Press Releases

State, Local, Federal Cybersecurity Executives Confer On 2022 Threats, Attack Landscape


Inaugural Cybersecurity in Government Virtual Summit to include CISO Public Sector Discussion Forums this week.

WASHINGTON, D.C. – OCTOBER 18, 2021 – Data Connectors, representing the largest cybersecurity community in North America, has announced a first-of-its-kind online event. Over 50,000 professionals focused on information security, risk, and governance have been invited for a Virtual Summit that will debate key issues.

The 2021 Cybersecurity in Government Virtual Summit will fuel a discussion among attendees and invited executive guests that have been wrangling with a continued deluge of cyber-attacks over the past 18 months (SolarWinds, Kaseya, Colonial Pipeline, etc.), alongside increased focus related to the most recent Executive Order on Cybersecurity.

Keynote presentations include John Felker, Former Assistant Director of the Department of Homeland Security’s (DHS) Cyber Infrastructure Security Agency (CISA), as well as Mark McIntyre, Chief Security Advisor from Microsoft Federal.

“The reality for cybersecurity leaders in the public sector can be more challenging than it is for their commercial business counterparts,” said Dawn Morrissey, CEO and Founder at Data Connectors. “The Summit this week will focus on important collaboration to help them overcome the issues they face with regard to ransomware, cyber skills and staffing concerns, as well as the changing threat landscape,” she concluded.

The summit will feature four expert panel discussions with well-known Chief Information Security Officers (CISOs) from state, federal, local government organizations as well as higher education. Community members in attendance are also executives at those same concerns, from across the US and Canada.

 

Some of the invited panelists include:

  • Shane Barney, CISO at USCIS-Department of Homeland Security
  • Dr. Brian Gardner, CISO, City of Dallas
  • James Wolff, Associate Administrator, CIO at U.S. Department of Energy
  • Nathan Shiflet, Former CISO, State of Florida
  • Aaron Verdell Call, CISO, WPS Health Solutions & Former CISO at State of Minnesota
  • Jeffrey Brown, CISO of State of Connecticut
  • Lester Godsey, CISO, Maricopa County, Arizona
  • Scott St. Pierre, Deputy Director, Cybersecurity Division at U.S. Navy
  • Shannon Lawson, ACIO/CISO, City of Phoenix

 

Attendees will ask questions and interact with the experts, as well as each other and the organizations who will feature their solutions at the event. Featured solutions providers at this summit include Attivo Networks, Ivanti, Axio, Cisco and many more.

Registration is FREE for qualified professionals, who can also obtain Continuing Professional Education (CPE) credits for participation. More information for the Summit can be found at dataconnectors.com/cyberingov.

About Data Connectors
Since 1999, Data Connectors (dataconnectors.com) has facilitated collaboration between senior cybersecurity professionals, government/law enforcement agencies, industry luminaries, and solution providers. Today, the community comprises over 650,000 members and 250 active vendor partners across North America. Members enjoy informative education, networking, and support via our award-winning Virtual Summits, live conferences, Web Briefings, and regular communications.


Press Releases Posted by Emily Ramsey on Oct 18, 2021

Your Weekly DHS/CISA Threat Assessment (September 3)

Stay tuned for this update each week. This is a joint cybersecurity weekly product from the Missouri Information Analysis Center, St. Louis Fusion Center, Kansas City Regional Fusion Center and the Missouri Office of Homeland Security.

 

FBI Shares Technical Details for Hive Ransomware

The Federal Bureau of Investigation (FBI) has released some technical details and indicators of compromise associated with Hive ransomware attacks. In a rare occurrence, the FBI has included the link to the leak site where the ransomware gang publishes data stolen from companies that did not pay. Hive ransomware relies on a diverse set of tactics, techniques, and procedures, which makes it difficult for organizations to defend against its attacks, the FBI says. Among the methods that the gang uses to gain initial access and to move laterally on the network, there are phishing emails with malicious attachments and the Remote Desktop Protocol (RDP).

 

How to Stay Secure from Ransomware Attacks this Labor Day Weekend

Labor Day weekend is just around the corner and, believe it or not, cybercriminals are likely just as excited as you are! Ransomware gangs have nurtured a nasty habit of starting their attacks at the least convenient times: when computers are idle, when employees who might notice a problem are out of the office, and when the IT or security staff who might deal with it are shorthanded. They like to attack at night and on weekends, and they love a holiday weekend. Indeed, while many people are looking forward to catching up with friends and family this Labor Day weekend, cybercrime gangs are likely huddling, too, planning to attack somebody. On the last big holiday weekend, Independence Day, attackers using REvil ransomware celebrated with an enormous supply-chain attack on Kaseya, one of the biggest IT solutions providers in the US for managed service providers (MSPs). Threat actors used a Kaseya VSA auto-update to push ransomware into more than 1,000 businesses.

 

How Ransomware Runs the Underground Economy

The unwanted attention recently attracted by ransomware attacks caused several of the top cybercrime forums to ban ransomware discussions and transactions on their platforms earlier this year. While some hoped this might have a significant impact on the ability of ransomware groups to organize themselves, the bans only pushed their activity further underground, making it harder for security researchers and companies to monitor it. If anything, the attacks in the months that followed the forum bans have been more potent and audacious than ever. The truth is that ransomware is the lifeblood of the cybercrime economy and it will take extraordinary measures to put an end to it. The groups coordinating the attacks are highly professionalized and in many ways resemble modern corporate structures with development teams, sales and PR departments, external contractors, and service providers that all get a cut from the illegal proceeds. They even use business lingo in their communications with victims, referring to them as clients who buy their data decryption services.

 

Cold Wallet, Hot Wallet, or Empty Wallet? What is the Safest Way to Store Cryptocurrency?

In August of 2021, a thief stole about $600 million in cryptocurrencies from The Poly Network. They ended up giving it back, but not because they were forced to. Slightly more than one week later, Japanese cryptocurrency exchange Liquid was hacked and lost $97 million worth of digital coins. These examples of recent news about hacked cryptocurrency exchanges left many investors wondering whether it was still smart to invest in cryptocurrencies and how to keep them safe. We can’t answer the first question for you. I wish I knew. But we can explain the terminology, the methods, and the risks, so you can decide which would be best for you.

 

CISA Adds Single-Factor Authentication to the List of Bad Practices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added single-factor authentication to the shortlist of “exceptionally risky” cybersecurity practices that could expose critical infrastructure as well as government and private sector entities to devastating cyberattacks. Single-factor authentication is a method of signing in users to websites and remote systems by using only one way of verifying their identity, typically a combination of username and password. It’s considered to be of low security since it heavily relies on “matching one factor — such as a password — to a username to gain access to a system.” But with weak, reused, and common passwords posing a grave threat and emerging as a lucrative attack vector, the use of single-factor authentication can lead to unnecessary risk of compromise and increase the possibility of account takeover by cybercriminals.

 

Cybersecurity Advisory: Top Routinely Exploited Vulnerabilities

This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021. Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.

 

File Upload Security Best Practices Rarely Implemented to Protect Web Applications

Despite a marked increase in concerns around malware attacks and third-party risk, only 8% of organizations with web applications for file uploads have fully implemented the best practices for file upload security, a report from OPSWAT reveals. Most concerning, one-third of organizations with a web application for file uploads do not scan all file uploads to detect malicious files and a majority do not sanitize file uploads with CDR to prevent unknown malware and zero-day attacks. “The hybrid workspace has been driving digital transformation and cloud migration initiatives for a while now, and the rise of cloud services, mobile devices, and remote workers has driven organizations to develop and deploy web applications that enhance the experience for their customers, partners, and employees,” said Benny Czarny, CEO at OPSWAT. “Web applications for file uploads help to streamline their business by making it faster, easier, and less expensive to submit and share documents. Consequently, this adoption has also introduced new attack surfaces that organizations are not effectively protecting.”

 

Cyberattackers are Now Quietly Selling Off Their Victim’s Internet Bandwidth

Cyberattackers are now targeting their victim’s internet connections to quietly generate illicit revenue following a malware infection. On Tuesday, researchers from Cisco Talos said “proxyware” is becoming noticed in the cybercrime ecosystem and, as a result, is being twisted for illegal purposes. Proxyware, also known as internet-sharing applications, are legitimate services that allow users to portion out part of their internet connection for other devices, and may also include firewalls and antivirus programs. Other apps will allow users to ‘host’ a hotspot internet connection, providing them with cash every time a user connects to it. It is this format, provided by legitimate services including Honeygain, PacketStream, and Nanowire, which is being used to generate passive income on behalf of cyber attackers and malware developers.

 

Cybercriminal Sells Tool to Hide Malware in AMD, NVIDIA GPUs

Cybercriminals are making strides towards attacks with malware that can execute code from the graphics processing unit (GPU) of a compromised system. While the method is not new and demo code has been published before, projects so far came from the academic world or were incomplete and unrefined. Earlier this month, the proof-of-concept (PoC) was sold on a hacker forum, potentially marking cybercriminals’ transition to a new sophistication level for their attacks.

 

China’s Microsoft Hack May Have Had a Bigger Purpose Than Just Spying

NPR’s months-long examination of the attack — based on interviews with dozens of players from company officials to cyber forensics experts to U.S. intelligence officials — found that stealing emails and intellectual property may only have been the beginning. Officials believe that the breach was in the service of something bigger: China’s artificial intelligence ambitions. The Beijing leadership aims to lead the world in a technology that allows computers to perform tasks that traditionally required human intelligence — such as finding patterns and recognizing speech or faces. “There is a long-term project underway,” said Kiersten Todt, who was the executive director of the Obama administration’s bipartisan commission on cybersecurity and now runs the Cyber Readiness Institute. “We don’t know what the Chinese are building, but what we do know is that diversity of data, quality of data aggregation, accumulation of data is going to be critical to its success.”

 

T-Mobile Hack Involved Exposed Router, Specialized Tools and Brute Force Attacks

T-Mobile’s CEO and an individual who claims to be behind the recent hacking of the mobile carrier’s systems have shared some information about how the attack was carried out. In a statement issued on Friday, Mike Sievert, CEO of T-Mobile, said that while the company’s investigation into the incident was “substantially complete,” he could not share too many technical details due to the criminal investigation conducted by law enforcement. He did, however, share a high-level summary of the attack. “What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data,” he said. “In short, this individual’s intent was to break in and steal data, and they succeeded.”

 

DMARC 101: How to Keep Phishing Attacks Out of Your Inbox

You have the latest antivirus program. The firewall is turned on. Passwords are strong and frequently updated. Now you can sleep at night knowing your organization is safe from cyberattacks, right? Well, at least until John from HR decides to log in from a link he received in an email. He probably knew not to click on suspicious emails, but what is considered suspicious? That email could have arrived from your own domain. Attackers can spoof your domain to trick employees or your customers into divulging confidential information or downloading a malicious file attachment. Phishing emails are arriving with smarter baiting tactics, becoming harder to identify. Defenses need to catch up as well. Security teams, especially those responsible for domain integrity, should make sure to correctly implement the three anti-phishing standards: SPF, DKIM, and DMARC.

 

Increase in Credential Phishing and Brute Force Attacks Causing Financial and Reputational Damage

Abnormal Security released a report which examines the escalating adverse impact of socially engineered and never-seen-before email attacks and other advanced email threats—both financial and reputational—to organizations worldwide. The report surveyed advanced email attacks across eight major industry sectors, including retail and consumer goods; manufacturing; technology; energy and infrastructure services; medical; media and television; finance; and hospitality. 32.5% of all companies were targeted by brute force attacks in early June 2021; 137 account takeovers occurred per 100,000 mailboxes for members of the C-suite; 61% of organizations experienced a vendor email compromise attack this quarter; 22% more business email compromise attacks since Q4 2020; 60% chance of a successful account takeover each week for organizations with 50,000+ employees; 73% of all advanced threats were credential phishing attacks; 80% probability of attack every week for retail and consumer goods, technology, and media and television companies.

 

See Something/Say Something

The three Missouri Fusion Centers: the St. Louis Fusion Center, the Missouri Information Analysis Center, and the Kansas City Regional Fusion Center have teamed up with the Missouri Office of Homeland Security and P3 to create a Suspicious Cyber Activity Reporting Tool. The Suspicious Cyber Activity Reporting Tool is accessible on the SafeNation App.


Press Releases Posted by Data Connectors Newsroom on Sep 3, 2021

CISA Alert: Ransomware Awareness for Holidays and Weekends

Intrusive relatives, major storm systems, and never-ending traffic have all been blamed for ruining our most beloved holidays; don’t let a ransomware attack be the most devastating party crasher of all.

With Labor Day weekend rapidly approaching, DHS – CISA released an alert regarding an observed increase in highly impactful ransomware attacks over holidays and on weekends, strategically timed for when businesses are closed and at their most vulnerable. The exponential rise of ransomware in the last few years continues to be a consistent threat. Protect yourself and your business by reading the Ransomware Awareness for Holidays and Weekends alert.

 

Summary

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information to provide awareness to be especially diligent in your network defense practices in the run-up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.


 

Threat Overview

Recent Holiday Targeting

Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cybercriminals, however, may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.

  • In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
  • In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.
  • In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.

Ransomware Trends

The FBI’s Internet Crime Complaint Center (IC3), which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime—a record number—from the American public in 2020, with reported losses exceeding $4.1 billion. This represents a 69 percent increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020.[1] The following ransomware variants have been the most frequently reported to FBI in attacks over the last month.

  • Conti
  • PYSA
  • LockBit
  • RansomEXX/Defray777
  • Zeppelin
  • Crysis/Dharma/Phobos

The destructive impact of ransomware continues to evolve beyond encryption of IT assets. Cybercriminals have increasingly targeted large, lucrative organizations and providers of critical services with the expectation of higher value ransoms and increased likelihood of payments. Cybercriminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption, to further encourage payment of ransom. (See CISA’s Fact Sheet: Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches.) Malicious actors have also added tactics, such as encrypting or deleting system backups—making restoration and recovery more difficult or infeasible for impacted organizations.

Although cybercriminals use a variety of techniques to infect victims with ransomware, the two most prevalent initial access vectors are phishing and brute-forcing unsecured remote desktop protocol (RDP) endpoints. Additional common means of initial infection include deployment of precursor or dropper malware; exploitation of software or operating system vulnerabilities; exploitation of managed service providers with access to customer networks; and the use of valid, stolen credentials, such as those purchased on the dark web. Precursor malware enables cyber actors to conduct reconnaissance on victim networks, steal credentials, escalate privileges, exfiltrate information, move laterally on the victim network, and obfuscate command-and-control communications. Cyber actors use this access to:

  • Evaluate a victim’s ability to pay a ransom.
  • Evaluate a victim’s incentive to pay a ransom to:
    • Regain access to their data and/or
    • Avoid having their sensitive or proprietary data publicly leaked.
  • Gather information for follow-on attacks before deploying ransomware on the victim network.

Threat Hunting

The FBI and CISA suggest organizations engage in preemptive threat hunting on their networks. Threat hunting is a proactive strategy to search for signs of threat actor activity to prevent attacks before they occur or to minimize damage in the event of a successful attack. Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements: understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems.

  • Understand the IT environment’s routine activity and architecture by establishing a baseline. By implementing a behavior-based analytics approach, an organization can better assess user, endpoint, and network activity patterns. This approach can help an organization remain alert on deviations from normal activity and detect anomalies. Understanding when users log in to the network—and from what location—can assist in identifying anomalies. Understanding the baseline environment—including the normal internal and external traffic—can also help in detecting anomalies. Suspicious traffic patterns are usually the first indicators of a network incident but cannot be detected without establishing a baseline for the corporate network.
  • Review data logs. Understand what standard performance looks like in comparison to suspicious or anomalous activity. Things to look for include:
    • Numerous failed file modifications,
    • Increased CPU and disk activity,
    • Inability to access certain files, and
    • Unusual network communications.
  • Employ intrusion prevention systems and automated security alerting systems—such as security information event management software, intrusion detection systems, and endpoint detection and response.
  • Deploy honeytokens and alert on their usage to detect lateral movement.

Indicators of suspicious activity that threat hunters should look for include:

  • Unusual inbound and outbound network traffic,
  • Compromise of administrator privileges or escalation of the permissions on an account,
  • Theft of login and password credentials,
  • Substantial increase in database read volume,
  • Geographical irregularities in access and log-in patterns,
  • Attempted user activity during anomalous log-on times,
  • Attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and
  • Baseline deviations in the type of outbound encrypted traffic since advanced persistent threat actors frequently encrypt exfiltration.
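The baseline and log-review guidance above, applied to remote log-on records, as an added example that is not part of the FBI/CISA alert: it learns each account's usual log-on hours and sources, then flags successful log-ons that deviate from that baseline and bursts of failures from one source. The record layout, thresholds, function names, and holiday set are assumptions; the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import date, datetime, timedelta

# Constructed sample data (not real logs): ISO timestamp, Windows Security
# event ID (4624 = logon success, 4625 = logon failure), account, source.
SAMPLE_LOG = """\
2021-08-30T08:52:11 4624 alice 10.0.4.21
2021-08-30T09:03:40 4624 bob 10.0.4.35
2021-08-31T08:47:02 4624 alice 10.0.4.21
2021-08-31T09:10:19 4624 bob 10.0.4.35
2021-09-01T09:01:55 4624 alice 10.0.4.21
2021-09-02T17:20:30 4624 bob 10.0.4.35
2021-09-03T08:58:03 4624 alice 10.0.4.21
2021-09-05T02:13:01 4625 svc_backup 203.0.113.77
2021-09-05T02:13:04 4625 svc_backup 203.0.113.77
2021-09-05T02:13:09 4625 svc_backup 203.0.113.77
2021-09-05T02:13:15 4625 bob 203.0.113.77
2021-09-05T02:13:22 4625 bob 203.0.113.77
2021-09-05T02:14:40 4624 bob 203.0.113.77
2021-09-06T10:05:00 4624 alice 10.0.4.21
"""

# Assumption: each organization maintains its own holiday calendar.
HOLIDAYS = {date(2021, 9, 6)}  # Labor Day 2021


def parse(text):
    """Return (timestamp, event_id, user, source) tuples in time order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of failing
        ts, event_id, user, src = parts
        events.append((datetime.fromisoformat(ts), int(event_id), user, src))
    return sorted(events)


def build_baseline(events, until):
    """Learn per-user log-on hours and sources from successes before `until`."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set()})
    for ts, event_id, user, src in events:
        if event_id == 4624 and ts.date() < until:
            baseline[user]["hours"].add(ts.hour)
            baseline[user]["sources"].add(src)
    return baseline


def hour_gap(a, b):
    """Distance between two hours of day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)


def hunt(events, baseline, since, holidays=HOLIDAYS,
         burst=5, window=timedelta(minutes=10)):
    """Flag deviations from the baseline in events on or after `since`."""
    findings = []
    recent_failures = defaultdict(deque)  # source -> recent failure times
    for ts, event_id, user, src in events:
        if ts.date() < since:
            continue
        fails = recent_failures[src]
        while fails and ts - fails[0] > window:
            fails.popleft()  # keep only failures inside the sliding window
        if event_id == 4625:
            fails.append(ts)
            if len(fails) == burst:  # report once, when the threshold is hit
                findings.append((ts, src, user, ["failure_burst"]))
            continue
        if event_id != 4624:
            continue
        reasons = []
        known = baseline.get(user)
        if known is None:
            reasons.append("no_baseline")
        else:
            if src not in known["sources"]:
                reasons.append("new_source")
            if all(hour_gap(ts.hour, h) > 1 for h in known["hours"]):
                reasons.append("off_hours")
        if len(fails) >= burst:
            reasons.append("success_after_failure_burst")
        # A quiet day only raises priority; an in-baseline logon on a holiday
        # (alice on Labor Day in the sample) is not reported by itself.
        if reasons and (ts.weekday() >= 5 or ts.date() in holidays):
            reasons.append("weekend_or_holiday")
        if reasons:
            findings.append((ts, src, user, reasons))
    return findings


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    base = build_baseline(evts, until=date(2021, 9, 4))
    for ts, src, user, reasons in hunt(evts, base, since=date(2021, 9, 4)):
        print(ts.isoformat(), src, user, ",".join(reasons))
```
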

See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. Also, review the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide.

Cyber Hygiene Services

CISA offers a range of no-cost cyber hygiene services—including vulnerability scanning and ransomware readiness assessments—to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors.

 

Ransomware Best Practices

The FBI and CISA strongly discourage paying a ransom to criminal actors. Payment does not guarantee files will be recovered, nor does it ensure protection from future breaches. Payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of malware, and/or fund illicit activities. Regardless of whether you or your organization decide to pay the ransom, the FBI and CISA urge you to report ransomware incidents to CISA, a local FBI field office, or by filing a report with IC3 at IC3.gov. Doing so provides the U.S. Government with critical information needed to help victims, track ransomware attackers, hold attackers accountable under U.S. law, and share information to prevent future attacks.

Information Requested

Upon receiving an incident report, the FBI or CISA may seek forensic artifacts, to the extent that affected entities determine such information can be legally shared, including:

  • Recovered executable file(s),
  • Live memory (RAM) capture,
  • Images of infected systems,
  • Malware samples, and
  • Ransom note.

 

Recommended Mitigations

The FBI and CISA highly recommend organizations continuously and actively monitor for ransomware threats over holidays and weekends.[2] Additionally, the FBI and CISA recommend identifying IT security employees to be available and “on-call” during these times, in the event of a ransomware attack. The FBI and CISA also suggest applying the following network best practices to reduce the risk and impact of compromise.

Make an offline backup of your data.

  • Make and maintain offline, encrypted backups of data and regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline as many ransomware variants attempt to find and delete or encrypt accessible backups.
  • Review your organization’s backup schedule to take into account the risk of a possible disruption to backup processes during weekends or holidays.

Do not click on suspicious links.

  • Implement a user training program and phishing exercises to raise awareness among users about the risks involved in visiting malicious websites or opening malicious attachments and to reinforce the appropriate user response to phishing and spearphishing emails.

If you use RDP—or other potentially risky services—secure and monitor.

  • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA. If RDP must be available externally, it should be authenticated via VPN.
  • Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts, log RDP login attempts, and disable unused remote access/RDP ports.
  • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389).
  • Disable or block Server Message Block (SMB) protocol outbound and remove or disable outdated versions of SMB. Threat actors use SMB to propagate malware across organizations.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Open document readers in protected viewing modes to help prevent active content from running.

Update your OS and software; scan for vulnerabilities.

  • Upgrade software and operating systems that are no longer supported by vendors to currently supported versions. Regularly patch and update software to the latest available versions. Prioritize timely patching of internet-facing servers—as well as software processing internet data, such as web browsers, browser plugins, and document readers—for known vulnerabilities. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which network assets and zones should participate in the patch management program.
  • Automatically update antivirus and anti-malware solutions and conduct regular virus and malware scans.
  • Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices. (See the Cyber Hygiene Services section above for more information on CISA’s free services.)

Use strong passwords.

  • Ensure strong passwords and challenge responses. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.

Use multi-factor authentication.

  • Require multi-factor authentication (MFA) for all services to the extent possible, particularly for remote access, virtual private networks, and accounts that access critical systems.

Secure your network(s): implement segmentation, filter traffic, and scan ports.

  • Implement network segmentation with multiple layers, with the most critical communications occurring in the most secure and reliable layer.
  • Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
  • Scan network for open and listening ports and close those that are unnecessary.
  • For companies with employees working remotely, secure home networks—including computing, entertainment, and Internet of Things devices—to prevent a cyberattack; use separate devices for separate activities; and do not exchange home and work content.

Secure your user accounts.

  • Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
  • Regularly audit logs to ensure new accounts are legitimate users.

Have an incident response plan.

  • Create, maintain, and exercise a basic cyber incident response plan that:
    • Includes procedures for response and notification in a ransomware incident and
    • Plans for the possibility of critical systems being inaccessible for a period of time.

Note: for help with developing your plan, review available incident response guidance, such as the Public Power Cyber Incident Response Playbook and the Ransomware Response Checklist in the CISA-MS-ISAC Joint Ransomware Guide.

If your organization is impacted by a ransomware incident, the FBI and CISA recommend the following actions.

  • Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.
  • Turn off other computers and devices. Power off and segregate (i.e., remove from the network) the infected computer(s). Power off and segregate any other computers or devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering off and segregating infected computers from computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.
  • Secure your backups. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.

 

Immediate Actions You Can Take Now to Protect Against Ransomware


• Make an offline backup of your data.
• Do not click on suspicious links.
• If you use RDP, secure and monitor it.
• Update your OS and software.
• Use strong passwords.
• Use multi-factor authentication.

 

Additional Resources

For additional resources related to the prevention and mitigation of ransomware, go to https://www.stopransomware.gov as well as the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. Stopransomware.gov is the U.S. Government’s new, official one-stop location for resources to tackle ransomware more effectively. Additional resources include:

CISA Alert: Ransomware Awareness for Holida …

Hot Topics in Cybersecurity Posted by Michael Hiskey on Sep 1, 2021

Your Weekly DHS/CISA Threat Assessment (July 28)

Stay tuned for this update each week. This is a joint cybersecurity weekly product from the Missouri Information Analysis Center, St. Louis Fusion Center, Kansas City Regional Fusion Center and the Missouri Office of Homeland Security.

Businesses Fall Victim to Ransomware Despite Precautions

According to a new survey of 200 decision makers in businesses that had suffered a ransomware attack since 2019, more than half of victims had received anti-phishing training and 49 percent had perimeter defenses in place at the time of attack. The study conducted by Sapio Research for Cloudian finds that phishing continues to be one of the easiest paths for ransomware, with 24 percent of attacks starting this way. Phishing succeeds despite the fact that 54 percent of all respondents and 65 percent of those that reported it as the entry point have conducted anti-phishing training for employees. The public cloud is the most common point of entry for ransomware, with 31 percent of respondents being attacked this way. Once an attack is under way, things happen quickly: 56 percent of survey respondents report that attackers were able to take control of their data and demand a ransom within just 12 hours, and another 30 percent say it happened within 24 hours.

 

Success of Ransomware Attacks Shows the State of Cybersecurity

According to a new study of over 1,000 enterprise IT professionals around the world, 40 percent of organizations confirm they have fallen victim to a phishing attack in the last month, with 74 percent experiencing one in the last year. The research from automation platform Ivanti also shows that 80 percent of respondents say they have witnessed an increase in volume of phishing attempts, with 85 percent saying those attempts are getting more sophisticated. In addition, 73 percent of respondents say that their IT staff have been targeted by phishing attempts, and 47 percent of those attempts were successful. Asked about the causes of successful attacks, 37 percent of respondents cite a lack of both technology and employee understanding. However, 34 percent blame successful attacks on a lack of employee understanding. While 96 percent of IT professionals report that their organization offers cybersecurity training to teach employees about common attacks like phishing and ransomware, only 30 percent of respondents say that 80-90 percent of employees have completed the training.

 

SonicWall: ‘Imminent’ Ransomware Attack Targets Older Products

The attack exploits a known vulnerability that was fixed in new versions of firmware released this year. SonicWall is alerting users to an “imminent” ransomware attack targeting Secure Mobile Access (SMA) 100 series and the older Secure Remote Access (SRA) series running unpatched and end-of-life (EOL) 8.x firmware. The campaign is using stolen credentials, the company reports, and the exploitation targets a known vulnerability that has been patched in newer versions of the firmware. Businesses using a range of EOL SMA and/or SRA devices running firmware 8.x should update their firmware or disconnect their devices, as per guidance SonicWall outlines in an advisory. As an additional mitigation, SonicWall advises organizations using SMA or SRA devices to reset all credentials associated with them, as well as for any other devices and systems that use the same credentials.

Who is Responsible for Guarding Against Software Supply Chain Attacks? Who Knows!

Software supply chain attacks like that on SolarWinds have become more of a threat in recent months. But when it comes to defending against them, businesses can’t decide who is responsible, according to a new report. The study from machine identity management company Venafi is based on the opinions of over 1,000 information security professionals, developers and executives in the IT and software development industries. It finds that 97 percent agree that the techniques and procedures used to attack the SolarWinds software development environment will be reused in new attacks this year. But despite this certainty, there is no agreement between security and development teams on where responsibility for improving security in the software build and distribution environments should lie.

 

57% of Reported Incidents are Caused by Insiders

Insider data breaches were the top cause of data and cybersecurity incidents reported in the first quarter of 2021, according to the ICO. 57% of reported incidents were caused by insiders, with over 1,000 incidents reported in the first three months of 2021. Misdirected email was behind most of the incidents, with over 400 reports. Phishing was the second-biggest named cause, with over 200 incidents caused by employees falling for malicious emails. For the fourth quarter running, healthcare was the hardest hit, with over 420 reported incidents in just three months, while financial services was the industry targeted with the most phishing attacks.

Half of Organizations are Ineffective at Countering Phishing and Ransomware Threats

Half of US organizations are not effective at countering phishing and ransomware threats, research from Osterman Research reveals. The findings come from a study compiled from interviews with 130 cybersecurity professionals in mid-sized and large organizations. “Phishing and ransomware were already critical enterprise security risks even before the pandemic hit and, as this report shows, the advent of mass remote working has increased the pressure of these threats,” said Jon Clay, VP of threat intelligence for Trend Micro. “Organizations need multi-layered defenses in place to mitigate these risks.” The study asked respondents to rate their effectiveness in 17 key best practice areas related to ransomware and phishing, ranging from protecting endpoints from malware infection to ensuring prompt patching of all systems.

Five Critical Password Security Rules Your Employees Are Ignoring

Password security was a problem even before the advent of widespread remote work. So, what happened post-pandemic? Keeper Security’s Workplace Password Malpractice Report sought to find out. In February 2021, Keeper surveyed 1,000 employees in the U.S. about their work-related password habits — and discovered that a lot of remote workers are letting password security go by the wayside. Here are 5 critical password security rules they’re ignoring.

Researchers Warn of Linux Cryptojacking Attackers Operating from Romania

A threat group likely based in Romania and active since at least 2020 has been behind an active cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-forcer written in Golang. Dubbed “Diicot brute,” the password cracking tool is alleged to be distributed via a software-as-a-service model, with each threat actor furnishing their own unique API keys to facilitate the intrusions, Bitdefender researchers said in a report published last week. While the goal of the campaign is to deploy Monero mining malware by remotely compromising the devices via brute-force attacks, the researchers connected the gang to at least two DDoS botnets, including a Demonbot variant called chernobyl and a Perl IRC bot, with the XMRig mining payload hosted on a domain named mexalz[.]us since February 2021.

When ‘Later’ Never Comes: Putting Small Business Cybersecurity First

Small- and medium-sized businesses can be victims of digital attacks as much as global ones can. In fact, 88% of small business owners think they’re open to a cyberattack. In response, startups must allocate time and resources to getting the right small business cybersecurity measures, right? If only business realities were that simple. Let’s talk about startup culture for a second. What do you envision when you hear ‘startup’? Mark Zuckerberg, Silicon Valley, cold brew on tap, standing desks and a race to the finish line? You probably don’t think about late nights obsessing about small business cybersecurity. And therein lies the problem.

FragAttacks: Everything You Need to Know

A cybersecurity researcher discovered a new category of Wi-Fi vulnerabilities recently. But the surprising news is that this new category is actually very old. Called FragAttacks, these 12 Wi-Fi vulnerabilities have existed since the late 90s. But they’re new to the cybersecurity world because people only recently discovered and described them. Researchers unveiled the details on May 12, some nine months after discovery. The researchers will present their work at the USENIX Security conference at Black Hat USA in late July and early August.

 

Is Cryptocurrency-Mining Malware Due for a Comeback?

The world is now focused on ransomware, perhaps more so than any previous cybersecurity threat in history. But if the viability of ransomware as a criminal business model should decline, expect attackers to quickly embrace something else – but what? We’ve been here before. In late 2017, driven by a surge in bitcoin’s value, many criminals shifted from using ransomware, which at the time was typically spread via drive-by downloads and spam attacks, to using the same tactics to instead spread cryptocurrency-mining malware. Attackers don’t seem to prioritize any given approach over another. Or at least if there was a cult devoted to the first type of ransomware ever seen in the wild – the AIDS Trojan, which in 1989 began spreading via floppy disk – any lingering adherents would be in dire need of a day job.

 

Toddler Mobile Banking Malware Surges Across Europe

Researchers have provided a deep dive into Toddler, a new Android banking Trojan that is surging across Europe. In a report shared with ZDNet, the PRODAFT Threat Intelligence (PTI) team said that the malware, also known as TeaBot/Anatsa, is part of a rising trend of mobile banking malware attacking countries, including Spain, Germany, Switzerland, and the Netherlands. Toddler was first disclosed by Cleafy following its discovery in January. While still under active development, the mobile Trojan has been used in attacks against the customers of 60 European banks.

 

Cybercriminals Customizing Malware for Attacks on Virtual Infrastructure

Cyber incidents continue to rise, ransomware accounts for nearly two-thirds of all malware attacks, and more cybercriminals are customizing malware for attacks on virtual infrastructure, Positive Technologies finds. According to the research, the number of attacks increased by 17% compared to Q1 2020, with 77% being targeted attacks, and incidents with individuals accounting for 12% of the total. Cybercriminals attacked government institutions, industrial companies, scientific organizations, and educational institutions the most. Their main targets are personal data and credentials, and attacks on organizations are also aimed at stealing commercial secrets.

IoT Malware Attacks Rose 700% During the Pandemic

Zscaler released a study examining the state of IoT devices left on corporate networks during a time when businesses were forced to move to a remote working environment. The report analyzed over 575 million device transactions and 300,000 IoT-specific malware attacks blocked over the course of two weeks in December 2020 – a 700% increase when compared to pre-pandemic findings. These attacks targeted 553 different device types, including printers, digital signage and smart TVs, all connected to and communicating with corporate IT networks while many employees were working remotely during the COVID-19 pandemic. The research team identified the most vulnerable IoT devices, most common attack origins and destinations, and the malware families responsible for the majority of malicious traffic to better help enterprises protect their valuable data.

 

CISA Alerts and Announcements for this week:

Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department: Review here


Hot Topics in Cybersecurity Posted by Data Connectors Newsroom on Jul 28, 2021

Secret Service Romance Scam Symposium to Highlight Impact on Victims

Data Connectors Capital Regional Virtual Cybersecurity Summit to Host USSS Global Investigative Operations Center 

WASHINGTON, D.C. – JUNE 17, 2021 Data Connectors, representing the largest cybersecurity community in North America, will be hosting the US Secret Service’s Global Investigative Operations Center’s (GIOC) Romance Scam Symposium at the Capital Region Virtual Cybersecurity Summit on June 24.

This symposium will draw attention to the record-breaking cash spent in romance scams in 2020; the Federal Trade Commission stated that $304 million was spent last year and nearly $1 billion in the last five years.

For the Secret Service’s GIOC, raising awareness of romance scams is a crucial part of fighting them. Their primary mission in hosting this joint symposium is to shine a light on the massive impact on both the victims and on our country.

“The Secret Service and our many partners across both the private and governmental sectors, work diligently to protect our citizens from criminals who would seek to enrich themselves by extorting the most vulnerable in our society,” said Stephen Dougherty, Forensic Financial Analyst for the Secret Service. “These scammers should know that their actions carry real consequences, both for their victims and for themselves, and that there are dedicated agents, analysts and prosecutors who will go above and beyond to find them, identify them and hold them accountable for their crimes.”

This event will feature speakers from the Secret Service, AARP, Lincoln Financial and Agari.

“The cost of romance scams is two-fold — of course you consider the financial toll on the victims, but there is also a tremendous emotional impact. These criminals are growing trust with vulnerable people, getting their banking passwords and using them for the most nefarious purposes,” said Amy Nofziger of AARP. “And while this is growing in numbers across demographics, retired Americans are among the most common victims of these crimes.”

Leading up to this symposium is the Capital Region Virtual Cybersecurity Summit, which will take place on Wednesday and Thursday, June 23-24, and which provides senior executives in the area with education regarding new solutions, as well as the latest updates and challenges in the industry. Leaders from law enforcement agencies team with Chief Information Security Officers (CISOs) from the private sector to offer industry-leading presentations and discussions.

Attendees will ask questions and interact online with the CISOs, as well as each other and the organizations who will feature their solutions at the event. Featured solutions providers at this summit include Cisco, Cloudflare, Proofpoint, Attivo Networks, ActZero, Auth0 and many more.

The Summit will take place over two days, Wednesday and Thursday, June 23-24 at 8:00 a.m. ET on both days, with the GIOC Symposium on the 24th starting at 2 p.m. Registration is free for qualified professionals, who can also obtain Continuing Professional Education (CPE) credits for participation.

More information can be found at dataconnectors.com/romance

About Data Connectors
Since 1999, Data Connectors (dataconnectors.com) has facilitated collaboration between senior cybersecurity professionals, government/law enforcement agencies, industry luminaries, and solution providers. Today, the community comprises over 650,000 members and 250 active vendor partners across North America. Members enjoy informative education, networking and support via our award-winning Virtual Summits, live conferences, Web Briefings, and regular communications.


Press Releases Posted by Jen Greco on Jun 17, 2021

Sneak Preview: Security Across Borders with the U.S. Secret Service

The two countries boast the world’s longest land border, but when it comes to cybersecurity, the United States and Canada share so much more.

In a Q&A session, broadcast on LinkedIn Live on Monday, May 10, I was joined by Special Agent Eric Adams of the U.S. Secret Service from the Vancouver Field Office, where we discussed the agency’s mission in its dealings with Canada.

Adams will be holding a joint keynote session with Sergeant Graeme Sloane of the Calgary Police Service where they discuss the partnership between the agencies to ensure the safety of their citizens. During this special session, the speakers will be live and interacting with the Summit audience by answering your questions.

Have you gotten a chance to claim your spot for this talk? Register for the Canada West Virtual Cybersecurity Summit. Then, be sure to log in on Wednesday, May 12 by 12:20 p.m. PDT so you can catch this informative session.

During yesterday’s livestream, Adams delved into the role of the Secret Service — beyond the typical mission of protecting the president.

“The mission of the Secret Service, both domestically and abroad, is the same. And that mission is to safeguard the nation’s payment systems and overall financial infrastructure, which helps us to preserve the integrity of the economy,” Adams said during the live session. “We’re able to accomplish this in our foreign offices by working with the world’s law enforcement community by developing and forging partnerships and by providing guidance and expertise to safeguard those financial infrastructures through what we call a cross-border partnership.”

Did you miss the LinkedIn Live session? Catch the recording on the Data Connectors LinkedIn page. And, be sure to follow us so you don’t miss out on more of these live sessions with experts from across the industry.


Virtual Events Posted by Jen Greco on May 11, 2021

Weekly Partner Roundup: The Data Edition

Each week, we’ll be sharing links to some of our favorite blogs from our partners. This week, we’re all about data. Whether it’s about protecting yours from the Microsoft Exchange hack, a thoughtful look on data intelligence, a “less-is-more” approach, and more. You’ll want to add these blogs to your regular reading list to ensure you stay on top of the latest trends in cybersecurity.

CYMULATE

Luck favors the prepared… and Cymulate agrees. Cymulate Labs came out with two threat attack simulations for their customers to ensure they’re set to defend against the Microsoft Exchange vulnerabilities. Review their blog and ensure you’re ready.

ONETRUST

Smarter data management is the key. A thoughtful take on real data intelligence from OneTrust’s blog, dubbed Real Data Intelligence: A balance between seeking data value and mitigating risk.

ORDR

The classic adage of “Less is More” is true, even when it comes to data. Ordr’s Danny Jump joins their blog for his first post. 

ATTIVO NETWORKS

The year of breaches continues, and attackers always have their eye on the prize: access to the active directory. Attivo Networks’ Chief Security Advocate is covering ways to stay protected in these trying times in her post “Recent Attacks Command New Innovation for Stronger Active Directory Security.”

IVANTI

Who doesn’t love a peek behind the curtain? Ivanti’s blog covers their recent moves in the industry, and discusses the intelligence and value behind “acquisition with intent.” This company is focused on smart growth, says CEO and Chairman Jim Schraper, in his recent blog post, “The Rise of the Everywhere Workplace.”

PURE STORAGE

Looking to move into a multi-cloud strategy? Don’t miss this post from Pure Storage’s Dan Kogan, who offers five critical steps in implementation. This is a helpful post in any stage of planning for multi-cloud, titled “5 Steps for a Successful Multicloud Strategy.”

Do you have a partner post you’d like to share? Let us know in the comments. To learn more about how to partner with Data Connectors, visit our site.


Industry News Posted by Jen Greco on Mar 26, 2021

First Look: Cryptocurrency & Blockchain in a Public Underground World

Cybersecurity professionals are coming up short in their understanding of blockchain and cryptocurrency, according to William Callahan, a retired Special Agent of the United States Drug Enforcement Agency, and one of the Keynote speakers at the Southern California Virtual Cybersecurity Summit on March 10-11.

His presentation is titled “Cryptocurrency and Blockchain Technology in a Public Underground World.”

Callahan, inspired by watching Miami Vice as a kid growing up in New Jersey, pursued a long career with the Drug Enforcement Agency at various posts across the country, ranging from St. Louis to the D.C. metro and New York. Through his career, he watched the old drug street crime moving out of the dark alleyways and onto the Dark Web.

SoCal Blog Takeaways

THE BRIGHT SIDE OF THE DARK WEB

But the Dark Web hasn’t always been a seedy underground of illicit drugs, scams and counterfeiting. Tor, or onion routing, was actually an invention of the United States government in the mid-1990s. The initial intention, according to Callahan, was to ensure safe file-sharing. 

“It’s also useful for people in countries where free speech and the internet is suppressed,” Callahan said. And despite the nefarious people who often find their way onto the dark web, it is still useful for those purposes, he said. 

The principles behind cryptocurrency, namely Bitcoin, are also certainly not all for illegal transactions. In fact, it makes commerce between individuals in different countries much easier now. 

“Cryptocurrency was used to transfer value as a form of payment method — a semi-anonymous way to pay for things,” Callahan said. “It allows people to speak in the same currency in two different countries without having to use the banking system. And that can be converted relatively easily into fiat currency.”

One of the breakthrough technologies on which cryptocurrencies are built is called blockchain. This is a major buzzword in the tech industry, particularly among start-ups trying to use this peer-to-peer distributed ledger technology (DLT) where data is stored across a variety of servers.

The transactional transparency offered by blockchain is extremely promising in a variety of areas, Callahan said.

“That’s where the value is. The blockchain is a decentralized — it’s kept by all people on the network. Anybody can become part of that. There, there’s real value for data storage, for smart contracts, supply chain management,” Callahan said. “Once something is added to the blockchain, you can’t change it without a 51% majority. We’ll see more and more contracts, real estate transactions on blockchain.”

 

…AND THE DARK SIDE OF THE DARK WEB

Rather than exchanging cash for drugs in a park late at night, people are able to access drugs with relative anonymity through sites on the Dark Web, in exchange for cryptocurrencies like Bitcoin. Because of the smaller quantities these drugs are purchased in — usually not more than a pound or two per transaction — these are being sent via normal shipping services like UPS, FedEx and USPS, Callahan said. The transactions are easy, but the product is often the result of counterfeiting.

This has resulted in many very dangerous situations for those who end up taking the illicit drugs, he said. 

And it’s not just drugs — during the pandemic, items like personal protective equipment, treatment medications for COVID-19 and vaccines have quickly surfaced on the Dark Web. It’s rare that these items are legitimate if found on the Dark Web, he said.

“They’re selling anything that’s in demand that can be counterfeited,” Callahan said. “You’re playing right into people’s emotions.”

These problems are magnified in countries where the medical supply chain is not as reliable and stable as it is in the United States. The basic level of trust in our government keeps Americans protected from falling into a level of need where they’re seeking supplies on the Dark Web. 

But Callahan said he’s always left the communities he’s worked with one critical piece of advice: do not take anything that isn’t prescribed by your doctor and filled by your pharmacist.

 

THE PERSONAL SIDE

The number of people suffering from opioid addiction is overwhelming, and unfortunately, access to drugs on the Dark Web is enabling this national crisis. Easy access to drugs-by-mail is putting synthetic and counterfeit drugs in the hands of young people and addicts, perpetuating a crisis that law enforcement and the medical community have been working to tamp down. 

The crisis is reaching critical mass with the new, easy accessibility to drugs — which are often counterfeit and extremely dangerous — particularly when it comes to drugs like Fentanyl and other narcotic medications. 

“Painkillers have become a major drug of choice on the dark web,” Callahan said. “They’re being bought and paid for on the dark web … It’s really changed the way drugs are bought and delivered.”

 And while it’s important to pay attention to the cybersecurity-intensive parts of Callahan’s presentation, he’ll also be sharing information on the current Fentanyl crisis that will be vital for you, your families and loved ones.

 

WHY TRAINING IS VITAL

Callahan looks forward to bringing his knowledge of blockchain and cryptocurrency to the Data Connectors Southern California audience, and while attendees will certainly walk away with more information and understanding than when they first tune in, he encourages additional training. Your company might not need it today, but if a breach happens, it’s vital to have a resource on your team who can help make sense of what to do, he said.

“Training on blockchain may be a good investment in time and money. It’s not like a break-in where you can call the police; it will take specialized units to come in,” Callahan said. “There may be something on you or your department to understand. Who has that knowledge?  Do they know how to do a blockchain analysis when one might be needed?”

Callahan has a number of suggestions for trainings, but he is sharing one particular offer thanks to his partnership with the Blockchain Intelligence Group. To receive training as a Certified Cryptocurrency Investigator, first sign up for the SoCal Virtual Cybersecurity Summit and then visit blockchaingroup.io and use discount code SoCal2021BC through March 31, 2021 for 35% off. 

This is an eight-hour online self-paced course which will give you a fuller understanding of cryptocurrency, blockchain and the dark web.

 

Be sure to join the Southern California Virtual Cybersecurity Summit to hear more from Callahan, and come prepared with your questions and comments. His keynote will be presented live on Wednesday, March 10 at 12:00 p.m. PT. 


Interviews Posted by Jen Greco on Mar 2, 2021

Tips and Tricks: Getting Great Video Quality in Your Next Presentation

In the current climate of virtual overload, how do you get your voice to be heard above the others? When discussing a topic as important as cybersecurity, how do you ensure that the viewer is listening to what you have to say?

As the leading provider for virtual cybersecurity summits, Data Connectors has surveyed both their attendees and Vendor Partners to compile a list of presentation best practices. This quick summary of Dos and Don’ts for how to put forth the most informative and engaging presentation can be easily implemented to ensure the best audience participation.

This series will highlight some video best practices, so you can slam-dunk your next on-screen appearance.

 

Preparing Your Set: Video Quality and Location

Most of us are still working from home and may not have the best setup for our home offices. Often we are at the kitchen table, in a bedroom, or even hiding in a closet to find some small solitude of quiet. Obviously, this is not ideal when you need to record a presentation or attend a session live.

Lose the Virtual Background

However, you don’t need a soundstage in order to put together a good presentation. In fact the home office can often bring a more personal approach and make you more relatable to the audience. We have seen overwhelming stats that people prefer to see a real background to a virtual one. Often virtual backgrounds are loud, obvious and more distracting than what is really behind you. So don’t be afraid to flaunt your personal style! Just ensure that you choose a location where your background is not too busy, as that may be distracting, but don’t be afraid of appearing real in your video. (Everyone loves when a furry animal joins the party for a couple minutes, in fact, bring them into the fun.)

Have an Angle

There are a couple other important features to consider when choosing your recording location. Lighting and camera angle are key elements to elevating your video production quality that are too often overlooked. You could have the best message to share but if no one can see your face, or if they are distracted by looking up your nose because your camera is below eye level, it may all be for nothing. 

Don’t get lost in the dark! Situate yourself to ensure that you have lighting, natural if possible, in front of you (behind the computer / camera). This will guarantee that you are well lit and visible to the audience while presenting. If the video image is too dark, audience members often either spend more time trying to correct your image to see you better or lose interest as they cannot make a personal connection with you on screen. 

Get Framed

Make it all about you. Make sure that you frame yourself in the center of the screen with the camera at eye level. Properly framing yourself on camera ensures that you are the center of attention, eliminating background distractions. It will also allow for a better link with the audience. When presenting live you have the ability to be animated and to emphasize points with your hands or with facial expressions. You want to be properly centered on-screen so that the audience can see all of this interaction virtually. Having a conversation with the camera is like having a one-on-one discussion with each individual audience member, giving you the ability to really connect with them as if they were in front of you.

At home, connectivity issues affect us all and we can’t always get around them, especially when your kids are playing Fortnite in the next room and your spouse is watching YouTube videos or catching up on the latest Netflix series. We are at the mercy of our personal Wi-Fi bandwidth now that we are no longer physically connected to our office LAN. That said, there is a quick and easy trick to ensuring the best video quality when you are recording your presentation. Record to Computer – not cloud! Not only is this safer for security reasons, but the video quality is often much better when recorded directly to your local machine. Most video recording platforms record to the cloud by default, so go into your settings and change this so that it records locally.


Virtual Events Posted by Jen Greco on Feb 26, 2021

Interview: Naomi Buckwalter and the “Dirty Truth” of Breaking into Cybersecurity

Imagine it: you’re a wide-eyed cybersecurity graduate, feeling like you’ve got the world at your feet. You’ve spent hours poring over books, completing that capstone project, and finally, with degree in hand, you’re ready for the “real world” you’ve been working so hard to join.

But you begin to check out job listings for “entry level” positions in your field of choice, and they’re shockingly hard to come by. An “assistant” role that requires three to four years of experience? “Does college count?” you’d wonder.

Unpaid internships are an option, but there are student loan bills that are starting to rack up interest. 

After a few months of getting stood-up after the few interviews you get, working outside your chosen field becomes more and more of a possibility.

It’s not hard to picture, because so many of us have been there. And while it’s often lamented anecdotally, Cybersecurity Expert Naomi Buckwalter put some actual data behind it. It’s now empirically true: entry-level jobs require years of experience that entry-level candidates have not yet gotten.

After a LinkedIn deep-dive on so-called entry-level cybersecurity jobs, Buckwalter was able to shed light on a growing problem in the industry. By pulling 1,000 job listings from the professional networking site, Buckwalter parsed the descriptions for phrases like “years of experience” and found the dirty truth: there are no “true” entry-level jobs. 

“I crunched some of the numbers, and it was eye-opening to me,” Buckwalter said. “You can not get experience without getting a job.” 

This is frustrating for someone like Buckwalter, who got her start in cybersecurity and rose through the ranks to her current title of Chief Information Security Officer — the top of the field — while still considered to be very young compared to her colleagues. Her start was as a software developer, who found her passion after taking a course in hacking.

“I had finally found my purpose in life; I fell in love with it,” she said. She continued to focus on learning, and took opportunities as they came, with the help of some open-minded employers who wanted her success as much as she did.  “Name it, I’ve done it. I just keep learning.”

Her passion extends to finding opportunities and offering mentorship for newly minted cybersecurity grads and job hopefuls. The solution to the skills gap, Buckwalter says, is in education and thoughtful mentorship.

“Every person is different. I think I would find a mentor to really make it personal, not try to create a course for everyone, but for that person and what they want to do. Then, create a curriculum just for them,” she said. “[Many organizations] are not seeing people for the human that they are, they’re just seeing them as a means to an end. We’re not just workers and automatons — we’re human beings.”

Social media is Buckwalter’s medium-of-choice for getting the message out, for a focus on training to ensure a successful industry… even if that means ruffling a few feathers from time to time. “Let’s just tell the truth … I need people to be cynical and question things,” she said. “I wish more of us would challenge each other as an industry.”

Gaps in the industry are becoming incredibly pervasive — including with emerging technologies like artificial intelligence, Buckwalter said.

“We need to find a better way to get people into cybersecurity. We need to get the talent in and then train them,” she said. “I’m trying to scream into the void: train up the people!”

Follow Naomi Buckwalter on LinkedIn to see her insights into the cybersecurity industry first-hand.


Interviews Posted by Jen Greco on Feb 17, 2021