Last September 21st we first discussed the CCleaner breach. In that post we described how the hackers behind the attack used the malicious doppelganger software to cast a wide net, infecting hundreds of thousands of users in the hope of finding a few big fish amongst the fry.

Yesterday on the Avast blog, Avast CTO Ondrej Vlcek shared some insights and a timeline that show just how the breach unfolded.

How Does a Security Company Get Breached?

The old fashioned way – with user credentials!

According to Vlcek:

To initiate the CCleaner attack, the threat actors first accessed Piriform’s network on March 11, 2017, four months before Avast acquired the company, using TeamViewer on a developer workstation to infiltrate. They successfully gained access with a single sign-in, which means they knew the login credentials. While we don’t know how the attackers got their hands on the credentials, we can only speculate that the threat actors used credentials the Piriform workstation user utilized for another service, which may have been leaked, to access the TeamViewer account.

Updating the Numbers

In our initial post we cited experts from Talos who were putting the size of the infection at approximately 700,000 users with approximately 20 of those becoming actual targets for the second stage of the exploitation. Yesterday Vlcek provided more accurate figures.

In terms of CCleaner, up to 2.27 million CCleaner consumers and businesses downloaded the infected CCleaner product. The attackers then installed the malicious second stage on just 40 PCs operated by high-tech and telecommunications companies. We don’t have proof that a possible third stage with ShadowPad was distributed via CCleaner to any of the 40 PCs.

Very Similar to the NetSarang Compromise

Last year Kaspersky identified and shut down a similar attack that used an infected version of the popular server management software produced by NetSarang.

Further Kaspersky Lab analysis showed that the suspicious requests were actually the result of the activity of a malicious module hidden inside a recent version of the legitimate software. Following the installation of an infected software update, the malicious module would start sending DNS-queries to specific domains (its command and control server) at a frequency of once every eight hours. The request would contain basic information about the victim system (user name, domain name, host name). If the attackers considered the system to be “interesting”, the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer. After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code. (Emphasis added to highlight similarities)
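The behaviour Kaspersky describes, one DNS query to the command server every eight hours, is exactly the kind of regularity a defender can look for. The script below is an added illustration, not part of the original post or of Kaspersky's analysis: it reads constructed resolver log lines (the format, hostnames and domains are assumptions for the example) and reports any client that resolves one name at a near-constant interval.

```python
"""Detect fixed-interval DNS beaconing of the kind described above.

The NetSarang module resolved its C2 domain once every eight hours, so a
client whose queries for one name arrive at a near-constant interval stands
out against normal, bursty DNS traffic. The log format, client names and
domains below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed resolver log: "<ISO timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2017-08-01T00:02:11 ws-17 updates.example-c2.test
2017-08-01T00:02:12 ws-17 www.example.com
2017-08-01T03:15:40 ws-17 mail.example.com
2017-08-01T08:02:09 ws-17 updates.example-c2.test
2017-08-01T09:30:00 ws-17 www.example.com
2017-08-01T16:02:13 ws-17 updates.example-c2.test
2017-08-01T16:02:14 ws-17 www.example.com
2017-08-01T20:00:00 ws-17 www.example.com
2017-08-02T00:02:10 ws-17 updates.example-c2.test
2017-08-01T00:10:00 ws-22 www.example.com
2017-08-01T00:11:00 ws-22 www.example.com
2017-08-01T05:00:00 ws-22 www.example.com
2017-08-01T11:30:00 ws-22 www.example.com
"""


def parse_log(text):
    """Group query timestamps by (client, queried name)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        series[(client, name.lower())].append(datetime.fromisoformat(ts))
    return series


def find_beacons(text, min_queries=4, max_jitter=0.05):
    """Return (client, name, median_interval_seconds) for every series whose
    consecutive query gaps all lie within max_jitter of their median.
    Normal browsing produces irregular gaps and is not reported."""
    hits = []
    for (client, name), times in parse_log(text).items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= max_jitter * mid for g in gaps):
            hits.append((client, name, mid))
    return hits


if __name__ == "__main__":
    for client, name, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {name}: every {interval / 3600:.2f} h")
```

Only the ws-17 series for the constructed C2 name comes back (roughly every 8.00 h); the ordinary web and mail lookups have irregular gaps and are ignored.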

Konsultek’s Approach

Protect, detect and respond are the hallmarks of a robust security solution. When Konsultek develops your custom security solution you can bet that all three approaches will be included. Interested in taking your security to the next level? Call us and let’s begin a dialogue.


Often we report on breaches that start with spearphishing. An employee gets an email from someone posing as a trusted supplier or customer or perhaps a high-ranking fellow employee and downloads the infected attachment without a second thought.

Today we report on a completely different approach. Rather than going after one fish at a time, the folks behind the CCleaner infection decided to catch upwards of a million fish, toss the small ones back and keep just the trophy fish.

Keep the Big Ones, Throw the Little Ones Back

Millions of people have taken advantage of the free CCleaner security tool to help them clean up and steer clear of malware, viruses and other types of hacking exploits. Unfortunately, according to reports from Morphisec and Cisco, it looks like 700,000+ computers were infected with a backdoor by downloading CCleaner. Bad enough, but it was the report by Cisco’s Talos security division that revealed that this mass hack was really just the top of the funnel in an effort to penetrate a much smaller set of targets.

From 700,000+ to 20

According to Talos, code within the backdoor indicates that the infected computers were being filtered to identify whether or not they belonged to 20 or so primary targets, big tech firms such as Intel, VMware, Samsung, Sony and wait for it… Cisco itself!

This finding abruptly turned a mass infection into what appears to be a corporate espionage play, potentially with state sponsorship.

A Couple of Takeaways

CCleaner is primarily a consumer-level product and frankly has no place as a security tool in any but the smallest organizations. For corporations of this size to have infected computers in their networks is alarming and suggests a breakdown in security protocol and user privileges.

Konsultek Doesn’t Use Consumer Software

Software such as CCleaner, while normally effective and safe, is a consumer-level product and not something that we at Konsultek use as part of our custom security solutions. So if your business is ready to move beyond consumer-level solutions, give us a call.


Ever wonder how stupid or careless someone has to be to be fooled by a phishing scam? Well, according to research conducted by a group of German experts, virtually anyone can be fooled.

In their study “Unpacking Spear Phishing Susceptibility” the researchers showed that although email phishing scams get more publicity, Facebook scams would appear to be more effective.

“By a careful design and timing of a message, it should be possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find themselves in a life situation that fits the message’s content and context.”

The Goal of the Study

The researchers, sensing there was a dearth of research related specifically to spear phishing, decided to create a study that would fill the gap. They constructed a study that would explore the difference in effectiveness between delivery media (Facebook vs. email) while at the same time quantifying the personal motivations that led people either to click on the phishing link or, just as importantly, not to click on it.

The Phishing Scam

The selected participants were sent a phishing link either as part of an email or as a personal Facebook message from a fake, non-existent person. The message claimed that the link led to pictures from a party.

Facebook Gets 2X Clickthrough Rate

As Table 2 shows, when the same phishing message is presented via Facebook rather than email, individuals are over 2X more likely to click on the link and begin the phishing process.

Source: Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universitat, Freya Gassmann, Universitat des Saarlandes


Why Did They Click?

Source: Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universitat, Freya Gassmann, Universitat des Saarlandes

Why Didn’t They Click?

Just as important to the researchers was attempting to understand why people didn’t click. Here is what they found.

Source: Zinaida Benenson, Robert Landwirth, Friedrich-Alexander-Universitat, Freya Gassmann, Universitat des Saarlandes

How Can Konsultek Help?

Whenever humans are involved there are going to be errors in judgement and successful phishing. That’s why all of our custom security solutions take a holistic approach to network security, using a proven model of intrusion prevention, detection and mitigation. When you are ready to take your network security to the next level, give us a call.


There has been a major shift in the type of breach incident happening in the education services sector, according to the Verizon 2017 Data Breach Investigations Report.

Can you spot the shift in the graphic below?

Source: Verizon 2017 DBIR

Cyber-espionage has exploded since mid-2012! That’s right: because of the cutting-edge research that happens at many colleges and universities, they have become a target for state-sponsored hacking.

As Verizon puts it…

“So college isn’t just pizza and tailgates—research studies across myriad disciplines conducted at universities put them in the sights of state-affiliated groups.”

So while the personal information of students and faculty was, of course, commonly extracted during breaches (a little more than half of all breaches), intellectual property losses were tied to a little more than a quarter of all breaches.

Targeted or Random Acts of Unkindness?

The evidence is clear that state-sponsored hacking, and some criminal, profit-based hacking, is specifically targeting the hallowed halls of our academic institutions.

How Do They Do It?

Good question. Here is the answer in a graphic from the Verizon report.

Phishing email was the predominant threat vector in the social category, while the use of stolen credentials was the dominant hacking technique. One interesting thing to note is the number of incidents involving Social together with one or more other vectors.

How Would You Like to Get a Threat Vulnerability Education for FREE?

At Konsultek we believe an educated client is the best client. That’s why we offer a variety of free vulnerability assessments to help you determine both your risk exposure and the likelihood of that exposure being realized given how well your current security measures actually hold up. Who would you rather educate you, the good guys at Konsultek or the bad guys out in the wild? Well, what are you waiting for? Pick up the phone and give us a call today so we can get your vulnerability assessment scheduled ASAP!


The 2017 Verizon Data Breach Investigations Report (DBIR) has been released and, as always, it is chock full of fascinating facts about the current state of the hacking and cyber threat world. You can get the full report from Verizon for free here.

Who are the Perps?

According to this year’s DBIR the breakdown of who’s been doing the most hacking looks like this:

  • 75% Perpetrated by outsiders
  • 51% Linked to organized criminal groups
  • 25% Involved internal actors
  • 18% Starred state affiliated actors
  • 3% Featured multiple parties
  • 2% Involved partners

How Did They Do it?

  • 62% Of breaches featured hacking
  • 51% Involved malware
  • 81% Leveraged stolen or weak passwords
  • 43% Were social attacks
  • 14% Were linked to errors or privilege misuse
  • 8% Involved physical actions

The above information is just a sneak peek at a portion of the summary data contained in the 2017 DBIR. Next week we’ll take a deeper dive into what industries were hardest hit and by whom as well as get into specifics of how these industries were attacked.


Woke up today to find this gem in the mailbox. Who knew that the FBI and the Central Bank of Nigeria would be looking for me!

This email is entertaining for a couple of reasons (at least!) beyond the alleged working relationship between Mr. Comey and the Central Bank of Nigeria.

Take a look at the portions highlighted with blue text! First a warning that “you should ignore any message that does not come from the above email address and phone number for security reasons.”

Next, look at Mr. Comey’s email address. I would have thought that after all the email scandals in Washington that Mr. Comey would not be using an AOL email address for such important and sensitive business!

Re: Urgent January Notice…….

From: James B. Comey, Jr., <fbidirector@openmailbox.org> 

Jan 18 at 12:37 PM

OFFICE OF THE EXECUTIVE DIRECTOR,

MR. JAMES B. COMEY, JR,

FEDERAL BUREAUOF INVESTIGATION,

935 Pennsylvania Avenue, NW

Washington, D.C. 20535-0001. USA.

Attention: Beneficiary,After proper investigations, we, the Federal Bureau of investigation (FBI) discovered that your impending (over-due contract) payment with Central Bank of Nigeria is 100% legal and has been approved for release to you.

We recently had a meeting with the Executive Governor of the Central Bank of Nigeria, in the person of Mr Godwin Emefiele and other top officials of the concerned Ministries regarding your case and we were made to understand that your files have been held in abeyance pending on when you personally apply for the claim.

Investigations also revealed that a lady, by name Mrs. Joan B Melvin from New York has already contacted Central Bank of Nigeria with a power of attorney and some documents, which stipulated that you have mandated her to claim your fund of US$25,000,000.00 (Twenty Five Million United States Dollars) on your behalf due to your ill health.

In view of this, we have been urged to warn US citizens who have received information pertaining to their outstanding contract payment to be very careful and not to be a victim of ugly circumstance. In case you are already dealing with anybody or office of the Central Bank of Nigeria, you are strictly advised to STOP further communication with them in your best interest and thereby contact the real office of the Central Bank of Nigeria via the below information:


NAME: MR. GODWIN EMEFIELE

OFFICE ADDRESS: Central Bank of Nigeria,Central Business District,

Cadastral Zone, Abuja, Federal.

Capital Territory, Nigeria.

Email: central.bnk0015@aol.com

NOTE: In your best interest, you should ignore any message that does not come from the above email address and phone number for security reasons. And to enable the Central Bank of Nigeria to process and release the fund to you, you are required to re-confirm your full details such as

FULL NAMES: __________________________________

CITY: _________________________

STATE: __________________________________

ZIP: ______________COUNTRY: _______________________

SEX: _______________AGE: __________________

TELEPHONE NUMBER: _____________________

Ensure that you follow the Central Bank of Nigeria due process as enshrined in the International Banking Secrecy Act to avoid any form of discrepancy, which may hinder your fund transfer.Thanks for your understanding and cooperation as we earnestly await your urgent response.

Best Regards,

James B. Comey, Jr.,

Federal Bureau of Investigation

J. Edgar Hoover Building,

935 Pennsylvania Avenue,

NW Washington, D.C

E-mail: jjbcomeyjr@aol.com


Top 10 Hacks of 2016

On November 17th, 2016, posted in: Hackers, Targeted Attacks by konweb

In the first of the “Top Hacks of 2016” lists I’ve seen this year (they seem to start earlier each year, similar to holiday shopping!) Tech.co has published their top 10 list.

Let’s take a look at the list and take a stroll down 2016’s memory lane of hacks.

1. World Anti-Doping Agency
2. SnapChat
3. Verizon
4. Democratic Party
5. LinkedIn
6. BitCoin
7. DropBox
8. Yahoo!
9. Cisco
10. AdultFriendFinder

The post on Tech.co doesn’t explicitly state whether or not the hacks are listed in order of decreasing severity. Personally, I would re-order the list and put the DNC (because of the potential ramifications it had on the election) or Yahoo (because of the sheer scope) at the top of the list.

Nonetheless, a solid list in a year when paring such a list down to just 10 is a challenge!

What do you think? Any egregious omissions? How would you order the list?

Sound Security Solutions for Organizations of all Sizes

At Konsultek we specialize in customized security solutions and managed security solutions for organizations of all types. Education, finance and healthcare are just a few of the dozens of different niches our security experts work in every week. If you are ready to learn more about your secure future, please give us a call.


In a narrative that could have been lifted from a Tom Clancy novel, reports surfaced this week that an elite hacking group with ties to the NSA had been hacked and a treasure trove of their hacking tools stolen.

According to theHackerNews.com, the elite covert hackers known as the “Equation Group” have been hacked and a portion of their toolkit has been released publicly. Another portion of their most potent tools and exploits is apparently up for sale at auction with an asking price of $1 Million Bitcoins!

Source: Washington Post

The hackers, who go by the name “The Shadow Brokers”, had this to say about their stunning hack:

“We follow Equation Group traffic,” says the Shadow Broker. “We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

While the authenticity of the hack was at first questioned, many security experts, from freelancers to Kaspersky, have examined the publicly leaked materials and concluded that they are indeed products of the Equation Group.

Hack or Inside Job

In an update to the rapidly unfolding story, security expert Matt Suiche spoke with an anonymous source who used to work in the NSA’s TAO (Tailored Access Operations) unit. The source, whom Suiche considers credible, indicated that the leaked files were stored on a physically isolated network and that either an inside mistake or a deliberate act brought the files into contact with the outside world.

For certain, this story is not over yet and probably won’t be for some time. Will the final plot twists be as interesting as something penned by Clancy? We’ll have to wait and see!

In the meantime, if you have security concerns about your information and network please pick up the phone and speak with one of our operatives, um I mean team members!


We wouldn’t be on the cutting edge of topicality if we didn’t have a post about Pokémon GO and fortunately, thanks to the hacking group PoodleCorp, we are happy to be able to bring you a post about Pokémon GO AND infosec all tied together!

Softpedia broke the exclusive story of the DDoS failure to launch on Aug 3. Initial reports were that hacking crew PoodleCorp’s planned Aug 1 DDoS was waylaid by an external hacker who hacked their site, dumped the database, and shared it with the data breach index service LeakedSource, who tweeted news of the breach to their followers.

In response to the LeakedSource Twitter proclamation of the breach, PoodleCorp fired back through a popular YouTuber that the leak was not a result of hacking but rather the inside work of a disgruntled partner.

The Games People Play

PoodleCorp also apparently fired off multiple DDoS attacks against LeakedSource, to no avail, in retaliation for LeakedSource’s announcement.

Not ones to apparently shy away from a little friendly DDoS gamesmanship, LeakedSource trolled the leaked database and reportedly found PayPal transaction information as well as the “full address information on 3 members, which we plan on reporting to the relevant authorities.”

Not sure if that counts as “check mate” but certainly well played LeakedSource!

Who Do You Want on Your Team?

At Konsultek we know that information security is not a game, but rather serious business. If you feel as though you’ve been played or want to keep from being played by hackers and cybercriminals, just pick up the phone and give us a call. Our team is always ready to take on new challenges and to help you and your business stay secure.


In April of this year we posted a story about the disturbing trend of ransomware infecting healthcare systems. In that story we wrote this prophetic sentence.

“As cybercriminals become better at identifying those niches most apt to “pay up” we will undoubtedly see concentrations of ransoms springing up.”

Today, the University of Calgary announced on its website that it had paid $20,000 CDN to unlock access to portions of its network system.

Is the University of Calgary’s experience the first among many in a new hot niche for ransomware? I suppose only time will tell but it may very well be the case.

From their website:

“Ransomware attacks and the payment of ransoms are becoming increasingly common around the world. The university is now in the process of assessing and evaluating the decryption keys. The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time.”

What Can You Do to Prevent a Ransomware Attack?

Like every other kind of malware, ransomware is most often delivered with the help of unsuspecting humans. Email attachments, links in email, and links to malware-infected sites in the form of advertisements on websites employees are known to visit are some of the most common vectors for infection.

We’ve previously touched on the need for having a “culture of security” within your organization and certainly addressing the human factor of security is becoming ever more important. However, from a technology perspective, much can be done to prevent ransomware attacks as well as mitigate their damage if an infection were to occur.

  1. Authenticate in-bound email
  2. Backup data frequently and keep a separate copy offline
  3. Be certain to protect your Internet of Things (especially critical in medical and healthcare settings)
  4. Monitor your network for unusual activity such as higher than normal file rewriting
  5. Have a ransom recovery plan in place BEFORE you need it. If and when a ransomware attack occurs the perpetrators are counting on you having insufficient time to react in a calm and clinical way.
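Point 4, watching for higher than normal file rewriting, is the one item on this list that can be turned directly into a detection. The script below is an added illustration, not part of the original post: it reads constructed file-server audit events (the format, user names and paths are assumptions for the example) and flags any user whose modifications in one time window jump far above that user’s own earlier rate.

```python
"""Flag the 'higher than normal file rewriting' named in point 4 above.

Ransomware rewrites many files in a short burst, so a per-user count of
file modifications per time window that jumps well above that user's own
baseline is a usable early signal. The event format, users and paths are
constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

EPOCH = datetime(1970, 1, 1)

# Constructed file-server audit log: "<ISO timestamp> <user> <action> <path>".
# alice modifies a file every 10-15 minutes all morning, then at 10:30 eight
# files are rewritten with a new suffix within 40 seconds.
SAMPLE_EVENTS = """\
2016-06-07T09:00:05 alice MODIFY /share/finance/q2.xlsx
2016-06-07T09:12:40 alice MODIFY /share/finance/notes.docx
2016-06-07T09:25:01 alice READ /share/finance/q1.xlsx
2016-06-07T09:31:15 alice MODIFY /share/finance/q1.xlsx
2016-06-07T09:48:22 alice MODIFY /share/finance/budget.xlsx
2016-06-07T10:00:03 alice MODIFY /share/finance/q2.xlsx
2016-06-07T10:15:09 alice MODIFY /share/finance/plan.pptx
2016-06-07T10:30:00 alice MODIFY /share/finance/q2.xlsx.locked
2016-06-07T10:30:04 alice MODIFY /share/finance/notes.docx.locked
2016-06-07T10:30:09 alice MODIFY /share/finance/q1.xlsx.locked
2016-06-07T10:30:15 alice MODIFY /share/finance/budget.xlsx.locked
2016-06-07T10:30:21 alice MODIFY /share/finance/plan.pptx.locked
2016-06-07T10:30:27 alice MODIFY /share/finance/memo.docx.locked
2016-06-07T10:30:33 alice MODIFY /share/finance/forecast.xlsx.locked
2016-06-07T10:30:40 alice MODIFY /share/finance/readme.txt.locked
2016-06-07T09:05:00 bob MODIFY /share/hr/policy.docx
2016-06-07T09:06:30 bob MODIFY /share/hr/policy.docx
2016-06-07T10:20:00 bob MODIFY /share/hr/handbook.docx
"""


def rewrite_bursts(text, window_s=300, factor=5, min_events=5):
    """Return (user, window_start_iso, count) for each window in which a
    user's MODIFY count is at least min_events and at least factor times
    the median of that user's earlier windows (treated as 1 when empty)."""
    per_user = defaultdict(Counter)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, _path = line.split(maxsplit=3)
        if action != "MODIFY":
            continue
        seconds = (datetime.fromisoformat(ts) - EPOCH).total_seconds()
        per_user[user][int(seconds) // window_s] += 1

    alerts = []
    for user, buckets in per_user.items():
        ordered = sorted(buckets.items())
        for i, (bucket, count) in enumerate(ordered):
            earlier = [c for _, c in ordered[:i]]
            baseline = max(median(earlier) if earlier else 0, 1)
            if count >= min_events and count >= factor * baseline:
                start = EPOCH + timedelta(seconds=bucket * window_s)
                alerts.append((user, start.isoformat(), count))
    return alerts


if __name__ == "__main__":
    for user, start, count in rewrite_bursts(SAMPLE_EVENTS):
        print(f"{user}: {count} rewrites in the 5 min from {start}")
```

Only alice’s 10:30 window is reported; her morning edits and bob’s two quick saves stay under both the absolute and the relative threshold.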

How Can Konsultek Help?

As a company that believes wholeheartedly that an ounce of prevention is better than a pound of cure, we help organizations such as yours craft intelligent, effective and customized security solutions. So if you would like help getting your learning organization up to speed on all matters of network and information security, just pick up the phone and give us a call!
