BlackBox (EN)

Archive Database For cRyPtHoN™ INFOSEC (For Reading Only - No Need Subscribe) https://t.me/cRyPtHoN_INFOSEC_EN


Depending upon the product that is being used, the user may be prompted to watch a short video explaining how they can tell the difference between a legitimate message and a phishing message. Subsequent simulations can be used to determine whether or not the training was effective.

✳️ Bring consistency to the password reset process

As important as end user training and message filtering may be, there is a third thing that organizations can do to help tip the odds in their favor. Because credential harvesting phishing attacks so often come disguised as password reset messages, it is important to handle password resets in a way that makes it obvious to users that email messages are not part of the password reset process. For example, an organization might use Specops uReset to manage password reset requests. Specops uReset never asks for the Windows password before the user is authenticated with another method first; if users know this to be true, they can be suspicious of any phishing-style email that tries to get them to enter their AD password to reset it. Taking email out of the equation makes it less likely that a user will ever click on a phony password reset message—simulated or not.

Ultimately, you can’t depend on filtering to remove all phishing email messages. The technology simply is not good enough to catch 100% of all the phishing attacks. That’s why it’s so important to educate your users on how to identify a phishing message, and potentially assess a user’s ability to identify such messages through subsequent simulated phishing campaigns. It’s arguably more important to standardize the password reset process in a way that will help users to immediately recognize password reset messages as phony, and thus prevent them from clicking on such messages.

📡@cRyPtHoN_INFOSEC_FR 📡@cRyPtHoN_INFOSEC_EN 📡@cRyPtHoN_INFOSEC_DE 📡@BlackBox_Archiv
Consistency in password resets helps block credential theft. Phishing attacks have become a massive problem for organizations of all sizes. According to Expert Insights’ recent study, “almost 20% of all employees are likely to click on phishing email links and, of those, a staggering 67.5% go on to enter their credentials on a phishing website.” This type of credential theft can have far-reaching consequences ranging from data leakage to human-operated ransomware attacks. The most disturbing part of this is knowing that any user can potentially unleash a devastating attack on your organization with a single mouse click. Organizations must therefore take decisive action to prevent users from falling victim to phishing attacks.

✳️ Mail filtering is not enough

Unfortunately, there is no one single solution that will effectively stop all phishing attacks. As such, organizations should practice defense in depth. Filtering inbound email and removing phishing messages before they make it into a user’s inbox is a critical first step, but that alone is not enough. Some phishing messages will inevitably slip through even the best filter.

✳️ End user education

Since organizations cannot depend on mail filtering to block all attempted phishing attacks, organizations must place a heavy emphasis on end user education. In the past, such efforts were largely ineffective. An organization might, for example, have sent instructive email messages to users in an effort to teach them how to recognize phishing messages. However, it was easy for users to simply ignore such messages. More recently, organizations have begun launching their own simulated phishing attacks to educate users, while also assessing the organization’s vulnerability to such attacks. Microsoft, for example, has created an Attack Simulation tool that is included in Microsoft Defender for Office 365 Plan 2 (a less capable version of the tool is included in Microsoft 365 Enterprise E3 plans).

Of course, Microsoft is just one of several companies that offer phishing attack simulation tools. Some of the other vendors that offer such tools include Phishing Box, Phished, and Barracuda, just to name a few. Each one of these tools has its own nuances and works in a slightly different way. However, the basic idea is that an administrator can set up their own phishing campaign directed at specific users, or at the company as a whole. The various simulation tools typically allow the administrator to choose the type of phishing attack that they want to perform. For example, an administrator might attempt a credential harvesting attack, in which they try to trick users into entering their password into a simulated malicious website. Similarly, a campaign might be designed to trick users into opening a malicious attachment, clicking on a link within an attachment, or clicking on a malicious URL. In each case, the message that is sent to targeted users is designed to be as realistic as possible. Such messages generally contain all of the usual telltale signs of a phishing attack. Once the message has been generated and sent, the administrator needs only to wait for the results. Again, the actual functionality varies by product, but an administrator will typically receive a report detailing which users have opened the message, and what subsequent actions were taken. For instance, an administrator may be able to tell if a user who opened a simulated phishing message clicked on a link within the message, and if they took the extra step of entering their password when prompted. This practice is debated, however, as we want end users to trust their IT departments rather than fear an orchestrated phishing hack—but it can be an effective tool in curbing dangerous online activities.

✳️ When a user gets phished

In this simulated attack, if a user does fall for the phishing email, the user will typically see a message telling them that they have fallen for a simulated malicious message.
Canada Cops Arrest Teen Cyber-Attack Suspect. Police in Manitoba, Canada, have arrested an 18-year-old man on suspicion of carrying out cyber-attacks on victims across North America. Dayne Parrott-Jones, of Brandon, was taken into custody on March 8 by members of the Brandon Police Service Crime Suppression Unit following an 11-month investigation by the Federal Bureau of Investigation (FBI) and police forces in America and Canada. The teen is suspected of carrying out distributed denial of service (DDoS) attacks with a co-conspirator based in San Antonio, Texas. It is alleged that third parties paid the pair to perform the attacks. Parrott-Jones' girlfriend, 24-year-old Rolanda Chaske, who shares his home on Pacific Avenue, was also arrested, but not in connection with the alleged cyber-crimes. Sergeant Brian Partridge said: "In April of 2021, Brandon Police Service was contacted by the FBI in Los Angeles about a pair of co-conspirators that were conducting cyber-attacks both in Canada and in the United States. "One of the suspects was identified as residing in Brandon while the other one was in Texas." When arresting Parrott-Jones, police discovered a large quantity of marijuana at his residence along with a 3D printer which they believe was in the process of printing what appeared to be the lower receiver of a handgun. "The Brandon Police Service currently has a member attached to the National Weapons Enforcement Support Team, who attended the scene to provide his expert opinion and advice," said Brandon Police Service in a March 9 statement. "As a result, a second search warrant was drafted and authorized to search for both weapons and drugs." During the second search of Parrott-Jones' residence, police recovered four pounds of cannabis, 4 grams of cocaine, gun parts, bullets, gun powder, primers, casings and magazines.

Police said it appeared that the defendant was manufacturing Glock firearms with no serial number using a 3-D printer and manufacturing high-capacity magazines and ammunition. Parrott-Jones was charged with 12 offenses, including unauthorized use of a computer, mischief to data, possession of illegal drugs and manufacturing a prohibited device and a restricted firearm. Chaske faces five charges relating to drugs and handguns.
PressReader Suffers Cyber-Attack. A cyber-attack on the world’s largest digital newspaper and magazine distributor left readers around the world unable to access more than 7000 publications. PressReader, which is headquartered in Vancouver, Canada, and has offices in Dublin, Ireland, and Manila, Philippines, began experiencing a network outage affecting its Branded Editions website and apps and its PressReader site on Thursday. The global outage impacted all PressReader’s local, regional and international newspapers and magazines online, on mobile devices and in print. Users in countries including Australia, Canada, the UK and the US were blocked from accessing titles including The Guardian, Vogue, Forbes, and the New York Times. By Friday night, the company’s security teams had classified the outage as “a cybersecurity incident.” In a statement released March 4, PressReader said it was working to restore services and make content available to users. The company added that its investigation into the cyber-attack had not found any evidence that customer data had been compromised. “PressReader’s technical teams have been working around the clock to address the recent disruptions to services,” said the statement. “Our security teams have now classified this as a cyber security incident. This situation comes as companies across North America have seen an increase in security incidents over the past several weeks.” With operations restored in the early hours of Sunday morning, PressReader has begun the process of restoring editions of titles that were disrupted. “Our teams have been working relentlessly on restoring operations and we are now able to process and release current newspapers and magazines, however, we continue to scale these systems back to their full capacity,” said PressReader in a user update posted March 6.

The cyber-attack came days after the company removed dozens of Russian titles from its catalog and publicly stated that it would help Ukrainian citizens access the news following Russia’s invasion of their country. On February 25, the company said on social media: “In order to assist those in Ukraine with accessing up-to-date information, we are opening all PressReader content in the country without charge to individuals. PressReader will absorb the cost paid to publishers until further notice.”
Cyber-Criminals Exploit Invasion of Ukraine. Cyber-criminals are exploiting Russia’s ongoing invasion of Ukraine to commit digital fraud. In a blog post published Friday, researchers at Bitdefender Labs said they had witnessed “waves of fraudulent and malicious emails,” some of which were engineered to exploit the charitable intentions of global citizens towards the people of Ukraine. Since March 1, researchers have been tracking two specific phishing campaigns designed to infect victims with the Agent Tesla and Remcos remote access Trojans (RATs). Agent Tesla is a malware-as-a-service (MaaS) RAT and data stealer that can be used to exfiltrate sensitive information, including credentials, keystrokes and clipboard data, from victims. Remcos RAT is typically deployed via malicious documents or archives to give the attacker full control over their victims’ systems. Once inside, attackers can capture keystrokes, screenshots, credentials and other sensitive system data and exfiltrate it. The first campaign detected by threat researchers was observed targeting organizations in the manufacturing industry via a .zip attachment named ‘REQ Supplier Survey.’ Recipients of the email are asked to complete a survey about their suppliers and backup plans in response to the assault on Ukraine. “According to our threat researchers, the malicious payload is downloaded and deployed from a Discord link directly on the victim’s machine,” said Bitdefender Labs. “Interestingly though, interacting with the malicious file will also download a clean version of Chrome on the users’ device – most likely an attempt at diverting users.” Most of these attacks (86%) appeared to originate from IP addresses in the Netherlands. Targets for the malicious emails were spread all over the world, including South Korea (23%), Germany (10%), the UK (10%), the US (8%), the Czech Republic (14%), Ireland (5%), Hungary (3%), Sweden (3%) and Australia (2%).

The second campaign observed by researchers involved attackers impersonating a South Korean-based healthcare company to deliver the Remcos RAT via an Excel attachment (SUCT220002.xlsx). Recipients are asked whether they want to put their orders on hold because shipments have been affected by the largest land invasion Europe has suffered since World War II. Most of these attacks (89%) seemed to stem from IP addresses in Germany, with most intended victims located in Ireland (32%), India (17%), the US (7%) and the UK (4%).
Russia Denies Satellite Hacking and Warns of Wider War. Russia has warned that any cyber-attack on its satellite systems will be treated as an act of war, as tensions with the West rise over its invasion of Ukraine. The head of the country’s Roscosmos space agency, Dmitry Rogozin, issued the warning yesterday on a Russian TV channel, according to the country’s news agency Interfax. “I want to warn everyone who tries to do it that it is essentially a crime, which should be toughly punished. Because disabling the satellite group of any country is generally a casus belli, that is, a reason to go to war,” he’s quoted as saying. “We will be looking for those who organized it. We will send all necessary materials to the Federal Security Service, the Investigative Committee, and the Prosecutor General’s Office for relevant criminal cases to be opened.” At the same time, Rogozin is said to have denied reports that Roscosmos satellite control centers had been hacked. Online collective Anonymous, which has launched a campaign against the Kremlin in retaliation for its invasion, claimed this week to have done exactly that. “The Russian Space Agency sure does love their satellite imaging,” it said. “Better yet they sure do love their vehicle monitoring system. The WSO2 was deleted, credentials were rotated and the server is shut down … Have a nice Monday fixing your spying tech. Glory to Ukraine.” In related news, Rogozin reportedly demanded the UK government sell its stake in British satellite connectivity firm OneWeb, or else a planned Soyuz launch of 36 satellites would not go ahead. Roscosmos also asked for “comprehensive legally binding guarantees” that the Low Earth Orbit technology would not be used for military purposes. The government has refused to sell its shares in OneWeb but reportedly is considering its options. The technology is likely to be used by the British and American military. 
Once the entire constellation of satellites is up and running, it could provide users with an alternative to traditional connectivity. That could be a headache for autocratic regimes like Russia, which like to control the flow of information, especially at times of war. Flying at a lower altitude still than OneWeb’s satellites is Elon Musk’s Starlink. The tech billionaire sent a lorry-load of satellite dishes to Ukraine this week at the government’s request.
Zenly Bugs Exposed Users to Data Loss and Account Takeover. Security experts have revealed two vulnerabilities they found in a popular social app which could enable account takeover (ATO) or customer data loss. The now-patched issues were given a medium CVSS rating. They appear in Zenly, a smartphone app that allows users to see where friends and family are on a map. The first bug exposes users’ phone numbers and could therefore be used to craft believable vishing attacks, according to researchers at Checkmarx. “When submitting a friend request to a user, Zenly will allow access to their phone number regardless of whether the friend request is accepted or not. To obtain this information, a malicious actor only needs to know their username,” they explained. “While obtaining a username could be a difficult task by itself, it is made easier by the fact Zenly also exposes an exhaustive list of friends of a user. This means that, for obtaining the phone number of a user, a malicious actor does not need to know their username at the start, but is able to follow a chain of friends until one of them has the victim in their friends list.” Checkmarx warned that the bug could be exploited to target CEOs or senior decision makers in organizations who may be using the app, via other users in the organization. The second ATO vulnerability stems from the way the Zenly API handles session authentication. It typically calls a “/SessionCreate” endpoint with the phone number of the user, which then creates a session token, and sends an SMS verification code to the user. It then calls the “/SessionVerify” endpoint with both the session token and the verification code received by SMS, in order to log the user in. “An attacker can take over a user account by abusing the /SessionCreate endpoint, which will consistently return the same session token (although not yet valid) for the same user. 
Once the legitimate user validates the SMS code for that session token, the session will become valid for both the legitimate user and the attacker,” Checkmarx explained. “The main point of this issue is that the attacker needs to obtain a session token before the legitimate user calls the /SessionVerify endpoint. This can be done either before or after the legitimate user calls the /SessionCreate endpoint.” However, this isn’t necessarily simple to achieve, hence the CVSS score of 4.7. It would require the attacker to know the victim’s mobile number and have knowledge of when the victim will log in, sign up, register a new device or go through the authentication flow for other reasons. Checkmarx thanked Zenly for its professionalism, cooperation and prompt ownership in working to fix the issues.
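As an added illustration, not Zenly's code and not from the Checkmarx write-up, here is a toy model of the two-step SessionCreate/SessionVerify flow described above: the weak server hands out one deterministic, not-yet-valid token per phone number, so whoever requested it shares the session once the owner verifies; the hardened server mints a fresh unguessable token and code per call. Class and function names, the phone number and the in-memory "SMS inbox" are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PendingSession:
    phone: str
    code: str            # one-time code delivered to the phone holder by SMS
    verified: bool = False


class WeakAuthServer:
    """Reproduces the flaw in the write-up: the session token for a phone
    number is derived deterministically, so every /SessionCreate call for
    that number hands out the same not-yet-valid token."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)
        self._sessions: dict[str, PendingSession] = {}   # token -> session
        self.sms_inbox: dict[str, list[str]] = {}        # phone -> codes received (stand-in for SMS)

    def _send_sms(self, phone: str, code: str) -> None:
        self.sms_inbox.setdefault(phone, []).append(code)

    def session_create(self, phone: str) -> str:
        token = hmac.new(self._secret, phone.encode(), hashlib.sha256).hexdigest()
        if token not in self._sessions:        # first caller creates it, later callers share it
            self._sessions[token] = PendingSession(phone, f"{secrets.randbelow(10**6):06d}")
        self._send_sms(phone, self._sessions[token].code)
        return token

    def session_verify(self, token: str, code: str) -> bool:
        s = self._sessions.get(token)
        if s is None or not hmac.compare_digest(s.code, code):
            return False
        s.verified = True                      # whoever holds `token` is now logged in
        return True

    def is_authenticated(self, token: str) -> bool:
        s = self._sessions.get(token)
        return s is not None and s.verified


class HardenedAuthServer(WeakAuthServer):
    """Fix: a fresh, unguessable token and code per /SessionCreate call, so a
    token issued to one caller can only ever be validated with the code sent
    for that same call (production code would also expire pending sessions)."""

    def session_create(self, phone: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = PendingSession(phone, f"{secrets.randbelow(10**6):06d}")
        self._send_sms(phone, self._sessions[token].code)
        return token


def run_scenario(server: WeakAuthServer, other_first: bool, phone: str = "+15550100") -> dict:
    """Two parties call /SessionCreate for the same number, in either order.
    Only the phone holder (the owner) sees the SMS codes and verifies the
    token their own call returned; the other party merely holds its token."""
    if other_first:
        other_token = server.session_create(phone)
        owner_token = server.session_create(phone)
    else:
        owner_token = server.session_create(phone)
        other_token = server.session_create(phone)
    # The owner types in the code(s) their phone received, against their own token.
    owner_ok = any(server.session_verify(owner_token, c) for c in server.sms_inbox[phone])
    return {
        "tokens_identical": other_token == owner_token,
        "owner_authenticated": owner_ok and server.is_authenticated(owner_token),
        "other_authenticated": server.is_authenticated(other_token),
    }


if __name__ == "__main__":
    for cls in (WeakAuthServer, HardenedAuthServer):
        for other_first in (True, False):
            print(cls.__name__, f"other_first={other_first}", run_scenario(cls(), other_first))
```

With the weak server the second party ends up authenticated in both orderings; with the hardened server only the owner does, which is the property a fix for this class of bug needs to restore.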
Meyer Breach Impacts US Employees' Personal Information. Cookware giant Meyer has revealed a data breach that impacted an undisclosed number of employees. The firm, which is the largest distributor of cookware in the US, revealed the incident in a notification letter to employees posted to the website of the California attorney general’s office. It notes that the attack happened at the end of October 2021, but it wasn’t until December 1 that an investigation revealed employee data might have been taken. The impact on victims could be severe, depending on what was taken, although the firm still doesn’t conclusively know which employees were affected. “The types of personal information that may have been accessed during this incident will depend on the types of information you have provided to your employer, but may include: first and last name; address; date of birth; gender; race/ethnicity; Social Security number; health insurance information; medical condition(s) and diagnoses; random drug screening results; COVID vaccination cards and status; driver’s license, passport, or government-issued identification number; permanent resident card and information regarding immigration status; and information regarding your dependents (including Social Security numbers), if applicable that you may have provided to the company in the course of your employment,” the notice claimed. “Again, at this time, we have no evidence that your specific information was actually accessed or impacted.” Meyer, which is owned by a Hong Kong-based parent company, is offering employees identity protection services for two years. “We have also taken steps to further enhance our security controls, and we continue to investigate and evaluate this matter to prevent a similar occurrence in the future,” it concluded. 
Identical letters were also addressed to employees of other Meyer companies, including Hestan Commercial Corporation, Hestan Smart Cooking, Hestan Vineyards and Blue Mountain Enterprises.
Banking World Rocked After Leak Exposes 18,000 Credit Suisse Accounts. Credit Suisse has hit back at allegations of severe due diligence failures exposed by a major new leak of customer account information. Details of 18,000 accounts linked to 30,000 clients containing an estimated £80bn ($100bn) were shared by an anonymous whistleblower with various media outlets, including The Guardian. “I believe that Swiss banking secrecy laws are immoral,” they said in a reported statement. “The pretext of protecting financial privacy is merely a fig leaf covering the shameful role of Swiss banks as collaborators of tax evaders.” The reports allege that Credit Suisse, one of the world’s largest banks, opened and maintained accounts for high-risk clients, including dictators, corrupt politicians and businesspeople and even one human trafficker. They claim that some client accounts were used to launder money, especially from developing world countries. One Vatican-owned account was used to invest €350m (£290m) in an allegedly fraudulent London property currently at the center of a criminal trial. However, Credit Suisse hit back in a strongly worded statement today, claiming most of the ‘revelations’ in the leak are historical, “and the accounts of these matters are based on partial, inaccurate, or selective information taken out of context, resulting in tendentious interpretations of the bank’s business conduct.” It described the allegations as a “concerted effort” to discredit the bank and the entire Swiss banking system. “Following numerous inquiries by the consortium over the past three weeks, Credit Suisse has reviewed a large volume of accounts potentially associated with the matters raised. Approximately 90% of the reviewed accounts are today closed or were in the process of closure prior to receipt of the press inquiries, of which over 60% were closed before 2015,” it continued. 
“Of the remaining active accounts, we are comfortable that appropriate due diligence, reviews and other control related steps were taken in line with our current framework. We will continue to analyze the matters and take additional steps if necessary.” The bank has also set up an internal task force to investigate the leak.
Probation for Medicare Fraudster. A man from Florida will not be serving time in prison for his role in a multi-million dollar Medicare fraud scheme involving the sale of patients' personal and medical data. Boca Raton resident, Nathan LaParl, aged 35, and his 30-year-old accomplice Talia Alexandre, of Palm Springs, worked with foreign call centers to contact Medicare patients and ask if they were interested in purchasing durable medical equipment (DME) such as arm and shoulder braces “at little to no cost.” Demographic data and insurance information collected from the Medicare patients by the call centers was sold by LaParl and Alexandre to 32-year-old Juan Camilo Perez Buitrago of Lighthouse Beach, Florida. Perez Buitrago used the patient data to submit false and fraudulent claims totaling more than $109m. The claims were for DME that the US attorney's office for the District of Massachusetts said was "not prescribed, not necessary, and, in many instances, never requested or received." LaParl and Alexandre were paid handsomely for the data, receiving more than $1.6m from Buitrago. To facilitate the scheme, LaParl improperly accessed a patient eligibility tool and checked the insurance eligibility of more than 350,000 Medicare patients. Access to the tool was provided by 52-year-old Stefanie Hirsch of Los Angeles, California, the owner of Medicare-enrolled wheelchair and scooter repair company, EI Medical, Inc. Hirsch shared her login credentials with LaParl and charged him $0.25 per patient eligibility check. Hirsch pleaded guilty to violating the HIPAA statute and was sentenced in September 2021 to three years of probation and ordered to pay a fine of $2500. Alexandre pleaded guilty to one count of receiving kickbacks in connection with a federal health care program. On December 8 2021, she was sentenced to three years of supervised release with the first year to be spent in home detention. Alexandre was fined $5000 and ordered to pay $1.47m in restitution. 
On January 21 2021, LaParl pleaded guilty to one count of receiving kickbacks in connection with a federal health care program and one count of violating the HIPAA statute. He was sentenced on Thursday to three years of probation, the first year to be served subject to a curfew, and has to pay a forfeiture of $220,671.