
Threat Intelligence Updates: June 2018

06/13/2018  |  By: Jessica Mantz


Business Email Compromise Update

U.S. Law Enforcement agencies arrested 74 individuals in June and charged them with carrying out business email compromise (BEC) attacks. The arrests included 29 individuals in Nigeria and resulted in seizure of nearly $2.4 million.

Based on the information available, we are cautiously optimistic that the arrests will result in an abatement of the BEC activity we have been fighting for the past 12 months. These attacks almost always leverage the Microsoft Office 365 email environment and are pervasive across industry verticals and impact companies of all sizes.

More information can be found at:

Phishing Awareness

Despite the impressive law enforcement takedown described above, phishing attacks aren’t going away any time soon. We anticipate an increase in general phishing activity as summer begins. Summer is a busy, fun-filled time in which many individuals and families travel, making it a prime opportunity for attackers to launch phishing campaigns.  

Many phishing emails target individuals by mimicking hotel and vacation bookings, travel deals, or contain information about current events such as the World Cup. Just recently, attackers targeted Booking.com customers by possibly breaching hotels that partner with the site. Customers received WhatsApp and SMS messages, warning them to change their passwords after a security breach. These messages also included a malicious link that would grant the attacker access to the victim’s vacation bookings when clicked. Users have reported receiving additional messages demanding payment for their booked vacations immediately. Because the messages contained specific information about the victim’s vacation, such as names, dates, prices, and reference numbers, many customers thought that the communications were legitimate and fell victim to the scheme.  

Another phishing scheme that is already underway originates from a Facebook post claiming to be from Alaska Airlines, offering free tickets in exchange for completing a short survey and sharing the page to the user’s personal Facebook page.

We recommend checking the sender of emails, messages, and social media posts that have a sense of urgency or advertise a deal that seems “too good to be true”. In addition, users should make certain to validate links included in any communications from a company. If a link is not affiliated with the company, users should avoid clicking on the link entirely. The same information found in emails prompting payment or providing trip confirmation details can typically be found by visiting the company’s website directly.
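The "validate links" advice above can be mechanised. The following is an added illustration, not code from the original post: it extracts the links from a message and flags any whose host is not the company's own domain or a subdomain of it, so that lookalike hosts, userinfo tricks and brand names placed in the path do not pass. The sample message and the `.example` hosts are constructed.

```python
"""Flag links in a message whose host is not under the expected company domain.

Added illustration of the 'validate links' advice; not code from the original
post. The sample message and the .example hosts below are constructed.
"""
import re
from typing import List
from urllib.parse import urlsplit

# Matches http(s) URLs up to the next whitespace, angle bracket, quote or ')'.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def host_is_affiliated(url: str, company_domain: str) -> bool:
    """True only if the URL's host is company_domain or a subdomain of it.

    urlsplit() yields the real host, so 'https://booking.com@evil.example/'
    (userinfo), 'https://booking.com.evil.example/' (lookalike subdomain) and
    'https://evil.example/booking.com/' (brand in the path) all return False.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    company_domain = company_domain.lower()
    if not host:
        return False
    return host == company_domain or host.endswith("." + company_domain)


def suspicious_links(message: str, company_domain: str) -> List[str]:
    """Return every link in the message that is not affiliated with company_domain."""
    return [u for u in URL_RE.findall(message)
            if not host_is_affiliated(u, company_domain)]


# Constructed sample in the style of the booking-reset lure described above.
SAMPLE_MESSAGE = (
    "Your reservation #12345 needs attention. "
    "Confirm at https://www.booking.com/myreservations or, if that fails, "
    "use https://booking.com.account-check.example/login and "
    "https://booking.com@secure-login.example/reset within 24 hours."
)

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_MESSAGE, "booking.com"):
        print("not affiliated with booking.com:", link)
```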

For more information, visit:

Uptick in Cyber Espionage Activity from China

In 2015, the U.S. and China entered into an agreement, which stated there “should be increased communication and cooperation between the two countries to investigate and prevent cyber crimes emanating from their territory, and that neither the U.S. nor Chinese government would knowingly conduct or support cyber-enabled theft of intellectual property.” 

Shortly after the agreement was signed, the cybersecurity industry noted a significant decrease in offensive cyber activity. A report by FireEye went as far as documenting quantitative decreases in the activity.

In the past few months, the cyber community has begun noticing an increase in cyber espionage activity attributed to China. The most noteworthy story involves the theft of submarine plans from a U.S. Navy contractor. The activity is outlined in detail by the Washington Post (see link below). Cybersecurity journalist Patrick Gray also provided analysis of the situation during his weekly podcast (Risky Business), where he opined that the uptick in activity from China could perhaps be tied back to strained relations between the two countries, including trade negotiations and containment of North Korea’s nuclear program.

To date, the increased activity we are aware of deals with the U.S. defense industry and its contractors. We have not seen a corresponding uptick in offensive cyber activity from China directed towards our commercial clients, but we are watching closely to see if it occurs.

Historically, the Chinese government has used cyber espionage as an effective tool for achieving the strategic goals set out in its series of five-year plans. Attacks in the commercial space have focused on manufacturing and healthcare organizations, with additional activity directed at contractors and professional services firms that serve multiple client organizations. If you are in one of these verticals, you would be wise to review China’s Thirteenth Five-Year Plan and incorporate the nation-state cyber espionage threat into your risk assessment process.

To view some related articles on this topic, visit:

Persistent VPNFilter Malware Affects Small Office and Home Routers

Security researchers have discovered a new malware threat, known as VPNFilter, that targets a variety of small business/home office routers and network-attached storage (NAS) devices. This malware is unique in that it can remain on an infected device even after a reboot. VPNFilter can execute commands, exfiltrate data, destroy the device, and intercept traffic traversing the device over port 80. Additionally, researchers have discovered that VPNFilter is able to downgrade HTTPS requests to insecure HTTP requests, which lets an attacker not only intercept web traffic but also read traffic that would otherwise have been encrypted as it traverses the infected device. Users who own an affected device have been advised to reboot it immediately and to apply the latest patches. In addition, users should ensure that the device is not using the default credentials preconfigured by the manufacturer.

More information can be found at:

92 Million MyHeritage Account Details Exposed After Being Discovered on Private Server

MyHeritage, a genealogy and DNA testing company, has reported that more than 92 million users’ account details were found on a private server. The company became aware of the data breach after a security researcher discovered a file titled “myheritage” on a private server, which contained email addresses and hashed passwords. Although the company is still investigating this incident, it has confirmed that the breach occurred on October 26, 2017. MyHeritage stated that the breach affects users who signed up for services on or before this date. The company has verified that other information, including credit card data, family trees, and DNA data, has not been exposed as part of the breach.

For more information on this breach, please visit:

Eventbrite’s Ticketfly Shutdown Temporarily Due to Cyber Incident

Ticketfly, a ticket distribution service owned by Eventbrite, shut down its website after falling victim to a cyber incident that left the site’s homepage defaced. The company discovered the attack after users attempting to purchase tickets reported that the website displayed a defacement message from the attacker instead of Ticketfly’s homepage. In addition, multiple CSV files containing user data were found on Ticketfly’s website, visible to anyone. Ticketfly responded to the incident by shutting down its website while investigating.

For more information, please visit:
