-a-game/" rel="noopener" target="_blank">reported</a> on April 8 that Microsoft has released an open-source cyberattack simulator which permits security researchers and data scientists to create simulated network environments and see how they operate against AI-controlled cyber agents.</p>
<p>The project, named 'CyberBattleSim', is built using a Python-based OpenAI Gym interface.</p>
<p>The Microsoft 365 Defender Research team created CyberBattleSim to model how a threat actor spreads laterally through a network after its initial compromise. Nice graphics included in the link above.</p>
<p>The Microsoft Defender Research Team, in new <a href="https://www.microsoft.com/security/blog/2021/04/08/gamifying-machine-learning-for-stronger-security-and-ai-models/" rel="noopener" target="_blank">blog post</a>, says "The environment consists of a network of computer nodes. It is parameterized by a fixed network topology and a set of predefined vulnerabilities that an agent can exploit to laterally move through the network. The simulated attacker's goal is to take ownership of some portion of the network by exploiting these planted vulnerabilities. While the simulated attacker moves through the network, a defender agent watches the network activity to detect the presence of the attacker and contain the attack."</p>
<p>To build their simulated environment, researchers create various nodes on the network and indicate which services are running on each node, their vulnerabilities, and how the device is protected.</p>
<p>Automated cyber agents (threat actors) are then deployed in the environment, where they randomly select actions to perform against the various nodes to take control over them.</p>
<p>While many of these activities may trigger alerts in an XDR or SIEM system, Microsoft hopes that the security community can use this simulator to better understand how AI can analyze post-breach movements and better defend against them.</p>
<p>Microsoft said, "With CyberBattleSim, we are just scratching the surface of what we believe is a huge potential for applying reinforcement learning to security. We invite researchers and data scientists to build on our experimentation. We're excited to see this work expand and inspire new and innovative ways to approach security problems."</p>
<p>Shall we play a game?</p>
<p>Hat tip to Dave Ries.</p>
</div></content>



