
Page 1: Threat Landscape & BEC · 2018-12-02

Page 6:

• Medical Devices
• Medical Insurers
• Medical Labs
• Medical Retail
• Pharmaceutical
• Medical Providers

Page 8: #1 Most at Risk Sector

• $200 for Every Record: cost of the breach, downtime, reputational damage, litigation, business loss
• Highest Cost per Stolen Record ($.50-$1.00) (Extortion)
• Rise in Opportunistic Malware
• 80% of Cybercrime is from Organized Crime Gangs

Page 12:

• Make a Statement
• Because They Can / Test
• Disruption
• Money
• Headlines
• Recognition
• Espionage
• Revenge

Page 14: Breaches

• Equifax – 145.5 million – breach of the century
• Target – 70 million – 2013
• Yahoo – 500 million – 2014; 1 billion – 2016* (*largest in history)
• Home Depot – 53+ million
• UC Davis – 15,000 – phishing

2018 Breaches Identified by ITRC as of 4/23/2018 (Identity Theft Resource Center, http://www.idtheftcenter.org; figures in parentheses are healthcare related):
• Total breaches: 319 (93 – 29.2%) (2nd behind Business)
• Total records exposed: 11,285,403 (980,136 – 8.7%)
• Business related: 8,414,651 – 74.6%

Page 15:

• WannaCry
• NotPetya
• CryptoLocker
• CryptoWall
• CryptoDefense
• TorrentLocker
• Darkleech
• Locky
• SamSam (HP)

Page 16: Ethical Short Sell?

Carson Block
http://www.marketwatch.com/story/short-seller-muddy-waters-renews-claims-of-st-jude-medical-cyber-vulnerabilities-2016-10-19

Page 18: Ransomware Worm (May 12, 2017)

• 1 day: 230,000 computers, 153 countries
• Exploit of a Windows Server Message Block vulnerability known as EternalBlue, used by the NSA for offensive purposes
• @MalwareTech – Marcus Hutchins
• 327 payments totaling $130,634.77
• National Health Service hospitals in England and Scotland: 700,000 devices; turned away non-critical emergencies and diverted ambulances

Page 19: [Chart: Thousands of Infections – Ukraine (Symantec*)]

*Symantec: https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know

Page 20: Malware – Exploit Kits

• Dridex EK, Neutrino EK, Magnitude EK, Sweet Orange EK, Fiesta EK, Angler EK
• Applications – Java, Flash, WordPress
• Web browsers – IE, Firefox, Chrome
• Servers
• Operating systems

Page 21: Vulnerability Scanning

• Port scans – open ports
• WordPress, Joomla, Java, Flash, OpenSSL
• Infrastructure: Building Automation, Industrial Control Systems, Programmable Logic Controllers

Page 22: Zero Day and Other Vulnerabilities

OpenSSL/Heartbleed
• Old vulnerability
• Allows more data than allowed to be read
• Website vulnerability
• Banks took the rap unfairly

GNU Bash/Shellshock
• Old vulnerability (1994)
• Unix based: Linux, Apple Mac OS X
• Went public Wednesday 9/24
• Exploits and scanning seen almost immediately

Page 23:

• Krebs Online
• 2012-13 Op Ababil
• Las Vegas – Gaming Industry
• Op Pharma
• DD4BC
• Mirai Botnet – DYN attack
• Op FunKill

Page 24:

• Court Notice
• Credential Resets
• Invoice/Statement
• Shipping themes: DHL, FedEx, UPS
• EZ Pass
• Bank Phish – SWIFT Transfer
• LinkedIn
• eFax
• Salesforce
• Reward themes
• Airlines
• WhatsApp – You've got a voicemail

Page 26: BEC Types

• The Bogus Invoice Scheme
• CEO Fraud
• Account Compromise
• Attorney Impersonation
• Data Theft (major healthcare concern)
• Newest trend: computer intrusion – malicious links, remote access, ransomware

Page 28: $5.3 Billion globally since 2013 (IC3 FBI Report)

Page 29: BEC Scams Succeeding Due to Social Engineering

• Subject lines carry a sense of urgency, requiring immediate action, attempting to coerce the recipient to act quickly
• The top subject lines are: 1. Payment (18.9%) 2. Urgent (10.3%) 3. Request (8.6%)
• Goals of BEC scams: financial gain; exfiltrate sensitive data such as tax information

Source: Internet Security Threat Report: Email Threats 2017

Page 30: BEC Scammers Are Using Typosquatting to Trick Users

• What is typosquatting? Domains that look similar to the official domain of the emails they impersonate; often known as 'cousin' or 'lookalike' domains
• Other forms: use a different domain; add words to the domain
• Examples: Amce_inc.com instead of acme_inc.com; Symanlec.com instead of symantec.com; Acme_inc_sales.com instead of acme_inc.com
• 4,000 typosquatted domains for just 100 customers over 90 days

Source: Internet Security Threat Report: Email Threats 2017

Page 31: Attackers Distributing Malicious Attachments Via Email

• Malicious emails use social engineering in subject lines and message bodies to trick users
• The top themes are: 1. Billing or Invoices 2. Package Delivery 3. Scanned Documents
• Attackers are using downloaders to deliver malware. Why?
  - Downloading a payload separately helps evade email security
  - C&C server can send localized or no payloads
  - Easy to change the final payload in case of detection
• 74% of malicious emails contained attachments
• 53% of attachments were scripts or Office files with macros

Source: Internet Security Threat Report: Email Threats 2017

Page 32: Building Malicious Email: Social Engineering

(Copyright 2017, Symantec Corporation – 2017 Internet Security Threat Report, Volume 22)

Page 33: Business Email Compromise Scams Are Preying on Users

• Difficult to block: low-volume emails with generic content and no malicious code or links
• Large financial losses: a Belgian bank lost $76M due to Business Email Compromise
• Simple concept: email sent from the CEO requesting a large money transfer or sensitive data
• 2400% increase in BEC attacks since 2015

Source: FBI Public Service Announcement, I-050417-PSA (May 4, 2017)

Page 34: Anatomy of a Business Email Compromise Scam

From: [email protected]
To: Finance, Accounting or HR user
Subject line: Request

I need you to process a wire transfer today. Please confirm so that I can forward you the instructions.

Regards
Joe CEO
Chief Executive Officer

Sent from my iPad

Callouts on the slide: Impersonated User; Simple Subject Line; Urgent Request; Social Engineering; Impersonated Domain; Targeted User; No Attachment or Link
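As an added example that is not part of the deck, the typosquatting forms from page 30 and the callouts on this anatomy slide turned into a triage check a mail gateway rule or SOC script could run over inbound mail; the corporate domain, the executive name and both sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Constructed: the organisation's own domain and the executives a scammer
# would impersonate (hypothetical names taken from the slide).
CORP_DOMAIN = "acme_inc.com"
EXECUTIVES = {"joe ceo": "joe.ceo@acme_inc.com"}
URGENCY = re.compile(r"\b(urgent|today|asap|immediately|as soon as possible)\b", re.I)
MOBILE_SIG = re.compile(r"sent from my (iphone|ipad|phone)", re.I)

@dataclass
class Email:
    from_name: str
    from_addr: str
    subject: str
    body: str
    has_attachment_or_link: bool = False

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a swapped pair (amce/acme) costs 2, a substitution 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, protected: str = CORP_DOMAIN) -> bool:
    """Typosquat forms from the slide: swapped/substituted character
    (Amce_inc, Symanlec) or words added to the label (acme_inc_sales)."""
    d = domain.lower()
    if d == protected:
        return False
    label = protected.rsplit(".", 1)[0]
    return levenshtein(d, protected) <= 2 or label in d.rsplit(".", 1)[0]

def bec_indicators(mail: Email) -> list[str]:
    hits = []
    name = mail.from_name.strip().lower()
    if name in EXECUTIVES and mail.from_addr.lower() != EXECUTIVES[name]:
        hits.append("impersonated_user")       # exec display name, wrong mailbox
    if is_lookalike(mail.from_addr.rsplit("@", 1)[-1]):
        hits.append("impersonated_domain")     # cousin / lookalike domain
    if URGENCY.search(mail.subject + " " + mail.body):
        hits.append("urgent_request")
    if len(mail.subject.split()) <= 2:
        hits.append("simple_subject")          # 'Request', 'Question', 'Payment'
    if not mail.has_attachment_or_link:
        hits.append("no_attachment_or_link")   # nothing for a malware filter to catch
    if MOBILE_SIG.search(mail.body):
        hits.append("mobile_signature")        # excuses the abrupt text
    return hits

# Constructed samples: the scam from the slide and a benign mail from the real CEO.
SCAM = Email("Joe CEO", "joe.ceo@amce_inc.com", "Request",
             "I need you to process a wire transfer today. Please confirm so that "
             "I can forward you the instructions.\nRegards\nJoe CEO\nSent from my iPad")
LEGIT = Email("Joe CEO", "joe.ceo@acme_inc.com", "Q3 board deck attached",
              "Please review the attached deck before Thursday.", has_attachment_or_link=True)
```

Several indicators firing together is the signal; any one of them alone (an urgent subject, a phone signature) is normal business mail.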

Page 35: Real World Example

Page 36: Anatomy of a Targeted Phishing Attack

o The branding looks consistent (Google logo, shield logo)
o The email is addressed to the recipient (not "Dear Sir")
o The English is not broken

Page 37: Anatomy of a Targeted Phishing Attack

http://bitly.com/gblgook
myaccount.google.com-securitysettingpage.tk

Page 38: Anatomy of a Targeted Phishing Attack

o The login page looks identical to the actual login page (HTML was cloned)
o Once the user submits the username/password combination, it doesn't matter what happens next
  - Typically, the phishing page redirects users back to Google.com

Page 39: Anatomy of a Targeted Phishing Attack

John needs to change his password immediately, and ensure that two-factor authentication is turned on for his account.

He can go to this link: https://myaccount.google.com/security to do both. It is absolutely imperative that this be done ASAP.

This is a legitimate email.

Page 40: BEC: CEO Compromise (TLP: WHITE)

• From CEO or senior executive… by name
• To someone in the finance department… by name
• Advanced social engineering: sense of urgency; abrupt text normal for an email from a phone; proper language for the entity being emailed

Date:
FROM: CEO
TO: Finance Department
SUBJECT: Question

Are you available? Wire transfer needs to go out. Also what is the balance of General Funding Account? Let me know when you are ready. Reply as soon as possible.

Sent from my iPhone

Page 41: BEC Scenario

• It's Friday late afternoon and you receive an urgent email from the C-Suite. It looks like this…

Page 42: Your Organization Has Been Hit By BEC!

• The Controller immediately prepares a payment to be made via wire transfer. The CEO has urgently asked for the payment and the Controller is eager to please…
• $500,000 is wired to an account in China.

What Do You Do?

Page 43: Key Questions - What Are Your Next Steps?

• Who do you call? Options for recovery of the wire?
• Would you stand up a crisis management team after BEC occurs? Who is on the team?
• If BEC does happen, do you report it? Even if it is a failed attempt?
• If you do report it, where do you go to do this? FBI, IC3, etc. Internally – Legal, Public Relations?
• If you are a part of NH-ISAC, do you report it to NH-ISAC?
• Will cyber insurance cover this situation?

Page 44: Key Questions - Forensics

• Do you have somewhere to send suspicious emails for research?
• Do you keep log data… with timestamps?
• External email notification system (specific name?)
• Actually let LE send money to capture account data?
• Do you have a third party provider… retainer?

Page 45: Key Questions - Communications

• When the press gets hold of the story, what do you do?
• When do you tell your constituents/clients? Staff?
• Do you do any kind of awareness training for BEC? Spoofing email addresses, phishing training, exercises?
• Who do you feel is liable/held accountable when BEC occurs?

Page 46: Best Practices for IT & IT Security

• Use strong email security to block email impersonation attempts
• Train your users to recognize BEC attacks through awareness and education
• Register and protect your email domains as well as typosquatted domains: leverage sender authentication on the typosquatted domains and prohibit emails that use these domains via SPF hardfail and DMARC reject policies
• Flag external messages. Drawback: when every message is being flagged, users may stop paying attention to these alerts
• Use two-factor authentication for initiating wire transfers – or data
• Leverage DLP capabilities to prevent sensitive data from being shared over email with unauthorized users (i.e. W2 information sent to scammers)
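An added example, not from the deck, of auditing the SPF hardfail and DMARC reject policies the slide asks for across the organisation's own domain and the typosquatted domains it has registered; the domain names and TXT records are constructed stand-ins for live DNS answers.

```python
# Constructed DNS TXT data standing in for live lookups (hypothetical domains):
# the organisation's sending domain, a defensively registered typosquat, and a
# typosquat that was registered but never given any records.
TXT_RECORDS = {
    "acme_inc.com": ["v=spf1 include:_spf.mailprovider.example ~all"],
    "_dmarc.acme_inc.com": ["v=DMARC1; p=none; rua=mailto:dmarc@acme_inc.com"],
    "acme_inc_sales.com": ["v=spf1 -all"],
    "_dmarc.acme_inc_sales.com": ["v=DMARC1; p=reject"],
    "amce_inc.com": [],
}

def lookup_txt(name: str) -> list[str]:
    """Stand-in for a DNS TXT query; swap in a real resolver in production."""
    return TXT_RECORDS.get(name, [])

def spf_findings(domain: str) -> list[str]:
    """A parked or typosquat domain should publish exactly 'v=spf1 -all'."""
    spf = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["spf: no record; publish 'v=spf1 -all' so nobody can send as this domain"]
    if len(spf) > 1:
        return ["spf: multiple records (permerror, policy is ignored)"]
    terms = spf[0].lower().split()
    if any(t.startswith("redirect=") for t in terms):
        return ["spf: redirect= modifier; audit the target domain's record"]
    tail = terms[-1]
    if tail == "-all":
        return []                                   # hardfail: what the slide asks for
    if tail in ("~all", "?all", "+all", "all"):
        return [f"spf: '{tail}' is not a hardfail; use '-all'"]
    return ["spf: no terminal 'all' mechanism (result defaults to neutral); use '-all'"]

def dmarc_findings(domain: str) -> list[str]:
    """Only p=reject (with sp=reject and pct=100) actually blocks spoofed mail."""
    recs = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["dmarc: no record; publish 'v=DMARC1; p=reject'"]
    tags = dict(t.strip().split("=", 1) for t in recs[0].split(";") if "=" in t)
    out = []
    if tags.get("p", "").lower() != "reject":
        out.append(f"dmarc: p={tags.get('p', '?')} is weaker than reject")
    if "sp" in tags and tags["sp"].lower() != "reject":
        out.append(f"dmarc: subdomain policy sp={tags['sp']} is weaker than reject")
    if tags.get("pct", "100") != "100":
        out.append(f"dmarc: pct={tags['pct']} leaves some spoofed mail unenforced")
    return out

def audit(domain: str) -> list[str]:
    """All findings for one domain; an empty list means SPF hardfail + DMARC reject."""
    return spf_findings(domain) + dmarc_findings(domain)
```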

Page 47: Best Practices for Users

• Question any emails requesting actions that seem unusual… not normal procedures
• Do not reply to emails that seem suspicious. Obtain the sender's address from the corporate address book and ask them about the message… verbally?
• Report suspicious or obviously bogus emails to the proper authorities

Page 48: Wrap-Up Considerations - Prevention

• AV updated / firewall updated / email filtering
• Social engineering detection training
• Contacts with law enforcement, bank/financial institutions
• Flag external emails with a warning banner
• Policy for verifying and issuing transfers of data or monies
• Policy for reporting attempts
• Ask your cyber insurance provider

You are a target!

Page 50: Edward Brennan – Operations [email protected]