Dragoon Security Group


Dragoon Security offers Information Security consulting and Managed Security Services to government, business and non-profits.

01/05/2020

I don’t care for FUD; I do, however, support due care and diligence to address an organization’s service and reputational risks.

A small federal agency’s website has been defaced tonight, allegedly by Iranian Threat Actors though the attack has not been validated to have originated from Iran.

Regardless of the source, this should serve as an advisory to harden public facing servers and web applications.

Hardening is the management of configuration, access control, network settings and server environment, including applications, in order to improve the overall security of an organization’s IT infrastructure and mitigate inherent risk to the organization.

Nine basic hardening actions to consider include:
• Ensure default credentials are removed and use a unique, complex password
• Activate Multi-Factor Authentication
• Validate configurations against vendor and industry standards
• Remove or disable unnecessary services, especially remote access
• Scan for vulnerabilities and push security updates
• Deploy firewalls to create a DMZ from internal systems
• Monitor logs for intrusions
• Create and protect data backups
• Implement load balancers and Denial of Service Protection

08/26/2019

How cybercriminals hold data hostage... and why the best solution is often paying a ransom

While I’m glad this issue is gaining national attention, this piece was very defeatist. Companies wouldn’t accept a thief walking in and taking tens of thousands of dollars from the register. Yet because a computer is involved, the expectation is to comply?

I do agree and have also referred to these attacks as the worst day of an executive’s personal life.

There are measures to prevent and protect against this crime. Atlanta’s $20MM bill covers not just data recovery costs. It also involves modernizing their very large IT infrastructure, which had been neglected, to prevent future attacks.

Taking a proactive approach to digital attack will always be more cost efficient than a reactive one. Proactive allows for budgeting and planning as opposed to depleting cash reserves to overcome a major business disruption.

Paying merely emboldens these criminals to continue with these campaigns. Not determining root causes and remediating the vulnerability only leaves companies susceptible to ongoing attacks.

How cybercriminals hold data hostage... and why the best solution is often paying a ransom
Targets have included hospitals and municipalities, but the FBI says anyone on the internet should expect to be attacked by cybercriminals

08/15/2019

Capital One Data Theft Expands to Other Companies

Court documents recently submitted by Federal prosecutors allege the suspect in last month’s Capital One breach may have also obtained data from as many as 30 additional organizations.

Servers seized from the suspect’s home contained several terabytes of data storage; one terabyte of storage equates to approximately 75 million pages. The files on these servers appear to have been retrieved from automakers, universities, state agencies, software firms, telecommunications and additional financial institutions.

The good news surrounding these criminal activities is that, due to reporting by members of the tech community and the swift response by law enforcement, it is not believed any stolen data from Capital One was released to unauthorized parties.

08/12/2019

New light on the iNSYNQ ransomware attack

It appears the cloud hosting provider of Quickbooks was initially infected through a phishing email received by a member of the sales department.

Attackers spent 10 days in the company’s infrastructure, spreading the malware to systems and the data backup solution.

The firm’s Incident Response Plan allowed them to stop the spread of infections but not until half of their systems had been compromised, including their backup solution which has since been overhauled.

While most customers have been restored and are operational, recovery efforts are ongoing.

08/09/2019

State Farm Insurance experienced a credential stuffing attack involving an undisclosed number of policyholder account credentials last month. The company supports over 80 million consumers with both insurance products and financial services.

This attack comes after new compliance regulations have been increasingly adopted by state insurance regulators across the nation.

Credential stuffing involves automated log-in attempts with stolen account credentials, usually obtained through phishing attacks and data breaches. State Farm claims the credentials were purchased from a “Dark Web” marketplace.

It is advised that unique passwords be used for online accounts. If you are a State Farm policyholder, please ensure you change your password to your account. If your State Farm password is also used for other online accounts, those should also be changed. Password Managers make this task simple by creating and storing complex unique passwords for all your accounts.

This incident calls into question the original source of these stolen credentials and the full extent of the data protection of State Farm consumers.

08/05/2019

Nation-state actor uses new LookBack RAT to target US utilities

The China-based group APT 10 has been linked to new spear phishing campaigns to deliver malware targeting the utilities sector.

The malware implements many capabilities including an enumeration of services; viewing of process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine and deleting itself from an infected host.

In recent years, this group has been linked to attacks on IT Service Providers and Managed Service Providers to gain access to their clients’ systems and data.

Nation-state actor uses new LookBack RAT to target US utilities
Experts warn of a phishing campaign targeting US companies in the utility sector aimed at infecting systems with a new LookBack RAT.

Address


Chapin, SC
29036