May 30, 2019
You’ve Been Breached: Now What?
So you’ve been breached. Now what? Once the dust has settled use it as a learning opportunity & tune up your cybersecurity plan. We can help.
Read MoreCategory: Cybersecurity
April 19, 2019
All the Cyber Revelations from The Mueller Report
The long-awaited Mueller Report was published yesterday – a 488-page document outlining Russian interference in the 2016 election, possible ties to the Trump campaign and subsequent efforts to obstruct justice. While the report leaves political conclusions up to interpretation, one fact is very clear from its findings – Russian state-sponsored hackers deployed a variety of techniques to infiltrate not only the Clinton campaign, but also election-adjacent entities as well. Below, we recap all the cyber-related revelations found in the report. Spearphishing: The Path of Least Resistance Beginning in March 2016, units of the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) hacked the computers and email accounts of organizations, employees, and volunteers supporting the Clinton campaign, including the email account of campaign chairman John Podesta. They did so by sending hundreds of spearphishing emails to the work and personal email accounts of Clinton campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165, more commonly known as “Fancy Bear,” appears to have sent approximately 90 spearphishing emails to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts. By no later than April 12, 2016, the GRU had gained access to the Democratic Congressional Campaign Committee (DCCC) computer network using the credentials stolen from an employee who had been successfully spearphished the week before. Over the following weeks, the GRU traversed the network and stole network access credentials along the way (including those of IT administrators with unrestricted access to the system). In total, the GRU compromised approximately 29 different computers on the DCCC’s network. Approximately six days after first hacking into the DCCC’s network, on April 18, 2016, GRU officers gained access to the Democratic National Committee (DNC) network via a virtual private network (VPN) connection between the DCCC and DNC networks. Over the next 2 months, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server. In addition to infiltrating the networks of the DNC, DCCC and Clinton campaign, Russia also utilized advanced spearphishing attacks to compromise public officials involved in election administration and personnel at companies involved in voting technology. In August 2016, GRU officers targeted employees of a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network. Similarly, in November 2016, the GRU sent spearphishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election. The spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer. Malware: Credential Harvesting and Document Transfer Unit 26165 implanted on the DNC networks two types of customized malware known as “X-Agent” and “X-Tunnel”. They also employed Mimikatz, a credential-harvesting tool and rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (file directories, operating systems, etc.) These sessions were captured as GRU officers monitored work on infected computers regularly between April 2016 and June 2016. Data captured in these keylogging sessions included passwords, internal communications between employees, banking information, and other sensitive personal information. X-Tunnel was a hacking tool that created a connection between the infected computers and GRU-controlled computers outside the DNC networks that was capable of large-scale data transfers. GRU officers then used X-Tunnel to exfiltrate stolen data from the Victim computers – just short of 400 gigabytes of private data in total. The stolen documents included internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees – these materials were ultimately released by Wikileaks in July 2016. SQL Injections By at least the summer of 2016, GRU officers sought access to state and local computer networks by exploiting known software vulnerabilities on websites of state and local governmental entities. They targeted state and local databases of registered voters using a technique known as SQL injection, by which malicious code is sent to the state or local website in order to run commands (such as exfiltrating the database contents). In one instance, in approximately June 2016, the GRU compromised the computer network of the Illinois State Board of Elections by exploiting a vulnerability in the website. The GRU then gained access to a database containing information on millions of registered Illinois voters and extracted data related to thousands of U.S. voters before the malicious activity was identified. GRU officers continued to scan state and local websites for vulnerabilities. For example, over a two-day period in July 2016, GRU officers scanned for vulnerabilities on websites of more than two dozen states. Key Takeaways Human vulnerability and compromised credentials remain the easiest techniques for compromising an organization’s information systems. The attacks on the various victims demonstrate a continuing trend in state-sponsored actors engaging in cyber-espionage – another example can be found in the recent Wipro breach. Organizations should emphasize security awareness training for their employees in order to prepare them to identify and recognize phishing attempts. Properly trained personnel are far less likely to acquiesce to fraudulent requests or open malicious attachments in e-mail communications – the most commonly employed tactic identified in the Mueller Report. This type of vigilance remains a challenge as hackers gain access to legitimate e-mail accounts of colleagues – highlighting the importance of credential monitoring to detect and react when an organization’s usernames and passwords have been compromised. ID Agent provides a robust suite of services to address the risks highlighted in the Mueller Report. BullPhish ID™ delivers security awareness training and phishing simulations created specifically to help employees recognize and avoid phishing traps like those used by Russian hackers to infiltrate systems. Dark Web ID™ monitors the dark web for employee and supply chain credential exposure, which most often results from using those credentials on third-party websites. SpotLight ID™ provides comprehensive personal identity protection and restoration services for employees and customers, mitigating risk and providing peace of mind.
