CyberThreat Webinar Notes
Center for Internet Security (CIS)/Multi-State Information Sharing and Analysis Center (MS-ISAC) is an organization whose motto is "confidence in a connected world". It provides security benchmarks as well as information sharing and analysis.
MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s State, Local, Tribal and Territorial governments (SLTT).
They operate under a cooperative agreement as a contractor to the Department of Homeland Security (DHS), to serve as this focal point to share this kind of information and support.
MS-ISAC Members include:
- All 50 states and 6 territories
- 78 federally recognized fusion centers
- More than 1,200 local governments and tribal nations (including police departments, cities, counties, jails, 911 centers, etc.)
If you are considered a public government entity, your organization can be (or may already be) an MS-ISAC Member. They also gather information from these members.
Intelligence Data Sources
MS-ISAC monitors 24×7 for cyber intrusions
- 44 State Governments
- 5 territories
- 40 local governments and critical infrastructure
This generates ~750B logs/month
Current CyberThreat Landscape: Top Malware (Feb 2017)
- ZeuS/Zbot – came out in 2006. A revolutionary piece of malware that was a modular keylogger, designed so that the owner could segment and sell it in different configurations. The source code was released in 2010. It is still seen as one of the top malware types. It was most often distributed using Spam. (Banking malware.)
- Kovter – a Trojan
- Sundown EK (Exploit Kit) – Exploit Kits are designed to take advantage of vulnerabilities and download other things onto your system.
- Tinba (Banking)
- DNSChanger – In 2012 the FBI took down the original folks behind DNSChanger – a malware that rerouted your DNS for the purposes of click fraud. However, it’s back as a hijacker (DNS Hijacker).
- Ursnif (Banking Trojan)
- Ponmocup (Downloader)
- Fleercivet (Click Fraud Trojan)
- Terdot (Downloader)
Top malware families come and go – some are in the top 10 for a few months, while others like Zeus have been around for a decade.
Ransomware (2016 – Feb 2017)
- There has been a decrease in ransomware infections since September 2016.
- Ransomware is opportunistic malware. Most of the time (95-98%), agencies are not specifically targeted.
- It’s disseminated through millions of spam emails or malvertising.
Types of Ransomware:
- Crypto ransomware – (The main kind that's been making news for the last 12-18 months.) It encrypts files on your system. This type of ransomware ranges from encrypting the files on your desktop to working its way through your network and encrypting files in databases and backups on servers.
- Locker Ransomware – a little more old school. It simply locks the computer screen so you can’t get to what’s behind it. It can be as simple as posting a JPEG image of a screen, and you don’t realize you’re locked out until you try to click on the screen and your computer isn’t reacting. (Less frequent.)
Recommendation: NoMoreRansom.org – a site established by a group of cyber security companies to share the information they are gathering about ransomware: decryption keys, and tools to diagnose which variant of ransomware you are infected with.
What to Do When You’ve Been Infected with Ransomware
If you are an SLTT – call Center for Internet Security/Multi-State Information Sharing and Analysis Center
If you are infected and considering paying, do research first to find out more about the people or organization you are dealing with. There are instances where people have paid and not gotten the key to unlock their systems. Some ransomware is known for deleting files or searching for file types and sending those files back to the criminals.
Malware Distribution Methods for Top 10
- Dropped (via “droppers”)
- Spam – commonly used by Zeus. Spam has been decreasing.
- Multiple Methods
Interesting: Major botnet group, Necurs, typically goes on holiday right before Christmas – into January, and so Spam decreases during that time. This year, they didn’t come back right away (back a few weeks later). These criminals also seem to have a 5-day work week, just like us.
Botnets – groups of infected computers under the control of someone else to spread SPAM or DDoS Attacks.
SPAM and Phishing Campaigns are Getting More Sophisticated
- June 2016 – Campaign Targeting Attorneys (“your membership is past due” or “a complaint was filed against your firm”) went state by state.
- Spring 2016, Returning 2017 – Tax Return/W-2 Related Emails — Credential Harvesting/Phishing Emails involving a legitimate website that has been compromised, getting the person to enter their credentials.
Password reuse is an ever-expanding problem.
2015: Intuit identified that over 40% of accounts taken over by cyber threat actors were accessed through reused credentials.
- Don’t reuse passwords
- Make passwords complex: a combination of upper and lowercase, numbers, symbols and at least 10 characters long
What makes it particularly challenging is that so often we have our accounts linked: email to Facebook, work email. Once they’re in one, they can get into others.
For US Citizens, social media accounts are more valuable to the hackers than a credit card. Once they have your account, they use your account to reach out and compromise all your friends.
Underground Market, Retail Prices:
- Social Media Accounts: $10/account
- Email Account: $1 at most
- Work Accounts: more valuable because of the potential information behind them.
Data Breach – definition: when information is compromised from a database.
The number of data breaches, in general, has grown 500-600% from 2015 to 2016.
MS-ISAC specifically tracks data breaches for SLTTs. 2017 is looking to be a record year. By the end of 1Q 2017, 2017 already has more SLTT data breaches than all of 2015. This is due to the increase in successful phishing efforts.
Campaign: BEC Scam
(Business Email Compromise) – many schools and local governments are falling for this. This campaign is one of the biggest threats to SLTTs. There are several variants of this scam:
- W2s: An email apparently from a senior executive requests W-2 information for all employees.
  - The info is sent back to a spoofed account or a compromised account.
  - Very sophisticated – often sent from an iPhone/Android, and the scammers knew which kind of phone the executive had.
- Wire Transfer – the email requests that a wire transfer be initiated.
- Purchase Order – the hacker sends a purchase order for payment, or to purchase a product that they can then sell.
Recommendation: A great source to learn more about this is The Internet Crime Complaint Center (IC3.gov)
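Added here as a defender's illustration, not code from the webinar or MS-ISAC: a small Python check that flags the BEC patterns the notes describe, namely an executive's display name on an outside or lookalike address, a Reply-To that diverts replies elsewhere, and a W-2, wire-transfer or purchase-order request. The domain, executive list and sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's own mail domain and the
# executives whose names BEC emails typically impersonate (hypothetical values).
OWN_DOMAIN = "example-county.gov"
EXECUTIVES = {"jane doe": "jane.doe@example-county.gov"}
# The requests the webinar lists as the usual BEC asks.
SENSITIVE_ASKS = ("w-2", "w2", "wire transfer", "purchase order")


def bec_indicators(raw_message: str) -> list:
    """Return the BEC warning signs found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # 1. Display name of a known executive, but the address is not theirs
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("executive name with foreign address")
    # 2. Replies would go somewhere other than the apparent sender
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to differs from from")
    # 3. Sender domain imitates the organisation's own domain
    if from_domain != OWN_DOMAIN and OWN_DOMAIN.split(".")[0] in from_domain:
        findings.append("lookalike domain")
    # 4. Subject or body asks for W-2s, a wire transfer or a purchase order
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "") + (msg.get("Subject") or "")
    if any(ask in text.lower() for ask in SENSITIVE_ASKS):
        findings.append("sensitive request")
    return findings


# Constructed sample message (not real mail) showing all four indicators.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@example-county-gov.com>
Reply-To: jane.doe.mobile@mail-example.test
To: payroll@example-county.gov
Subject: W2 copies needed today
Content-Type: text/plain

I need the W-2s for all employees as PDFs before noon.
Sent from my iPhone
"""
```

Any message with a "sensitive request" finding is a candidate for the telephone check recommended later in these notes, regardless of whether the other indicators fire.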
Campaign: Hoax DDoS Extortion Scheme (2016)
While it’s an older scheme, it’s evidence of how the cybercriminals are getting more sophisticated.
- Known cyber threat actors: DD4BC (DDoS 4 Bitcoin), Armada Collective, Lizard Squad, LulzSec, New World Hacking (targeted law enforcement)
- Extortion – send a series of emails threatening people with a DDoS attack if they do not pay.
- Target one entity
- Start with a short-term, low-level attack, but not enough to stop you from working.
- Stop the attack, demand bitcoin payment or they would strike with a worse attack
- Late 2015-2016: news broke out about this style of attack, and other groups realized it was a great way to make money, so they started replicating the attacks, and even trying to pass themselves off as more successful groups.
Recommendation: Look beyond the surface in these attacks.
Campaign: Mirai Botnet and IOT
Took down/slowed down the internet in October 2016. The Mirai source code was released Dec 2016.
The Mirai botnet was made up of IoT devices – your smart home, smart TV, FitBit, camera, etc. – and used to attack other entities. It used the Mirai source code and connected DVRs and other devices.
Most recently, a Mirai Botnet attacked a US university for 54 hours, March 29, 2017.
These attacks are incredibly successful and profitable. Hackers using botnets for DDoS attacks usually get to keep about 90% of the payout.
- Schools get targeted around exam season.
- Businesses get targeted around the holidays.
Mirai is on the decline because SLTT governments took the time to secure their devices.
Campaign: Apache Struts File Upload Vulnerability
- Patching is one of the most effective ways to prevent becoming part of a botnet.
- Microsoft Patch Tuesday – if you are responsible for patching in your organization, note that Microsoft is changing its patching process soon.
Who are the Cyberthreat Actors Targeting among SLTTs? (2016)
- State Government
- Local Law Enforcement – have to worry the most
- Local Government – have to worry the most
- Public Universities
- Private Universities
- K-12 Education
- State Law Enforcement
Hacktivist Motivations (2016)
- Alleged Use of Force by LEO
- Perceived injustice
- Attention Seeking
- Anti-US Government
Recommendation: If you are concerned about fallout from a first responder/use of force incident, as you plan for other potential responses, don’t forget to protect your network from hacktivist attack.
Website Defacements are the electronic equivalent of graffiti.
- WordPress announced 4 vulnerabilities and provided patches (Jan-Feb 2017)
- 2017 has already reached 50% of all the 2016 defacements for the year.
- Education and local governments were targeted
SHA-1 End of Life
- If you are not in charge of your site, discuss it with your webmaster.
- SHA-1 – hashing algorithm used in signing digital certificates; the certificate vets the website to ensure the site's identity is authentic and shows that the connection is encrypted.
- CWI Amsterdam and Google proved SHA-1 can be beaten.
Recommendation: Sha1affected.com – visit this URL to see if your website certificate needs to be updated.
What Can You Do?
- Patch – use auto-patching where possible
- Use defensive software – antivirus
- Back-up – test that the backups work AND take the back-ups offline
- Train your users to recognize these scams; do telephone checks to verify emails requesting information or transfers
- Enforce strong, complex, unique passwords
- Have contingency plans
- It may take days to get your system back (if you're lucky; it can take much longer)
- Discuss what a ransomware infection would cost your agency and make decisions before infections occur
- Keep in mind – in 15% of the cases the decryption key does not work
- Prepare and test protocols for multiple scenarios and have recovery plans in place.