Quarterly security report

2022 Q2

Robinett Consulting

Robinett Consulting knows that a proper defense against cyber security threats is critical to preventing potential loss to your business. To keep your company safe, we take a layered approach: we first assess your risks and then provide the protections best suited to your situation. Whether you are a small business or an enterprise, we customize the solution to your specific security needs. This report outlines three of those security layers, and some of the solutions we offer for each, that you should know about to properly protect your business: Edge Protection, Multi-Factor Authentication, and Dark Web Monitoring.

Edge Protection

Proactive Protection

The perimeter of an organization is a common vector for attacks. Attackers must get through the edge to get to valuable assets: proactive security here mitigates risks and reduces your exposure.

Perimeter Security

Edge Protection acts like a guard post and patrol along the perimeter of a secured area. This security deters attackers and is a major proactive defense for protecting your environment.


Solutions:

The following Edge Protection solutions are Cisco firewalls backed by Talos. Talos backs all Cisco products and is made up of world-class researchers, analysts, and engineers; it is one of the largest threat intelligence teams and an industry leader in threat intelligence.

Meraki Firewall

  • KEY METRICS

    • Simplified management within a seamless single pane on a web browser.

    • Tailored for SoHo and Branch sites.

    • Next Generation Firewall and IPS.

    • Can be managed by web browser in the cloud.

Adaptive Security Appliance

  • KEY METRICS

    • Traditional/Stateful Firewall.

    • Multi-context Firewall.

    • Remote Access VPN Headend.

    • Upgradable to Next Generation capabilities.

    • Can be managed by CDO or ASDM.

Firepower Threat Defense

  • KEY METRICS

    • Next Generation IPS.

    • Next Generation Firewall.

    • Advanced Network Visibility and Threat Analytics.

    • Incident response and threat investigation.

    • Can be managed by CDO, FMC, or FDM.

What Edge Protection Keeps Out

Phishing Campaign Infects Users with Snake Keylogger:

A recent phishing campaign exploits a two-decade-old Microsoft bug to infect victims with the Snake Keylogger. Victims receive an email with a PDF allegedly regarding a remittance invoice. After opening the PDF, the document prompts users to open a .docx file. Opening the file without Protected View enabled connects the victim to a web address that ultimately loads the Snake Keylogger onto the victim’s device.

*https://threatpost.com/snake-keylogger-pdfs/179703/

ATTACK TYPE: Phishing

Trojan Exploits Internet Explorer Flaw:

Malicious actors are exploiting an Internet Explorer flaw from 2021 to steal user data. Victims who visit a compromised website can receive an exploit kit that delivers the RedLine Stealer trojan. The trojan then scans a victim’s system and leverages additional malware to steal information. RedLine Stealer is heavily encrypted and difficult to detect. Recent campaigns are targeting several countries, especially Brazil and Germany.

*https://thehackernews.com/2022/04/new-rig-exploit-kit-campaign-infecting.html

ATTACK TYPE: Data Breach

Microsoft Windows Support Diagnostic Tool Allows for Remote Code Execution:

A zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), referred to as ‘Follina,’ allows attackers to run malicious code on a user’s machine when MSDT is called through an application’s URL protocol. It took a while for Microsoft to patch this vulnerability, but users could work around it by disabling the MSDT URL protocol and using Windows Defender, which was updated to defend against the malware typically used in these attacks. The June Patch Tuesday release patched this vulnerability.

*https://blog.talosintelligence.com/2022/06/msdt-follina-coverage.html?utm_source=feedburner&utm_medium=email

ATTACK TYPE: Vulnerability

Zero-Day Flaw Threatens Microsoft Office Users:

A zero-day flaw that allows threat actors to exploit Microsoft Office has been known since at least April 2022. Threat actors can use the “ms-msdt:” URI scheme to gain privileges and carry out follow-up attacks on users. The vulnerability affects Microsoft Office 2013 through 2021, including Professional Plus. On April 21, 2022, Microsoft claimed to have fixed the issue. However, the company has also issued workaround guidance and noted that opening documents in Protected View will stop attacks.

*https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html

ATTACK TYPE: Exploit
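The two MSDT items above both come down to a document reaching out to the ms-msdt: URL protocol. As an added example, not code from this report or from any of its cited sources, here is a small Python check that flags a .docx for two indicators a defender can alert on: the literal ms-msdt: URI anywhere in the package, and an OLE object relationship whose target lies outside the document. The choice of indicators and the sample relationship parts are assumptions constructed for the example.

```python
"""Scan a .docx package for indicators tied to the MSDT ("Follina") class of attack.
Added example, not from the report or its sources; the chosen indicators are an assumption."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_URI = re.compile(rb"ms-msdt:", re.IGNORECASE)

def scan_docx(data: bytes) -> list:
    """Return human-readable findings for a .docx supplied as bytes; empty list if clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(content)
                for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                    # Ordinary hyperlinks are external too; only external OLE object links are flagged.
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL:
                        findings.append(f"{name}: external OLE object link to {rel.get('Target')}")
            if MSDT_URI.search(content):
                findings.append(f"{name}: contains an ms-msdt: URI")
    return findings

def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed fixture: a minimal zip shaped like a .docx, carrying the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed relationship parts: a normal hyperlink, and an OLE object linked to a remote page.
BENIGN_RELS = (
    f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" TargetMode="External" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    'Target="https://example.invalid/"/></Relationships>'
)
SUSPICIOUS_RELS = (
    f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId2" TargetMode="External" '
    f'Type="{OLE_REL}" Target="https://example.invalid/linked.html"/></Relationships>'
)

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan_docx(build_sample_docx(rels)) or ["no findings"])
```

Real documents carry many more parts than the fixture, but the scan walks every entry in the package, so it applies unchanged to a genuine .docx read from disk.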

Multi-Factor Authentication

Strengthened Security

Having a reliable Multi-Factor Authentication (MFA) solution is important because even if you have strong passwords, your credentials are still at risk.

Your passwords for third-party sites might be encrypted, but they must be stored somewhere, and the security of that storage can be compromised without you being immediately aware.


To add a layer of security that allows your company to easily meet compliance requirements for access and user authentication controls, Robinett Consulting offers Duo, Cisco’s Multi-Factor Authenticator.

Easy Implementation

  • KEY METRICS

    • Duo protects many of the applications your business uses and provides secure access to them.

    • Once you have gotten started with Duo, your users will have a variety of authentication options that allow for security without interrupting their individual workflow.

Scalability

  • KEY METRICS

    • Duo’s self-enrollment feature for company members makes deploying and implementing Duo easy and worry free.

    • This also means that as your company grows, Duo enrollment will easily scale with your growth.

Control and Monitoring

  • KEY METRICS

    • Duo allows you to differentiate personal and business devices, assess the security of all devices, and identify and monitor potentially risky devices.

    • In addition, you can implement role-based access to control which devices can access applications based on hygiene or ownership.

What Multi-Factor Authentication Helps Mitigate

Mailchimp Hack Leads to Phishing Attacks:

A malicious actor gained unauthorized access to Mailchimp employee information, which in turn compromised user data. This data breach allowed the actor to launch phishing campaigns via user mailing lists. One known phishing attack was levied against Trezor, a cryptocurrency company. However, the extent of the hack’s damage is still uncertain. Mailchimp recommends that customers enable two-factor authentication to guard against future takeover attacks.

*https://thehackernews.com/2022/04/hackers-breach-mailchimp-email.html

ATTACK TYPE: Phishing

Azure Vulnerability Permitted Unauthorized Access:

Microsoft noted a permissions bug that threatened the data integrity of Azure customers. The bug could have allowed malicious actors to bypass standard authentication steps and gain unauthorized access to customer databases. Wiz, a cloud security company, discovered that the vulnerability is connected to changes to the PostgreSQL database. Microsoft claims that no evidence exists of malicious actors using the flaw against its customers.

*https://thehackernews.com/2022/04/microsoft-azure-vulnerability-exposes.html

ATTACK TYPE: Data Breach

BlackCat Group Found Stealing Information and Performing Ransomware Attacks:

A group of malicious actors known as BlackCat has been found exploiting unpatched Exchange servers to steal sensitive information and deploy ransomware. The group steals user credentials to get into a network and then accesses as much information as possible. They take intellectual property and other sensitive data before deploying ransomware on the attacked network. Their attacks leverage varying Exchange Server exploits, so no two attacks have been identical thus far.

*https://thehackernews.com/2022/06/blackcat-ransomware-gang-targeting.html

ATTACK TYPE: Exploit


Dark Web Monitoring (DWID)

Credentials for accounts can be found on the Dark Web for less than the price of a small coffee. Once bought, access to these credentials can cause a business to close its doors.

What is the Dark Web?

The area of the internet that you access every day is just the surface of the internet. Underneath is the deep web and the Dark Web; it is in the Dark Web that a wealth of stolen data circulates for sale.

How would your credentials end up on the Dark Web?

  • Your credentials can be keylogged or phished when entered on a fake website, or stolen by malicious software.
  • Third-party data breaches leak large amounts of information when an outside website or database that holds information related to your credentials is hacked.
  • Accidental and malicious exposure are also risks, as your data may inadvertently or intentionally be shared on the internet.


You can’t control a data breach, but you can control whether the leaked data is still valid. To monitor and mitigate the threat of stolen credentials, Robinett Consulting offers 24/7 monitoring with Dark Web ID.

What does DWID do?

DWID alerts you when your information is found on the Dark Web. The earlier you know what information is out there, the sooner you can secure your credentials.

You may not be aware that your credentials are on the Dark Web, but, if they are, we will let you know and inform you of any personal information that has been leaked along with those credentials.

Dark Web ID scours the Dark Web to find your information on:

  • Dark Web Chatrooms
  • Hacking Sites
  • Hidden Theft Forums
  • Peer-to-Peer file sharing networks
  • Other Black Market Sites

What Monitoring the Dark Web Helps Mitigate

Hackers Evolve Methods to Combat Microsoft Changes:

Hacking group TA542, responsible for Emotet phishing campaigns, is testing new tactics on narrower audiences. Following Microsoft’s decision to disable Visual Basic for Applications (VBA) macros, the actors are replacing macro-enabled Excel and Word attachments with OneDrive links that ultimately execute the Emotet payload. Experts warn that TA542 might soon bolster its efforts and use these new tactics alongside its previous high-volume campaign.

*https://thehackernews.com/2022/04/emotet-testing-new-delivery-ideas-after.html

ATTACK TYPE: Malware (Ransomware)

Verizon Report Reveals Data Breach Details:

Verizon’s annual data breach investigation report showed that a company’s own actions may not be enough to save it from ransomware attacks. According to the report, over 80% of breaches involve some form of human element. Additionally, 62% of intrusions occur because an organizational partner was compromised. One business’s actions can compromise a partner, even if the partner acted safely. Verizon’s chief executive noted that ongoing education and a robust security framework are critical to staying protected.

*https://www.msspalert.com/cybersecurity-research/ransomware-breach-rates-what-verizon-research-shows/?mkt_tok=MTg4LVVOWi02NjAAAAGEn4hHtF1_PeVTbLuLTHyfu9_E2YWwMvLtc_ttzkQMDRBojo9rx1-f9nwZbYgo9ON4tXiriptky1BlMjA5uoGFZykJ2x6FXZynMZPypyQ

ATTACK TYPE: Malware (Ransomware)

U.S. Educational Institutions Target of PII Theft:

In May 2021, an FBI investigation found over 30,000 instances of stolen login credentials for “.edu” email accounts. Malicious actors use tactics such as spear-phishing or ransomware to collect and sell data to secondary actors. Secondary actors then use the credential data to access a user’s accounts across other websites. These activities jeopardize both an individual user’s Personally Identifiable Information (PII) and any organizations affiliated with the account.

*https://thehackernews.com/2022/05/fbi-warns-about-hackers-selling-vpn.html

ATTACK TYPE: Data Breach

Conclusion

Proactively protecting your business can be challenging and complicated, but it is a necessity in today’s world of tenacious and creative attackers. Do not be another statistic, do not be low-hanging fruit, and do not be a victim of cyber-attacks. Please contact Robinett Consulting for more information.