Read More
April 18, 2019
The Wipro Breach: A Demonstration of Third-party and Supply Chain Risk
Advanced phishing and supply chain vulnerabilities – these seem to be the successful attack vectors that hackers have used to compromise Wipro, an Indian multinational corporation that provides information technology, consulting and business process services. Notable security researcher, Brian Krebs, reports confirmation that a nation-state actor had been inside the company’s systems for months, identifying opportunities to attack its vast customer base – currently, at least a dozen of the firm’s clients have been targeted as a direct result of this breach. Additional sources have claimed that Wipro’s corporate e-mail system had also been compromised for some time, forcing the company to build out a new private system. Who’s the Bad Guy? While the attack has not been attributed to a specific group, security researchers note that it bears a resemblance to those launched by the Chinese hacking group APT10 – almost always beginning with a phishing campaign targeted against a third-party partner. The group has a demonstrated history of attacking Managed Service Providers in order to gain access to a larger swath of targets. Last year, the Australian Cyber Security Center blamed APT10 for attacks on at least nine global service providers, and the UK’s National Cyber Security Centre said it is aware of malicious activity currently affecting UK organizations across a broad range of sectors. Takeaways The Wipro breach seems to be a textbook case of exactly how not to handle a breach. Refusal to acknowledge and inconsistencies in what they will acknowledge have done nothing but increase not only confusion in reporting on the incident, but also mistrust in the company. Additionally, it highlights how critical it is that organizations properly protect their assets and address the vulnerabilities inherent to human error. Companies must extend beyond robust network security and incorporate systematic employee training, supply chain security assessment and ongoing monitoring, and third-party security, among other methods of defense. Last October, the FBI warned Managed Service Providers about the increasing occurrence of Chinese hacking groups targeting them specifically. MSPs have unparalleled access to their clients’ networks, so compromising an MSP can give these groups direct access into dozens, hundreds, or even thousands of businesses and their client data. The number one way attackers penetrate networks is with stolen credentials, according to the alert. ID Agent provides a robust suite of services to address the risks highlighted in the Wipro breach. BullPhish ID™ delivers security awareness training and phishing simulations created specifically to help employees recognize and avoid phishing traps like those used to infiltrate Wipro’s systems. Dark Web ID™ monitors the dark web for employee and supply chain credential exposure, which most often results from using those credentials on third-party websites. SpotLight ID™ provides comprehensive personal identity protection and restoration services for employees and customers, mitigating risk and providing peace of mind.
Read More
November 20, 2018
Stay Cyber-Safe When Shopping Online
We were thrilled to see how many of our MSP Partners utilized the resources we provided to help educate their customers during National Cybersecurity Awareness Month in October.
Read More
September 28, 2018
Update: Facebook Breach Information is Now For Sale on the Dark Web
Update, October 4, 2018: Our cybersecurity division has confirmed that the individual account information associated with the Facebook breach is now being sold on popular Dark Web markets for $3 to $12. In comparison, a database of 2 million users is typically sold on the Dark Web for about $30. This means the infamous hackers could see an unusual payday of $150 to $600 million.
Read More
April 26, 2018
A New Wave of Brute Force Attacks: Here’s What You Should Know
Last month, the United States Department of Justice indicted nine Iranian hackers for a wave of brute force attacks. These attacks resulted in the digital theft of more than 31 terabytes in information worth $3 billion in intellectual property.
Read More
April 12, 2018
Zappos Lawsuit Drives Home Need for Ongoing Credential Monitoring
Pay attention to this one! 6+ years later, Federal appeals court rules that data breach resulting in the theft of PII, even though the PII had not yet been used in any illegal activity, was harm enough to allow lawsuits to proceed against the company whose systems were compromised!
Read More
February 19, 2018
Why You Should Add Dark Web Monitoring to Your Service Offering
A large-scale data breach has the power to cripple any organization, including your customers’ companies. Unfortunately, these data breaches usually start with compromised credentials sold to the highest bidder on the dark web. Right now, all that stands in the way of your customers and a massive, costly breach is a few passwords — unless you’re offering dark web monitoring as a service.
Read More
November 30, 2017
I Now Have Everything I Need to Exploit You.
MSPs should read this, then enroll themselves and every customer in SpotLight ID NOW Chances are, you’ve come across cleverly-crafted ads on sites like CNN.com, Facebook, Yahoo and others that say something like, “Use this site to find out anything… about anyone.” If you are like most good citizens, you probably passed up on the opportunity to use one of these sites to dox, or to search for and publish private or identifying information about an individual on the Internet, typically with malicious intent. Good for you!
Read More
November 20, 2017
Pa$$w0rds, the Dark Web, and a job I love.
Coming up with a strong password gives me a headache. About 3 years ago, I came up with the most (in my mind) brilliant password EV3R. You see, I used an 8 in the first part of the password to make the word Gr8 – great. Great! I could remember that, because it made me grin at my own cleverness every time I typed it. “You sneaky SOBs will never crack my code!”
Read More