Threat Intelligence Blog

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.

Insurance

“The Internal Revenue Service today alerted tax professionals and their clients to a fake insurance tax form scam that is being used to access annuity and life insurance accounts.

Cybercriminals currently are combining several tactics to create a complex scheme through which both tax professionals and taxpayers have been victimized.

There may be variations but here’s how one scam works: The cybercriminal, impersonating a legitimate cloud-based storage provider, entices a tax professional with a phishing email. The tax professional, thinking they are interacting with the legitimate cloud-based storage provider, provides their email credentials including username and password.”

– IRS

Information Security

“Security researchers have spotted a new type of low-and-slow brute-force attack, which they nicknamed KnockKnock. Identified by Skyhigh Networks, the attacks have been going on since May 2017, and have gone through two very distinct phases, both devilishly clever in their approach.

The second phase of these attacks is the one that stands out the most. Instead of attacking employee accounts, hackers decided to try and crack system email accounts, like the ones below:

  • Service accounts — used for user provisioning in larger enterprises
  • Automation accounts — used to automate data and system backups
  • Machine accounts — used for applications within data centers
  • Marketing accounts — used for marketing and customer communication
  • Internal tools accounts — used with JIRA, Jenkins, GitHub, etc.
  • Other system accounts — used for distribution lists, shared and delegated mailboxes.

Skyhigh says attackers attempted to guess the passwords for these accounts. The reasoning is simple, as these accounts do not use two-factor authentication (2FA) and have higher access and privileges than regular employee accounts.”

– Bleeping Computer
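A low-and-slow campaign like KnockKnock is built to stay under per-hour lockout and burst-alert thresholds, so a detection has to look at a long window instead. The Python script below is an added example, not code from the article or from Skyhigh Networks: it runs over a constructed authentication log, flags accounts that accumulate many failed logins at a low hourly rate from several source IPs, and marks which of those sit in a hypothetical inventory of accounts that cannot be enrolled in 2FA. The log format, thresholds and account names are assumptions for the example.

```python
"""Detect a low-and-slow password-guessing campaign against system accounts.

Per-hour lockout and rate-alert thresholds are tuned for bursts; an attacker
who spreads a few guesses per account per day across many source IPs never
trips them. This looks at a multi-day window instead: many failures in total,
a low peak hourly rate, several sources, concentrated on accounts without 2FA.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). Format per line:
# <ISO-8601 UTC timestamp> <account> <source IP> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2017-10-01T02:14:07Z svc-backup 203.0.113.10 FAIL
2017-10-01T02:14:09Z alice 198.51.100.7 FAIL
2017-10-01T02:14:21Z alice 198.51.100.7 FAIL
2017-10-01T02:14:30Z alice 198.51.100.7 SUCCESS
2017-10-01T09:41:12Z svc-backup 203.0.113.11 FAIL
2017-10-02T03:05:44Z svc-backup 203.0.113.12 FAIL
2017-10-02T11:22:01Z jenkins-bot 203.0.113.10 FAIL
2017-10-02T22:17:58Z svc-backup 203.0.113.10 FAIL
2017-10-03T04:50:33Z svc-backup 203.0.113.13 FAIL
2017-10-03T16:09:15Z jenkins-bot 203.0.113.13 FAIL
2017-10-04T01:31:27Z svc-backup 203.0.113.11 FAIL
2017-10-04T13:48:02Z svc-backup 203.0.113.12 FAIL
2017-10-05T02:02:49Z svc-backup 203.0.113.13 FAIL
"""

# Hypothetical inventory of accounts that cannot be enrolled in 2FA
# (service, automation, machine and tool accounts, as the article lists them).
NO_2FA_ACCOUNTS = {"svc-backup", "jenkins-bot", "marketing-mailer"}


def parse_log(text):
    """Parse the log text into (timestamp, account, source_ip, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, account, src, result == "SUCCESS"))
    return events


def detect_low_and_slow(events, now, window=timedelta(days=7),
                        min_failures=6, max_per_hour=3, min_sources=2):
    """Return {account: summary} for accounts showing a low-and-slow pattern.

    An account is flagged when, within `window` before `now`, it accumulated at
    least `min_failures` failed logins, never more than `max_per_hour` in any
    clock hour (so a burst alert would stay silent), from at least `min_sources`
    distinct source IPs. Thresholds are illustrative assumptions.
    """
    start = now - window
    failures = defaultdict(list)
    for when, account, src, success in events:
        if not success and start <= when <= now:
            failures[account].append((when, src))

    findings = {}
    for account, fails in failures.items():
        # Bucket failures by clock hour to measure the peak burst rate.
        per_hour = defaultdict(int)
        for when, _ in fails:
            per_hour[when.replace(minute=0, second=0, microsecond=0)] += 1
        peak = max(per_hour.values())
        sources = {src for _, src in fails}
        if len(fails) >= min_failures and peak <= max_per_hour and len(sources) >= min_sources:
            findings[account] = {
                "failures": len(fails),
                "peak_per_hour": peak,
                "sources": sorted(sources),
                "no_2fa": account in NO_2FA_ACCOUNTS,
            }
    return findings


def run_sample():
    """Run the detector over the constructed sample as of 2017-10-06."""
    return detect_low_and_slow(parse_log(SAMPLE_LOG), datetime(2017, 10, 6))


if __name__ == "__main__":
    for account, info in run_sample().items():
        print(account, info)
```

In the sample, `alice` fails twice in one minute and then succeeds, the ordinary typo pattern that a burst rule would catch and that this rule deliberately ignores; `svc-backup` never sees more than one failure in any hour, yet collects eight failures from four addresses across five days, which is the shape worth an alert on an account that has no second factor to fall back on.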

Retail

“A newly detailed malware targeting automated teller machines (ATM) allows attackers to completely drain available cash, Kaspersky Lab researchers have discovered.

Dubbed ATMii, the threat was first spotted in April this year, featuring an injector module (exe.exe) and the module to be injected (dll.dll). Actors using the malware need direct access to a target ATM (either over the network or physically) to install it.

During analysis, the security researchers discovered that the injector, an unprotected command line application, was written in Visual C with a fake compilation timestamp of four years ago. The malware features support for a Windows version more recent than Windows XP, which is the platform most ATMs run.”

– Security Week

Defense

“A hacker stole non-classified information about Australia’s Joint Strike Fighter program and other military hardware last year after breaching the network of a defense contractor, the defense industry minister said on Thursday.

About 30 gigabytes of data was stolen in the cyber attack, including details of the Joint Strike Fighter warplane and P-8 Poseidon surveillance plane, according to a presentation on the hack by a government official.

“Fortunately the data that has been taken is commercial data, not military data … it’s not classified information,” Defence Industry Minister Christopher Pyne told Australian Broadcasting Corporation (ABC) Radio.”

– Reuters
