“... Over the past two years, the Hancitor malware family has been a fairly regular nuisance that defenders ... have to deal with on an almost weekly basis. The malware itself has gone through more than 80 variations during this time...”
“... spoofed known contacts ... mimicked previous conversations ... created mail filters to ensure that communications were conducted only between the attacker and victim ... spoofed supervisor emails to get required approvals ... Without the use of any malware ...”
This kind of malware could be devastating for a company.
“... responsible for destroying (wiping out) files on network shares, making infected machines irrecoverable, and propagating itself with the newly harvested credentials across compromised networks...”
Realize that antivirus alerts don't mean the problem is solved. Antivirus usually detects only a single remnant of a bigger problem.
@jepayneMSFT says “... WMI persistence often needs a post detection remediation step ... like rebuilding the WMI database. For attackers this is a great advantage, especially in less informed IT organizations who might think an AV pop up means 'problem solved.'...”
“... The private data was stored in containers provided by cloud provider Rackspace. The hacker found the key and credentials to those containers inside the Android app ... stored in plaintext, meaning the hacker could take them and gain access to the server...”
“...If you rely on detection and response, you'll never be able to keep up. That is why proactive measures like removing admin rights, whitelisting, and isolating web content are essential to building a successful security posture...”
“...We often see companies embark on Least Privilege or Whitelisting projects but leave more complex users (IT, C-levels, mobile workers, developers) out of the project scope because it's too 'hard'... Remove admin rights, remove threats...”
Overall, we learned that the number of reported Microsoft vulnerabilities increased by 111% between 2013 and 2017. The biggest takeaway: these can all be mitigated with the removal of administrative rights.
Software development teams should include security and access control testing before every deployment.
“... agency made a technical change aimed at allowing tax agents to better help businesses ... made a mistake somewhere ... any one of their clients could have looked at data from any other of their clients...”
@malwarejake said “... talked to someone who manages an almost 100% remote IR team for a fortune 100 incident response team. Said they moved to remote because they had to in order to fill positions...”
“... someone impersonating a county official requested confidential employee information including W-2 forms compromising employee payroll information, social security numbers and filing addresses ... the information was sent ...”
@curi0usjack says “... One of my favorite tools of all time: Microsoft Security Compliance Manager. MS's hardened security GPOs by OS/role. Need a secure GPO fast? This is the tool you need. Also free...”
“... email scheme pretends to be from company executives and requests personal information about employees, and uses the cover of tax season and W-2 filings to deceive people into sharing personal data...”
Amanda R says “...To use PowerShell, a user can either use the command line interface provided by PowerShell.exe or reference the cached global assembly in C# source code. The GAC assembly name used in both cases is called System.Management.Automation.dll...”
Browser extensions are scary because they can control any website you visit.
“... Chrome extensions have started embedding Yandex Metrica, which records user actions on all the sites they surf ... the script can log various details such as names, credit card numbers, CVV numbers, email addresses, and phone numbers...”
With breaches becoming commonplace, microsegmentation is one of the best ways to reduce risk by making it harder for attackers to move laterally.
“... Microsegmentation gives companies greater control over the growing amount of east-west or lateral communication that occurs between servers, bypassing perimeter-focused security tools. If breaches occur, microsegmentation limits potential lateral exploration of networks by hackers...”
A sad but common reality. Eventually orgs will have to adapt and find ways to lower risks while still becoming quicker and more agile.
“... Oracle issued updates for this issue earlier this month, but it will take months until the patch lands on affected POS systems. The reason is that POS systems are business critical systems, and sysadmins rarely schedule maintenance and update operations, fearing that an unstable patch might cause further downtime and financial losses to their companies...”
Does your company have a process in place to watch for and apply regular patches from vendors of non-traditional systems like these?
“... Vulnerability could be exploited by an attacker to bypass the authentication mechanism ... Vulnerability could be exploited by an authenticated attacker with a low-privileged account to escalate privileges and perform administrative operations ... Vulnerability could be exploited by an attacker to cause a DoS ...”
“...There's a simple way to mitigate the threat of DNS hijacking attacks: don't allow arbitrary internal IP addresses on your enterprise network to send DNS queries to arbitrary IP addresses on the Internet...only a subset of your DNS servers actually query DNS servers on the Internet...”
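A detection pass a defender could run over flow or firewall logs to find hosts breaking that rule, as an added PowerShell example (not from the original post); the resolver addresses and the CSV records are constructed sample data:

```powershell
# Added example: find internal hosts that send DNS queries straight to the
# Internet instead of through the approved resolvers. The resolver list and
# the flow records below are constructed sample data; in practice, feed it
# firewall or NetFlow exports with the same five columns.

# Only these internal resolvers are allowed to talk to port 53 on the Internet.
$ApprovedResolvers = @('10.0.0.53', '10.0.1.53')

# Constructed flow records: timestamp, source, destination, protocol, destination port.
$flows = @'
timestamp,src,dst,proto,dport
2018-02-05T09:00:01,10.0.0.53,8.8.8.8,UDP,53
2018-02-05T09:00:07,10.2.14.27,8.8.8.8,UDP,53
2018-02-05T09:00:09,10.2.14.27,10.0.0.53,UDP,53
2018-02-05T09:00:15,10.3.7.5,203.0.113.9,TCP,53
2018-02-05T09:00:20,10.3.7.5,93.184.216.34,TCP,443
'@ | ConvertFrom-Csv

function Test-InternalAddress {
    param([string]$Ip)
    # RFC 1918 ranges stand in for "inside the enterprise network" here.
    return ($Ip -match '^10\.' -or
            $Ip -match '^192\.168\.' -or
            $Ip -match '^172\.(1[6-9]|2\d|3[01])\.')
}

function Find-RogueDnsEgress {
    param([object[]]$Records, [string[]]$Resolvers)
    $Records | Where-Object {
        $_.dport -eq '53' -and                    # DNS
        -not (Test-InternalAddress $_.dst) -and   # destination is on the Internet
        $Resolvers -notcontains $_.src            # source is not an approved resolver
    }
}

$rogue = Find-RogueDnsEgress -Records $flows -Resolvers $ApprovedResolvers
# One line per offending host, with how many direct queries it made.
$rogue | Group-Object src | ForEach-Object {
    '{0} sent {1} DNS query(s) directly to the Internet' -f $_.Name, $_.Count
}
```

Any host it reports is either misconfigured to bypass the corporate resolvers or running something that brought its own DNS settings, and is worth a look either way.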
I think password re-use risks also apply to internal devices at companies. If you set up multiple servers, databases, devices, service accounts, etc. with different accounts but the same password, you're simplifying the attacker's life by making it trivial for them to move laterally across your network. Take that extra step and create unique passwords.
“... once fraudsters have managed to guess one password, they’ll have access to your entire online life...”
Why upgrade PowerShell? If nothing else, just so your security team can see attacks happening!
“... PowerShell 2.0 ... provides very little evidence of attacker activity ... Microsoft has been taking steps to improve the security transparency of PowerShell in recent versions. The most significant improvements, such as enhanced logging, were released in PowerShell version 5.0 ...”
“... The lowest Execution Policy is Unrestricted, which permits all scripts to run ... If you do choose the Unrestricted setting, and a script comes along and clobbers you ... be prepared to own up to your decision when you're explaining how a virus wiped out your environment...”
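An added PowerShell example (not part of the original post, nor Microsoft's own tooling) that audits a single host for the gaps these two quotes describe: an old engine still installed, script block logging off, and a permissive execution policy. The -Fix switch and the RemoteSigned floor are this example's own choices; run it in an elevated PowerShell 5.0 or later session.

```powershell
# Added example: check one Windows host for PowerShell visibility gaps.
# -Fix is an assumed switch of this script, not a built-in option.
param([switch]$Fix)

$findings = @()

# 1. Engine version: the enhanced logging discussed above arrived in 5.0.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    $findings += "Running PowerShell $($PSVersionTable.PSVersion); upgrade to 5.0 or later."
}

# 2. PowerShell 2.0 engine: if it is still installed, scripts can fall back to it
#    and leave none of the 5.0 logging behind, so remove it rather than ignore it.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($v2 -and $v2.State -eq 'Enabled') {
    $findings += "PowerShell 2.0 engine is still installed."
    if ($Fix) { Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null }
}

# 3. Script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational).
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
    $findings += "Script block logging is disabled."
    if ($Fix) {
        New-Item -Path $sblKey -Force | Out-Null
        Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    }
}

# 4. Execution policy: Unrestricted and Bypass run anything; RemoteSigned is the floor used here.
$policy = Get-ExecutionPolicy -Scope LocalMachine
if (@('Unrestricted', 'Bypass') -contains $policy) {
    $findings += "Machine execution policy is $policy."
    if ($Fix) { Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned -Force }
}

# 5. Proof that logging is actually producing evidence: count recent 4104 events.
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 50 -ErrorAction SilentlyContinue
"Recent 4104 script block events seen: $(@($recent).Count)"

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { "No findings." }
```

The registry value and event channel are the ones Group Policy itself writes and reads, so a domain-wide policy will show up here the same way a local change does.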
Hard drive encryption is important. Don't disable it. A login password does not protect a hard drive that an attacker has physically stolen: anyone who holds an unencrypted drive can read its contents.
@gattaca said “‘All the stolen $company laptops were password-protected, although not all were encrypted.’ < *facepalm*”
Patch your Flash Player. Even if you don't normally rush to patch, this is a good example of where you would want to rush and patch: a critical vuln that is being actively exploited.
“... allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild ... attacks leverage Office documents with embedded malicious Flash content distributed via email...”