Cybriant CTO: Analysis of a Phishing Email

I recently received an interesting phishing email that I shared with the rest of our company as part of our Internal Security Awareness program.  You might guess that as CTO of a security company I often receive phishing emails (and you’d be right), but this one caught my eye.  This phishing email was interesting for a few reasons:

  1. It made it past Microsoft’s ATP (Advanced Threat Protection) anti-phishing service in Office 365.
  2. It had a valid SPF record (no DKIM or DMARC).
  3. The phishing link hid its real destination behind a URL-encoded redirect.

So, let’s take a look at the email:

There were several factors that tipped me off that things were amiss: 

  • I have never seen a similar voicemail email.
  • We don’t do business with any company named Alarmtech (looking at the email address).
  • We definitely DON’T do any business with any company named Alarmtech that has a Polish TLD (the “.pl” of “alarmtech.pl” domain in the email address).
  • The “local Wireless User” phone number was also odd.

So, I decided to take a look at the message’s full headers.

I was quite surprised to see that the email passed SPF. An SPF pass means the sending server was authorized by the alarmtech.pl domain’s own SPF record, so the sender domain was not spoofed; the message was actually sent through infrastructure that domain permits. DKIM was not set up, which is unfortunate but fairly common with less sophisticated admins, and with no DMARC record published there was no policy telling the receiver to reject or quarantine on failure anyway. This also explains part of why Office 365 gave a phishing email a pass instead of convicting it.

And, a quick check with MXToolbox confirmed that the SPF record was indeed valid.

Ok, at this point I was even more curious.  So, I copied the link behind the “Play Record” button and used www.o365atp.com to decode the Safe Links wrapper.  Bingo!  We’ve got something interesting!

Now we have the de-obfuscated link.  (Office 365 ATP uses a technology called Safe Links as an extra layer of protection: it rewrites every URL in the message to a Microsoft redirect that checks the destination at click time, and the decoder simply recovers the original URL from that wrapper.)

__SNIP__

https://www.google.com.mx/url?q=ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37.%62l%6fb.co%72%65.%77in%64%6f%77s.n%65%74%2F5%65%353%72%77%376%2F%69%6edex.%68t%6d%6c%26%236%33%3B%70z%6fne%26%23%36%31%3BY%575%6b%63mV%33Lmhh%62Wl%73d%479uQHB%79%61W1%31%63%33Nlcn%5a%70%592VzL%6dN%76%62Q%26%2361%3B%26%23%361&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

__SNIP__

 

Notice that the URL begins with https://www.google.com.mx/url?q= .  This is a clever way to have Google (here Google’s Mexican site, on the “com.mx” domain) redirect the victim to the actual malicious website address, which is carried in the q parameter:

__SNIP__

ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37.%62l%6fb.co%72%65.%77in%64%6f%77s.n%65%74%2F5%65%353%72%77%376%2F%69%6edex.%68t%6d%6c%26%236%33%3B%70z%6fne%26%23%36%31%3BY%575%6b%63mV%33Lmhh%62Wl%73d%479uQHB%79%61W1%31%63%33Nlcn%5a%70%592VzL%6dN%76%62Q%26%2361%3B%26%23%361&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

__SNIP__

Yes, once decoded that is a valid FQDN and URL (note that everything from “&sa=D” onward belongs to Google’s redirector, not to the destination; the value of the q parameter ends at the first unencoded “&”).  And this is the other part of the reason why I believe this phishing email made it past Office 365’s ATP service.  It’s using a method called URL encoding (percent-encoding).  URL encoding normally exists to carry characters that are not allowed in a URL, such as a space in a filename; here it has been applied to ordinary letters and digits that never need encoding, purely to hide the hostname from anything that scans the link as text.  For example, the following two bullet point links would point to the exact same URL (Note:  I used a random domain name):

[Image: the two example links, one written with a literal space and one with the space encoded as %20]

The “%20” is the URL-encoded value for a space “ ”.  There are genuine uses for URL encoding, and it is especially helpful when writing scripts or working with APIs.  For example, when dealing with APIs in our SOC (Security Operations Center), this is how we pass reserved characters such as the “@” in a username: instead of user@cybriant.com it would be user%40cybriant.com.

So, let’s de-obfuscate the link using https://urldecoder.org:

__SNIP__

https://64e53rw7.blob.core.windows.net/5e53rw76/index.html?pzone=YW5kcmV3LmhhbWlsdG9uQHByaW11c3NlcnZpY2VzLmNvbQ=&#61&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q

__SNIP__
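To make this decoding repeatable in the SOC, here is an added example (written for this page; it is not the post’s own code or any Cybriant tooling) that unwraps the google.com.mx redirect quoted above, undoes both encoding layers (percent-encoding, then the numeric HTML character references that hide the “?” and “=”), base64-decodes the pzone parameter, and counts percent-escapes that decode to characters which never needed encoding, a cheap obfuscation signal. The URL is the one quoted above; the function names and the “www.google.” host check are my own assumptions.

```python
import base64
import html
from urllib.parse import unquote, urlsplit

# The Safe Links-decoded URL quoted in the post above, copied as-is.
PHISH_URL = (
    "https://www.google.com.mx/url?q=ht%74p%73%3A%2F%2F6%34%65%35%33r%77%37.%62l%6fb.co%72%65"
    ".%77in%64%6f%77s.n%65%74%2F5%65%353%72%77%376%2F%69%6edex.%68t%6d%6c%26%236%33%3B%70z%6fne"
    "%26%23%36%31%3BY%575%6b%63mV%33Lmhh%62Wl%73d%479uQHB%79%61W1%31%63%33Nlcn%5a%70%592VzL%6dN"
    "%76%62Q%26%2361%3B%26%23%361&sa=D&sntz=1&usg=AFQjCNEZAsy-4nufrSB7lCmGPtn98lLW9Q"
)

# RFC 3986 unreserved characters: these never need percent-encoding, so escapes that
# decode to one of them are pure obfuscation.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def query_params(url):
    """Split the query on literal '&' *before* percent-decoding, so %26-encoded
    ampersands inside a value survive; use unquote (not unquote_plus) so a '+'
    inside a base64 value is not turned into a space."""
    params = {}
    for part in urlsplit(url).query.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def is_google_redirector(url):
    """True for www.google.<tld>/url links (assumed helper; in production compare
    the host against a list of Google's own domains, since 'www.google.' is also
    a prefix of look-alike hosts)."""
    parts = urlsplit(url)
    return parts.path == "/url" and (parts.hostname or "").startswith("www.google.")


def unwrap_google_redirect(url):
    """Return the destination hidden in q=, undoing both encoding layers:
    percent-encoding (done by query_params) and the numeric HTML character
    references &#63; ('?') and &#61; ('=') that hide the query string."""
    if not is_google_redirector(url):
        raise ValueError("not a Google /url redirector link")
    q = query_params(url).get("q")
    if not q:
        raise ValueError("redirector link has no q= parameter")
    return html.unescape(q[0])


def decode_pzone(dest_url):
    """Base64-decode the pzone parameter; phishing kits commonly carry the
    recipient's address this way to pre-fill the fake login page."""
    vals = query_params(dest_url).get("pzone")
    if not vals:
        return None
    raw = vals[0] + "=" * (-len(vals[0]) % 4)   # restore padding if '=' was stripped
    return base64.b64decode(raw).decode("utf-8", errors="replace")


def count_needless_escapes(s):
    """Count %XX escapes that decode to an unreserved character."""
    n, i = 0, 0
    while i + 2 < len(s):
        if s[i] == "%" and all(c in "0123456789abcdefABCDEF" for c in s[i + 1:i + 3]):
            if chr(int(s[i + 1:i + 3], 16)) in UNRESERVED:
                n += 1
            i += 3
        else:
            i += 1
    return n


def analyze(url):
    """Summarise a redirector link the way an analyst would want it triaged."""
    dest = unwrap_google_redirect(url)
    parts = urlsplit(dest)
    return {
        "redirector": urlsplit(url).hostname,
        "final_host": parts.hostname,
        "final_path": parts.path,
        "pzone": decode_pzone(dest),
        "needless_escapes": count_needless_escapes(url),
    }


if __name__ == "__main__":
    for key, value in analyze(PHISH_URL).items():
        print(f"{key}: {value}")
```

Two details matter in practice: split the query on the literal “&” before percent-decoding (otherwise the %26-encoded ampersands inside q break the destination apart, which is exactly what the author’s decoder did when it left Google’s sa/sntz/usg parameters attached to the blob URL), and treat a high count of needless escapes as a reason to escalate the link rather than just to decode it.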

There we have the REAL link.  Next, we’ll detonate this link in Joe Sandbox to see its behavior.  Click on the following link to see the full Joe Sandbox analysis, and see what our SOC would discover if they were performing this for a customer.  I’ll give you a hint: it turns out it’s malicious:

https://www.joesandbox.com/index.php/analysis/166555/0/executive

Note:

When I first detonated the URL-decoded link, Joe Sandbox didn’t find anything interesting.  So, the second time I submitted the full google.com.mx referrer link instead.  With the redirect in place, Joe Sandbox determined that the final destination URL was indeed malicious.  In short, the bad actor built a check into their website so that the malicious content is only served when the visitor arrives via the full link (confirmed by seeing google.com.mx as the referrer to the phishing website).  Pretty spiffy thinking on their part!

Andrew Hamilton

Andrew Hamilton

CTO

Andrew Hamilton is a member of the executive management team of Cybriant, a leader in the cybersecurity services industry. As CTO he is responsible for the technical vision and the delivery of services at Cybriant. Since its founding in 2015, Andrew has led the selection, evaluation, and adoption of all security technology and tools utilized by Cybriant in the delivery of its managed security services.

Learn more about Cybriant’s Continuous Threat Detection & Remediation Services: http://cybriant.com/pretect

Biggest Bank Fraud Cases in History

Take a look at some of the most serious cases of bank fraud in recent history. Hackers, insider threats, and more are at the root cause of these. Are you doing everything you can to prevent fraud in your organization? 

The team at Fortunly recently created an infographic with information on the biggest bank fraud cases in history.

Common Security Threats

These cases are filled with so much drama that books have been written about them and Hollywood movies have been created using these storylines.

When you look at the facts, there are certain underlying similarities that you can prevent in your organization. Prevent bank fraud by being aware of these potential threats:

Insider Threats

Some of the cases of bank fraud include hacks and cover-ups by former employees. But you are always at risk from insider threats. It’s important to make sure your employees are aware of security threats and watch for suspicious emails, and to protect them with technology or services like Managed Detection & Response that can prevent malware from executing.

Phishing Emails

Hackers are getting smarter, and cyberattacks are becoming more and more prevalent in 2019.

Why? Because cybercrime is big business. In 2018 alone, cybercriminals received $1.5 Trillion in revenue. 

According to a new study, 70% of American workers don’t grasp web security and privacy: the majority of US employees fail when it comes to security and privacy best practices. This is further proof that employees represent the biggest threat to their organization’s cybersecurity, and phishing email statistics bear it out.

While this is alarming, it’s important to understand that organizations are also not spending enough on technology or services to prevent cybersecurity incidents. While budgets are rising slowly, employees still need to be aware that they are the biggest threat to their organization. Read more phishing email stats here.

New attack vectors and vulnerabilities are discovered every day. Your organization likely has firewalls, IDS/IPS, and AV solutions installed that look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks and advanced persistent threats. Consider using a service like our Managed Detection & Remediation.

Hackers

When your goal is to protect your organization’s data, you need a baseline framework to guide all future decision-making. Once a framework is in place, a Compromise Assessment is helpful in discovering the potential gaps in your security strategy.

Related: The Financial Industry’s Biggest Threat

[Infographic: Biggest Ever Cases of Bank Fraud]

2019 Data Breach Report

The 2019 Data Breach Report is available now and you’ll be surprised at the numbers so far this year. Unfortunately, the numbers are growing by the day. 


The Privacy Rights Clearinghouse maintains a database of all breaches that have been made public in its Chronology of Data Breaches. This report serves as a source of information to assist in research involving reported data breaches from 2005 to the present.

This report only includes publicly reported breaches — many organizations aren’t required to report breaches and some don’t know they have been breached. In addition, some organizations are unaware of how many records have been compromised.

The Chronology of Data Breaches includes data breaches and the number of records breached reported through either government agencies or verifiable media sources.

Current 2019 Data Breach Report:

Total Data Breaches: 222
Records Exposed: 9,727,276

As a comparison, the data breach report for 2018 is:

Total Data Breaches: 668
Records Exposed: 1,369,452,404

Data Breaches by Breach Type

Breach Type Codes:

Payment Card Fraud (CARD) – Fraud involving debit and credit cards that are not accomplished via hacking. For example, skimming devices at point-of-service terminals.

Hacking or Malware (HACK) – Hacked by an outside party or infected by malware

Insider (INSD) – Insider (someone with legitimate access intentionally breaches information, such as an employee, contractor, or customer)

Physical Loss (PHYS) – Includes paper documents that are lost, discarded, or stolen (non-electronic)

Portable Device (PORT) – Lost, discarded, or stolen laptop, PDA, smartphone, memory stick, CDs, hard drive, data tape, etc.

Stationary Device (STAT) – Stationary computer loss (lost, inappropriately accessed, discarded, or stolen computer or server not designed for mobility)

Unintended Disclosure (DISC) – Unintended disclosure (not involving hacking, intentional breach, or physical loss – for example sensitive information posted publicly, mishandled, or sent to the wrong party via publishing online, sending in an email, sending in a mailing, or sending via fax)

Unknown (UNKN)


Hackers Dominate 2019 Data Breach Report

Hackers can infiltrate your organization in several ways, so it is necessary to safeguard your organization. We recommend starting with a security assessment so you fully understand your threat landscape and any potential gaps that may have been overlooked.

Our 24/7 cybersecurity team offers continuous cyber threat detection and remediation through the following services:

Managed SIEM – Your organization may already have SIEM technology that aggregates data from all of your security controls into a single correlation engine, but it may also create huge amounts of alerts including false positives. Our security experts can tune your SIEM and provide insightful analysis for real-time threat detection and incident response.

Managed Detection & Remediation – Our team uses artificial intelligence to stop advanced threats and malware at the most vulnerable point – the endpoint. We offer the remediation skills and expertise to help you contain the incident as quickly as possible.

Patch & Vulnerability Management – By adding real-time vulnerability scanning and responsive patch management, these proactive services greatly reduce the technical threat landscape by continuously identifying and remediating newly discovered technical vulnerabilities within your ever-evolving environment.

By creating the proper foundation, especially with a security framework like NIST, you’ll be able to significantly reduce your threat landscape.

PREtect: Tiered Cybersecurity Services

Capital One Data Breach: Importance of Cybersecurity Basics

By now you’ve heard of the Capital One Data Breach, announced on July 29, 2019, in which a hacker gained access to personal data from roughly 100 million Capital One credit card applications and accounts. Read on for the thoughts of Cybriant’s Chief Technology Officer, Andrew Hamilton.

My first reaction when I saw the Capital One data breach was the same as many of you: someone misconfigured something, and a former employee knew about that misconfiguration.

What we most commonly see as a security company when organizations move to the cloud is the expectation that the cloud provider (AWS, Azure, Google) will automatically understand and take into account any security threat vector which may be particular to an organization.

Unfortunately, they can’t work in that manner because requirements and environments will always differ from one organization to the next.  What may be a potential threat vector to Capital One could be required functionality to another organization.

And so, the cloud providers afford their customers a high degree of flexibility, but they state in their Terms of Service (and recommendations) that the customer is responsible for securing their tenant.

Similarly, when we monitor a customer’s environment, one of the first things we check is whether endpoint devices are using external DNS servers instead of the official internal company DNS servers.

Malware loves to exfiltrate data via DNS because, most of the time, UDP/TCP port 53 is wide open to the Internet.  Data can certainly also be tunnelled through the legitimate internal resolver using valid CNAME and TXT lookups (which requires additional techniques to monitor or block, such as Response Policy Zones (RPZ)), but that is computationally less efficient than simply blasting data straight to an attacker-controlled server on a commonly trusted port, which also bypasses HTTPS/SSL inspection.
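As an added example (not Cybriant’s tooling and not code from the post), here is the check described above, endpoints talking DNS to anything other than the approved resolvers, run over a few constructed flow-log lines. The resolver addresses, internal ranges, log format and the byte threshold are assumptions for the example; the point is that summing bytes per source/destination pair makes the high-volume “DNS” to one unknown server stand out from a single stray lookup.

```python
import ipaddress
from collections import defaultdict

# Resolver addresses and internal ranges are assumptions for this example.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall flow-log lines (a simple key=value format chosen for the
# example, not a vendor's real format). 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
2019-07-30T10:00:01 src=10.0.5.21 dst=10.0.0.53 proto=udp dport=53 bytes=180
2019-07-30T10:00:02 src=10.0.5.21 dst=8.8.8.8 proto=udp dport=53 bytes=220
2019-07-30T10:00:03 src=10.0.5.40 dst=203.0.113.9 proto=udp dport=53 bytes=48000
2019-07-30T10:00:04 src=10.0.5.40 dst=203.0.113.9 proto=tcp dport=53 bytes=96000
2019-07-30T10:00:05 src=10.0.5.21 dst=93.184.216.34 proto=tcp dport=443 bytes=5000
2019-07-30T10:00:06 src=10.0.7.12 dst=10.0.1.53 proto=udp dport=53 bytes=150
"""


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with typed fields."""
    timestamp, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = timestamp
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_rogue_dns(log_text, volume_threshold=50_000):
    """Flag internal hosts sending port-53 traffic anywhere but the approved resolvers.

    Bytes are summed per (source, destination) so a host shovelling tens of
    kilobytes of 'DNS' at one unknown server (the exfiltration case in the text)
    is rated higher than a single stray lookup to a public resolver.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] != 53 or not is_internal(rec["src"]):
            continue
        if rec["dst"] in APPROVED_RESOLVERS:
            continue
        totals[(str(rec["src"]), str(rec["dst"]))] += rec["bytes"]

    findings = [
        {"src": src, "dst": dst, "bytes": total,
         "severity": "high" if total >= volume_threshold else "medium"}
        for (src, dst), total in totals.items()
    ]
    return sorted(findings, key=lambda f: -f["bytes"])


if __name__ == "__main__":
    for finding in find_rogue_dns(SAMPLE_LOG):
        print(finding)
```

The same shape of rule, run against the internal resolver’s query logs instead of firewall flows, is how you would catch the TXT/CNAME tunnelling case the paragraph mentions: group by querying host and look for unusually long labels or high query counts to a single domain.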

There was an excellent article at InfoSecurity Magazine yesterday on the top 5 penetration test discoveries (link:  https://www.infosecurity-magazine.com/news/95-test-problems/).

All five boil down to good Systems Administration hygiene. They aren’t as “sexy” as buying a Palo Alto and bragging about it to friends, but instead are things that are often left by the wayside (requiring complex passwords, simple patch management, etc).

What can be even more puzzling is when we see organizations who want a VERY expensive penetration test, and yet they haven’t even begun resolving the issues found from their vulnerability scanner.  Unfortunately, this is the norm that we see across industries and company sizes.

To avoid a Capital One-style data breach at your organization, read to the end to see our recommendations.

Related: Top Cyber Security Websites

Capital One Data Breach Facts

On July 29th, 2019 Capital One Financial Corporation, a US-based bank holding company specializing in banking, credit cards, loans, and savings, released a statement [1] regarding the detection of a breach resulting in unauthorized access to personal data of over 100 million Canadian and US credit card applicants and customers.

  • The breach is believed to be one of the largest in the history of the banking industry;
  • According to the statement, Capital One does not believe the compromised data has been used fraudulently;
  • Capital One became aware of the breach following a responsible disclosure email alerting them to potentially leaked data on a GitHub account associated with the alleged threat actor (TA);
  • The breach reportedly exploited a configuration vulnerability in Capital One’s infrastructure, including at least one known firewall misconfiguration, permitting access to customer data stored on Amazon Web Services (AWS) cloud;
  • US law enforcement arrested an alleged TA, ‘Paige Adele Thompson’, a former Amazon S3 Systems Engineer [2] also known as ‘Erratic’, in Seattle, WA (US) on suspicion of Computer Fraud and Abuse, as filed [3] in a criminal complaint with the US District Court for the Western District of Washington at Seattle;
  • The hack is expected to cost the company up to $150 million in the near term, including paying for credit monitoring for affected customers.

Scope of breach

  • Personal data of more than 100 million US and 6 million Canadian customers (consumers and small businesses), including approximately:
    • 140,000 US Social Security numbers;
    • 1 million Canadian Social Insurance Numbers (SIN);
    • 80,000 US bank account details;
    • Names, addresses, phone numbers & dates of birth;
    • Self-reported income;
    • Credit scores, limits, balances & payment history.
  • The stolen information came from credit card applications submitted from 2005 through 2019.

Capital One Data Breach Timeline

  • 12 March – 17 July 2019 – Period in which unauthorized access to Capital One’s infrastructure likely occurred;
  • 22 March 2019 – Capital One access logs confirm unauthorized access to AWS from a compromised account;
  • 21 April 2019 – Timestamp associated with leaked data hosted on GitHub in addition to unauthorized activity recorded by Capital One logs;
  • 26 June 2019 – Posts on a Slack channel associated with, and using an alias of, the TA include screenshots and directory listings of files belonging to Capital One and other potential victims;
  • 17 July 2019 – Responsible disclosure email received by Capital One, alerting them to ‘leaked s3 data’ hosted on a GitHub Gist account believed associated with the threat actor;
  • 18 July 2019 – Direct messages posted by the TA suggest that they were prepared to distribute the stolen data;
  • 29 July 2019 – US FBI agents arrested the TA and Capital One released a public statement about the breach (also establishing a dedicated data breach webpage [4] with an FAQ for potentially affected customers).

Cybriant Recommendations:

  • Organizations using cloud-based services, such as Amazon S3, should ensure that assets are correctly configured to prevent inadvertent or unauthorized access to sensitive data. Cloud providers will provide documentation detailing identity and access policy configurations that can restrict access, be that by the user, file, bucket, or organization.
  • Patch Management is a vital service that is often overlooked or taken for granted. Cybriant offers a Responsive Patch Management service that will take the guesswork out of the administrivia of this task and maintain a healthy network.
  • Vulnerability scans may catch the majority of issues, but these need to be done continuously. If you are only scanning once a year or quarter, that leaves a long period for hackers to use those vulnerabilities for malicious purposes. The alerts that come from the scans need to be remedied. Our Risk-Based Vulnerability Management service will aid your team to identify vulnerabilities to protect your network.
  • Centralized logging and round-the-clock monitoring of your network is the best way to detect advanced persistent threats, including insider threats. Our Managed SIEM with 24×7 Security Monitoring service is not only a potential compliance requirement but will address and resolve the most complex cyber risk issues.
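To make the first recommendation concrete, here is an added example (my own, not Cybriant’s or Capital One’s configuration) that lints an S3 bucket policy for the classic misconfiguration: an Allow statement whose principal is anyone (“*”) with no condition narrowing who or where the request comes from. The bucket name, VPC endpoint ID and account ID in the sample policy are made up; the condition-key list is a judgement call and should be extended for your environment.

```python
import json

# Constructed bucket policy for a hypothetical bucket, with one deliberately public
# statement; it is not any real organisation's configuration.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-applications/*"
    },
    {
      "Sid": "VpcOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-applications", "arn:aws:s3:::example-applications/*"],
      "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
    },
    {
      "Sid": "AuditRole",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/audit"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-applications/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-applications/*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
"""

# Condition keys that limit *who* or *from where*; with one of these present a "*"
# principal is no longer world-readable. Extend this set for your own environment.
SCOPING_KEYS = {
    "aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp",
    "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn",
}


def _principal_is_anyone(principal):
    """'*' or {"AWS": "*"} (or a list containing "*") means any caller, even unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _has_scoping_condition(statement):
    for _operator, keys in statement.get("Condition", {}).items():
        if any(key in SCOPING_KEYS for key in keys):
            return True
    return False


def find_public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to anyone without a
    condition that narrows the caller or the network source."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be given bare
        statements = [statements]
    public = []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        if _principal_is_anyone(statement.get("Principal")) and not _has_scoping_condition(statement):
            public.append(statement.get("Sid", "<no Sid>"))
    return public


if __name__ == "__main__":
    print("public statements:", find_public_statements(SAMPLE_POLICY))
```

Treat this as a pre-commit linter, not the control itself: the authoritative safeguards are the provider’s own features (S3 Block Public Access at the account level and IAM Access Analyzer on AWS), which also account for ACLs, cross-account trust and negated condition operators that a simple key-name check does not model.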

 

Sources:

[1] Capital One press statement: http://press.capitalone.com/phoenix.zhtml?c=251626&p=irol-newsArticle&ID=2405043
[2] https://www.linkedin.com/in/PaigeAdeleThompson
[3] Criminal complaint, US District Court for the Western District of Washington: https://www.justice.gov/usao-wdwa/press-release/file/1188626/download
[4] Capital One data breach information page: https://www.capitalone.com/facts2019/

Related: The Financial Industry’s Biggest Threat

 

Introducing PREtect: Tiered Cyber Risk Management Service

Is your Business at Risk from an Advanced Persistent Threat?

More than just a single hacker or thief trying to take advantage of your business or steal information about your customers or products, the Advanced Persistent Threat is the super-villain of the hacking world and needs to be prepared for accordingly.

Defining the Advanced Persistent Threat (APT)

An APT or Advanced Persistent Threat is a sophisticated and coordinated network attack that allows an invader to access a network and to remain there, undetected, for a significant amount of time. The typical attacker has a goal of stealing data; APT attackers often set their sights on businesses and organizations with valuable secure data. An APT attacker often targets government agencies, financial institutions, and other businesses dealing with high-value information.

The Navy recently detailed the five stages of a cyber intrusion. 

A recent piece in Wired magazine highlighted the growing number of Romanian cyber criminals who have focused on stealing from US consumers at a rate of over $1 trillion each year. Unlike the stereotypical hacker who lives and works in his mom’s basement, these cybercriminals have learned to band together and collaborate. These collaborations in Romania and around the world allow a team of criminals to work together, increasing their potential gains while reducing their risk of prosecution by local law enforcement.

While these cybercriminals cause headaches for consumers, they rarely launch large-scale attacks against business organizations. Nation-state-sponsored espionage teams often engage in the same sort of collaborative efforts as their consumer-swindling counterparts, but focus on long-term gains and results. These organizations are often identified as Advanced Persistent Threats, and as the name indicates, they are both skilled at infiltration and likely to make repeated attempts to damage your organization.

Related: The Financial Industry’s Biggest Threat

Since APTs are clouded in secrecy and their operations can vary, learning more about how they operate and how they have impacted other organizations can help you protect your business from this particular brand of criminal.

Recent APT Attacks in the News

  • Anthem Health Insurance was targeted by hackers, and authorities believe the attackers may have had access to the system for months before they were discovered, and then only by accident. Malware and a series of faked domain names opened the door into the network, though the actual entry point is unknown.
  • In 2015, the US Office of Personnel Management was breached, and hackers stole multiple terabytes of confidential information. The breach impacted over 20 million individuals, as the hackers were able to identify defense contractor users and target the specific systems they were operating.
  • Sony lost large amounts of data in 2014, including unreleased movies, private information, data about roughly 6,000 employees, and various other pieces of confidential information. According to the FBI, only about 10% of organizations would have been prepared to withstand this attack.

How an APT Attacker Gets Into your Network

  • The attacker will heavily research the target organization, focusing on the people who work there in the hope of exploiting someone for information. Once a few targets have been identified, the APT hacker launches a phishing attack to gain credentials or access to the network.
  • Once inside, the attacker explores the network and begins to slowly remove or export information. If service disruption is a goal, then the attacker may also attempt to disrupt operations or even cause physical damage to the organization.

Related: Top Cyber Security Websites

What can be done about Advanced Persistent Threats?

The security industry continues to create new protection and detection methods; these are used to identify possible issues and potential vulnerabilities before the criminal can get in. Various methods are used to shore up the technological side of the equation, but employee education and training are a must if an organization wants to prevent an attack by an APT.

Improve Employee Awareness and Education: Employees are a weak spot and can be easily exploited by any group wishing to harm your organization. Your workers do not have to be malicious to allow an APT attacker to access your system; they can be tricked by phishing scams, faked websites, and other methods. Boosting education and employee awareness of this type of attack can help reduce the risk of human error or malicious activity.

Better yet, monitor your organization’s endpoints so malware can’t execute. It’s possible with managed endpoint detection and response. 

Consider BaaS or DRaaS: Both Backup as a Service and Disaster Recovery as a Service make it fast and easy for your business to recover if you are breached. By having an up-to-date backup in place you can access your files and network from a remote location, without losing data. When you opt for DRaaS or have a robust recovery plan, you ensure that your business runs without interruption and that you don’t lose time and money restoring your full systems on a new network.

Choose Enterprise-Level Anti-Virus Protection: Multi-layered antivirus software and packages can help protect your system; the right AV system will include behavioral analysis and the ability to recognize and remove unknown programs and malware. A consumer solution may not offer the level of security needed to block an APT attack. Since infiltration is only the first step, regular monitoring of the way your systems are accessed via behavioral analysis can help you recognize an intruder and limit the amount of damage they cause.

Manage Devices: Any device, including smartphones, tablets, and other mobile devices that can access your system also exposes you to risk. The devices allowed to connect with your enterprise can be targeted for infection or data theft, allowing an APT attacker a way into your system. Placing limits on data transfer, using encryption, and monitoring the way devices access your system can help cut your risk.

Include that in your overall cybersecurity strategy. Consider outsourcing the security monitoring of your SIEM, endpoints, patching, and vulnerability protection with a single service. 

Awareness of the danger is an ideal first step when you want to protect your network from APT attacks. Having an emergency backup plan in place and a robust disaster recovery setup can help you get back to work quickly if the worst happens.

Defend Against Advanced Persistent Threats