RedVAS CRM is secured by Armor so you can use our services with confidence

 

INTELLIGENCE BRIEFING | JULY

Welcome to Armor’s monthly Threat Intelligence Briefing. This newsletter provides in-depth research and analysis from our security experts about the current threat landscape.

All data stored in RedVAS is protected by Armor security.

TECH TALK

Threat Actor Phishing Reconnaissance

The Shadow Brokers showed no signs of slowing down in June. In fact, it was quite the opposite as they launched the “Data Dump of the Month Club.” So, not only are they not slowing down, they’ve created a profitable subscriber-based business model.

We attempted to highlight several key items of note in our security news for this release.

  1. Old vulnerabilities still exist with new ones constantly uncovered.
  2. Paying a ransomware demand is no longer a viable option for disaster recovery planning.
  3. Threat levels remain high even while developers continue to patch vulnerabilities and create security mechanisms to stop, or at least slow, attacks.

So, what can you do in the face of this unrelenting, ever-evolving attack? Last month we highlighted defense-in-depth. This month we focus on one of the most successful attack vectors, phishing. Phishing is accomplished via reconnaissance, social engineering and malicious web content.

Phishing Reconnaissance

Outside of mass marketing and spam campaigns, most phishing campaigns begin with reconnaissance. Adversaries will always take the path of least resistance first. To find an easy opening, their first step is gathering all of your publicly available information. Often, corporate websites are a rich resource for them. It’s understood that a good corporate persona is part of a successful marketing campaign, even if the risk of exposing data is often overlooked.

Recommendations include:

  • Carefully curate the profiles of executives on public-facing websites.
  • Post only phone numbers and email addresses that are intended for open public use.
  • Keep feeds and press releases free of personally identifiable information and of intricate details that could be used to craft an authentic-looking phishing email.

Social Engineering 

By now, we all know or think we know what social engineering is. In simple terms, it’s gathering data from someone through social interaction. It occurs via all means of communication, i.e. face-to-face, telephone, e-mail and social media. Human beings are social creatures, so preventing social interaction is not a viable strategy. Therefore, we’re left protecting people from themselves. This is accomplished or at least attempted through increasing phishing awareness and reducing exposure. Awareness training for users, while a widely implemented and auditable item for many, is only as effective as the support from management. Reports of detected phishing and malware attempts should be published for the consumption of all personnel in the organization. Warning personnel of current spam activity, malware detection events and additions to the web filtering program is an effective way to emphasize security. In short, people pay attention when bad things happen.

Malicious Web Content

Phishing through malicious web content involves redirecting targets to a phishing site or compromising them through man-in-the-middle tactics. The most widely used techniques for this are cross-site scripting on watering hole websites, malicious hyperlinks and malware.

Common solutions to prevent phishing include:

  • Antivirus
  • Web filtering
  • Spam filters
  • Email HTML filters
  • Email link disabling

These solutions catch most unsophisticated mass phishing. The next level of prevention is behavioral monitoring and watering-hole reconnaissance (identifying the high-traffic external websites your users visit). Behavioral monitoring requires a learning period during which you establish a baseline of web activity for your users.

This activity can be broken down into multiple categories that offer a snapshot of what normal looks like for your organization, including:

  • Time of day
  • User roles
  • Bandwidth usage

With a baseline identified, anomalies can be detected. An anomaly can indicate a new watering hole, data theft, browser compromise and a multitude of other issues that should be investigated.

Security personnel should review new watering holes to determine the potential for cross-site scripting and other malicious content. Spikes in connections to specific sites or IP addresses could indicate that browsers are being redirected to a man-in-the-middle host or that email-delivered malware is being launched. Also, spikes in bandwidth at odd times of day may indicate that a compromise is underway or that data is being exfiltrated.
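As an added example (not part of the Armor briefing), the following Python builds the kind of baseline described above from constructed proxy records and flags the anomalies the text lists: a destination absent from the baseline that several users start visiting at once (a watering-hole candidate to review), traffic in an hour a user has never been active, and a volume far above that user's baseline for the hour. All users, hostnames, byte counts and thresholds are made-up assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed proxy records: (day, hour, user, destination, bytes). Days 1-5 are the
# learning period and day 6 is the day under review; every name here is made up.
def sample_records():
    recs = []
    for day in range(1, 7):
        for hour in (9, 10, 11, 14, 15, 16):
            recs += [(day, hour, "alice", "intranet.example", 40_000),
                     (day, hour, "alice", "news.example", 120_000),
                     (day, hour, "bob", "intranet.example", 35_000)]
    # Day 6 anomalies: a site nobody visited before, hit by every user all day
    # (watering-hole candidate), and one user pushing 900 MB out at 03:00.
    for hour in (9, 10, 11, 14, 15, 16):
        recs += [(6, hour, "alice", "cdn-update.example", 50_000),
                 (6, hour, "bob", "cdn-update.example", 50_000)]
    recs.append((6, 3, "bob", "drop.example", 900_000_000))
    return recs

def find_anomalies(records, review_day, min_users=2, factor=3.0):
    """Return (type, subject, detail) tuples for the review day."""
    # Learning period: daily byte totals per (user, hour) and destinations seen.
    baseline = defaultdict(lambda: defaultdict(int))  # (user, hour) -> day -> bytes
    known = set()
    for day, hour, user, dest, nbytes in records:
        if day != review_day:
            baseline[(user, hour)][day] += nbytes
            known.add(dest)
    today = [r for r in records if r[0] == review_day]
    findings = []
    # 1. A destination absent from the baseline but used by several users at once.
    users_by_dest = defaultdict(set)
    for _, _, user, dest, _ in today:
        if dest not in known:
            users_by_dest[dest].add(user)
    for dest, users in sorted(users_by_dest.items()):
        if len(users) >= min_users:
            findings.append(("new-destination", dest, sorted(users)))
    # 2. Traffic in an hour the user never used, or far above that hour's baseline.
    volume = defaultdict(int)
    for _, hour, user, _, nbytes in today:
        volume[(user, hour)] += nbytes
    for (user, hour), nbytes in sorted(volume.items()):
        history = list(baseline.get((user, hour), {}).values())
        if not history:
            findings.append(("off-hours-traffic", user, hour))
        elif nbytes > factor * mean(history):
            findings.append(("bandwidth-spike", user, hour))
    return findings
```

A five-day learning period is far too short for production use; the multiplier-based threshold stands in for the per-role, per-hour statistics a real deployment would accumulate over weeks.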

Malicious IPs

We’ve seen the following IPs involved in various malicious activity and have taken steps to block them from our environment. We highly recommend blocking these IPs until they can be remediated and no longer pose a threat. It’s prudent to heavily scrutinize any communications from your network to these IPs, especially C2 nodes.

IP Address         Attack Signature            Geo Location
91.247.38.59       Attacking Web Application   Ukraine
129.174.188.216    Command and Control         United States
122.117.112.106    Attacking MySQL             Taiwan
41.46.178.187      Command and Control         Egypt
195.68.233.248     SSH Brute Force             Poland
185.44.78.235      Attacking Web Application   United Kingdom
185.7.213.18       Attacking Web Application   France
78.139.230.162     Command and Control         Russia
219.238.170.136    Malware Host                China
74.64.43.38        SSH Brute Force             United States
93.182.172.139     Command and Control         Sweden
182.160.154.136    Attacking Web Application   Australia
86.108.41.36       Command and Control         Jordan
108.214.236.50     Malware Host                United States

Security Trends and Insights

SYSTEMD-RESOLVED BUG WAS POTENTIALLY EXPLOITED VIA MALICIOUS DNS SERVER

The last week of June saw the release of patches for a high-severity vulnerability that exists in several popular Linux distributions. The vulnerability, CVE-2017-9445, is exploited using malformed DNS payloads to execute arbitrary code on the target system. The vulnerability emerged in June 2015 and was discovered in January 2017 by a security researcher. Exploits haven’t been published for this vulnerability yet, but it’s recommended that affected Linux systems be patched immediately.

IT DOESN’T PAY TO PAY

Petya victims paid $10,000 for encryption keys even though the attack wasn’t likely financially motivated and affected files may not be recoverable. This is a PSA: paying the ransom is never worth it. You may get your files back, but there’s no guarantee. Additionally, any payments received further incentivize perpetrators while also funding future ransomware campaigns. The only recommended method for recovering affected files is to restore from a known, reliable backup.

EVERY LITTLE BIT HELPS AS REACTION TO RANSOMWARE DRIVES DEVELOPMENT

Microsoft continues to take heat as the number of variants and incidents of ransomware that specifically target the Windows OS increases. In response, the Windows 10 Insider Preview program is introducing Windows Defender features specifically designed to mitigate ransomware attempts. The “Controlled Folder Access” feature is set for release as part of the Windows 10 Creator Update (Redstone 3) later this fall. This EMET-like feature monitors and blocks unauthorized applications from making unexpected changes to files in protected folders.

MICROSOFT FINALLY KILLS SMBV1

Microsoft has finally decided to retire its 30-year-old file sharing protocol. After a series of high-profile attacks used SMBv1 as a main infection vector, the company decided to remove it (partially or fully, depending on SKU) from the upcoming Windows 10 Fall Creators Update. In the meantime (or if you aren’t going to apply this update), it’s advised that you manually disable SMBv1 on your systems.

About Yvonne Cherrington

Red Virtual Administration Services (RedVAS) is a concept that Yvonne developed while she was in her twenties. At that time the name was to be Dots and Commas. Yvonne and Mike are both senior professionals within their fields, with vast knowledge and experience in respect of business administration.