Monthly Cyber Threat Briefing

February 2016

855.HITRUST (855.448.7878) © 2016 HITRUST Alliance. All Rights Reserved. www.HITRUSTAlliance.net

Presenters
• Majed Oweis: CISCP Analyst, US-CERT
• Srujan Kotikela: Senior Threat Scientist, Armor
• Jon Clay: Sr. Mgr – Global Threat Communications, Trend Micro
• Luis Mendieta: Sr. Threat Researcher, ThreatStream
• Dennis Palmer: Senior Assurance Associate, HITRUST

NCCIC/US-CERT

ARMOR: TOP THREAT ACTORS AND COMMAND AND CONTROL ACTIVITY

Top Vulnerability Exploits for the Last 30 Days

NAME | HITS | RELATED TECHS/MALWARE
CVE-2015-8126 | 126 | Reddit, Bitcoin
CVE-2014-0160 (Heartbleed) | 20 | SSL, Google, Encryption, OpenSSL, IBM Corporation
Stagefright Vulnerability | 12 | Android, Google, Exploit, Smartphone, Zimperium
CVE-2015-0311 | 8 | Adobe Flash Player, Adobe, Microsoft Control Flow Guard, Windows 8.1, Windows 8
CVE-2015-7830 | 8 | XML
CVE-2015-4000 (Logjam) | 6 | OpenSSL, Diffie-Hellman, Apache HTTP Server, Encryption, TLS Encryption
CVE-2015-1743 | 6 | Microsoft IE, Microsoft, Explorer Elevation, Internet Explorer 7, RCE
CVE-2015-1745 | 6 | Microsoft IE, Microsoft, Adobe, memory corruption, RCE
CVE-2015-6612 | 5 | Bluetooth, Alphabet Inc., Android, Telephony
CVE-2014-3566 (POODLE) | 5 | OpenSSL, Yahoo, Google, Encryption, SSL
MS08-067 | 5 | Conficker, Honeypot, Microsoft, DCE/RPC, Connection
CVE-2015-3977 | 5 | Schneider Electric, IMT25, CVSS v2
CVE-2015-5655 | 4 | Adobe, Adobe Flash Player, Firefox
CVE-2013-0634 | 4 | Microsoft Word, Microsoft Windows
CVE-2015-7645 | 4 | Adobe Flash Player, Adobe, Angler Exploit Kit, Nuclear Pack Exploit Kit, Trend Micro
CVE-2014-9163 | 4 | Adobe, Adobe Flash Player, Flash 15.0.0.242, Microsoft IE, Forbes

Action Item:
1. Follow up related vulnerabilities (attack tree)
2. Identify the patch status of your systems
3. Prioritize your remediation efforts

Top Emerging Malware Entities

NAME | HITS | RELATED TECHS/MALWARE
Cherry Picker | 499 | Abaddon, Point of Sale, Trustwave, Encryption, Radar
Bookworm | 207 | Microsoft, Kaspersky Lab, Palo Alto Networks, Deluxe Corp, PlugX - Korplug - Sogu
b374k web shell | 85 | Unix shell, PDO, Perl, Injection, Java
KillerRat | 9 | njRAT - Bladabindi
Candle Jar | 9 | Positive Energy, ClearBox, Results Hub, Sun Washed Linen, Diluents
Fastoplayer | 5 | Microsoft Windows
BadBarcode | 5 | Internet of Things
TinyLoader | 4 | VAWTRAK, Abaddon, Proofpoint, Fareit, Microsoft Word
Karrot | 4 | Mobile Phone, TalkTalk Telecom Group
GoMovix | 4 | Microsoft IE, Firefox, Mozilla, Google

Action Item:
1. Identify malware entities related to your environment and block them
2. Ensure your network sensors are always up to date and tuned to detected indicators

Hacker Activity

NAME | HITS
Anonymous | 2794
CtrlSec | 378
Cyber Caliphate | 257
Lizard Squad | 75
GhostSec | 18
Anonymous Legion | 16
Anonymous Argentina | 14
Mujahidin Cyber Army | 11
Armada Collective | 6
Anonymous Ireland | 6
Cracka With Attitude | 5
Anonymous Palestine | 2
APT17 Deputy Dog | 2
Anonymous Mexico | 2
Kelvin Security Team | 1
AnonGh0st | 1
Hunter Gujjar | 1
Anonymous Operation Philippines | 1
Guardians of Peace | 1
Al Qassam Cyber Fighters | 1
Anonymous Canada | 1

Action Item:
1. Follow hacker activity that is a threat to your brand
2. Subscribe to threat intelligence feeds for constant updates

Top Suspicious IP Addresses

Action Item:
1. Ensure your security monitor list is updated with the latest threat IPs

Ransomware Criminals Infect Thousands with Weird WordPress Hack

An unexpectedly large number of WordPress websites have been mysteriously compromised and are delivering the TeslaCrypt ransomware to unwitting end users. Antivirus is not catching this yet. Malware researchers from Malwarebytes and other security firms have reported that a massive number of legitimate WordPress sites have been compromised and are silently redirecting visitors to sites hosting the Nuclear Exploit Kit. It is not yet clear how the WordPress sites are getting infected, but it is highly likely that a new vulnerability is being exploited in either WordPress itself or a very popular WordPress plugin.

The WordPress sites are injected with large blocks of rogue code that perform a silent redirection to domains appearing to host ads. The compromised sites had encrypted code appended to the end of every legitimate JavaScript file; the malware tries to infect all accessible .js files. The attack tries to conceal itself, and the code redirects end users through a series of sites before dropping the ransomware payload. Once a WordPress server is infected, the malware also installs a variety of backdoors on the machine.

Action Item:
1. Patch server operating systems
2. Patch WordPress
3. Remove unused WordPress plugins as soon as possible and patch the current ones
4. Update all your WordPress instances at the same time to prevent cross-infections
5. Lock down all WordPress instances with a very strong password and WordPress two-factor authentication
6. Back up your data and keep daily off-site backups
7. Regularly pentest your websites

Healthcare Supply Chain List Posted on Deepweb

Threat Actor: Thanos
TTP: Supply Chain Attacks

On January 19th, 2016, an actor known as 'Thanos' shared contact information for supply chain providers to healthcare organizations, posted as a pipe-delimited list with the columns: Sr no. | Topic | Company Name | Website | Currency | EmailAddress | Phone Number | Fax Number | Country. While all of the information is generally public, the packaging of the information in this format could indicate future supply chain attacks against US- and EU-based healthcare organizations. Organizations are advised to pay close attention to interconnections and communication (including email) to and from the listed organizations.

Action Item:
1. Patch server operating systems

Critical Fixes for IE Vulnerabilities and Updates for Flash Player

Microsoft released 13 security bulletins addressing vulnerabilities in Internet Explorer, Microsoft Windows, and Microsoft. Of these bulletins, 6 are tagged as Critical and 7 are marked as Important. One of the critical bulletins (MS16-009) resolves issues affecting older versions of Internet Explorer (IE 9 and 10) as well as IE 11. When exploited successfully, it could lead to remote code execution, compromising the security of the system.
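The WordPress item above describes the infection signature precisely: the legitimate JavaScript is left intact and the attacker's blob is appended to every reachable .js file. An integrity baseline that records each file's hash and length can tell that pattern apart from an ordinary edit without keeping copies of the originals. The script below is an added example, not code from HITRUST, Malwarebytes or any WordPress project; the file paths, file contents and the appended placeholder blob are all constructed.

```python
"""Integrity check for the .js files under a WordPress document root.

Added example (not the briefing's or any vendor's code). A baseline stores
(sha256, byte length) per .js file; on re-scan, a file whose first `length`
bytes still hash to the baseline value but which has grown is an "append",
the pattern reported for the TeslaCrypt/Nuclear campaign described above.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]  # root-relative path -> (sha256 hex, byte length)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def js_files(root: str) -> List[str]:
    """Every .js file under root (themes, plugins, wp-includes, ...) as a sorted relative path."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".js"):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def build_baseline(root: str) -> Baseline:
    """Snapshot hash and length of each .js file; take it right after a clean install or update."""
    baseline: Baseline = {}
    for rel in js_files(root):
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read()
        baseline[rel] = (_sha256(data), len(data))
    return baseline


def save_baseline(baseline: Baseline, path: str) -> None:
    """Persist the snapshot; in production keep it outside the web root and read-only to the web user."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Baseline:
    with open(path, "r", encoding="utf-8") as fh:
        return {k: (v[0], int(v[1])) for k, v in json.load(fh).items()}


def check_baseline(root: str, baseline: Baseline) -> List[dict]:
    """Re-scan and classify each difference as appended, rewritten, new or missing."""
    findings = []
    current = set(js_files(root))
    for rel in sorted(current):
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read()
        if rel not in baseline:
            findings.append({"path": rel, "kind": "new", "tail": data})
            continue
        digest, size = baseline[rel]
        if _sha256(data) == digest:
            continue  # unchanged
        if len(data) > size and _sha256(data[:size]) == digest:
            # Legitimate bytes intact, foreign bytes after them: the "code at the end of
            # all legitimate JavaScript files" pattern from the item above.
            findings.append({"path": rel, "kind": "appended", "tail": data[size:]})
        else:
            findings.append({"path": rel, "kind": "rewritten", "tail": b""})
    for rel in sorted(set(baseline) - current):
        findings.append({"path": rel, "kind": "missing", "tail": b""})
    return findings


def campaign_summary(findings: List[dict], baseline: Baseline) -> dict:
    """Site-wide view: one appended file may be a developer's edit; the same tail on every file is not."""
    appended = [f for f in findings if f["kind"] == "appended"]
    return {
        "appended": len(appended),
        "baselined": len(baseline),
        "all_js_appended": bool(baseline) and len(appended) == len(baseline),
        "distinct_tails": len({_sha256(f["tail"]) for f in appended}),
    }


def demo() -> dict:
    """Constructed scenario: clean site, baseline, then one blob appended to every .js file."""
    clean = {  # constructed stand-ins for real WordPress assets
        "wp-includes/js/jquery/jquery.js": b"/*! jQuery stub (constructed) */\nwindow.$=function(){};\n",
        "wp-content/themes/t/app.js": b"document.addEventListener('load',function(){});\n",
        "wp-content/plugins/p/p.js": b"(function(){var x=1;})();\n",
    }
    injected = b"\n/* CONSTRUCTED_APPENDED_BLOB_PLACEHOLDER */\n"  # not the campaign's real code
    with tempfile.TemporaryDirectory() as root:
        for rel, body in clean.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        manifest = os.path.join(root, "js-baseline.json")  # .json, so the scanner ignores it
        save_baseline(build_baseline(root), manifest)
        for rel in clean:  # simulate the infection: append to every .js file
            with open(os.path.join(root, rel), "ab") as fh:
                fh.write(injected)
        findings = check_baseline(root, load_baseline(manifest))
        summary = campaign_summary(findings, load_baseline(manifest))
    summary["kinds"] = sorted(f["kind"] for f in findings)
    return summary


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run `build_baseline`/`save_baseline` after each WordPress update and `check_baseline` from cron; a report where `all_js_appended` is true with one distinct tail is the whole-site append the researchers observed, whereas a single rewritten file is more likely a legitimate change.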