The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Your Printer Is Out to Get You
In This Issue:
- Don’t all printers browse SharePoint?
- Scammers steal a school
- That's not ransomware
Don’t All Printers Browse SharePoint?
This is why insecure IoT devices make your authors foam at the mouth. THIS IS WHY: Corporate IoT – a path to intrusion.
Security researchers at the Microsoft Threat Intelligence Center observed an active campaign to gain entry to corporate networks, targeting "popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations."
This wasn't particularly hard for the attackers, since many of the devices were deployed without changing the default manufacturer’s passwords, or had not been patched in several geologic eras.
Once attackers had a toehold in an infected device, they scanned the network for more targets, looking for "higher-privileged accounts that would grant access to higher-value data."
The Microsoft article should be required reading for IT staff, as well as any idiot in purchasing who thinks smart lightbulbs would be nifty. It describes indicators of compromise, and suggests sensible steps to take to protect IoT devices. Our favorite is No. 8: "Monitor IoT device activity for abnormal behavior (e.g. a printer browsing SharePoint sites…)"
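What does "monitor for a printer browsing SharePoint" look like in practice? Below is an added example from your Countermeasure editors, not code from Microsoft or from the article. It runs two checks over web-proxy log lines: an IoT device contacting a host outside the short list of destinations its device class should ever need, and an IoT device fanning out to many distinct internal hosts, the post-compromise scanning the article describes. The asset inventory, the per-class allowlists, the simplified log format and the log lines themselves are all constructed for the example.

```python
"""Spot IoT devices doing things an IoT device has no business doing.

Two checks over web-proxy logs:
  1. an IoT device contacting a destination outside its expected set
     (the "printer browsing SharePoint" case), and
  2. an IoT device fanning out to many distinct internal hosts
     (the scanning for further targets the article describes).
The inventory, allowlists and log lines below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed asset inventory: IoT device IP -> device class.
IOT_INVENTORY = {
    "10.20.0.15": "printer",
    "10.20.0.31": "voip-phone",
    "10.20.0.40": "video-decoder",
}

# Constructed allowlist: the only hosts each device class should ever talk to.
EXPECTED_DESTINATIONS = {
    "printer": {"print.corp.example", "fw-update.printer-vendor.example"},
    "voip-phone": {"sip.corp.example", "ntp.corp.example"},
    "video-decoder": {"streams.corp.example"},
}

# Simplified proxy log format (assumed for this example, not any vendor's real format):
# <timestamp> <src_ip> <method> <host> <path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed log: a printer doing its job, then browsing SharePoint; a phone
# behaving; a video decoder walking an internal subnet; a workstation (not in
# the inventory) using SharePoint legitimately.
SAMPLE_LOG = """\
2019-08-06T09:12:01Z 10.20.0.15 GET print.corp.example /jobs/queue 200
2019-08-06T09:12:05Z 10.20.0.15 GET sharepoint.corp.example /sites/Finance/Shared%20Documents 200
2019-08-06T09:12:09Z 10.20.0.31 GET sip.corp.example /provision 200
2019-08-06T09:13:00Z 10.20.0.40 GET 10.20.1.5 / 404
2019-08-06T09:13:01Z 10.20.0.40 GET 10.20.1.6 / 404
2019-08-06T09:13:02Z 10.20.0.40 GET 10.20.1.7 / 404
2019-08-06T09:13:03Z 10.20.0.40 GET 10.20.1.8 / 404
2019-08-06T09:14:00Z 10.20.5.77 GET sharepoint.corp.example /sites/Finance 200
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_anomalies(lines, inventory=IOT_INVENTORY, expected=EXPECTED_DESTINATIONS):
    """Check 1: an IoT device contacting a host not on its class allowlist."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        device_class = inventory.get(rec["src"])
        if device_class is None:
            continue  # not a tracked IoT device; out of scope for this check
        if rec["host"] not in expected.get(device_class, set()):
            alerts.append({
                "ts": rec["ts"], "src": rec["src"], "device_class": device_class,
                "host": rec["host"], "path": rec["path"],
            })
    return alerts


def find_scanners(lines, threshold=3, inventory=IOT_INVENTORY):
    """Check 2: IoT devices that contacted at least `threshold` distinct hosts."""
    hosts_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in inventory:
            continue
        hosts_by_src[rec["src"]].add(rec["host"])
    return {src: hosts for src, hosts in hosts_by_src.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_LOG.splitlines()):
        print(f"UNEXPECTED  {a['ts']} {a['device_class']} {a['src']} -> {a['host']}{a['path']}")
    for src, hosts in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"FAN-OUT     {src} contacted {len(hosts)} distinct hosts: {sorted(hosts)}")
```

The allowlist approach works because IoT devices are boring: a printer needs its print server and its vendor's update host and nothing else, so "anything not on the list" is a usable rule in a way it never would be for a workstation. The hard part is the inventory, which is exactly the part most shops do not have.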
Scammers Steal a School. Well, Part of One.
User education about security is never easy, but repeated shouting and beating people about the ears with a large trout has produced a vague awareness of phishing in most people. They have at least heard of the idea that e-mails can contain infected attachments or malicious links. And many security products can detect this kind of phishing attempt: Mimecast Rejected Over 67 Billion Emails. Here's What It Learned.
Much harder to defend against, and much less widely known, are the scam e-mails that contain no links, no malware, no attachments of any kind. Instead, they impersonate someone at the target company, or a supplier or contractor that the company uses. They make what seems like a plausible request. And they can walk away with staggering sums of money.
This is one example: $1.7 million still missing after North Carolina county hit by business email compromise scam. Cabarrus County, North Carolina believed it was paying a contractor when it moved $2.5 million into a fraudulent account. But don't be too quick to sneer at their accounting department—according to the article, "staff followed the correct processes – requesting that forms and documentation (including an electronic funds transfer (EFT) form signed by the bank) were submitted to make the change."
The criminals submitted plausible forged documents, and walked away with the cash. Cabarrus County only realized they had been scammed when the real building contractor contacted them to ask about a missing payment.
The victims had insurance, but it paid out only $75,000. As the article warns, "All organisations need to learn to be exceptionally cautious whenever one of their suppliers says that their bank account details are changing – it may be another scammer trying to make a quick and easy fortune."
If it isn't already, this kind of scam needs to be talked about in your security awareness training. Get as many people as possible to read the article about Cabarrus County; it describes the scam concisely and has added "think of the children" emotional weight. (The stolen money was supposed to pay to build a new school. Ouch.)
For people who hate children or require color-coded bar graphs, you could instead get them to read this: Fraudsters Are Trying to Steal $8.7 Million Every Single Day through Business Email Compromise.
Oh, and review your insurance coverage.
That's Not Ransomware
Sure, it pretends to be ransomware. Actually, first it pretends to be somebody's job application, with a resume and photo attached. Inevitably, someone opens the attachment. Then files start being corrupted, and there's a demand for ransom.
Paying the ransom won't help, though. "The bad guys don’t have a copy of your data, they simply overwrote it with zeroes," says this article: GermanWiper isn’t ransomware. It’s worse than that. "In other words, paying the attacker’s ransom demand is a waste of time (and money)."
Make frequent, secure backups. Store a copy of them offline, where they can't be encrypted or deleted by malware in your network. It’s your only hope.
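Before anyone in the building starts a conversation about paying, it is worth looking at the bytes. Genuine ciphertext is close to uniformly random (Shannon entropy near 8 bits per byte), while a file that has been overwritten with zeroes has no information left in it and no key on earth will bring it back. The triage script below is an added example from your Countermeasure editors, not code from the linked article and not an analysis of GermanWiper itself; the three sample "files" and the cutoff values are constructed for the example.

```python
"""Is that 'encrypted' file actually encrypted, or just zeroed?

Ciphertext is close to uniformly random (entropy near 8 bits/byte). A file a
wiper has overwritten with zeroes has entropy zero and nothing to decrypt, so
a ransom payment cannot recover it. Sample files below are constructed.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zero_fraction(data: bytes) -> float:
    """Share of the file that is 0x00 bytes."""
    return data.count(0) / len(data) if data else 0.0


def classify(data: bytes, zero_cutoff=0.95, entropy_cutoff=7.5) -> str:
    """Crude triage of a damaged file's contents (cutoffs are example values)."""
    if not data:
        return "empty"
    if zero_fraction(data) >= zero_cutoff:
        return "zero-filled"   # wiped: no decryption key exists for this
    if shannon_entropy(data) >= entropy_cutoff:
        return "high-entropy"  # consistent with encryption (or compression)
    return "low-entropy"       # structured or plaintext data, probably intact


def triage(files):
    """Map each file name to its classification."""
    return {name: classify(blob) for name, blob in files.items()}


def _pseudo_random(nbytes, seed=b"constructed-example"):
    """Deterministic stand-in for ciphertext, so the example has no randomness."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


# Constructed sample files: one that looks encrypted, one a zero-overwriting
# wiper would leave behind, and one untouched text file.
SAMPLE_FILES = {
    "budget.xlsx": _pseudo_random(4096),
    "invoices.docx": b"\x00" * 4096,
    "notes.txt": b"Meeting moved to Thursday. Bring the Q3 numbers.\n" * 80,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        blob = SAMPLE_FILES[name]
        print(f"{name:14} {verdict:13} entropy={shannon_entropy(blob):.2f} "
              f"zeros={zero_fraction(blob):.0%}")
```

Run it over a sample of the "encrypted" files from a few different shares. If the verdict is "zero-filled" across the board, the ransom note is theatre and the only remaining question is how good your backups are.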
The author of the article above links to an explainer about backup basics: How to create a robust data backup plan (and make sure it works). Your Countermeasure authors would like to add a few caveats about storing backups in the cloud, if that is a part of your strategy:
- Be aware that cloud providers can be targeted by ransomware, too. Cloud backups can be a part of your strategy, but they should not be the only part.
- Use unique credentials to log in to your cloud backup service—credential re-use here can have nasty consequences.
Thread of the Week
"Starting tomorrow, vendors will be competing for security $$ at one of the biggest events of the year. They'll make promises about efficacy. I'll give them the benefit of the doubt on their claims. But before saying "ooh, shiny, I NEED one of those" ask yourself some questions." – Jake Williams - @MalwareJake
Tool of the Week
Need to automatically and securely verify a download is legit? You bet: rget, this new tool.
Podcast of the Week
- Ongoing Campaign Spoofs Walmart, Dating, Movie Sites. This is about scammers creating websites that spoof legitimate company sites. "Imai advises businesses to seek domains that may be attempting to mimic their brands. Many of these malicious domains haven't been blacklisted, meaning customers can still be affected. Organizations should also consider their takedown processes and see whether they can be accelerated."
- Hack-age delivery! Wardialing, wardriving... Now warshipping: Wi-Fi-spying gizmos may lurk in future parcels. Researchers made a small device that can be hidden in a package and mailed to a company. "It can be instructed to scan for vulnerable networks to infiltrate… or spoof nearby legit wireless networks to harvest passphrases from those connecting, or get up to other mischief over the air."
- Revealed: Microsoft Contractors Are Listening to Some Skype Calls
- The Risk of Weak Online Banking Passwords
- What We Can Learn from the Capital One Hack