Three recent events prove the need for an insider risk playbook

Every company, regardless of size, should have an insider risk management playbook in place to address the insider threat. The human factor is always in play: mistakes will happen that inadvertently place the company at risk. The other side of the human factor is the malevolent individual who opts to break trust and willingly pushes aside NDAs and in-place IT data handling processes and procedures to knowingly abscond with sensitive data.

Three recent incidents underscore the importance of having an insider risk management playbook:

Ubiquiti’s insider risk mitigation plan pays off

Malicious insider Nikolas Sharp of Ubiquiti stole his company’s data and then attempted to maneuver the post-investigation efforts away from his own actions and to extort from his employer $2 million. While the Ubiquiti team did not stop the exfiltration of the data, once an anomalous activity was discovered, they executed on their mitigation plan, and eventually brought in the FBI to address the criminal aspects of their insider incident.

Code42 detects improper downloads early

Prime components of the mitigation playbook, or plan, according to Code42’s vice president of portfolio strategy and product marketing, Mark Wojtasiak, are embracing the three T’s of transparency, training and technology. In his December 2021 piece, “Your employees are making a run for it, and so is your data,” he emphasized the need to “Teach them company data ownership policies, set expectations in terms of ownership and develop guidelines they can follow when in doubt.”

Wojtasiak wrote the above from a position of personal experience. Speaking to this writer for an earlier article, he noted how a recent incident within his own team at Code42 highlighted the importance of having an insider incident playbook. In the Code42 case, the employee had given notice that they were leaving Code42 for another opportunity. The company’s standard operating procedure (SOP) called for a review of the employee’s last 90 days of activity. The review team discovered the employee had downloaded sensitive internal customer lists to an unmanaged device.

Wojtasiak explained how the playbook allowed Code42 to immediately work the problem. HR, legal, infosec and the business unit all have a role. He emphasized that the working assumption within Code42 was that the employee’s actions were not the result of malicious intent. The facts directed the investigation, and the team would learn that such was not the case: the employee had in fact intended to take the customer lists to his next employer.

The employee made his devices available to the mitigation team, which allowed the recovery of the pilfered data. Once the internal aspects of the incident concluded, Wojtasiak said, the CEO of Code42 told the CEO of the company hiring the departing employee directly what had transpired and how it had been handled internally.

Pfizer threat monitoring identifies data theft

Pfizer had beefed up its insider threat monitoring capability when it implemented a technology that monitored employee uploads to devices in October 2021. On October 29, they discovered that between October 23 and 26 an employee transferred over 12,000 files “from her Pfizer laptop to an online Google Drive.”

The insider risk mitigation team’s efforts are detailed within their court filings. Immediately upon discovery of the October 2021 download of the 12,000 files, the team initiated a “digital review of the employee’s emails, file access and internet activity on her Pfizer-issued laptop.” This investigation showed, “that she had been interviewing with and had received an offer of employment from Xencor.”

With this information in hand, the mitigation effort brought together HR, security, and IT (forensics). The team met and then spoke with the employee, twice on October 29. One of those interviews occurred over a video teleconference where the employee “logged onto her Google Drive account and deleted all of the files saved there.” On November 1, the employee came into Pfizer’s offices and provided her company laptop and provided access to her personal laptop for forensic review.  

The employee was placed on administrative leave, and the subsequent investigation showed that the laptop provided was not the laptop that contained the 12,000 documents, and that the company’s data, which included COVID-19 research, was no longer in its control.

Pfizer acknowledges in its court filings that it detected the theft, that the resulting investigation confirmed its findings, and that this employee attempted to dupe the company into thinking that its internal documents were not at risk. Pfizer believes its former employee and others continue to possess Pfizer’s information.

Importance of an insider risk playbook

Those who eschew the idea of having a playbook in place will find themselves reinventing the wheel with each insider incident. When it comes to reacting to the discovery that a colleague may have mishandled data, having a process takes the emotion out of the equation.

While the makeup of the mitigation team may vary from company to company, including HR, legal, security, IT, and the business unit is table stakes. Equally important to identifying the members of the mitigation team is ironing out defined roles and expectations for when an incident percolates to the top and requires handling.

What’s in your playbook?

Copyright © 2022 IDG Communications, Inc.

Cybercriminals are increasingly using info-stealing malware to target victims

Cybercriminals are increasingly shifting from automated scam-as-a-service to more advanced info stealer malware distribution as the competition for resources increases and they look for new ways to make profits, according to a report by Group-IB.

The cybersecurity company has identified 34 Russian-speaking groups distributing info-stealing malware under the stealer-as-a-service model.

Info stealer malware collects users’ credentials stored in browsers, gaming accounts, email services, social media, bank card details, and crypto wallet information from infected computers, and sends the data to the malware operator. This data is then sold or used for fraud on the dark web. 

The identified threat actors coordinate via Telegram groups to conduct their operations. The low entry barrier and a fully automated process make the scheme popular among beginners.

“Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it,” Group-IB noted. 

Substantial malware increase in 2022

Telegram groups and bots designed to distribute info stealers first appeared in early 2021, according to Group-IB’s Digital Risk Protection team. However, a substantial increase was observed in the first seven months of this year, with more than 890,000 devices infected across 111 countries. This is almost twice the number of infected devices in 2021, when 538,000 devices were compromised.

In the first seven months of this year, threat actors stole over 50 million passwords, 2 billion cookie files, details of 103,150 bank cards, and data from 113,204 crypto wallets. 

“The underground market value of just the stolen logs and compromised card details is around $5.8 million,” Group-IB estimates. 

PayPal and Amazon were the most targeted services, with PayPal accounting for more than 16% and Amazon for more than 13% of the attacks.

However, cases of stealing passwords for gaming services such as Steam, Epic Games, and Roblox have increased almost five-fold, the report noted.

The top five most attacked countries are the United States, Brazil, India, Germany, and Indonesia.

RedLine and Raccoon stealer used the most

Among the 34 groups examined, the most used stealer was RedLine, which was used by 23 groups, while the second most used tool was Raccoon, used by eight groups. Custom stealers were found to be used by three groups, Group-IB noted.

Group members are provided with the tools in exchange for either a share of the stolen data or money.

“However, the malware in question is offered for rent on the dark web for $150-$200 per month. Some groups use 3 stealers at the same time, while others have only one stealer in their arsenal,” the report said. 

On average, the 34 identified info stealer distributor groups on Telegram have 200 active members. The task of the group members is to drive traffic to bait scam websites impersonating well-known companies and convince victims to download malicious files.

“Cybercriminals embed links for downloading stealers into video reviews of popular games on YouTube, into mining software or NFT files on specialized forums and direct communication with NFT artists, and into lucky draws and lotteries on social media,” Group-IB noted. 

Safeguarding against the attacks

To prevent such attacks, Group-IB recommends that users avoid downloading software from suspicious sources, use isolated virtual machines or alternative operating systems for installation, stop saving passwords in browsers, and regularly clear browser cookies. 

It also recommends that companies take a proactive approach to digital security and use modern technologies for monitoring and responding to attacks.

EPSS explained: How does it compare to CVSS?

The Common Vulnerability Scoring System (CVSS) is the most frequently cited rating system for assessing the severity of security vulnerabilities. It has been criticized, however, as not being appropriate for assessing and prioritizing the risk those vulnerabilities pose. For this reason, some have called for using the Exploit Prediction Scoring System (EPSS), or combining CVSS and EPSS, to make vulnerability metrics more actionable and efficient. Like CVSS, EPSS is governed by the Forum of Incident Response and Security Teams (FIRST).

EPSS definition

EPSS prides itself on being an open and data-driven effort that aims to estimate the probability that a software vulnerability will be exploited in the wild. CVSS focuses on the innate characteristics of vulnerabilities culminating in a severity score. The severity score alone doesn’t indicate a likelihood of exploitation, which is critical information for vulnerability management professionals who need to prioritize their vulnerability remediation and mitigation efforts to maximize their impact on reducing organizational risk.

EPSS has a special interest group (SIG) that is open to the public for those interested in participating in the effort. EPSS is volunteer driven and led by researchers, security practitioners, academics, and government personnel. Despite this industry-collaboration-driven approach, FIRST can and does own the rights to update the model and the associated guidance as the organization sees fit. The group boasts chairs and creators from organizations such as RAND, Cyentia, Virginia Tech, and Kenna Security, among many members from a variety of organizations. EPSS has several related papers that dive into associated topics such as attack prediction, vulnerability modeling and disclosure, and software exploitation.

The EPSS model 

EPSS aims to help security practitioners and their organizations improve vulnerability prioritization efforts. The number of vulnerabilities in today’s digital landscape is growing exponentially, driven by factors such as the increased digitization of systems and society, increased scrutiny of digital products, and improved research and reporting capabilities.

Organizations generally can only fix between 5% and 20% of vulnerabilities each month, EPSS claims. Fewer than 10% of published vulnerabilities are ever known to be exploited in the wild. Longstanding workforce issues are also at play: the annual ISC2 Cybersecurity Workforce Study shows shortages exceeding two million cybersecurity professionals globally. These factors warrant organizations having a coherent and effective approach to prioritizing the vulnerabilities that pose the highest risk to them, so as to avoid wasting limited resources and time.

The EPSS model aims to provide some support by producing a probability that a vulnerability will be exploited in the next 30 days; the scores range between 0 and 1, or 0% and 100%. To produce these scores, EPSS uses data from sources such as the MITRE CVE list, data about CVEs such as days since publication, and observations of exploitation-in-the-wild activity from security vendors such as AlienVault and Fortinet.

The EPSS team has published data supporting its approach of combining CVSS scores with EPSS scores to drive more effective vulnerability remediation. For example, many organizations mandate that vulnerabilities with a specific CVSS score or higher, such as 7 or above, must be remediated. However, this prioritizes remediation based on the CVSS score alone, not on whether the vulnerability is known to be exploited. Coupling EPSS with CVSS is more effective because it prioritizes vulnerabilities on both their severity rating and whether they are known to be actively exploited. This lets organizations address the CVEs that pose the greatest risk to them.

EPSS focuses on two core metrics: efficiency and coverage. Efficiency looks at what share of the vulnerabilities an organization remediates were actually exploited, that is, how well its remediation resources are being spent. EPSS points out that it is more efficient for most of an organization’s resources to go to remediating known-exploited vulnerabilities rather than vulnerabilities selected on CVSS severity scores alone. Coverage is the percentage of exploited vulnerabilities that were remediated.

To show the efficiency in their proposed approach, EPSS conducted a study in 2021 evaluating CVSS v3 base scores and EPSS v1 and EPSS v2 data over a 30-day period to determine the total number of CVEs, the number of remediated CVEs and the number of exploited CVEs.

Initially, the study showed that most CVEs aren’t remediated. Secondly, the number of exploited CVEs that are remediated is just a subset of the total remediated CVEs. This means that organizations don’t remediate most CVEs, and among those they do, many aren’t actively known to be exploited and potentially don’t pose the greatest risk.

The study also demonstrates that EPSS v2 further improves the efficiency of vulnerability remediation efforts by maximizing the percentage of exploited vulnerabilities that are remediated. When organizations have resource challenges with cybersecurity practitioners, it is crucial to maximize their return on investment by having those resources focus on the vulnerabilities that pose the greatest risk to the organization. Ultimately, EPSS is trying to help organizations make more efficient use of their limited resources and improve their effectiveness at driving down organizational risk.
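As an added illustration of the efficiency and coverage metrics and the CVSS-plus-EPSS prioritization described above (example code written for this page, not from FIRST or the EPSS team), the script below scores four remediation rules over a constructed set of CVEs; the identifiers, scores and exploitation outcomes are made up and chosen so that severity and exploitation disagree for several entries.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifier constructed for this example
    cvss: float       # CVSS v3 base score (0.0 to 10.0)
    epss: float       # EPSS probability of exploitation within 30 days (0 to 1)
    exploited: bool   # whether exploitation was actually observed in that window


# Constructed sample, not real scores or outcomes. Several high-severity CVEs
# are never exploited and two low-severity ones are, mirroring the article's
# point that severity alone does not predict exploitation.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.95, True),
    Vuln("CVE-0000-0002", 9.8, 0.02, False),
    Vuln("CVE-0000-0003", 7.5, 0.60, True),
    Vuln("CVE-0000-0004", 7.5, 0.01, False),
    Vuln("CVE-0000-0005", 7.2, 0.01, False),
    Vuln("CVE-0000-0006", 6.5, 0.70, True),
    Vuln("CVE-0000-0007", 5.3, 0.10, True),   # exploited despite a low EPSS score
    Vuln("CVE-0000-0008", 5.3, 0.01, False),
    Vuln("CVE-0000-0009", 4.3, 0.00, False),
    Vuln("CVE-0000-0010", 3.1, 0.00, False),
    Vuln("CVE-0000-0011", 8.1, 0.55, False),  # high EPSS score, not exploited
]

Strategy = Callable[[Vuln], bool]


def efficiency_and_coverage(vulns: list[Vuln], remediate: Strategy) -> tuple[int, float, float]:
    """Apply one remediation rule and score it with the two EPSS metrics:
    efficiency = exploited share of what was remediated (resources well spent),
    coverage   = remediated share of what was exploited (risk actually removed).
    Returns (remediated_count, efficiency, coverage), ratios rounded to 3 places."""
    remediated = [v for v in vulns if remediate(v)]
    exploited = [v for v in vulns if v.exploited]
    hits = [v for v in remediated if v.exploited]
    efficiency = len(hits) / len(remediated) if remediated else 0.0
    coverage = len(hits) / len(exploited) if exploited else 0.0
    return len(remediated), round(efficiency, 3), round(coverage, 3)


# The "cvss>=7" rule is the fixed-threshold policy the article describes; the
# combined rules are the CVSS-plus-EPSS coupling it recommends. The EPSS cutoff
# of 0.3 is an assumed value for the example, not a FIRST recommendation.
STRATEGIES: dict[str, Strategy] = {
    "cvss>=7": lambda v: v.cvss >= 7.0,
    "epss>=0.3": lambda v: v.epss >= 0.3,
    "cvss>=7 and epss>=0.3": lambda v: v.cvss >= 7.0 and v.epss >= 0.3,
    "cvss>=7 or epss>=0.3": lambda v: v.cvss >= 7.0 or v.epss >= 0.3,
}


def compare_strategies(vulns: list[Vuln] = SAMPLE) -> dict[str, tuple[int, float, float]]:
    """Return {strategy name: (remediated_count, efficiency, coverage)} for every rule."""
    return {name: efficiency_and_coverage(vulns, rule) for name, rule in STRATEGIES.items()}


if __name__ == "__main__":
    print(f"{'strategy':<24}{'fixed':>6}{'efficiency':>12}{'coverage':>10}")
    for name, (count, eff, cov) in compare_strategies().items():
        print(f"{name:<24}{count:>6}{eff:>12.3f}{cov:>10.3f}")
```

On the sample, the CVSS-only rule patches six CVEs for an efficiency of 0.333 and coverage of 0.5, while adding an EPSS condition either raises efficiency (the "and" rule, 0.667) or raises coverage (the "or" rule, 0.75), which is the trade-off the efficiency and coverage metrics are meant to expose.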

EPSS shortcomings

Like CVSS, EPSS has its critics in industry and academia. One article, titled “Probably Don’t Rely on EPSS Yet,” comes from the Carnegie Mellon University Software Engineering Institute (SEI) blog. SEI originally published a paper titled “Towards Improving CVSS,” which laid out some sharp criticisms of CVSS; EPSS originated shortly after that publication.

The primary criticisms leveled by the article include EPSS’s opacity as well as issues with its data and outputs. The article points out that it isn’t clear what EPSS’s development process, governance, or intended audience are. EPSS relies on pre-existing CVE IDs, meaning it wouldn’t be helpful for entities such as software suppliers, incident response teams, or bug bounty groups, because many of the vulnerabilities these groups deal with don’t have CVE IDs yet and might never receive them. EPSS also wouldn’t be helpful when dealing with zero-day vulnerabilities, given that they gain visibility while exploitation is underway and have no CVE ID.

The blog author also raises concerns about the openness and transparency of EPSS. While EPSS dubs itself an open and data-driven effort and has a public SIG, it and FIRST retain the right to change the site and model at any time without explanation. Even SIG members have no access to the code or data the underlying EPSS model uses. The SIG itself has no oversight or governance of the model, and the process by which the model is updated or modified isn’t transparent to the public, let alone SIG members. The article points out that the EPSS model and data could also be pulled back from the public domain given it is governed and managed by FIRST. 

The article notes that EPSS focuses on the probability that a vulnerability will be exploited in the next 30 days, but this requires a few fundamental things to exist for it to be projected. They include an existing CVE ID in the NVD with an associated CVSS v3 vector value, an IDS signature tied to an active attempted exploit of the CVE ID, contribution from AlienVault or Fortinet, and the model itself tied to the next 30 days.

As the author pointed out, only 10% of vulnerabilities with CVE IDs have accompanying IDS signatures, meaning exploitation of the other 90% may go undetected. This also creates a dependency on Fortinet and AlienVault with regard to IDS sensors and associated data, which could be mitigated to some extent by further involvement from the broader security vendor community. While data from Fortinet and AlienVault is useful, it doesn’t represent the entire threat landscape or the perspectives of the other major security vendors that could contribute to vulnerability exploitability probability.

While these are valid critiques, using EPSS gives organizations an opportunity to make the most of their scarce security resources to drive down organizational risk. Focusing on vulnerabilities with the highest probability of exploitation lets organizations make investments that have the highest chance to mitigate malicious actors and minimize friction on development teams.

DUCKTAIL malware campaign targeting Facebook business and ads accounts is back

A group of attackers, likely based in Vietnam, that specializes in targeting employees with potential access to Facebook business and ads management accounts, has re-emerged with changes to its infrastructure, malware, and modus operandi after being initially outed a few months ago.

Dubbed DUCKTAIL by researchers from WithSecure, the group uses spear phishing to target individuals on LinkedIn who have job descriptions that could suggest they have access to manage Facebook business accounts. More recently, the attackers were also observed targeting victims via WhatsApp. The compromised Facebook business accounts are used to run ads on the platform for attackers’ financial gain.

DUCKTAIL attackers do their research

The account abuse is achieved using a victim’s browser through a malware program delivered under the guise of documents related to brands, products, and project planning. The attackers first build a list of companies that have business pages on Facebook. They then search for employees on LinkedIn and other sources who work for those companies and have job titles that could provide them with access to those business pages. These include managerial, digital marketing, digital media, and human resource roles.

The final step is to send a link to them with an archive that contains the malware masquerading as a .pdf, alongside images and videos that appear to be part of the same project. Some of the file names seen by the researchers include project “development plan,” “project information,” “products,” and “new project L’Oréal budget business plan.” Some of the files included country names, suggesting the attackers customize them for every victim and country based on their reconnaissance. The identified victims were spread around the world, so the attackers don’t target one particular region.

It’s believed the DUCKTAIL group has been operating this campaign since the second half of 2021. After WithSecure exposed their operation in August this year, the operation stopped and the attackers reworked some of their toolset.

Attackers switch to GlobalSign as certificate authority

Malware samples analyzed earlier this year were digitally signed with a legitimate code signing certificate obtained from Sectigo in the name of a Vietnamese company. Since that certificate has been reported and revoked, the attackers have switched to GlobalSign as their certificate authority. While they continued to request certificates from multiple CAs in the name of the original company, they’ve also set up six other businesses, all in Vietnamese, and have obtained code signing certificates using three of them. Code signing certificates require extended validation (EV) where the identity of the applicant is verified through various documents.

“At the time of writing, the threat actor has adapted to certificate revocations by utilizing timestamping as a countersignature method through DigiCert,” the WithSecure researchers said in a new report released this week.

The DUCKTAIL malware samples seen in late 2021 were written in .NET Core and were compiled using the framework’s single-file feature, which bundles all the required libraries and files into a single executable file, including the main assembly. This ensures the malware can be executed on any Windows computer regardless of whether it has the .NET runtime installed. Since August 2022, when the campaign halted, the WithSecure researchers observed multiple development DUCKTAIL samples uploaded to VirusTotal from Vietnam.

One of the samples was compiled using the NativeAOT of .NET 7, which provides similar capabilities as the single-file feature of .NET Core, allowing binaries to be compiled natively ahead of time. However, NativeAOT has limited support for third-party libraries, so the attackers reverted to .NET Core.

The bad actors have been experimenting

Other experimentation was observed as well, such as the inclusion of anti-analysis code from a GitHub project that was never actually turned on, the capability of sending a list of email addresses as a .txt file from the command-and-control server instead of hardcoding them in the malware, and launching a dummy file when the malware is executed in order to make the user less suspicious – document (.docx), spreadsheet (.xlsx) and video (.mp4) dummy files were observed.

The attackers are also testing multistage loaders to deploy malware, such as an Excel add-in file (.xll), which extracts a secondary loader from an encrypted blob and then finally downloads the infostealer malware. The researchers also identified a downloader written in .NET that they associate with high confidence with DUCKTAIL, which executes a PowerShell command that downloads the infostealer from Discord.

The infostealer malware uses Telegram channels for command and control. The attackers have better locked down these channels since they were outed in August and some channels now have multiple administrators, which could suggest they are running an affiliate program similar to ransomware gangs. “This is further strengthened by increased chat activity and the new file encryption mechanism that ensures only certain users will be able to decrypt certain exfiltrated files,” the researchers say.

Browser hijacking

Once deployed, the DUCKTAIL malware scans for browsers installed on the system and the path to their cookie storage. It then steals all the stored cookies, including any Facebook session cookie stored inside. A session cookie is a small identifier set by a website inside a browser after authentication is completed successfully to remember the user has been logged in for a period of time.

The malware uses the Facebook session cookie to interact with Facebook pages directly or to send requests to the Facebook Graph API to obtain information. This information includes name, email, birthday, and user ID for personal accounts; name, verification status, ad limit, pending users and clients from Facebook business pages to which the personal accounts have access; name, ID, account status, ads payment cycle, currency, adtrust DSL, and amount spent for any associated Facebook Ads accounts.

The malware also checks whether two-factor authentication is enabled for the hijacked accounts and uses the active session to obtain backup codes for the 2FA when enabled. “Information stolen from the victim’s machine also allows the threat actor to attempt these activities (as well as other malicious activities) from outside the victim’s machine,” the researchers said. “Information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address and geolocation, as well as general account information (such as name and birthday) could be used to cloak and impersonate the victim.”

The malware attempts to add email addresses controlled by the attackers to the hijacked Facebook business accounts with the highest possible roles: admin and finance editor. According to Facebook owner Meta’s documentation, admins have full control over the account, while finance editors have control over credit card information stored in the account as well as transactions, invoices, and spending on the account. They can also add external businesses to stored credit cards and monthly invoices, allowing those businesses to use the same payment method.

Impersonating legitimate account manager identities

“In instances where the targeted victims did not have sufficient access to allow the malware to add the threat actor’s email addresses into the intended business accounts, the threat actor relied on the information that was exfiltrated from the victims’ machines and Facebook accounts to impersonate them and achieve their post-compromise objectives via hands-on activity,” the researchers said in their new report.

In one instance that WithSecure incident responders investigated, the victim used an Apple machine and had never logged into Facebook from a Windows computer. No malware was found on the system and the initial access vector could not be determined. It’s unclear if this was related to DUCKTAIL, but the researchers established that the attackers were also from Vietnam.

Facebook Business administrators are advised to regularly review users added under Business Manager > Settings > People and revoke access to any unknown users granted admin access or finance editor roles.

“Across our investigations, WithSecure Incident Response team found that business history logs and targeted individuals’ Facebook data were relevant to analysis of the incident,” the researchers said. “However, for logs relating to the individual’s Facebook account, inconsistencies are widely present between what is visible on the web portal compared to what you would get if you were to download a copy of your data. As a recommendation to other investigators, the WithSecure Incident Response team strongly recommends capturing a local copy of business history logs as soon as possible and requesting a copy of user data for their account.”