    <feedburner:origLink>https://ridethelightning.senseient.com/2021/04/microsoft-releases-a-cyberattack-simulator.html</feedburner:origLink></entry>
<entry>
        <title>Law Firm Breach Results in Michigan Title IX Lawsuits Leak</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/sensei/~3/1ykfMgJCdu0/law-firm-breach-results-in-michigan-title-ix-lawsuits-leak.html" />
        <link rel="replies" type="text/html" href="https://ridethelightning.senseient.com/2021/04/law-firm-breach-results-in-michigan-title-ix-lawsuits-leak.html" />
        <id>tag:typepad.com,2003:post-6a00e008daf3e08834026bdec9aa19200c</id>
        <published>2021-04-08T10:00:00-04:00</published>
        <updated>2021-04-07T16:59:32-04:00</updated>
        <summary>The State News (Michigan) reported on April 6 that Michigan State sent out an email to just under 350 people on April 5 notifying them that Title IX case files from Michigan State were a part of a data breach...</summary>
        <author>
            <name>Sharon Nelson</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="https://ridethelightning.senseient.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>The State News (Michigan) <a href="https://statenews.com/article/2021/04/michigan-state-title-ix-case-files-leaked-in-consulting-data-breach" rel="noopener" target="_blank">reported</a> on April 6 that Michigan State sent an email to just under 350 people on April 5 notifying them that Title IX case files from Michigan State were part of a data breach at the law firm Bricker and Eckler, which assisted in Michigan State's Title IX investigations, according to Michigan State's Title IX Communications Manager Christian Chapman.</p>
<p>Bricker and Eckler is an Ohio law firm that is the parent company of INCompliance Consulting, which was hired by the University to assist in Title IX investigations and hearings.</p>
<p>Chapman said that because of the investigations into Larry Nassar's abuse, the university was required to work with external investigators to help process cases involving policy violations, which could include cases surrounding relationship violence and sexual misconduct as well as anti-discrimination policies.</p>
<p>"INCompliance is the entity that we work with on some of those external investigations," Chapman said. "Bricker and Eckler is their parent company or law firm, so to speak."</p>
<p>Bricker and Eckler was hit by a ransomware attack between Jan. 14 and Jan. 31, which leaked personal information from its clients, including information from INCompliance's Title IX investigations at Michigan State.</p>
<p>"So just to be completely clear, none of the MSU systems were accessed," Chapman said. "It was just the Bricker and Eckler systems and the cases that they handled from MSU. So a small subset. It was less than 350 people affected. And the type of information were case files."</p>
<p>Chapman said that none of Michigan State's systems or resources have been affected by the leak and will continue to operate as usual.</p>
<p>Bricker and Eckler <a href="https://www.bricker.com/securityIncident" rel="noopener" target="_blank">posted</a> the following on their website:</p>
<p>"Bricker &amp; Eckler LLP ("Bricker"), a full-service law firm with offices throughout Ohio, was recently the target of a ransomware attack. In the course of Bricker's work on behalf of clients, it is at times provided access to personal information as a part of the client engagement. Bricker receives and utilizes this data solely in its representation of and to provide legal counsel to its clients.</p>
<p><strong>What Happened? </strong></p>
<p>On January 31, 2021, Bricker learned that it was the target of a ransomware attack. Upon learning of the incident, Bricker immediately took measures to contain the incident, launched an investigation, and third-party cybersecurity forensic experts were engaged to assist. Bricker also notified federal law enforcement.</p>
<p>The investigation determined that an unauthorized party gained access to certain Bricker internal systems at various times between approximately January 14, 2021 and January 31, 2021. Findings from the investigation indicate that the party obtained some data from certain Bricker systems during this period. Bricker was able to retrieve the data involved from the unauthorized party and has taken steps to delete the data. At this time, Bricker has no reason to believe this data was further copied or retained by the unauthorized party. Bricker conducted a thorough review of the data to identify individuals whose personal information may have been involved. On or around March 12, 2021, Bricker substantially completed its review of the data and began formally notifying clients of any client-related personal information included in these files.</p>
<p><strong>What Information Was Involved? </strong></p>
<p>The review determined that the data involved contained some personal information, including names, addresses, and in certain instances, medical-related and/or education-related information, driver's license numbers, and/or Social Security numbers.</p>
<p><strong>What We Are Doing </strong></p>
<p>On April 6, 2021, Bricker will begin mailing letters to individuals whose information was involved and for whom Bricker has mailing addresses. Bricker also established a dedicated call center to answer questions about the matter.</p>
<p>To help prevent a similar type of incident from occurring in the future, Bricker implemented additional security protocols designed to enhance the security of Bricker's network, internal systems and applications. Bricker will also continue to evaluate additional steps that may be taken to further increase Bricker's defenses going forward. In addition, Bricker is continuing to support federal law enforcement's investigation."</p>
<p>My constant question is, "Did the bad guys keep a copy of the data?" The law firm says it doesn't believe that they did, but how does one ever really know?</p>
<p><strong>Sharon D. Nelson, Esq., President</strong>, <strong>Sensei Enterprises, Inc.</strong><br />3975 University Drive, Suite 225<strong>|</strong>Fairfax, VA 22030<span style="text-decoration: underline;"><br /></span>Email: <a href="mailto:snelson@senseient.com"> snelson@senseient.com</a> Phone: 703-359-0700<br />Digital Forensics/Cybersecurity/Information Technology<br /><a href="https://senseient.com/" rel="noopener" target="_blank">https://senseient.com</a><br /><a href="https://twitter.com/sharonnelsonesq" rel="noopener" target="_blank">https://twitter.com/sharonnelsonesq</a><br /><a href="https://www.linkedin.com/in/sharondnelson" rel="noopener" target="_blank">https://www.linkedin.com/in/sharondnelson</a><br /><a href="https://amazon.com/author/sharonnelson" rel="noopener" target="_blank">https://amazon.com/author/sharonnelson</a></p><xhtml:img xmlns:xhtml="http://www.w3.org/1999/xhtml" src="http://feeds.feedburner.com/~r/sensei/~4/1ykfMgJCdu0" height="1" width="1" /></div></content>



