The Hurricane Labs Foundry: Volume 12, Season’s Greetings Edition

The goal of this publication is to serve as a sort of newsletter containing information about the latest cybersecurity trends and news that you may want to be aware of. These could be threat intel reports, high-profile vulnerabilities, newly released tools and resources, information regarding the latest Splunk and/or information security trends, news on the latest security breaches to be aware of, along with a host of other subjects.

’Tis the Season

Most of time, I try to make the Foundry a collection of stories about IT and information security news. Be that new vulnerabilities, new threat actors, new trends, and so on and so forth. I wanted to do a bit of a longer story this time around, with more of an overarching focus, so things will be a little different with this issue than what you normally see.

With November comes the onset of winter, and the beginning of the holiday season. That also means increased spending, holiday production freezes for a lot of IT operations, and an increased volume of attacks in various forms — malware, phishing, social engineering, blackmail — targeting both individuals and enterprises as a whole. So, I am wanting to remind you of the threats you may face this holiday season and what can be done to combat them.

Increased Volume of Malware

As has been recently reported by Proofpoint, banking trojans are dominating the malware landscape, and phishing is the primary method of malware delivery these days — either with attached macro-enabled documents, PDFs, scripts, or links to said documents users are encouraged to download then execute in order to deliver the actual banking trojan.

As the name implies, banking trojans are going for your financial information — account numbers, credentials to banking sites, etc.

The most prominent banking malware observed by both Proofpoint, and malware sandboxing company any.run, is Emotet. Emotet does more than steal banking credentials, it can steal email, client, and web browser passwords, drop other malicious payloads, and as of recently can collect the contents of e-mail messages, in addition to other features (see Symantec’s Analysis of Emotet here, as well as the BleepingComputer report about the new email collection module here).

The Bad Guys Don’t Care About Your Production Freezes

A lot of businesses in the lead up to the holiday season (most especially payment card processing providers and/or most retailers) begin to implement “production freezes”. As the name implies, production freezes are established to prohibit changes to production computing environments, and business critical systems (e.g. payment processing systems, manufacturing systems, public-facing websites, etc.).

The goal of a production freeze is ensure stability and availability of the system for the period of time the freeze is in effect. For some companies, production freezes span the entire holiday season from Thanksgiving through New Years Eve. This is because the holiday season is where a lot of companies earn a large portion of their revenue, and the fear is that enabling changes during this time will affect availability of systems that customers interact with – which will in turn impact sales.

The problem with production freezes is that adversaries know about them too and use them as a golden opportunity to launch attacks.

Think about it like this: If you were a bad guy sitting on top of a web application vulnerability, service vulnerability, or even a zero-day, you would probably want to drop the vulnerability and use it to establish a foothold at a time and date that benefits you. Like, say for instance, a holiday season in which most staff will probably be out of the office for vacation, and the skeleton staff that is left – even if they somehow manage to determine that something is wrong, will have an uphill battle contacting and coordinating others in their organization to make necessary changes to contain the attack and/or remediate it. They may be unresponsive, out of town, have limited communication options, etc.

Blackmail and “Sextortion” schemes Are on the Rise

Another threat that is nothing particularly new, are blackmail schemes.

While extorting people for money over secrets – those which they may not want out in the public – is nothing new, there are some interesting things going on in light of recent breaches. Most particularly sites like Ashley Madison, opportunistic attackers have combed through the breach data, found email addresses and usernames of people who registered to the site, and then sent those people emails threatening to expose them if they don’t pay up some amount of money, usually in bitcoin or other digital currencies.

The number of blackmail style phishing emails have been on the rise since then, claiming that the attacker has knowledge of a matter that the victim would rather keep private, and threatening to expose them, if they don’t cooperate and pay up.

Sometimes, they provide proof in the form of a username and/or password to a website, other times they’ll show objectionable pictures, claim to have webcam footage, etc. The attacker may, or may not have this information, but the attacker is banking on the victim being paranoid enough to believe them and pay up, in either case.

Hypothetically, individuals aren’t the only ones being blackmailed. Let me paint a picture for you in the form of a hypothetical story that may or may not have happened.

An organization experiences a massive breach. The attacker chooses to notify the executives of the organization over email with evidence in the form of screenshots that he has compromised their network and collected all sorts of sensitive information — screen captures from sensitive file shares, database tables, etc. The attacker claims that if he does not receive some amount of money by Christmas day, that all of the information he has received will be plastered all over the internet.

This organization hires incident response services. The IR team finds the attacker’s persistence and eventually removes it, but confirms that the data the attacker had exfiltrated was the real deal. The organization elects to settle with the attacker — the risk to their reputation, plus the value of the data, is too high to accept the risk that the attacker is willing to follow through with his threat.

Of course, in this scenario, there is no guarantee that the attacker won’t simply have his cake and eat it too, by releasing the data regardless of payment. But having this data posted was too much of a risk, and not to mention, at an extremely inopportune time, as most of the IT staff were out for the holiday.

