FBI Warning: Hackers don’t stop for the Holidays

The FBI has released a warning about a fraudulent email scam, just in time for the holidays. According to the release, “The emails claim to be from one of three shipping businesses and claim that a package intended for the email recipient cannot be delivered. The messages include a link that recipients are encouraged to open in order to get an invoice to pick up the package; however, the link connects to a site containing malware that can infect computers and steal the user’s account credentials, log into the accounts to obtain credit card information, additional personal information, and learn about a user’s shipping history for future cyber attacks.

The messages may consist of subject lines such as: “Your Order is Ready for Shipment,” “We Could Not Deliver Your Package” or “Please Confirm Delivery.” The shipping companies say they do not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords or personal information, and if you receive such a notice — don’t respond. You should delete the email immediately or forward it to the company’s listed contact email address. If your interaction with the website resulted in a financial loss you should contact your bank immediately.”

I clicked! Now what?

We get it! Hackers are very good at creating emails that look real, and the timing of their messages, around the holidays, could not be better. Many of us are waiting for packages to ship, wondering where they are, and hoping they don’t get lost. If you click, you’ll probably know immediately that you messed up. The easiest way to check before you click is to hover over the link and see whether the URL is one you would trust. Then go to that URL directly and search for what you need, avoiding the link altogether.
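The hover-and-check advice above can be automated for a mail gateway or a helpdesk triage script. The example below is added here and is not from the article or the FBI release; the HTML message and the allowlist of shipping domains are constructed (the article does not name the three companies, so `example-courier.com` is a stand-in). It extracts every link from an HTML email, flags links whose host is outside the allowlist, and flags links whose visible text shows a different host than the one the link actually points to, which is the mismatch a reader sees when hovering.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: replace with the shipping companies you actually use.
TRUSTED_HOSTS = {"example-courier.com"}

# Constructed sample email: the first link shows a trusted-looking host in its
# text but points somewhere else; the second is a legitimate tracking link.
SAMPLE_EMAIL = """<p>We Could Not Deliver Your Package.</p>
<a href="http://tracking.example-courier.com.evil-example.net/invoice">tracking.example-courier.com</a>
<a href="https://tracking.example-courier.com/track?id=123">Track your package</a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    # Exact match or a subdomain of an allowlisted host; a host that merely
    # *starts* with a trusted name (lookalike) is not trusted.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def check_links(html):
    """Return (href, reason) for every link a reader should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        # If the visible text looks like a URL, compare its host with the real one.
        looks_like_url = "." in text and " " not in text
        shown = host_of(text if "://" in text else "http://" + text) if looks_like_url else ""
        if shown and shown != host:
            findings.append((href, f"text shows {shown} but link goes to {host}"))
        elif not is_trusted(host):
            findings.append((href, f"{host} is not a trusted shipping domain"))
    return findings
```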

If you do click, close the browser and use Task Manager to end the browser process, then shut down your system and reboot. Ending the browser process rather than just closing the tab reduces the risk of the browser reloading that malicious page once you have restarted. Report the incident to your IT team immediately; they may recommend that you clear your cache and scan your hard drive for malware.

Consider reporting the malicious email you received to the FBI through their Internet Crime Complaint Center (IC3). Start here: https://www.ic3.gov/default.aspx. The US is constantly targeted by nation-state hackers, and the FBI needs consumers’ help to learn more about these attackers and how to protect us.

Our partner KnowBe4 has a free tool that allows your IT department (or Cybriant if you want us to manage it) to send you fake emails like the ones the FBI mentions just to see how many users at your company would click on those emails. It’s not a malicious email, so the only outcome will be that users that click on the fake emails may have to go through a little bit more security awareness training. After all, employees are the last line of defense if an email has gotten through all your organization’s firewalls, etc. Check out their free phishing security test here: https://info.knowbe4.com/phishing-security-test-partner?utm_medium=partnerurl&utm_source=Cybriant

Avoid it altogether

At Cybriant, we discuss the idea of a layered approach to security when it comes to the overall cyber risk defense of our clients. Hackers will try to get into your organization from every angle possible, so you have to be prepared and think like a hacker. Many of the breaches you read about are the result of a small thing, like a forgotten patch, that the hackers noticed before the organization’s security team did. That ‘small thing’ has resulted in millions of dollars of loss for many organizations. Here’s what we recommend:

  • Real-time Vulnerability Management
  • Responsive Patch Management
  • Endpoint Detection and Response
  • 24×7 SIEM with Security Monitoring

Partner for Sending Data Breach Notifications

Notifying customers of a data breach is an essential step to protecting their safety and security. It gives customers the opportunity to take the necessary steps to protect their accounts.

This includes changing passwords, monitoring account activity, or even utilizing password manager accounts for extra protection. In addition to improving customer security, data breach notifications provide an important reminder to companies about the risks associated with storing sensitive information online.

Letting customers know that you are paying attention and taking action can help maintain trust and prevent any potential losses due to malicious activity. Contact Cybriant if you need a trusted partner for data breach monitoring.

How to Prepare for IPv6 DDoS attack

IPv6 DDoS attacks are a persistent problem. Read more about why they have become so rampant and how to prepare your business. 

IPv6 DDoS: Explanation

Every device on the Internet is assigned a unique IP address for identification and location definition. With the rapid growth of the Internet after commercialization in the 1990s, it became evident that far more addresses would be needed to connect devices than the IPv4 address space had available.

Because there are fewer than 4.3 billion IPv4 addresses available, depletion has been anticipated since the late 1980s, when the Internet started to experience dramatic growth. This depletion is one of the reasons for the development and deployment of its successor protocol, IPv6. Currently, IPv4 and IPv6 coexist on the Internet.

The total number of possible IPv6 addresses is more than 7.9×10^28 times as many as IPv4, which uses 32-bit addresses and provides approximately 4.3 billion addresses. The two protocols are not designed to be interoperable, complicating the transition to IPv6.

IPv6 DDoS: Why are they being attacked?

IPv6 introduces an entirely new attack vector with greater attack volume. IPv4 provides approximately 4.3 billion unique 32-bit IP addresses while IPv6 uses 128-bit addresses and gives attackers over 340 undecillion addresses to play with.

Hackers know what is coming, even though only around 25% of websites completely support IPv6 today. The problem begins when IPv6 is supported by the company’s network – and the administrators may or may not be aware of it. Many IPv4 DDoS attacks can be replicated using IPv6 protocols. And, hackers are already testing new methods for IPv6 DDoS attacks.

Many on-premises DDoS mitigation tools aren’t yet fully IPv6-aware, just as countless network security devices haven’t been configured to apply the same set of rules to IPv6 traffic as to IPv4 traffic. Even large vendors who offer VPN-based services have recently been found to only protect IPv4 traffic even though they handle IPv6 traffic.

How to prepare for IPv6 DDoS attacks

As IPv6 becomes a larger part of your enterprise’s network, your exposure to every form of IPv6 DDoS attacks will increase. According to a recent report, “Administrators need to familiarize themselves now with the Secure Neighbor Discovery (SEND) protocol, which can counter some potential IPv6 DDoS attack techniques; an IPv6 node uses the Neighbor Discovery (ND) protocol to discover other network nodes but is susceptible to malicious interference.”

“Network administrators should audit their systems and review how devices handle IPv6 traffic and run a sense-check to ensure that there are no configuration settings that could lead to exploitable vulnerabilities and that tools have feature and hardware parity in both IPv4 and IPv6.”

The massive amount of address space is another area of concern. For example, one IPv6 DDoS attack technique involves sending traffic addressed to random addresses in a network and hoping that many of those addresses don’t exist. This causes a broadcast storm on the physical network, which ties up the router that must send out requests asking for the Layer 2 address that handles the non-existent destination IP address. On an IPv6 network, the number of available addresses is dramatically higher, so the amplification of the attack is greatly increased and the chance of a host existing at the address that is being used in the attack is almost zero.

To tackle this problem, administrators need to configure routers with a black-hole route covering the addresses not actively in use on the network, alongside more specific routes (for example, host routes) for each real endpoint. Because routers forward on the longest matching prefix, traffic addressed to a real endpoint is forwarded to its destination, while traffic addressed to any other address matches only the black-hole route and is dropped.
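The example below is added here and is not from the article; it models the routing behaviour just described with Python’s standard `ipaddress` module. The prefixes come from the IPv6 documentation range, the two "real" endpoints and the scan of random addresses are constructed, and the routing tables are simplified (a single connected /64 versus a /48 black hole plus /128 host routes). It counts how many packets of a random-address scan would force the router into neighbor discovery with each table.

```python
import ipaddress
import random

# Naive table (constructed): only the connected /64, so every address in it,
# real or not, is resolved by sending a Neighbor Solicitation.
NAIVE_TABLE = [
    (ipaddress.ip_network("2001:db8:abcd:1::/64"), "connected:eth1"),
]

# Hardened table (constructed): a /48 black hole covering the whole site plus
# /128 host routes for the two endpoints that actually exist.
HARDENED_TABLE = [
    (ipaddress.ip_network("2001:db8:abcd::/48"), "blackhole"),
    (ipaddress.ip_network("2001:db8:abcd:1::10/128"), "eth1"),
    (ipaddress.ip_network("2001:db8:abcd:1::20/128"), "eth1"),
]


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(prefix, nh) for prefix, nh in table if addr in prefix]
    if not matches:
        return "unreachable"
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def classify(table, targets):
    """Count targets that trigger neighbor discovery ('solicit'), are forwarded
    over a host route ('forward'), or are discarded ('drop')."""
    result = {"solicit": 0, "forward": 0, "drop": 0}
    for t in targets:
        nh = lookup(table, t)
        if nh.startswith("connected:"):
            result["solicit"] += 1
        elif nh in ("blackhole", "unreachable"):
            result["drop"] += 1
        else:
            result["forward"] += 1
    return result


def random_scan(prefix, n, seed=1):
    """Constructed stand-in for random-address traffic: n addresses in prefix."""
    net = ipaddress.ip_network(prefix)
    rng = random.Random(seed)
    return [str(net[rng.randrange(net.num_addresses)]) for _ in range(n)]
```

With the naive table every scanned address costs the router a Neighbor Solicitation; with the hardened table only the two host routes are ever forwarded and the rest are dropped before discovery runs.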

Related: https://cybriant.com/understanding-cybersecurity-attack-vectors/

Watch Your Back: Why You Must Have A SIEM

Recently, an article was published on Wired about Rob Joyce, Chief of the NSA’s Tailored Access Operations, and his discussion on Disrupting Nation State Hackers. Here’s the link to the original video: Disrupting Nation State Hackers.

There are quite a few areas that Joyce discusses that make life miserable for the NSA. The things that make them the most miserable are the following: Security Information and Event Management (SIEM) tools analyzing logs, Indicators of Compromise (IOCs), out-of-band (OOB) devices that analyze traffic, and, worst of all, competent System Administrators who use these technologies.

Today, we are going to dive into logging, OOB devices, SIEM, IOCs, and monitoring your network with SIEM.

Technology creates a lot of information, and it typically leaves a record of what it has performed in log files. Whether it’s your router, switch, server, virtualization platform, cloud provider, smartphone, or printer a trail of events and information is created like a receipt you would get from grocery shopping.

Unfortunately, the logs are often forgotten, or commonly never analyzed unless there is a major problem. Even then, System Administrators grudgingly perform log analysis simply due to the sheer volume of data created. It’s like a scene out of The Matrix where the rebel crew members watch green characters scroll down the monitor, but slightly less exciting. However, there is a wealth of information contained in these logs, and like in The Matrix, System Administrators can use this information to observe what is happening in their infrastructure.

Now, there are specialized OOB devices that can analyze your network traffic. These are typically your Intrusion Detection Systems (IDS) that passively monitor your network from a tap or mirroring port. They are out-of-band because they are not directly in the path of the data and instead have data mirrored to them. This gives them a couple of advantages: if they break they don’t break your network, and more importantly when it comes to security, hackers cannot see the OOB device. You can think of it as having a concealed bodyguard in the dark with night vision when a mugger is trying to sneak up on you. Naturally, these OOB monitoring devices create a lot of logs which are then sent to your SIEM.

SIEM stands for Security Information and Event Management. The SIEM is a highly intelligent technology that views all of the logs coming from every device and correlates each piece of information. It sniffs out irregularities in data patterns and makes sense out of the mountains of information. The SIEM watching your logs and OOB systems is the scariest piece of technology in your arsenal to the bad guys because it can find the needle in the haystack. Fifty million events just happened on your network and it can find the handful of malicious actions stealing your data (or credit card numbers if you’re Target or Home Depot).

Related: What is Firewall Logging and Why is it Important?

SIEMs need to be constantly updated for them to be effective. The information that updates the SIEM is called Indicators of Compromise (IOC). An IOC might be a system sending SPAM to the internet, a malicious website infecting anyone who lands on their homepage, malware traversing your network, the intern down the hall accessing HR data to which he shouldn’t have access, or data going to an inappropriate or unauthorized destination such as a country like Russia or China. IOCs enable System Administrators and Engineers to remain vigilant and stay abreast of new threats on the horizon.
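The IOC examples in the paragraph above map directly onto correlation rules. The script below is an added illustration, not part of the article or of any SIEM product: the firewall log lines, the "known-bad" destination, the GeoIP lookup table, the HR server address and the HR group membership are all constructed. It runs four rules over the lines: a straight IOC match, a destination-country policy, an access-control check on the HR server, and a fan-out rule that catches a host opening SMTP connections to many destinations (the spam-bot pattern).

```python
import re
from collections import defaultdict

# Constructed sample firewall log: key=value fields, one connection per line.
LOG_LINES = [
    "2023-12-04T09:12:01 src=10.0.0.23 dst=203.0.113.45 dport=25 user=alice",
    "2023-12-04T09:12:02 src=10.0.0.23 dst=203.0.113.46 dport=25 user=alice",
    "2023-12-04T09:12:03 src=10.0.0.23 dst=203.0.113.47 dport=25 user=alice",
    "2023-12-04T09:15:10 src=10.0.0.51 dst=198.51.100.9 dport=443 user=bob",
    "2023-12-04T09:20:00 src=10.0.0.77 dst=192.0.2.10 dport=445 user=intern",
]

# Constructed IOC feed and policy data that a SIEM would be updated with.
IOC_BAD_DST = {"198.51.100.9"}                       # known malicious site
GEO_BY_PREFIX = {"198.51.100.": "ZZ", "203.0.113.": "YY"}  # stand-in GeoIP table
DENIED_COUNTRIES = {"ZZ"}                            # destinations data must not reach
HR_SERVERS = {"192.0.2.10"}                          # HR file server
HR_USERS = {"carol"}                                 # the only group allowed on it
SMTP_FANOUT_THRESHOLD = 3                            # distinct SMTP peers per source

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) user=(\S+)")


def country_of(ip):
    """Crude longest-prefix GeoIP stand-in over the constructed table."""
    for prefix, cc in GEO_BY_PREFIX.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def correlate(lines):
    """Return a list of (rule, detail) alerts raised across all log lines."""
    alerts = []
    smtp_peers = defaultdict(set)        # src -> set of SMTP destinations
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                     # skip lines that do not parse
        src, dst, dport, user = m.groups()
        if dst in IOC_BAD_DST:
            alerts.append(("ioc-match", f"{src} contacted known-bad host {dst}"))
        if country_of(dst) in DENIED_COUNTRIES:
            alerts.append(("geo-policy", f"{src} sent data to {dst} ({country_of(dst)})"))
        if dst in HR_SERVERS and user not in HR_USERS:
            alerts.append(("hr-access-violation", f"{user} reached HR server {dst}"))
        if dport == "25":
            smtp_peers[src].add(dst)
    for src, peers in smtp_peers.items():   # stateful rule needs the whole window
        if len(peers) >= SMTP_FANOUT_THRESHOLD:
            alerts.append(("possible-spam-bot", f"{src} opened SMTP to {len(peers)} hosts"))
    return alerts
```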

As Joyce says, “If you’re looking at the Nation State hackers, we’re going to be persistent. We’re going to keep coming and coming and coming, so you’ve gotta be defending and improving and defending and improving and evaluating and improving. The static person is going to float to the back of the pack.”

And, when a bear is chasing you, you don’t have to be the fastest in the pack, just don’t be the slowest.

Finally, we get to the most important part of defending your company or organization’s jewels: the System Administrator. You can have the best network security, the best SIEM, the best IDS, and the best awesome security gadget in the world, but all of it is worthless if your System Administrator isn’t qualified and constantly monitoring, analyzing, and improving.

The responsibility doesn’t stop at them watching the bad guys do bad things. As Joyce says, the System Administrators must have clear policies and procedures on how to act once a threat has been detected. If at any point the Detect → Analyze → Remediate → Repeat approach fails, then your data will be compromised and the hacker wins.

Learn more about our Managed SIEM service.

Don’t let the hackers win.