Dragoon Security Group

Dragoon Security offers Information Security consulting and Managed Security Services to government, business and non-profits.

The team at Dragoon Security Group stands ready to assist organizations with securing their data and ensuring regulatory compliance at all levels. We have experience in government, non-profit, and global business enterprise environments, and we provide Security Awareness training for small and large groups. We'll walk you through the process of identifying vulnerabilities within your digital and physical environment, developing a plan of action, and implementing mitigation strategies to bring you into compliance with a fully developed Information Security Program. We are experienced in the following Information Security frameworks and regulatory compliance requirements:
- DIS 200
- FISMA
- FedRAMP
- HIPAA
- ISO
- NERC
- NIST
- PCI
- Sarbanes-Oxley

01/05/2020

I don’t care for FUD, I do however support due care and diligence to address an organization’s service and reputational risks.

A small federal agency’s website has been defaced tonight, allegedly by Iranian Threat Actors though the attack has not been validated to have originated from Iran.

Regardless of the source, this should serve as an advisory to harden public facing servers and web applications.

Hardening is the management of configuration, access control, network settings and the server environment, including applications, in order to improve the overall security of an organization’s IT infrastructure and mitigate the inherent risk to the organization.

Nine basic hardening actions to consider include:
• Ensure default credentials are removed and use a unique, complex password
• Activate Multi-Factor Authentication
• Validate configurations against vendor and industry standards
• Remove or disable unnecessary services, especially remote access
• Scan for vulnerabilities and push security updates
• Deploy firewalls to create a DMZ from internal systems
• Monitor logs for intrusions
• Create and protect data backups
• Implement load balancers and Denial of Service Protection
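The nine actions above are easier to keep honest when they are checked mechanically rather than by memory. The script below is an added example, not Dragoon Security Group's tooling: it audits a constructed inventory of two hypothetical public-facing hosts against each of the nine items and reports the gaps per host. The inventory record layout, the list of risky remote-access services, the 30-day patch window and the audit date are all assumptions made for the illustration.

```python
"""Audit constructed host records against the nine hardening actions.

Added example (not the page's or any vendor's code). The inventory format,
thresholds and host names are assumptions for illustration only.
"""
from datetime import date

# Constructed inventory of two hypothetical internet-facing hosts.
INVENTORY = [
    {
        "host": "www-01",
        "accounts": [{"user": "admin", "password_is_default": True, "mfa": False}],
        "listening_services": ["https", "ssh", "telnet"],
        "baseline_checked": False,
        "last_patch": date(2019, 9, 1),
        "in_dmz": False,
        "log_monitoring": False,
        "backups": {"exists": True, "offline_copy": False},
        "ddos_protection": False,
    },
    {
        "host": "www-02",
        "accounts": [{"user": "deploy", "password_is_default": False, "mfa": True}],
        "listening_services": ["https"],
        "baseline_checked": True,
        "last_patch": date(2019, 12, 20),
        "in_dmz": True,
        "log_monitoring": True,
        "backups": {"exists": True, "offline_copy": True},
        "ddos_protection": True,
    },
]

# Remote-access services that should not listen on a public host (assumed list).
RISKY_SERVICES = {"telnet", "ftp", "rdp", "vnc", "smb"}
MAX_PATCH_AGE_DAYS = 30          # assumed acceptable patch window
AUDIT_DATE = date(2020, 1, 5)    # assumed date of the audit run


def audit_host(host, today=AUDIT_DATE):
    """Return a list of hardening gaps for one host record (empty = compliant)."""
    findings = []
    # 1. Default credentials removed, unique complex password in use
    if any(a["password_is_default"] for a in host["accounts"]):
        findings.append("default credentials in use")
    # 2. Multi-factor authentication on every account
    if any(not a["mfa"] for a in host["accounts"]):
        findings.append("account without MFA")
    # 3. Configuration validated against a vendor/industry baseline
    if not host["baseline_checked"]:
        findings.append("configuration not validated against a baseline")
    # 4. Unnecessary services, especially remote access, removed
    exposed = RISKY_SERVICES & set(host["listening_services"])
    if exposed:
        findings.append("unnecessary remote-access services: " + ", ".join(sorted(exposed)))
    # 5. Vulnerability scanning and security updates applied
    if (today - host["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    # 6. Firewalled into a DMZ, separated from internal systems
    if not host["in_dmz"]:
        findings.append("not isolated in a DMZ")
    # 7. Logs monitored for intrusions
    if not host["log_monitoring"]:
        findings.append("logs not monitored")
    # 8. Backups exist and are protected (an offline copy ransomware cannot reach)
    backups = host["backups"]
    if not (backups["exists"] and backups["offline_copy"]):
        findings.append("no protected (offline) backup copy")
    # 9. Load balancing / Denial of Service protection in front of the host
    if not host["ddos_protection"]:
        findings.append("no DoS protection or load balancing")
    return findings


def audit_inventory(inventory=INVENTORY, today=AUDIT_DATE):
    """Map each host name to its list of findings."""
    return {h["host"]: audit_host(h, today) for h in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In practice the inventory records would be generated from configuration management or a vulnerability scanner export rather than typed by hand; the point of keeping each rule as a separate check is that a host failing several items at once (as the constructed `www-01` does) is the one to fix first.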

12/13/2019

After a chaotic summer of coordinated ransomware attacks against municipal governments, resulting in disruption of critical services to citizens, some refreshing news from Rhode Island of a small town whose hard work and infrastructure investments have paid off.

East Greenwich suffered an attack last week but was able to activate their Incident Response Plan and limit the infection propagation. Despite 75% of the town’s servers being impacted by the attack, the IT department was able to quickly notify all town departments to disconnect computers and systems from the internal network and begin recovery operations through the data backup solution implemented last year.

We applaud the technology team in East Greenwich for their preparation efforts and hope other municipal governments follow their lead.



A Rhode Island town is restoring access to parts of its municipal computer network following a ransomware attack.

08/26/2019

While I’m glad this issue is gaining national attention, this piece was very defeatist. Companies wouldn’t accept a thief walking in and taking tens of thousands of dollars from the register. Yet because a computer is involved, the expectation is to comply?

I do agree and have also referred to these attacks as the worst day of an executive’s personal life.

There are measures to prevent and protect against this crime. Atlanta’s $20MM bill is not just data recovery costs; it also covers modernizing their very large IT infrastructure, which had been neglected, to prevent future attacks.

Taking a proactive approach to digital attack will always be more cost efficient than a reactive one. Proactive allows for budgeting and planning as opposed to depleting cash reserves to overcome a major business disruption.

Paying merely emboldens these criminals to continue with these campaigns. Not determining root causes and remediating the vulnerability only leaves companies susceptible to ongoing attacks.



Targets have included hospitals and municipalities, but the FBI says anyone on the internet should expect to be attacked by cybercriminals

08/21/2019

Record $2.5MM Ransom Demand for 23 Texas Local Governments

All impacted governments received outsourced IT support from the same provider.



Investigators haven't identified who or what is behind the attack that took systems offline, but the Texas Department of Information Resources says the evidence points to "one single threat actor."

08/20/2019

Information Security on the Factory Floor

Information Security is typically associated with the corporate office, with its role in an industrial environment often overlooked.

In many cases, industrial systems qualify as DHS Critical Infrastructure; the sectors include chemicals, communications, dams, energy, food and agriculture, manufacturing, nuclear, and water systems.

SCADA networks and Industrial Control Systems are experiencing an increasingly higher rate of attacks, with half of these environments believed to have experienced some level of disruption by malicious threat actors.

Poor security maturity is most often the result of legacy infrastructure that is no longer supported, typically equipment running on an unsupported OS such as Windows XP. These systems are vulnerable to attack if they are connected in any way, directly or indirectly, to the Internet, or if they are exposed through compromised removable media.

Investing in an updated software license for industrial equipment can aid in preventing at-risk system compromise and reduce larger financial impacts. Compromised industrial equipment also creates a safety risk for employees.

Secondary issues are a lack of segregation between the corporate and industrial infrastructure. An unsegmented network means malware introduced by accounting can disrupt floor operations.

Asco, Maersk, Mondelez, and Norsk Hydro are some of the larger companies who have suffered from significant attacks despite having the resources to proactively protect themselves. As Industry 4.0 gains traction, those advantages bring increased risk of attack.

It’s time to protect both the IT and the OT side of your organization. Industrial systems should be prioritized based on their criticality to business operations. Most executives are surprised to see the disparity between the level of protection the receptionist receives and that afforded their critical business systems.


08/17/2019

Texas Local Governments Under Siege

At least 20 local governments have been struck with coordinated ransomware attacks.

State officials have stood up the Emergency Operations Center to coordinate response efforts of InfoSec teams and identify additional communities impacted by this campaign.

This is the largest attack seen against a specific geographical area; however, this summer many cities and counties in the southern US have found themselves the victims of such extortion attacks.

Everything truly is bigger in The Lone Star State.

08/15/2019

Capital One Data Theft Expands to Other Companies

Court documents recently submitted by Federal prosecutors allege the suspect in last month’s Capital One breach may have also obtained data from as many as 30 additional organizations.

Servers seized from the suspect’s home contained several terabytes of data storage; one terabyte of storage equates to approximately 75 million pages. The files on these servers appear to have been retrieved from automakers, universities, state agencies, software firms, telecommunications and additional financial institutions.

The good news surrounding these criminal activities is that, due to reporting by members of the tech community and the swift response by law enforcement, it is not believed any data stolen from Capital One was released to unauthorized parties.

08/13/2019

Lawsuit and Investigations After First American Financial Breach

The data breach we discussed in May originating from First American Financial Corp., a national leader in the real estate title insurance industry, has had some traction with regulatory investigations.

Both the US Securities & Exchange Commission and New York Department of Financial Services have committed to inquiries of wrongdoing and negligence by the company.

The regulatory bodies have oversight of the financial industry, to include insurance, under GLBA and the newly created 23 NYCRR 500. Both these regulations enact basic requirements around Information Security to be implemented by financial companies.

The investigations come after a class action lawsuit against First American has been filed in California.

The filing alleges First American failed to implement even rudimentary security measures.

Clients of First American may soon receive letters from investigators requesting they preserve and share any documents or evidence they have related to the data breach.

As regulatory requirements for the financial industry and others become more enforced, companies will come under increasing scrutiny in how they manage and protect customer data.

A comprehensive Information Security & Privacy program provides the evidence of due care and diligence that allows board members and executives the right to hold their heads high after a breach.

#SEC

08/12/2019

New light on the iNSYNQ ransomware attack

It appears the cloud hosting provider of Quickbooks was initially infected through a phishing email received by a member of the sales department.

Attackers spent 10 days in the company’s infrastructure, spreading the malware to systems and the data backup solution.

The firm’s Incident Response Plan allowed them to stop the spread of infections but not until half of their systems had been compromised, including their backup solution which has since been overhauled.

While most customers have been restored and operational, continued recovery efforts are ongoing.

08/09/2019

State Farm Insurance experienced a credential stuffing attack with an undisclosed number of policyholder account credentials last month. The company supports over 80 million consumers with both insurance products and financial services.

This attack comes after new compliance regulations have been increasingly adopted by state insurance regulators across the nation.

Credential stuffing involves automated log-in attempts with stolen account credentials, usually obtained through phishing attacks and data breaches. State Farm claims the credentials were purchased from a “Dark Web” marketplace.

It is advised that unique passwords be used for online accounts. If you are a State Farm policyholder, please ensure you change your password to your account. If your State Farm password is also used for other online accounts, those should also be changed. Password Managers make this task simple by creating and storing complex unique passwords for all your accounts.
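Credential stuffing has a recognizable shape in authentication logs: one source trying many different usernames in a short window, mostly failing, with the occasional success marking an account whose reused password was in the purchased list. The detector below is an added example, not State Farm's or Dragoon Security Group's code. It parses a constructed log format (the line layout, the five-minute window, the five-username threshold and the RFC 5737 documentation addresses are all assumptions) and reports, per source, how many distinct usernames were tried and which logins succeeded, so those accounts can be reset first.

```python
"""Flag credential-stuffing patterns in constructed authentication logs.

Added example (not from the page or any company it mentions). Log format,
thresholds and addresses are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one stuffing source and one ordinary user retrying.
SAMPLE_LOG = """\
2019-07-06T03:12:01Z src=203.0.113.7 user=alice result=FAIL
2019-07-06T03:12:02Z src=203.0.113.7 user=bob result=FAIL
2019-07-06T03:12:02Z src=203.0.113.7 user=carol result=FAIL
2019-07-06T03:12:03Z src=203.0.113.7 user=dave result=OK
2019-07-06T03:12:04Z src=203.0.113.7 user=erin result=FAIL
2019-07-06T03:12:05Z src=203.0.113.7 user=frank result=FAIL
2019-07-06T03:15:00Z src=198.51.100.4 user=alice result=FAIL
2019-07-06T03:15:30Z src=198.51.100.4 user=alice result=FAIL
2019-07-06T03:16:10Z src=198.51.100.4 user=alice result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")
WINDOW = timedelta(minutes=5)   # assumed sliding detection window
MIN_DISTINCT_USERS = 5          # assumed threshold for "many usernames"


def parse(log_text):
    """Turn log lines into (timestamp, src, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # a bad line should not stop the detector
        ts, src, user, result = match.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {src: summary} for sources trying >= min_users distinct usernames in a window.

    The summary keeps the widest window seen for that source: distinct usernames,
    failure count, and the sorted list of usernames that actually logged in.
    """
    by_src = defaultdict(list)
    for event in sorted(events):          # chronological order per source
        by_src[event[1]].append(event)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it covers at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e[2] for e in in_window}
            if len(users) < min_users:
                continue
            if src not in alerts or len(users) > alerts[src]["distinct_users"]:
                alerts[src] = {
                    "distinct_users": len(users),
                    "failures": sum(1 for e in in_window if e[3] == "FAIL"),
                    "successes": sorted(e[2] for e in in_window if e[3] == "OK"),
                }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(src, summary)
```

The single user retrying a mistyped password from `198.51.100.4` never trips the rule because only one username is involved; the stuffing source does, and its `successes` list is the set of customers whose reused password has just been confirmed, which is exactly the group the advice above (change the password here and everywhere it was reused) applies to most urgently.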

This incident raises the question of the original source of these stolen credentials and the full extent of data protection for State Farm consumers.

08/07/2019

A good reminder from the early days of the Internet: you never really know who’s on the other side of the screen.

It’s a social engineering attack we’ve seen for years: con artists using online dating and social media to woo lonely hearts.

Victims have lost their life savings and even their freedom, as some began embezzling from their employer to send money.

There was a significant uptick during the 00s of thieves presenting themselves as deployed military members. They would gain trust and then request money to buy out their contract with the military because they were being sent on a “suicide mission”. Buying out of their enlistment is not a thing and no commander is willing to sacrifice their career by sending a unit on a doomed mission.

A similar short-term con is calling the elderly and pretending to be a grandchild in distress. Ploys have included bail, money for school, and being stranded by a vehicle breakdown or missed flight.

Be mindful of who you interact with online. Take the time to ensure your loved ones, both young and old, know ways they can be targeted as well.



Confidence/romance fraud occurs when an actor deceives a victim into believing they have a trust relationship—whether family, friendly, or romantic—and leverages the relationship to persuade the victim to send money, provide personal and financial information, or purchase items of value for the ...

08/05/2019

China-based group APT 10 has been linked to new spear phishing campaigns delivering malware that targets the utilities sector.

The malware implements many capabilities including an enumeration of services; viewing of process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine and deleting itself from an infected host.

In recent years, this group has been linked to attacks of IT Service Providers and Managed Service Providers to gain access to their client’s systems and data.



Experts warn of a phishing campaign targeting US companies in the utility sector aimed at infecting systems with a new LookBack RAT.

Address

Chapin, SC
29036