Defending Yourself

With all these threats on the rise, what can be done to defend yourself, your users, and your organization against the increased volume of threats? Don’t worry, I got your back.

Malware Defense

Two years seems like ages ago, but a while back, I wrote a set of guides on ransomware defense.

Unsurprisingly, not much as changed since then, and also unsurprisingly, the same things that could be used to defend against ransomware can help protect you against other types of malware effectively.

The recommendations in the guides I wrote are a wonderful starting point for leveling the playing field against malware and phishing emails. Security controls, empowering your users, and jumpstarting their ability to think critically are timeless pieces of advice, and will serve you again and again.

Thawing out of Production Freezes

The root of the production change freeze comes from the concept that reliability above all must be achieved. However, with how fast the IT and infosec world moves, change freezes can overall be detrimental to the availability of services that are core to your business.

Meet with different branches of your organization. Find out what their fears are and work to address them. At a minimum, fight to get a policy to rapidly test and roll-out critical security vulnerabilities during change freezes, because the attackers aren’t going to wait for your change freeze to be over.

Countering Blackmail/Extortion Schemes on an Individual and Enterprise Level

A lot of the blackmail and extortion schemes targeting individuals rely on the existence of breach information being readily available, and end users being entirely unaware that their username/password credentials have been compromised. Therefore, a lot of the advice I’m going to offer here is going to be advice for countering breaches, and what you should do if you are the victim of a breach.

First and foremost, I recommend being aware of breaches and compromises when they occur with services you subscribe to.

Now, I’m not telling you to be clairvoyant and see into the future, but I am telling you to keep an ear out and listen to security news. If Brian Krebs says that he’s working on a story/breach involving a large company, then its in your best interest to follow along as news develops to see who was compromised, when, and what data was leaked so that you can keep your private information in control.

In addition to following the news, I highly recommend taking advantage of “Have I Been Pwned” – search for email addresses you have used to register accounts to various services, change passwords as necessary, then sign up for the “Notify Me” feature that will email you if/when your e-mail address has been found on paste sites (such as Pastebin), or in publicly available data dumps.

If your credentials have been leaked as a part of a breach, change the password for that site or service immediately. Additionally, you will absolutely want to change the password for any services you utilize in which you reused that password.

Password reuse in large-scale breaches has resulted in secondary account and/or entire company breaches, so be sure to avoid reusing passwords where possible. If generating a unique password for every website or service you use sounds tedious or overwhelming, I highly recommend utilizing a password manager, such as 1Password, LastPass, or KeePassXC.

It should go without saying in this day and age, but if the services you subscribe to offer two-factor authentication of any sort (yes, even if its two-factor auth over SMS) then you should consider using it to further protect your accounts.

Last but not least, avoid using your work email address to register for services and/or websites that are not specifically related to your job. Not only does this help to compartmentalize your work life from your private life, but if attackers managed to get a hold of a database stuffed with e-mail addresses and unhashed/unsalted passwords, and if by chance your account, with your work email happens to reuse the SAME password (or an easily guessed variant, let’s say), then the bad guys can easily pivot off of that data breach and attack your workplace next (or as mentioned above, another account/service you use). Avoid using work email addresses to sign up for services you don’t use at work, but if you want to or feel that you have to, NEVER reuse passwords.

If you as an individual follow these instructions, blackmailers will have no power over you, and no leverage whatsoever. Not only that, it significantly reduces the risks of the bad guys using your account credentials to compromise the place where you work.

It is often said that users are the weakest link in the chain that is security, so doing these things will ensure that yours is the link that will not break.

Now in regard to the hypothetical situation of an entire enterprise being blackmailed or extorted, the best and really, only advice I can offer is that an ounce of prevention is a lot cheaper than paying out an extortion. In the hypothetical situation I laid out above, systems weren’t being monitored, endpoint logs weren’t being collected, NSM solutions (behavioral and/or signature-based) were not being used. The attacker, once they established initial access, had free reign to pivot across the network, and sustained access to the network to exfiltrate data as they saw fit.

The harder a target you make yourself, the less likely attackers will be to poke and prod at your network, preferring to go after juicier low-hanging fruit instead.

Look into solutions like LAPS to ensure that local admin credentials can’t be used for pivoting across networks. Look at the Top 20 Security Controls. They’re difficult to implement, but they are timeless. Once again, take a look at some of the suggestions from the ransomware defense series I wrote, for further recommendations to help harden your network.

Make Good Decisions So You Can Enjoy Your Holidays

While there is no security solution that is 100% reliable, implementing these recommendations, and being aware of the threats you and your organization face, will reduce your chances of being a victim and help you successfully manage those risks. There are no silver bullets in security, and even if there were, werewolves don’t exist.

Be mindful, be aware, make good decisions. Happy holidays, from Hurricane Labs!