This Week In Cybersecurity
This week on Between The Hacks: Google used for phishing, the U.K. reveals their National Cyber Force, the state of CISA, ransomware takes over printers, and password managers are needed more than ever.
Google Services Used For Phishing
Phishing campaigns have long used cloud services like Google Docs, Google Forms, and Office 365, to host malicious content. It’s not always malware being hosted on these platforms, often it is just a form that looks like a login page for a bank, a store or other online service, that allows the attacker to harvest login credentials from unaware victims. Once the attacker gets the victim’s login credentials, they can use them in a credential stuffing attack.
According to research by Amorblox, there is “a sharp uptick in attackers using Google services to help them get emails past binary security filters based on keywords or URLs.” As security tools review your incoming email, they might flag a link with a gibberish domain name as potentially malicious but possibly not a link from a well-known and popular domain name. For example, https://5he.biz/dn4n-bb8 might be flagged as malicious but https://docs.google.com/d/forms/27nb4NeJ9l_KJ5Sw likely would not be flagged as potentially malicious.
Credential stuffing is on the rise. In September, the FBI warned of a increase in credential stuffing attacks and stated, “41% of all financial sector attacks between 2017 and 2020 were due to credential stuffing, resulting in the theft of millions of dollars.”
According to a 2019 Google/Harris poll, 65% of respondents reuse passwords on some, or all of their accounts. To reduce your risk of becoming the victim of credential stuffing, never reuse passwords. That means you likely need to use a password manager.
U.K. Reveals the National Cyber Force
The United Kingdom has revealed the existence of the National Cyber Force (NCF), a division of their spy agency, GCHQ and the Ministry of Defece (MoD).
Prime Minister, Boris Johnson stated in a speech on defense spending, “Working alongside the NCSC – a part of GCHQ – which protects the digital homeland, the NCF plays a vital role in enhancing the UK’s world-leading and responsible cyber power.”
“Instead of focussing on defensive measures, the NCF will be involved in proactive attacks. It will look to defend the UK by disrupting the activities of those groups and nations it deems to be sufficient threats” reports Wired.
The agency, “has been secretly up and running since April with several hundred hackers based in Cheltenham and other military sites around the country” according to the Guardian.
CISA Director Fired, Speculation on the Identity of the New Leader
Last week, BTH reported that the Director of CISA, Christopher Krebs, was expecting to be fired. As predicted, President Trump fired Krebs by tweet last Tuesday.
Cybersecurity reporter, Brian Krebs (no relation to Christopher Krebs), reported “Krebs’ dismissal was hardly unexpected. Last week, in the face of repeated statements by Trump that the president was robbed of re-election by buggy voting machines and millions of fraudulently cast ballots, Krebs’ agency rejected the claims as ‘unfounded,’ asserting that ‘the November 3rd election was the most secure in American history.’”
Acting Director, Brandon Wales has been managing CISA since Krebs’ dismissal but speculation is that Sean Plankey, a senior official at the Department of Energy will be appointed to the leadership position. According to Cyberscoop, anonymous sources stated, “Plankey indicated in one conversation that his move to CISA was “imminent.”
Ransomware Prints Ransom Notes
Modern ransomware tends to infect a computer, then exfiltrate data and encrypt the contents of that computer, leaving nothing readable by the computer operator except a ransom note on the screen.
That’s a pretty dramatic approach but at least one ransomware attacker thought that he or she needed an additional method of delivering the ransom note. As reported by Tripwire, the South American retail giant Cencosud was infected by an Egregor ransomware attack which, “stole sensitive files that it found on the compromised network, and encrypted data on Cencosud’s drives to lock workers out of the company’s data.” Then, ”printers at the checkouts of numerous retail outlets in Chile and Argentina were suddenly churning out the ransom demand as well.”
In Bleeping Computer’s review of this malware, they state, “To increase public awareness of the attack and pressure a victim into paying, the Egregor operation is known to repeatedly print ransom notes from all available network and local printers after an attack.”
While this tactic seems like just a novel addition to a ransomware attack, remember that many of our Internet of Things (IoT) devices, such as smart doorbells, light bulbs, cameras and thermostats, do not have display screens so sending the ransom note to a printer on the same network as the target device, gives the attacker a means of communicating with IoT device owners and collecting a ransom for encrypted IoT devices.
Today, much of the responsibility of securing IoT devices falls upon the shoulders of IoT device owners, but legislation and standards are in draft around the world to force IoT manufacturers and developers to meet a minimum set of security standards in their devices. Last week, the U.S. Senate passed the “Internet of Things Cybersecurity Improvement Act of 2020” or the “IoT Cybersecurity Improvement Act of 2020” that asks the “National Institute of Standards and Technology (NIST) to come up with guidelines for Internet-of-Things devices and would require any federal agency to only buy products from companies that met the new rules” reports The Register.
Tip of the Week
As you read earlier in this blog, credential stuffing is on the rise. It is also becoming more automated, with botnets attempting logins from different IP addresses all over the Internet. Now more than ever, we all need to use a password manager to protect us from these rapid, advanced credential stuffing attacks.
The most important feature of your passwords is that they should be unique for every account that you own. Yes, they should be long and strong, but if they are not unique, you not only put one of our accounts at risk of attack, you put every account at risk that reuses a password.
For more information, read Between The Hacks’ article on password managers.