Quarterly security report
2022 Q2



Edge Protection
Proactive Protection
The perimeter of an organization is a common vector for attacks. Attackers must get through the edge to get to valuable assets: proactive security here mitigates risks and reduces your exposure.
Perimeter Security
Edge Protection acts like a guard post and patrols along the perimeter of a secured area. This security deters attackers and is a major proactive defense for protecting your environment.


Solutions:
The following Edge Protection solutions are Cisco firewalls backed by Talos. Talos backs all Cisco products and comprises world-class researchers, analysts, and engineers; it is one of the largest threat intelligence teams and an industry leader in threat intelligence.
KEY METRICS
• Simplified management within a seamless single pane on a web browser.
• Tailored for SoHo and Branch sites.
• Next Generation Firewall and IPS.
• Can be managed by web browser in the cloud.
KEY METRICS:
• Traditional/Stateful Firewall.
• Multi-context Firewall
• Remote Access VPN Headend.
• Upgradable to Next Generation capabilities.
• Can be managed by CDO or ASDM.
KEY METRICS
• Next Generation IPS.
• Next Generation Firewall.
• Advanced Network Visibility and Threat Analytics.
• Incident response and threat investigation.
• Can be managed by CDO, FMC, or FDM.
What Edge Protection Keeps Out
Phishing Campaign Infects Users with Snake Keylogger:
A recent phishing campaign exploits a two-decade-old Microsoft bug to infect victims with the Snake Keylogger. Victims receive an email with a PDF allegedly regarding a remittance invoice. After opening the PDF, the document prompts users to open a .docx file. Opening the file without Protected View enabled connects victims to a web address that ultimately loads the Snake Keylogger onto the victim’s device.
ATTACK TYPE
Phishing
ATTACK TYPE
Data Breach
Trojan Exploits Internet Explorer Flaw:
Malicious actors are exploiting an Internet Explorer flaw from 2021 to steal user data. Victims who visit a compromised website can receive an exploit kit that delivers the RedLine Stealer trojan. The trojan then scans a victim’s system and leverages additional malware to steal information. RedLine Stealer is heavily encrypted and difficult to detect. Recent campaigns are targeting several countries, especially Brazil and Germany.
Microsoft Windows Support Diagnostic Tool Allows for Remote Code Execution:
A zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), referred to as ‘Follina,’ allows attackers to run malicious code on a user’s machine when MSDT is called through an application’s URL protocol. It took a while for Microsoft to patch this vulnerability, but users could work around it by disabling the MSDT URL protocol and using Windows Defender, which has been updated to defend against the malware typically used in these attacks. The June Patch Tuesday release patched this vulnerability.
ATTACK TYPE
Vulnerability
ATTACK TYPE
Exploit
Zero-Day Flaw Threatens Microsoft Office Users
As early as April 2022, Microsoft was affected by a zero-day flaw that allows threat actors to exploit Microsoft Office. Threat actors can use the “ms-msdt:” URI scheme to gain privileges and carry out follow-up attacks on users. The vulnerability affects Microsoft Office 2013 through 2021, including Professional Plus. On April 21, 2022, Microsoft claimed to have fixed the issue. However, the company has also issued workaround guidance and noted that opening documents in Protected View will stop attacks.
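The two MSDT items above both point to the same pre-patch workaround: unregistering the ms-msdt: URL protocol handler so that Office documents cannot hand a crafted link to MSDT. The script below is an added example and is not code from the Robinett Consulting report or from Microsoft; it audits whether the handler is still registered on a Windows host and, only when asked, applies the published back-up-then-delete workaround on the HKEY_CLASSES_ROOT\ms-msdt key. The $BackupPath value is an assumption of this example, and the script must run in an elevated PowerShell session.

```powershell
# Added example (not from the original report): audit the Follina/MSDT workaround state.
# Assumptions: Windows host, elevated PowerShell session, $BackupPath is our own choice of location.
param(
    [string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg",
    [switch]$Apply
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Get-MsdtProtocolState {
    # Report whether the ms-msdt: URL protocol is registered and, if so, which command it launches.
    if (-not (Test-Path $KeyPath)) {
        return [pscustomobject]@{ Registered = $false; Command = $null }
    }
    $cmd = (Get-ItemProperty -Path "$KeyPath\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Registered = $true; Command = $cmd }
}

$state = Get-MsdtProtocolState
if (-not $state.Registered) {
    Write-Host "ms-msdt: protocol handler is not registered (workaround already applied or key absent)."
    return
}

Write-Host "ms-msdt: protocol handler is registered; handler command: $($state.Command)"

if ($Apply) {
    # Export the key first so the handler can be restored once the June patch is installed.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; leaving the key in place." }
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    Write-Host "Key removed. Restore after patching with: reg.exe import $BackupPath"
} else {
    Write-Host "Re-run with -Apply to back up and remove the key (pre-patch workaround only)."
}
```

Run it without -Apply during an audit to see which hosts still expose the handler; the removal is only appropriate on hosts that have not yet received the June update, and the exported .reg file is what you import to restore normal MSDT behaviour afterwards.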
Multi-Factor Authentication
Strengthened Security
Having a reliable Multi-Factor Authentication (MFA) solution is important because even if you have strong passwords, your credentials are still at risk.
Your passwords for third-party sites might be encrypted, but they must be stored somewhere, and the security of that storage can be compromised without you being immediately aware.


To add a layer of security that allows your company to easily meet compliance for access and user authentication controls, Robinett Consulting offers Duo, Cisco’s Multi-Factor Authenticator.
KEY METRICS
Duo protects many programs your business implements and provides secure access to your applications.
Once you have gotten started with Duo, your users will have a variety of authentication options that allow for security without interrupting their individual workflow.
KEY METRICS:
Duo’s self-enrollment feature for company members makes deploying and implementing Duo easy and worry free.
This also means that as your company grows, Duo enrollment will easily scale with your growth.
KEY METRICS
Duo allows you to differentiate personal and business devices, assess the security of all devices, and identify and then monitor potentially risky devices.
In addition to this, you can implement role-based access to control which devices can access applications based on hygiene or ownership.
What Multi-Factor Authentication Helps Mitigate
Mailchimp Hack Leads to Phishing Attacks:
A malicious actor gained unauthorized access to Mailchimp employee information, which in turn compromised user data. This data breach allowed the actor to launch phishing campaigns via user mailing lists. One known phishing attack was levied against Trezor, a cryptocurrency company. However, the extent of the hack’s damage is still uncertain. Mailchimp recommends that customers enable two-factor authentication to guard against future takeover attacks.
ATTACK TYPE
Phishing
ATTACK TYPE
Data Breach
Azure Vulnerability Permitted Unauthorized Access:
Microsoft noted a permissions bug that threatened the data integrity of Azure customers. The bug could have allowed malicious actors to bypass standard authentication steps and gain unauthorized access to customer databases. A cloud security company, Wiz, discovered that the vulnerability was connected to changes made to the PostgreSQL database. Microsoft claims that no evidence exists of malicious actors using the flaw against its customers.
BlackCat Group Found Stealing Information and Performing Ransomware Attacks:
A group of malicious actors known as BlackCat have been found exploiting unpatched Exchange servers to steal sensitive information and deploy ransomware. The group will steal user credentials to get into a network before accessing as much information as possible. They then steal intellectual property information and other sensitive data before deploying ransomware on the attacked network. Their attacks leverage varying Exchange Server exploits, so no two attacks have been identical thus far.
ATTACK TYPE
Exploit

Dark Web Monitoring (DWID)
Credentials for accounts can be found on the Dark Web for less than the price of a small coffee. Once bought, access to these credentials can cause a business to close its doors.
What is the Dark Web?
The area of the internet that you access every day is just the surface of the internet. Underneath is the deep web and the Dark Web; it is in the Dark Web that a wealth of stolen data circulates for sale.
How would your credentials end up on the Dark Web?
• Your credentials can be keylogged or phished when entered on a fake website or stolen by malicious software.
• Third-party data breaches leak a large amount of information when an outside website or database that holds information related to your credentials is hacked.
• Accidental and Malicious Exposure are also risks as your data may inadvertently or intentionally be shared on the internet.


You can’t control a data breach, but you can control whether that data is still valid. To monitor and mitigate the threat of stolen credentials, Robinett Consulting offers 24/7 monitoring with Dark Web ID.
What does DWID do?
DWID alerts you when your information is found on the Dark Web. The earlier you know what information is out there, the sooner you can secure your credentials.
You may not be aware that your credentials are on the Dark Web, but if they are, we will let you know and inform you of any personal information that has been leaked along with those credentials.
Dark Web ID scours the Dark Web to find your information on:
- Dark Web Chatrooms
- Hacking Sites
- Hidden Theft Forums
- Peer-to-Peer file sharing networks
- Other Black Market Sites
What Monitoring the Dark Web Helps Mitigate
Hackers Evolve Methods to Combat Microsoft Changes:
Hacking group TA542, responsible for Emotet phishing campaigns, is testing new tactics on narrowed audiences. Following Microsoft’s decision to disable Visual Basic for Applications (VBA) macros, the actors are replacing macro-enabled Excel and Word attachments with OneDrive links that ultimately execute the Emotet payload. Experts warn that TA542 might soon bolster its efforts and use these new tactics alongside its previous high-volume campaign.
ATTACK TYPE
Malware
(Ransomware)
ATTACK TYPE
Malware
(Ransomware)
Verizon Report Reveals Data Breach Details
Verizon’s annual data breach investigations report showed how a company’s own actions may not save it from ransomware attacks. According to the report, over 80% of breaches involve some form of human element. Additionally, 62% of intrusions occur because an organizational partner was compromised. One business’s actions can compromise a partner, even if the partner acted safely. Verizon’s chief executive noted that ongoing education and a robust security framework are critical to staying protected.
U.S. Educational Institutions Target of PII Theft:
In May 2021, an FBI investigation found over 30,000 instances of stolen login credentials for “.edu” email accounts. Malicious actors use tactics such as spear-phishing or ransomware to collect and sell data to secondary actors. Secondary actors then use the credential data to access a user’s accounts across other websites. These activities jeopardize both an individual user’s Personally Identifiable Information (PII) and any organizations affiliated with the account.
ATTACK TYPE
Data Breach
Conclusion
Proactively protecting your business can be challenging and complicated, but it is a necessity in today’s world of tenacious and creative attackers. Do not be another statistic, do not be low hanging fruit, and do not be a victim to cyber-attacks. Please contact Robinett Consulting for more information.