    <feedburner:origLink>https://ridethelightning.senseient.com/2021/04/law-firm-breach-results-in-michigan-title-ix-lawsuits-leak.html</feedburner:origLink></entry>
<entry>
        <title>Peeping Tom Uses Drone to Look in Woman’s Bedroom Window</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/sensei/~3/G_TOHVBOVrg/peeping-tom-uses-drone-to-look-in-womans-bedroom-window.html" />
        <link rel="replies" type="text/html" href="https://ridethelightning.senseient.com/2021/04/peeping-tom-uses-drone-to-look-in-womans-bedroom-window.html" />
        <id>tag:typepad.com,2003:post-6a00e008daf3e0883402788020fcc5200d</id>
        <published>2021-04-07T10:00:00-04:00</published>
        <updated>2021-04-05T08:38:52-04:00</updated>
        <summary>InsideNoVA reported on March 18 that Prince William County police were searching for a man who used a drone mounted with a camera to look into a woman's bedroom in northern Virginia. The 18-year-old victim told police she was in...</summary>
        <author>
            <name>Sharon Nelson</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="https://ridethelightning.senseient.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>InsideNoVA <a href="https://www.insidenova.com/headlines/peeping-tom-uses-drone-to-look-in-woodbridge-womans-bedroom-window/article_2ca064b4-8813-11eb-980d-5b0cf04f6b37.html" rel="noopener" target="_blank">reported</a> on March 18 that Prince William County police were searching for a man who used a drone mounted with a camera to look into a woman's bedroom in northern Virginia.</p>
<p>The 18-year-old victim told police she was in her bedroom changing clothes when she saw the drone outside her window.</p>
<p>"The victim immediately looked out of the window and observed a man holding the controller for a drone standing near a residence on Rainbow Court," Prince William County police spokeswoman Renee Carr said.</p>
<p>Shortly afterwards, the suspect fled the area on foot and the drone flew away. The victim said she had seen the man wearing similar clothing in the area previously.</p>
<p>This story struck us because John and I have long discussed the possibility of drones being used as peeping Toms – but this was the first time we have seen a reported incident at a home. We have seen stories of drones surveilling beaches and people sunbathing on city rooftops. Had drones existed when "Animal House" was filmed, Bluto might have avoided his unfortunate fall with the ladder while peeping into the sorority house!</p>
</div></content>



    <feedburner:origLink>https://ridethelightning.senseient.com/2021/04/peeping-tom-uses-drone-to-look-in-womans-bedroom-window.html</feedburner:origLink></entry>
<entry>
        <title>The 20 Coolest Careers in Cybersecurity from SANS Institute</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/sensei/~3/kd_WGx7IDjo/the-20-coolest-careers-in-cybersecurity-from-sans-institute.html" />
        <link rel="replies" type="text/html" href="https://ridethelightning.senseient.com/2021/04/the-20-coolest-careers-in-cybersecurity-from-sans-institute.html" />
        <id>tag:typepad.com,2003:post-6a00e008daf3e088340263e99bcdfa200b</id>
        <published>2021-04-06T10:00:00-04:00</published>
        <updated>2021-04-05T09:44:50-04:00</updated>
        <summary>On April 5, SANS Institute posted some stats and the beginning of a countdown to the 20 coolest careers in cybersecurity. Yesterday's countdown began with job #20, Media Exploitation Analyst. Logically enough, the cool jobs are tied to related SANS...</summary>
        <author>
            <name>Sharon Nelson</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="https://ridethelightning.senseient.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>On April 5, SANS Institute <a href="https://www.sans.org/blog/the-20-coolest-cyber-security-careers/" rel="noopener" target="_blank">posted</a> some stats and the beginning of a countdown to the 20 coolest careers in cybersecurity. Yesterday's countdown began with job #20, Media Exploitation Analyst.</p>
<p>Logically enough, the cool jobs are tied to related SANS certifications, which is self-promotional of course, but also very helpful. Young folks are always asking me which cybersecurity certifications they should get – and of course that depends on the nature of the job you want.</p>
<p>Here is the job description for a Media Exploitation Analyst.</p>
<p>"If investigating computer crime excites you, and you want to make a career of recovering file systems that have been hacked or damaged, then this may be the path for you. In this position, you will assist in the forensic examinations of computers and media from a variety of sources, in view of developing forensically sound evidence.</p>
<p>Related SANS courses: <a href="https://www.sans.org/course/windows-forensic-analysis" rel="noopener" target="_blank">FOR500</a> (GCFE Certification), <a href="https://www.sans.org/course/advanced-smartphone-mobile-device-forensics" rel="noopener" target="_blank">FOR585</a> (GASF Certification), <a href="https://www.sans.org/course/mac-and-ios-forensic-analysis-and-incident-response" rel="noopener" target="_blank">FOR518</a> and <a href="https://www.sans.org/course/battlefield-forensics-and-data-acquisition" rel="noopener" target="_blank">FOR498</a>"</p>
<p>According to the <a href="https://cybersecurityventures.com/jobs/" rel="noopener" target="_blank">Cyber security Jobs Report</a>, the demand to fill roles within the information security industry is expected to reach 3.5 million unfulfilled positions this year. Further, unemployment in the industry is currently exceptionally low. Research in an annual global survey by the Enterprise Service Group (ESG) found that by 2021, 51% of IT decision-makers said they were struggling to fill open positions.</p>
<p>This statistic is why the World Economic Forum (WEF) named cyber-attacks the fourth most serious global concern, and data breaches the fifth. It is also why those with an interest in IT, or currently employed in an IT role, should consider learning the skills to become a cybersecurity professional.</p>
<p>Hat tip to Dave Ries.</p>
</div></content>



