A TrickBot warning. LockBit's fail. Unclaimed domains. Tax season fraud.
At a glance.
- TrickBot is back.
- A welcome fail for LockBit.
- The risk of unclaimed domains.
- Tax season unpleasantness (we mean the fraud, not the taxes).
US government warns about Trickbot malware campaign.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation have issued an advisory warning of a Trickbot traffic infringement scheme via phishing emails. As Dark Reading explains, Trickbot is a Trojan that was initially designed to steal financial data from banking institutions, but has since evolved into a multistage malware used to distribute other malware or to serve as an Emotet downloader. The advisory recommends “implementing the mitigation measures...which include blocking suspicious Internet Protocol addresses, using antivirus software, and providing social engineering and phishing training to employees.” We also received some comments from Saryu Nayyar, CEO of Gurucul:
“Malicious actors usually look for the easy route which leads to them using social engineering and phishing to target users. Their preferred hook for the last year was often Covid related, and recently tax related with tax season starting in the US, but the recent alert from the FBI and CISA is a reminder that threats will use whatever they think will work. In this case it is related to supposed traffic violations, and what driver wouldn't be concerned about a potential photo ticket?
“The attack relies on a series of technical steps to bypass the target's defenses, but at heart is still a social engineering attack. That makes user education the first line of defense. A solid security stack including security analytics can help stop the spread once a victim has taken the bait, but a well educated user base goes a long way to avoiding the threat in the first place.”
LockBit bug accidentally gives away the goods for free.
A bug in LockBit’s ransomware-as-a-service operation is allowing victims to decrypt their files for free, The Record reports. After an attack, LockBit victims are directed to a dark web payment portal for ransom negotiations. The portal also gives the victim access to a one-time free decryption mechanism to prove the decryption key works, a free sample of sorts. However, a cybercriminal who calls himself 3xp0rt discovered that, due to a glitch in the system, LockBit’s one-time decryption was actually allowing for an unlimited number of free decryptions. The LockBit portal is currently inactive, indicating they’re likely already working on a fix.
Privacy risks of unclaimed domains.
KrebsOnSecurity details how Fiserv, a Fortune 500 financial tech firm providing banking technology solutions to thousands of financial institutions, accidentally shipped code referencing an unregistered domain name. Security researcher Abraham Vegh noticed an email from his bank directed recipients to send all replies to an email address with an unusual domain: defaultinstitution.com. Curious, he purchased the domain, and after receiving emails from several of Fiserv’s clients, Vegh determined that the domain was a default placeholder from boilerplate text meant to be swapped out for a real email address. Clearly some clients didn’t get the memo. Fiserv responded, “Upon being made aware of the situation we immediately conducted an analysis to locate and replace instances of the placeholder domain name. We have also notified the clients whose customers received these emails.” Vegh has graciously agreed to hand over control of the domain name to Fiserv.
We heard from Reesha Dedhia, security evangelist at PerimeterX, who reminds developers not to let the pressure to deliver overshadow the requirement to preserve customers' privacy:
“Financial institutions are responsible for protecting their customers’ personally identifiable information (PII). Oftentimes, web application and software developers make mistakes as they hasten to keep pace with evolving business needs and to innovate faster. One area where we see this a lot is when web application developers heavily rely on open source libraries and third-party scripts. These libraries and third-party scripts in turn call other scripts, creating a digital supply chain of fourth-, fifth- and Nth-party scripts powering web applications and websites. Industry estimates show that up to 70% of the scripts running on a typical website are third-party, and only 8% of organizations have full insight into this code. This creates an opportunity for malicious Shadow Code to enter the application.
"Shadow Code is any code introduced into an application without formal approval or security validation. It is the application development equivalent of Shadow IT. It introduces unknown risks into the application and makes it difficult for the business to ensure data security and privacy, and to comply with regulations. These attacks on third-party code are hard to spot because they happen on the client-side, but a successful attack can result in stolen data and regulatory fines for non-compliance with GDPR and CCPA, as well as other SEC rules.
"Financial institutions must continue to monitor the client side of their websites for suspicious activity such as communication with suspicious domains. They should use client-side application protection solutions to ensure malicious code is discovered and removed before it leads to compliance penalties and brand damage.”
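The Fiserv placeholder-domain slip above is the kind of defect a pre-send check can catch before mail leaves the building. The following is an added example, not code from the newsletter, Fiserv or KrebsOnSecurity: it parses an outbound email template, collects every sender-side domain from the address headers and the body, and flags any domain the institution does not own, marking the ones that look like leftover boilerplate. The owned-domain allowlist, the placeholder tokens and the sample templates are all constructed for the example.

```python
"""Pre-send check for outbound email templates (added example).

Flags Reply-To/From/body domains that are not on the sender's owned-domain
allowlist, so a default placeholder such as defaultinstitution.com is caught
before customers see it. Allowlist and samples are constructed, not real.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Domains the institution has registered and controls (constructed).
OWNED_DOMAINS = {"examplebank.com", "alerts.examplebank.com"}

# Substrings that commonly mark boilerplate a developer was meant to replace.
PLACEHOLDER_TOKENS = ("default", "placeholder", "example", "changeme", "todo")

# Headers that carry an address a recipient might reply to or trust.
ADDRESS_HEADERS = ("From", "Reply-To", "Return-Path", "Sender")

# Loose e-mail address pattern for scanning the body text; group 1 is the domain.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def address_domains(raw_message):
    """Return {header_or_'body': [domain, ...]} for every address found."""
    msg = message_from_string(raw_message)
    found = {}
    for header in ADDRESS_HEADERS:
        values = msg.get_all(header, [])
        domains = [addr.rsplit("@", 1)[-1].lower()
                   for _, addr in getaddresses(values) if "@" in addr]
        if domains:
            found[header] = domains
    body_domains = [m.group(1).lower() for m in EMAIL_RE.finditer(msg.get_payload())]
    if body_domains:
        found["body"] = body_domains
    return found


def check_template(raw_message, owned=OWNED_DOMAINS):
    """Return (location, domain, severity) findings; empty means all domains are owned."""
    findings = []
    for location, domains in address_domains(raw_message).items():
        for domain in domains:
            if domain in owned:
                continue
            looks_placeholder = any(tok in domain for tok in PLACEHOLDER_TOKENS)
            findings.append((location, domain, "placeholder" if looks_placeholder else "unowned"))
    return findings


# Constructed sample: a template still carrying the default placeholder domain.
BAD_TEMPLATE = """From: Alerts <alerts@examplebank.com>
Reply-To: support@defaultinstitution.com
Subject: Your statement is ready

Your statement is available. Questions? Write to help@defaultinstitution.com.
"""
GOOD_TEMPLATE = BAD_TEMPLATE.replace("defaultinstitution.com", "examplebank.com")

if __name__ == "__main__":
    for name, template in (("bad", BAD_TEMPLATE), ("good", GOOD_TEMPLATE)):
        print(name, check_template(template))
```

Wiring this into the template build or CI fails the job on any finding, which is where the missing "swap out the placeholder" step would have been enforced.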
Nothing is certain but death, taxes, and identity theft.
The US tax filing deadline is just weeks away, and with the necessary exchange of sensitive documents containing identifying info, tax season means a surge in identity theft. The Internal Revenue Service reported over $2.3 billion in tax fraud operations in 2020 alone. Case in point: Cybersecurity tech company Cybereason has discovered a malware campaign targeting US taxpayers in which the victim receives a tax-themed email containing malicious documents that, when opened, deliver NetWire and Remcos malware, remote access trojans which allow the attackers to take over the target’s machine. As PRWeb explains, the operation evades antivirus detectors by employing a technique called steganography, hiding the malicious code within a jpeg image file.
Besides being wary of suspicious emails like the one described above, PropertyCasualty360 offers tips for keeping your tax data secure from identity theft. This year is expected to be especially treacherous, as the dramatic surge in unemployment claims due to the pandemic means increased opportunity for unemployment claim fraud. Many individual victims won’t even realize they’ve been hit until they begin to process their taxes and discover that someone else has been using their credentials. Keep an eye out for unusual credit card charges, missing bills, and any signs of mail tampering, and be sure to use a secure, fully updated network when filing tax returns online.
Dark Reading focuses on the risks to businesses during tax season. Joseph Carson, chief security scientist at Thycotic, explains, "If you have a large target list at a company and many of the victims are unable to tell the difference between a scam and authentic notices, then even if a small number of people fall for such a scam, it's still extremely profitable for the cybercriminals." Thus, a key first step is keeping employees informed. Educate staff about phishing campaigns and business email compromise, and limit the number of employees who are authorized to handle sensitive tax data. Make sure employees know how the organization will be delivering tax documents, and consider using a secure corporate portal that requires authentication.
We heard from several industry sources about staying secure during tax season. Lamar Bailey, senior director of security research at Tripwire, reminds all that phishbait follows the news, because current events are shiny enough to induce victims to bite:
“Attackers use stories in the news to influence targets to click links in phishing attacks. 2020 was the year of COVID and attackers took full advantage by crafting phishing attacks based around the epidemic. They were able to play off the ever changing story to promote cures, treatments, and case numbers to get targets to click malicious links. The trend continues into 2021 by using COVID vaccines as the top story to promote the malicious links. This time of year in the US using phishing emails that appear to originate from the IRS is a very effective way to spread malware.”
In response to a recent Cybereason report that identified an ongoing phishing campaign targeting US taxpayers with NetWire and Remcos malware, an expert at cybersecurity firm KnowBe4 offers perspective.
James McQuiggan, Security Awareness Advocate at KnowBe4, makes two points worth remembering: first, this is a good time to avoid mingling personal information with your work accounts, and second, the IRS isn't going to email you and ask you to open a document or follow a link:
"With the tax season currently active and now being extended to May, this provides more opportunities for cybercriminals to launch phishing and malware attacks against users. By using attachments and cleverly worded emails, they rely on people's fear, curiosity or greed as the trigger to click on links in the emails, open attachments and unknowingly launch the Remote Access Trojan or RAT onto their systems.
"Users want to ensure that they do not open any IRS or tax information on their work email accounts because they should be using their personal email accounts instead.
"If they do receive an email, it is essential to take a moment and question if this email was expected and to verify the source. Suppose it is the IRS or another government agency. In that case, one can easily visit their website through a quick online search to determine if they are sending out these types of requests, alerts or other alarming information.
"The IRS will not contact people to verify their tax returns by sending them an email and asking them to open it for review."
Gurucul's Saryu Nayyar points out that criminals know the human attack surface:
“Malicious actors know that users are the weak link in the security chain. They know that a timely and relevant hook can be all it takes to get a victim to reveal their credentials or download a malicious application. For much of the last year, they used Covid 19 as the hook. Now that it's tax season in the US, they're shifting to tax related hooks.
"The technical methods attackers have adopted to bypass anti-virus and anti-malware applications are evolving, but it still comes back to the human element, which means user education remains the first line of defense against malicious actors. A complete security stack can help, but well-trained users are less likely to become victims.”
Brad Keller, Shared Assessments' Chief Strategy Officer, gives the obvious, Willie Sutton-esque, but worth-stating reason why criminals continue to phish during tax season: it works.
“Phishing continues to be a major threat because it remains a very successful method for obtaining credentials and other information directly from a user’s system. Having run the anti-phishing programs at two major US financial institutions I understand how difficult it is to create meaningful employee awareness and training to identify phishing emails. Taking those awareness programs to customers is an even more daunting task.
“While most major companies have initiated robust anti-phishing programs, smaller companies do not have the resources to develop and maintain these initiatives, making them ideal targets for phishing campaigns. Most individuals are unaware of phishing methods and are not able to identify them, unless they work for a company that provides robust anti-phishing training.”
And, finally, SCYTHE's CTO Jorge Orchilles has some thoughts for businesses during tax season:
“We have invested heavily in preventing malware from running in our environments and that is clearly not working as advertised. Organizations need to operate in “assumed breach mode”, where they know they will eventually be compromised. How they detect and respond to the inevitable is what is differentiating victims. We need to work together to improve people, process, and technology.
“All users must remain cautious and vigilant to all types of scams, from emails to text messages and phone calls. Scammers will use any current event to take advantage of the most vulnerable to make a quick profit. It is unfortunate but that is the online world we live in today.”
Cybereason Exposes Malware Campaign Targeting US Taxpayers Just Weeks (PRWeb) Cybereason, the leader in future-ready attack protection, today announced the discovery of a new campaign targeting U.S. taxpayers with documents that purport to con
Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware (Cybereason) Cybereason researchers have discovered a new campaign targeting US taxpayers with documents that purport to contain tax-related content but ultimately deliver NetWire and Remcos malware - two prolific remote access trojans.
Now You See It, Now You Don’t: CopperStealer Performs Widespread Theft (Proofpoint) On Jan 29th, 2021, a Twitter user, "TheAnalyst", shared a sample which caught our attention after being notified it triggered an Emerging Threats Network Intrusion Detection System (NIDS) rule.
Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign (Varonis) Our team has recently led several high-profile investigations of attacks attributed to an up-and-coming cybercrime group, Darkside.
Fraudsters jump on Clubhouse hype to push malicious Android app (ZDNet) The BlackRock Trojan is lurking in the malicious, fake Android version of Clubhouse.
Fintech Giant Fiserv Used Unclaimed Domain (KrebsOnSecurity) If you sell Web-based software for a living and ship code that references an unregistered domain name, you are asking for trouble. But when the same mistake is made by a Fortune 500 company, the results can range from costly to disastrous. Here's the story of one such goof committed by Fiserv [NASDAQ:FISV], a $6…
Douglas County targeted as part of international cyber attack (The Wenatchee World) Douglas County was one of thousands of servers targeted in a cyberattack by a group out of China.
Atascadero State Hospital reports data breach; employee accessed 2,000 COVID test results (Sacramento Bee) A state employee improperly accessed more than 2,000 Atascadero State Hospital patient and employee records in a data breach identified in late February, Department of State Hospitals said.
Now Available! Draft NIST SP 1800-22 Mobile Device Security: Bring Your Own Device (BYOD) (National Institute of Standards and Technology (NIST)) We are excited to announce that the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Practice Guide Special Publication (SP) 1800-22 Mobile Device Security: Bring Your Own Device (BYOD) today.
NIST’s Guidelines to Improving BYOD Mobile Device Security and Privacy (Zimperium Mobile Security Blog) Zimperium has been working closely with the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology on a mobile device security project.
Facebook's ‘Red Team X’ Hunts Bugs Beyond the Social Network's Walls (Wired) The internal hacking team has spent the last year looking for vulnerabilities in the products the company uses, which could in turn make the whole internet safer.
How to reduce remote working cyber security attacks (ITProPortal) Here’s how to keep remote working safe and secure
Why cyber education needs a mobile-centric approach (Silicon Republic) Safe Security’s Vidit Baxi talks about recent trends in the cybersecurity industry and why infosec education needs to change.
Swiss Hacker indicted for conspiracy, wire fraud, and aggravated identity theft (Department of Justice) Seattle – A prolific Swiss computer hacker, TILL KOTTMANN, 21, was indicted today by a grand jury in the Western District of Washington for computer intrusion and identity and data theft activities spanning 2019 to the present.
Verkada Hacker Charged With Wire Fraud, Identity Theft in U.S. (Bloomberg) A Swiss computer hacker who was involved in the intrusion of Verkada Inc., exposing surveillance footage from Tesla Inc., was charged by prosecutors in Seattle with conspiracy, wire fraud and identity theft.
Verkada hacker charged in the US for hacking more than 100 companies (The Record by Recorded Future) The US Department of Justice has charged today a Swiss national for hacking into more than 100 companies and leaking proprietary data online on their personal website.
Russian National Pleads Guilty To Conspiracy To Introduce Malware Into A U.S. Company’s Computer Network (US Department of Justice) A Russian national pleaded guilty in federal court today for conspiring to travel to the United States to recruit an employee of a Nevada company into a scheme to introduce malicious software into the company’s computer network.
Russian who tried to hack Tesla last summer pleads guilty (The Record by Recorded Future) A Russian national who traveled to the US in order to recruit a Tesla employee for a scheme to plant malware on the carmaker's network pleaded guilty today, abandoning a jury trial that was planned for July this year.
Wave of Legal Appeals Challenges How European Regulators Enforce Privacy Rules (Wall Street Journal) Nearly three years after a sweeping privacy law took effect in Europe, regulators are seeing more sanction decisions challenged and overturned as companies file appeals.
ACLU Tells 6th Circ. Robocall Ban Was Unenforceable (Law360) The American Civil Liberties Union and a slew of constitutional scholars are lining up to ask the Sixth Circuit to declare the national robocall ban unenforceable for violations that occurred during the five years that government debt collections were exempt from the law.
NY Department of Financial Services Settles with Mortgage Lender over Data Breach (JD Supra) The New York Department of Financial Services (DFS) recently entered a settlement for $1.5 million with a Maine based mortgage lender over allegations...
The Battle of the Bills Begins: Proposed Federal Data Privacy Legislation Aims to End Patchwork Problem But Increases Enforcement (The National Law Review) After years of advocacy from both sides of the aisle and growing concerns about challenges created by state-based solutions, 2021 is poised to be a bellwether year for Congressional debate over federa
Oklahoma considers adding anti-ransomware laws amid growing threats (Oklahoman) Proposed Oklahoma law would make malicious programs like viruses, spyware, Trojan horses and ransomware a crime.
Counterpoint: Why Fla.’s New Privacy Law Must Have a Private Right of Action (Daily Business Review) Hardly a week goes by where I or a member of my family fail to receive a notification from a company disclosing that its computer systems were compromised and that our private and sometimes immutable personal information—provided to the company based on express promises of adequate, “industry standard” data security—now lies in the hands of criminals due to the company’s reckless handling of that information.
Australian Taxation Office extends national digital identity program with face verification technology from iProov (Herald Chronicle) Millions of Australians will soon be able to access digital government services online after proving their identity using face verification from biometric authentication leaders, iProov.