Posted October 17, 2017
This weekly brief highlights recent threat intelligence news to provide insight into the latest threats facing various industries.
“The Internal Revenue Service today alerted tax professionals and their clients to a fake insurance tax form scam that is being used to access annuity and life insurance accounts.
Cybercriminals currently are combining several tactics to create a complex scheme through which both tax professionals and taxpayers have been victimized.
There may be variations but here’s how one scam works: The cybercriminal, impersonating a legitimate cloud-based storage provider, entices a tax professional with a phishing email. The tax professional, thinking they are interacting with the legitimate cloud-based storage provider, provides their email credentials including username and password.”
“Security researchers have spotted a new type of low-and-slow brute-force attack — which they nicknamed KnockKnock. Identified by Skyhigh Networks, the attacks have been going on since May 2017, and have gone through two very distinct phases, both devilishly clever in their approach.
The second phase of these attacks is the one that stands out the most. Instead of attacking employee accounts, hackers decided to try and crack system email accounts, like the ones below:
- Service accounts — used for user provisioning in larger enterprises
- Automation accounts — used to automate data and system backups
- Machine accounts — used for applications within data centers
- Marketing accounts — used for marketing and customer communication
- Internal tools accounts — used with JIRA, Jenkins, GitHub, etc.
- Other system accounts — used for distribution lists, shared and delegated mailboxes.
Skyhigh says attackers attempted to guess the passwords for these accounts. The reasoning is simple, as these accounts do not use two-factor authentication (2FA) and have higher access and privileges than regular employee accounts.”
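The KnockKnock item above describes the two properties a defender can key on: the guessing is spread thinly over weeks so it never trips a per-hour lockout, and it targets system accounts that lack 2FA. The following script is an added example, not code from the original article or from Skyhigh Networks; it runs a simple detection over a constructed authentication log. The log format (timestamp, account, source IP, result), the account-naming prefixes used to label an account as a system account, and the thresholds are all assumptions for this illustration.

```python
"""Detect low-and-slow password guessing against system accounts.

Added example: the log lines below are constructed for illustration and use a
simplified "timestamp account source_ip result" format, not the format of any
real mail or identity provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events. One service account is being
# guessed at roughly once a day from rotating sources; a regular user mistypes
# a password twice and then succeeds; an automation account only ever succeeds.
SAMPLE_LOG = """\
2017-05-02T01:13:00 svc-provisioning 198.51.100.10 FAIL
2017-05-02T09:41:00 svc-provisioning 198.51.100.11 FAIL
2017-05-03T03:02:00 svc-provisioning 203.0.113.7 FAIL
2017-05-04T22:15:00 svc-provisioning 203.0.113.8 FAIL
2017-05-05T04:58:00 svc-provisioning 198.51.100.12 FAIL
2017-05-06T11:20:00 svc-provisioning 203.0.113.9 FAIL
2017-05-07T19:33:00 svc-provisioning 198.51.100.13 FAIL
2017-05-08T02:07:00 svc-provisioning 203.0.113.10 FAIL
2017-05-02T08:00:00 alice 192.0.2.20 FAIL
2017-05-02T08:00:30 alice 192.0.2.20 FAIL
2017-05-02T08:01:00 alice 192.0.2.20 OK
2017-05-03T08:00:00 backup-automation 192.0.2.50 OK
2017-05-04T08:00:00 backup-automation 192.0.2.50 OK
"""

# Naming conventions treated as "system" accounts (an assumption for this
# example; a real deployment would use the directory's account type instead).
SYSTEM_PREFIXES = ("svc-", "backup-", "automation-", "jenkins", "jira", "marketing")


def parse_log(text):
    """Parse the constructed log format into (datetime, account, source, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, result = line.split()
        events.append((datetime.fromisoformat(ts), account, source, result))
    return events


def is_system_account(account):
    return account.lower().startswith(SYSTEM_PREFIXES)


def find_low_and_slow(events, min_failures=5, min_days=3, max_per_hour=3, min_sources=3):
    """Return {account: summary} for accounts whose failed logins are numerous,
    spread over many days and many sources, yet never bursty enough to exceed
    a lockout-style threshold of max_per_hour in any one-hour window."""
    failures = defaultdict(list)
    for ts, account, source, result in events:
        if result == "FAIL":
            failures[account].append((ts, source))

    findings = {}
    for account, items in failures.items():
        if len(items) < min_failures:
            continue
        items.sort()
        span_days = (items[-1][0] - items[0][0]).days + 1
        sources = {src for _, src in items}
        # Peak number of failures inside any sliding one-hour window.
        peak = 0
        for i, (start, _) in enumerate(items):
            end = start + timedelta(hours=1)
            peak = max(peak, sum(1 for ts, _ in items[i:] if ts < end))
        if span_days >= min_days and len(sources) >= min_sources and peak <= max_per_hour:
            findings[account] = {
                "failures": len(items),
                "span_days": span_days,
                "distinct_sources": len(sources),
                "peak_per_hour": peak,
                "system_account": is_system_account(account),
            }
    return findings


if __name__ == "__main__":
    for account, summary in find_low_and_slow(parse_log(SAMPLE_LOG)).items():
        print(account, summary)
```

The point of the sliding-window check is that a per-hour lockout rule alone would never see this account as under attack; only aggregating failures per account over days, and counting distinct sources, surfaces it. Flagged accounts that are also system accounts are the ones where the article notes 2FA is typically missing, so they deserve the first look.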
“A newly detailed malware targeting automated teller machines (ATM) allows attackers to completely drain available cash, Kaspersky Lab researchers have discovered.
Dubbed ATMii, the threat was first spotted in April this year, featuring an injector module (exe.exe) and the module to be injected (dll.dll). Actors using the malware need direct access to a target ATM (either over the network or physically) to install it.
During analysis, the security researchers discovered that the injector, an unprotected command line application, was written in Visual C with a fake compilation timestamp of four years ago. The malware features support for a Windows version more recent than Windows XP, which is the platform most ATMs run.”
“A hacker stole non-classified information about Australia’s Joint Strike Fighter program and other military hardware last year after breaching the network of a defense contractor, the defense industry minister said on Thursday.
About 30 gigabytes of data was stolen in the cyber attack, including details of the Joint Strike Fighter warplane and P-8 Poseidon surveillance plane, according to a presentation on the hack by a government official.
“Fortunately the data that has been taken is commercial data, not military data … it’s not classified information,” Defence Industry Minister Christopher Pyne told Australian Broadcasting Corporation (ABC) Radio.”