Fraud Management & Cybercrime
,
Ransomware

Information Security Media Group •
November 23, 2020    

The session is focused on the ways DNS can be used to improve protection against ransomware campaigns and speed up investigations of such incidents. We will cover fresh tactics, techniques, and procedures (TTPs) used by ransomware actors which actively adopt advanced persistent threat (APT)-style tactics and evasion techniques.

These actors’ goals have shifted from deploying ransomware on a few vulnerable machines to achieving persistence in the network and causing maximum damage to push victims into paying the ransom.

We will share DNS-based classifiers developed by the Cisco…

Read More…

BlackBerry researchers are tracking what they believe to be a mercenary cyberespionage group whose campaign they’re calling “CostaRicto.” BlackBerry doesn’t speculate about who CostaRicto’s paymasters might be, but they offer four reasons for thinking it a mercenary operation. It uses bespoke malware; it shows systematic, continual development; it may share some network infrastructure with APT28 (Fancy Bear, Russia’s GRU), and its highly diversified target list suggests more than one customer.

Dragos finds that industrial control systems (ICS) are increasingly being subjected to the attentions of cyber threat actors. The researchers are following five distinct threat groups:

• CHRYSENE (APT34 or Helix Kitten) targets the petrochemical, oil and gas, manufacturing, and electric generation sectors. It’s expanded its interests beyond the Persian Gulf.
• MAGNALLIUM (APT33 or Elfin) is active against the energy and aerospace sectors, including their supporting sectors.
• PARISITE (Fox Kitten or Pioneer Kitten) works against electric utilities, aerospace, manufacturing, oil and gas entities, and governmental and non-governmental organizations.
• WASSONITE, associated with the Lazarus…

Read More…

Often, in the world of information security and risk management, the question facing threat intelligence teams is amidst this sea of vulnerability disclosures, which ones matter the most to my organization? Which can impact us the most? And, how do I best explain threats to internal stakeholders in a way that helps minimize risk?

Reducing risk through proper patch management is not always simple. Not all common vulnerabilities and exposures (CVEs) are equally important. In July 2020, for example, the U.S. Department of Homeland Security released multiple top-priority advisories. One covered known exploits against certain application delivery systems (CVE-2020-5902) and another covered detected vulnerabilities in a domain name system (DNS) server (CVE-2020-1350). While both are top priorities, how do they apply to the network you use? Which threats are the most likely to impact your core business?

To better answer this, we must be able to identify relevant threats before beginning to address patching or manage risks. Enter threat identification: a necessary process that has become increasingly complicated.

Why Is Spotting Threats More Complex…

Read More…

Most businesses rely on third-party entities to outsource certain functions, save on costs, and strengthen their cybersecurity capabilities. While working with external providers makes perfect business sense, it also poses cyber risks. For instance, a global record label’s websites hosted by a third-party service provider became the latest victim of Magecart, a web skimming attack. The company is not alone to suffer such misfortune, however, as many data breaches are connected to third-party use.

Third parties usually need to access company networks and data to make these accessible to their contractors and employees. Hence, the chances of a data breach and other cybercrimes are magnified. But organizations can minimize risks through robust third-party risk management. As part of this, Reverse DNS Search can help by:

• Identifying hosts and domains related to a third-party website, IP address, or DNS record
• Determining if any of the domains associated with third parties are malicious and, therefore, pose risks

Let’s take a closer look.

Identify Domains Associated with a Third Party

Associations with malicious actors is among the telltale signs of third-party risk….

Read More…

Privacy management company DataGrail analyzed how many CCPA data subject requests went across its platform in the first half of 2020 and found that organizations should expect to process hundreds of CCPA data subject requests (DSRs), with do-not-sell requests being the most popular requests from consumers.

Highlights from the report include:

• Do-not-sell (DNS) requests are the most common type of DSR by 2x
• One-third of every DSR will go unverified, confirming the need for a robust and scalable verification method
• 40 percent of access requests were NOT verified, validating concerns that fraudulent requests could be made to steal data
• In 2020, companies manually processing DSRs should expect to pay $240,000 per one million records to fulfill requests
• B2C companies should prepare to process approximately 170 total DSRs per one million consumer records each year

Download the report below to read the full findings.

Подробнее…

Service providers are increasingly using ingress filtering to block access to vulnerable protocols on customers’ devices or for blocking badly-routed data packets.

In June, for example, Telstra started rolling out Resource Public Key Infrastructure (RPKI) Route Origin Authorisations (ROAs) to certify the truth of routing messages transmitted by the Border Gateway Protocol (BGP).

The telco has since completed that deployment across all IP addresses in Autonomous System Number AS1221, and work is underway on AS4637.

“This basically means we have now deployed RPKI Origin Validation into Telstra’s domestic network … dropping invalids [incorrectly routed packets] from our upstream, peer and customer networks,” a Telstra spokesperson told ZDNet.

“Deployment activities continue in our International networks,” they said.

Telstra has also been working on its Cleaner Pipes initiative, which uses DNS filtering to block malware communications across its network.

Such active cyber defence programs have been gaining increasing support in Australia.

Read More…

Agencies face a quick turnaround to address a known vulnerability in Windows Domain Name System servers.

The Cybersecurity and Infrastructure Security Agency, under an emergency directive, is giving agencies until 2 p.m. Friday, July 17, to apply a patch released Tuesday — or a “temporary registry-based workaround” — for Windows Servers running DNS.

“CISA has determined that this vulnerability poses unacceptable significant risk to the federal civilian executive branch and requires an immediate and emergency action,” the agency wrote in its emergency directive.

CISA issued the emergency directive “based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise.”

CISA Director Chris Krebs wrote in a separate blog post that this marks the third emergency directive he’s approved during his tenure.

In January, CISA required “emergency action” from agencies on Microsoft’s Windows operating system vulnerability, giving…

Read More…