    <feedburner:origLink>https://ridethelightning.senseient.com/2021/04/the-20-coolest-careers-in-cybersecurity-from-sans-institute.html</feedburner:origLink></entry>
<entry>
        <title>Before You Get Hit by Ransomware, Print Out Your Incident Response Plan</title>
        <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/sensei/~3/fIonTiAc0KY/before-you-get-hit-by-ransomware-print-out-your-incident-response-plan.html" />
        <link rel="replies" type="text/html" href="https://ridethelightning.senseient.com/2021/04/before-you-get-hit-by-ransomware-print-out-your-incident-response-plan.html" />
        <id>tag:typepad.com,2003:post-6a00e008daf3e0883402788020d6f0200d</id>
        <published>2021-04-05T10:00:00-04:00</published>
        <updated>2021-04-04T11:13:42-04:00</updated>
        <summary>Sometimes, paper is a good thing. As ZDNet reported on April 1, there really are firms which have been hit by ransomware and no one could get to the Incident Response Plan (IRP) because it was – of course –...</summary>
        <author>
            <name>Sharon Nelson</name>
        </author>
        
        
<content type="xhtml" xml:lang="en-US" xml:base="https://ridethelightning.senseient.com/"><div xmlns="http://www.w3.org/1999/xhtml"><p>Sometimes, paper is a good thing.</p>
<p>As ZDNet <a href="https://www.zdnet.com/article/hacked-companies-had-backup-plans-but-didnt-print-them-out-why-cybersecurity-still-isnt-being-taken-seriously/" rel="noopener" target="_blank">reported</a> on April 1, there really are firms which have been hit by ransomware and no one could get to the Incident Response Plan (IRP) because it was – of course – encrypted.</p>
<p>Naturally, you could also keep the plan on a device that is not connected to the network, but having the plan on paper in several readily accessible locations makes a lot of sense. The last thing you need to worry about after a cyber attack is where your emergency plan can be found (with contact information for your data breach lawyer, your insurance company, your digital forensics company, your bank, etc.).</p>
<p>Have you updated your IRP recently? Most IRPs become antiques very quickly as the nature of threats and defenses morph rapidly – and yet studies show that IRPs, once completed, are often allowed to molder, sometimes for years.</p>
<p>Make sure there is at least an annual reminder to review and revise the plan. Tabletop exercises which assume the worst has happened should also be a regular occurrence. No matter how good your defenses are, you should never assume that you cannot be breached. So be prepared – and if the nightmare comes, hopefully implementing your IRP will mitigate the extent of the damage.</p>
</div></content>



    <feedburner:origLink>https://ridethelightning.senseient.com/2021/04/before-you-get-hit-by-ransomware-print-out-your-incident-response-plan.html</feedburner:origLink></entry>
 
</feed>
