Due to the global pandemic, nearly two-thirds of companies have moved half or more of their employees to telework. Sixty-two percent of employed Americans, for example, say they have worked from home during the crisis, with the number of remote employees doubling between March 13 and April 2 of 2020. This is not just a temporary change: nearly a third of all organizations expect more than 50% of their current remote workers to continue working from home after the pandemic.

The security implications of such a dramatic transition in such a short period of time cannot be overstated. Under normal circumstances, moving an entire workforce from secure IT environments to home networks with very little cybersecurity would take long-term planning and preparation, but that was not an option in 2020. As a result, 32% of respondents to Fortinet's Securing Remote Work Survey found setting up and managing secure connectivity to be the most challenging aspect of switching to telework. Part of the problem was that the devices at the company's core network were not designed to handle the volume of VPN connections required, so many connections were not secure. The other part of the challenge was that many home networks were not set up to support the bandwidth requirements of VPN, let alone bandwidth-hungry business applications such as videoconferencing. In addition, end-user devices (many workers began working from home on a personal device) were often unpatched and unsecured, as were other devices connected to the home network. These challenges made home networks an ideal target for cyber criminals.

The transition to the teleworking / remote working model opens users and companies up to myriad security threats, including malware, all forms of phishing attacks, and many more.
Ashco cyber security solutions and services address remote worker scenarios with three primary levels of connectivity. If you have technical questions or need assistance, contact us at info@ashcosystems.com.

HTTP.Server.Authorization.Buffer.Overflow (CVE-2018-5955) indicates detection of an overly long HTTP Authorization header value. HTTP servers that insufficiently sanitize HTTP request fields may be prone to such an attack. Successful attacks may allow a remote attacker to execute arbitrary code within the web server, crash the affected application, or deny service to legitimate users. Any unprotected or misconfigured HTTP server is vulnerable to the attack. FortiGuard Labs recommends that you apply the appropriate patches or upgrade the system to the latest non-vulnerable version, and monitor the traffic from that network for any suspicious activity.

North Korea's BeagleBoyz Robbing Banks: Recently, the United States Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI), and U.S. Cyber Command (USCYBERCOM), released a Joint Technical Alert that attributes malicious cyber activity to the North Korean government. The Technical Alert provides a detailed analysis of the North Korean government's role in an automated teller machine (ATM) cash-out scheme, referred to by the U.S. government as "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks." "BeagleBoyz" is a newly identified group that is a subset of activity by the threat actors known as HIDDEN COBRA/LAZARUS/APT38 and has been active since 2014. HIDDEN COBRA has been linked to multiple high-profile attacks that have caused massive infrastructure disruptions, as well as financially motivated attacks in various parts of the world.
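The HTTP.Server.Authorization.Buffer.Overflow signature above names the condition (an overly long Authorization value) without showing how such a check works. The following Python is an added example, not code from the original post or from Fortinet: it parses a raw HTTP request head and flags an Authorization header that exceeds a size limit, including a value split across obs-fold continuation lines that a naive per-line check would miss. The 1024-byte limit and the sample requests are assumptions constructed for illustration.

```python
import base64

MAX_AUTH_LEN = 1024  # assumed threshold for illustration; tune to your servers

def parse_headers(raw: bytes) -> dict:
    """Lower-cased header dict from a raw HTTP/1.x request head. Joins
    obs-fold continuation lines and repeated headers, so the value is
    measured as the server will actually assemble it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers, last = {}, None
    for line in head.split("\r\n")[1:]:          # skip the request line
        if not line:
            continue
        if line[0] in " \t" and last:             # obs-fold continuation
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
        last = key
    return headers

def check_authorization(raw: bytes, limit: int = MAX_AUTH_LEN) -> dict:
    """Verdict for one request: suspicious if the Authorization value is
    longer than `limit` or carries Basic credentials that are not base64."""
    auth = parse_headers(raw).get("authorization")
    if auth is None:
        return {"present": False, "suspicious": False, "length": 0, "reason": ""}
    verdict = {"present": True, "suspicious": False, "length": len(auth), "reason": ""}
    scheme, _, param = auth.partition(" ")
    if len(auth) > limit:
        verdict.update(suspicious=True, reason=f"{len(auth)} bytes exceeds {limit}")
    elif scheme.lower() == "basic":
        try:
            base64.b64decode(param, validate=True)
        except ValueError:                        # binascii.Error is a ValueError
            verdict.update(suspicious=True, reason="Basic credentials are not base64")
    return verdict

# Constructed sample requests (not captured traffic)
SAMPLES = {
    "benign": b"GET / HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic "
              + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n",
    "oversized": b"GET / HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic "
                 + b"A" * 4096 + b"\r\n\r\n",
    # Value split with obs-fold: each physical line is short, the joined value is not
    "folded": b"GET / HTTP/1.1\r\nAuthorization: Bearer " + b"x" * 700
              + b"\r\n " + b"y" * 700 + b"\r\n\r\n",
}
```

Run `check_authorization(SAMPLES["folded"])` to see that the joined value (1408 bytes) is flagged even though neither physical line exceeds the limit.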
Notable attacks include the 2014 attack on a major entertainment company and a 2016 heist at a Bangladeshi financial institution that came close to netting $1 billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, HIDDEN COBRA would have pulled off a heist unlike any other. Although HIDDEN COBRA failed in that attempt, the group still netted around $81 million in total. The most recent, and most notable, attack attributed to HIDDEN COBRA was the WannaCry ransomware attack, which caused massive disruption and damage worldwide to numerous organizations, especially manufacturers. Various estimates put the impact in the hundreds of millions of dollars, with some claiming damages in the billions. Other verticals this group has targeted include critical infrastructure, entertainment, finance, healthcare, and telecommunications across multiple countries.
AV Signatures: W32/Alreay.BG!tr, W32/KeyLogger.BHFC!tr, W32/Banker.ADRO!tr.spy, W32/Alreay.A!tr, W32/Agent.0D36!tr, W64/Agent.AP!tr, W32/Generic!tr, W64/Banker.AX!tr.spy, W32/Banker.ADRO!tr.bdr, W32/Alreay.BB!tr, Riskware/Banker

Web Filtering

Box Pages Utilized in Phishing Attack to Trick Victims: Security researchers have recently discovered a phishing attack conducted against government and security organizations, using a legitimate Box page with Microsoft 365 branding to manipulate the victims. This newly discovered credential harvesting campaign lures victims by sending them a legitimate Box web page branded as Microsoft 365. The attack begins with phishing emails to the victims. The emails claim to come from a third party and ask the victims to read a sensitive financial document. The attacker arranged the delivery so that the message would only be available for 10 days, creating a sense of urgency so that the victim clicks the link immediately. After the victim clicks the link, they are redirected to the page hosted on Box, which contains another OneDrive document. After the victim also clicks the OneDrive document, it redirects them to the final phishing landing page.
There they see an Office 365 login portal and are asked to log in with their corporate credentials. Once the credentials have been entered and the victim clicks the submit button, the credentials are sent to the attacker, who can view them at any time. The victim is thus compromised.

Indicator(s): Nantuckettravel[.]icu, Tidewaterhomefunding[.]com

Our Research & Insights:
Whitepaper: Effective Cyber Security Strategies during the Covid-19 Pandemic
Whitepaper: The Essential Guide to Securing Remote Access
Secure DevOps: Learn how to make security integral to your DevOps process.
E-Book: Effective Security Strategies for DevOps & Application Services
E-Book: How to Build a Next Generation Security Operations Center