Cyber Threats and Federally-funded Cyber Resources
Eugene Kipniss
State, Local, Tribal, or Territorial Government Entity
Why SLTT Governments? Criminals look for data... and governments have a lot of it!
TLP: WHITE
2018 NCSR Findings Preview
• In 2018, both the state and local peer groups reported a decrease in overall maturity (-1% for the state peer group and -4% for the local peer group). This is a reversal of the trend that was reported in 2016 and 2017, where the state and local peer groups reported an increase in overall maturity (3% and 10% respectively).
• Local governments continue to report lower overall maturity scores (3.44) than their state counterparts (4.70).
• Tribal governments continue to report lower overall maturity scores (3.33) than both their state and local counterparts.
• In 2018 the tribal peer group reported a 48% increase in overall maturity.
• In 2018, Supply Chain was added to the Identify function of the NIST Cybersecurity Framework and NCSR question set. The state and local peer groups scored lowest in the supply chain category within the Identify function.
• State, local and tribal peer groups continue to report overall scores that fall below the recommended minimum maturity level (5).
• In 2018, 88% of the 33 sub-sector peer groups reported scores below the recommended minimum maturity level. The following sub-sector peer groups met the minimum maturity: Associations; State Finance/Revenue; State Information Technology; State Museum.
• All peer groups continue to identify the same top five security concerns over the past four years: lack of sufficient funding*; increasing sophistication of threats; lack of documented processes; emerging technologies; inadequate availability of cybersecurity professionals.
* In 2018, we saw a shift in the order the top five security concerns were ranked. Lack of sufficient funding became the number one security concern.
Top 10 Malware 2018 (rank order as listed, 1 through 10, for each month)
January 2018: Kovter, ZeuS, Emotet, CoinMiner, NanoCore, Xtrat, Redyms, WannaCry, Mirai, Gh0st
February 2018: Kovter, ZeuS, NanoCore, Redyms, Mirai, CoinMiner, WannaCry, Emotet, Gh0st, Latentbot
March 2018: Kovter, WannaCry, Emotet, ZeuS, CoinMiner, Gh0st, NanoCore, Ursnif, Mirai, Xtrat
April 2018: Kovter, WannaCry, Emotet, ZeuS, NanoCore, CoinMiner, Gh0st, Qarallex, Latentbot, Redyms
May 2018: Kovter, Emotet, ZeuS, Redyms, TinyLoader, CoinMiner, NanoCore, Gh0st, WannaCry, Mirai
June 2018: WannaCry, Emotet, Kovter, ZeuS, Mirai, Cerber, NanoCore, CoinMiner, Gh0st, Cerber
July 2018: Emotet, Kovter, ZeuS, NanoCore, Cerber, Gh0st, CoinMiner, Trickbot, WannaCry, Xtrat
August 2018: Kovter, Emotet, ZeuS, CoinMiner, WannaCry, NanoCore, Mirai, Gh0st, Cerber, Ursnif
September 2018: Emotet, WannaCry, Kovter, ZeuS, CoinMiner, NanoCore, Gh0st, Mirai, Trickbot, AZORult
October 2018: Emotet, Kovter, ZeuS, WannaCry, NanoCore, Gh0st, CoinMiner, Mirai, Ursnif, Smoke Loader
November 2018: WannaCry, Emotet, ZeuS, Kovter, CoinMiner, Mirai, NanoCore, Gh0st, Smoke Loader, Ursnif
December 2018: WannaCry, ZeuS, Emotet, Kovter, Qakbot, Samsam, Gh0st, Mirai, Brambul, CoinMiner
Top 10 Malware - Initiation Vectors (chart, October through March): Dropped, Multiple, Malspam, Network, Malvertisement
BEC: CEO Compromise Example
FROM: CEO
TO: Finance Department
SUBJECT: Question
Are you available? Wire transfer needs to go out. Also what is the balance of General Funding Account? Let me know when you are ready. Don’t call. Im in a meeting.
Sent from my iPhone
Callouts on the slide: From an Executive; To Finance; Formatting error; Sense of urgency; Social Engineering
Ransomware: malware that blocks access to a system, device, or file until a ransom is paid; commonly demands that the victim pay $200 - $1,000 in bitcoins, gift cards, etc.
Categories shown: Cryptos, Lockers, Wipers, Extortion
1. Lockers – blocks access to files or the system
2. Cryptos – encrypts files
3. Wipers – erases files; no recovery
Emotet
• Emotet is the single most destructive piece of malware currently affecting state, local, tribal, and territorial (SLTT) governments in the U.S.
• Highly infectious due to worm-like capabilities
• Infostealer
• Modular
• Business continuity disaster
• Potential data breach
TrickBot
• Modular banking trojan that targets user financial information and acts as a dropper for other malware.
  – Man-in-the-browser attacks
  – Continuously releasing new modules/versions
  – Malspam campaigns or dropped
  – Some modules abuse SMB Protocol for lateral movement
https://www.cisecurity.org/white-papers/security-primer-trickbot/
Cryptocurrency Miners
Malware:
• CoinMiner – TOP 10
• Coinhive
• WannaMine
• Dark Test
• BrowseAloud
Infection Vectors:
• Malspam
• EternalBlue
• Exploit Kits
• Worms
• Tech Support Scam
• Plugins
• Masquerading as Windows/system files, Fake AV, apps
• Fileless malware
Infecting: Windows, Mac, smartphones, smart TVs, SCADA systems
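Two entries on this slide, Coinhive and BrowseAloud, are browser-side miners rather than executables: Coinhive ran as JavaScript on whatever page embedded it, and BrowseAloud was a third-party accessibility script whose hosted copy was altered to load Coinhive on every site that included it. The check below is an added example, not MS-ISAC code. It walks a page's script tags and flags known miner hosts, inline use of the Coinhive API, and any cross-origin script loaded without Subresource Integrity. MINER_HOSTS, MINER_INLINE and SAMPLE_PAGE are constructed assumptions for illustration (coinhive.com is the service named on the slide; authedmine.com was its opt-in variant).

```python
"""Audit a page's <script> tags for in-browser miner injection.
Added example, not MS-ISAC code; MINER_HOSTS, MINER_INLINE and SAMPLE_PAGE
are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

MINER_HOSTS = {"coinhive.com", "authedmine.com"}              # assumed block list
MINER_INLINE = ("CoinHive.Anonymous", "CoinHive.User", "coinhive.min.js")  # Coinhive JS API names


class ScriptAudit(HTMLParser):
    """Collect (finding, detail) tuples for every <script> on the page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self.in_script = True
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return                                   # inline body handled in handle_data
        host = (urlparse(src).hostname or self.page_host).lower()   # "//host/x.js" resolves too
        if host in MINER_HOSTS:
            self.findings.append(("miner_script", src))
        elif host != self.page_host and not a.get("integrity"):
            # Third-party script with no Subresource Integrity: if the vendor's copy
            # is swapped (the BrowseAloud case) the browser loads it without complaint
            self.findings.append(("no_sri", src))

    def handle_data(self, data):
        if self.in_script and any(m in data for m in MINER_INLINE):
            self.findings.append(("miner_inline", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False


def audit(html, page_host):
    """Return the findings for one page served from page_host."""
    p = ScriptAudit(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page (not a real site); the integrity value is a placeholder
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/vendor.js"
        integrity="sha384-EXAMPLEDIGEST" crossorigin="anonymous"></script>
<script src="https://plugin.example.org/ba.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITEKEY'); miner.start();</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE, "www.example.gov"):
        print(*finding)
```

Same-origin scripts and the vendor script carrying an integrity attribute pass; the plugin loaded bare, the miner host and the inline Coinhive call are each reported. Pinning third-party scripts with SRI hashes is the control that turns a silently modified vendor file into a load failure you can see.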
Insider Crypto-mining
Theft of Cryptocurrency
Theft of Currency and Wallets
SIM Swapping/Jacking: Joel Ortiz and the $5 Million SIM heist
• Attacker does recon of social media etc.
• Next they contact the mobile carrier
• Socially engineer a SIM re-issue or change
• Reset email accounts using phone verification
• Intercept all communication – including 2FA!
Hoax Extortion Schemes
Emails can include user’s:
• Names
• Passwords
• Emails
• Telephone numbers
Spoofing the victim’s email
SAMPLE EMAIL TEXT
Subject: <username> - <password>
I'm aware, <password>, is your pass word. You do not know me and you are most likely wondering why you are getting this e-mail, correct?
In fact, I actually placed a malware on the adult videos (porno) web site and guess what, you visited this site to experience fun (you know what I mean). While you were watching video clips, your browser initiated operating as a RDP (Remote Desktop) that has a key logger which provided me accessibility to your display and web cam. Immediately after that, my software gathered all of your contacts from your Messenger, Facebook, and email.
What exactly did I do? I made a double-screen video. 1st part displays the video you were viewing (you've got a fine taste lol . . .), and next part displays the recording of your cam.
What should you do? Well, I believe, <extortion amount> is a reasonable price tag for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).
BTC Address: <address> (It is cAsE sensitive, so copy and paste it)
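The cues called out on the BEC slide earlier (an executive's display name on an outside mailbox, urgency, "don't call") and on this hoax-extortion slide (a leaked password quoted in the subject and body, a Bitcoin address, the sender spoofed to the victim's own address) can be turned into a first-pass mail triage. The script below is an added example, not MS-ISAC code. ORG_DOMAIN, EXECUTIVES, the regular expressions and the three sample messages are constructed assumptions for illustration.

```python
"""Triage inbound mail for executive impersonation (BEC) and password-quoting
hoax extortion.  Added example, not MS-ISAC code; ORG_DOMAIN, EXECUTIVES and
the sample messages are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.gov"                          # assumed: our own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.gov"}   # assumed: display name -> real mailbox

URGENCY = re.compile(r"\b(urgent|asap|right away|immediately|wire transfer|gift cards?)\b", re.I)
NO_CONTACT = re.compile(r"\b(don['’]?t|do not|cannot|can['’]?t) (call|phone|talk)\b", re.I)
PASSWORD_CLAIM = re.compile(r"\bis your pass ?word\b", re.I)
EXTORTION = re.compile(r"\b(web ?cam|adult\s+videos?|porno?|double-screen video|our little secret)\b", re.I)
BTC_ADDR = re.compile(r"\b(bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
PW_SUBJECT = re.compile(r"^\s*\S+\s+-\s+\S+\s*$")   # "<username> - <password>" shape


def body_text(msg):
    """Return the text/plain body, walking multipart messages."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")


def triage(raw):
    """Return the list of finding tags for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    _, to_addr = parseaddr(msg.get("To", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = body_text(msg)
    f = []
    # BEC cues: executive display name on another mailbox, outside domain,
    # answers diverted via Reply-To, urgency, and pressure not to verify by phone
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        f.append("exec_impersonation")
    if domain and domain != ORG_DOMAIN:
        f.append("external_sender")
    if reply_to and reply_to.lower() != addr:
        f.append("reply_to_differs")
    if URGENCY.search(subject + "\n" + body):
        f.append("urgency")
    if NO_CONTACT.search(body):
        f.append("discourages_verification")
    # Hoax-extortion cues: quoted password, Bitcoin address, webcam story,
    # and a From header spoofed to the recipient's own address
    if PW_SUBJECT.match(subject):
        f.append("password_in_subject")
    if PASSWORD_CLAIM.search(body):
        f.append("password_claim")
    if BTC_ADDR.search(body):
        f.append("bitcoin_address")
    if EXTORTION.search(body):
        f.append("extortion_language")
    if to_addr and addr == to_addr.lower():
        f.append("self_spoofed")
    return f


def classify(findings):
    """Map findings to a verdict a SOC queue can key on."""
    s = set(findings)
    if "exec_impersonation" in s and s & {"urgency", "discourages_verification"}:
        return "bec"
    if s & {"password_in_subject", "password_claim"} and s & {"bitcoin_address", "extortion_language"}:
        return "hoax_extortion"
    return "none"


# Constructed samples (not real messages) modelled on the two slides
BEC_SAMPLE = """From: "Jane Doe" <jane.doe.ceo@webmail.example.net>
Reply-To: ceo.office@webmail.example.net
To: finance@example.gov
Subject: Question

Are you available? Wire transfer needs to go out. Also what is the balance
of General Funding Account? Let me know when you are ready. Don't call.
Im in a meeting.

Sent from my iPhone
"""

HOAX_SAMPLE = """From: pat.smith@example.gov
To: pat.smith@example.gov
Subject: pat.smith - Summer2017!

I'm aware, Summer2017!, is your pass word. I placed a malware on the adult
videos web site and recorded your web cam. I made a double-screen video.
You'll make the payment by Bitcoin. BTC Address: 1Hoax7mQrtFvKq3bDd9SzWn2xYpLc4eUgA
"""

BENIGN_SAMPLE = """From: "Jane Doe" <jane.doe@example.gov>
To: finance@example.gov
Subject: Minutes

Attached are the minutes from this morning. Call me if anything is unclear.
"""

if __name__ == "__main__":
    for label, raw in (("bec", BEC_SAMPLE), ("hoax", HOAX_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(triage(raw)), triage(raw))
```

Any single finding is noise on its own (executives do mail from phones, and Reply-To legitimately differs on list mail), so the verdict needs an impersonated executive combined with a pressure cue, or a quoted password combined with a payment demand. A password_claim hit is also the moment to confirm that the quoted password is not still in use anywhere, since these messages are built from old breach data.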
Employee Mistakes
TLP: GREEN
Why care? - Employee Mistakes
Who We Serve
State, Local, Tribal, and Territorial Governments:
• 50 State Governments
• >5,500 Local Governments
• 6 Territorial Governments
• 81 Tribal Governments
• 79 DHS-recognized Fusion Centers
• 950 K-12 School Districts across US
Local Governments: K-12 School Districts, Intermediate Units, Law Enforcement, Cities, Public Authorities, Any Public Organizations
How to access MS-ISAC resources
• Register for the MS-ISAC’s services here: https://learn.cisecurity.org/ms-isac-registration
• The MS-ISAC Stakeholder Engagement team will provide you with next steps:
  – Register your HSIN account
  – Submit public IPs, domains, and subdomains
  – Register for an MCAP account
  – Add additional staff to your account
24 x 7 Security Operations Center
Central location to report any cybersecurity incident
• Support:
  – Network Monitoring Services
  – Research and Analysis
• Analysis and Monitoring:
  – Threats
  – Vulnerabilities
  – Attacks
• Reporting:
  – Cyber Alerts & Advisories
  – Web Defacements
  – Account Compromises
  – Hacktivist Notifications
To report an incident or request assistance: Phone: 1-866-787-4722, Email: soc@cisecurity.org
Computer Emergency Response Team
• Incident Response (includes on-site assistance)
• Network & Web Application Vulnerability Assessments
• Malware Analysis
• Computer & Network Forensics
• Log Analysis
• Statistical Data Analysis
To report an incident or request assistance: Phone: 1-866-787-4722, Email: soc@cisecurity.org
Monitoring of IP Range & Domain Space
IP Monitoring:
• IPs connecting to malicious C&Cs
• Compromised IPs
• Indicators of compromise from the MS-ISAC network monitoring (Albert)
• Notifications from Spamhaus
Domain Monitoring:
• Notifications on compromised user credentials, open source and third party information
• Vulnerability Management Program (VMP)
• Web Profiler
• Port Profiler
Send domains, IP ranges, and contact info to: soc@cisecurity.org