Yahoo has a post explaining that Equifax’s data breach was due to the company using “admin” as both the username and password to view the contents of a database. Using a password no stronger than a default one seems to be the basis of the newest suit against Equifax, which claims this practice was “a surefire way to get hacked”.
SharePoint Sites Used to Bypass Security
Cofense has a post about a phishing campaign in which a user receives an email that points to a SharePoint site. From there, one possibility is:
The embedded URL in the email body delivers the recipient to a compromised SharePoint site where a malicious OneNote document is served. The document is illegible and invites the recipient to download it by clicking on yet another embedded URL, which leads to the main credential phishing page.
Cofense
We definitely suggest reading Cofense’s full post for an in-depth view, but we will end with their explanation of how this attack gets past security measures: “SharePoint, the initial delivery mechanism…allow[s] the threat actor to circumvent just about any email perimeter technology.”
Cyber Security Through Restriction
When it comes to users and security, the tactic of restricting users’ access can help make systems more secure. TechTarget does a great job outlining the categories of this tactic. A quick Google search will pump out myriads of articles on the dangers of not limiting administrative access to business devices. The city of Germantown has taken this one step further by placing an alderman’s email in a restricted status; the article on infosecurity-magazine.com explains that the neighboring city of Collierville was hit with a ransomware attack, which prompted a mandatory 45-minute training that the alderman still has not taken.
Preventing Email Attacks
ZDNet published an article about how “99% of email attacks rely on victims clicking links”. The ProofPoint report supports the idea that these attacks prey on VAPs:
-Very Attacked People™ (VAPs) aren’t usually VIPs – The most attacked people are often easily discovered identities or “targets of opportunity.”
-Social engineering is pervasive, whether in rampant sextortion schemes, business email compromise (BEC), credential phishing, or other attacks that prey on human nature – and human error.
-Domain fraud plays a key role in lending a sense of legitimacy to attacks.
ProofPoint
ZDNet has sound advice on how to remedy this attack: “If a user is suspicious of a supposed login URL, they can bypass the link by going direct to the provider itself and entering their details there.”
Google Calendar Attack
There is a Forbes article that unravels a vulnerability that has been well known since 2017. Forbes puts the attack in plain and simple language, “Google Calendar allows anyone to schedule a meeting with you…whereby the threat actor can use this non-traditional attack vector to bypass the increasing amount of awareness amongst average users when it comes to the danger of clicking unsolicited links.” Ways to combat the attack are below:
This includes delving into Calendar settings and changing the “Event” configuration from “Automatically add invitations” to “No, only show invitations to which I have responded.” Users are also advised to remove the automatic adding of events function from Gmail by configuring the “Events from Gmail” option so that the “Add automatically” box is unchecked.
Forbes
Website Implants on iPhones
TechCrunch has a great summary of the in-depth security research done by Google. In it TechCrunch summarizes the attack as follows: “The five separate attack chains allowed an attacker to gain ‘root’ access to the device”.
Google said based off their analysis, the vulnerabilities were used to steal a user’s photos and messages as well as track their location in near-real time. The “implant” could also access the user’s on-device bank of saved passwords.
TechCrunch
Organized Ad Crime
Cyberscoop has a fantastic article on how hackers boost viewer numbers on ads.
The two main methods discussed are hiding ads on websites via “pixel stuffing, when an ad is hidden in a picture. Then there’s ad stacking, which occurs when multiple ads are hidden under a single banner or display.”
The other common technique is using a botnet: “The hackers who control that malware use it to call up an invisible web browser on that user’s machine without their knowledge, and visit junk websites or click on advertisements.”
IoT Leave Networks Vulnerable
Microsoft has a blog post about Russian hackers who accessed corporate networks via IoT devices. The reason they infiltrated the network via the IoT devices was because their default passwords were not changed. The devices in question were a video decoder, a VoIP phone, and an office printer.
The blog goes on to list some great advice on how to protect a network with IoT devices:
-Require approval and cataloging of any IoT devices running in your corporate environment.
-Develop a custom security policy for each IoT device.
-Avoid exposing IoT devices directly to the internet or create custom access controls to limit exposure.
-Use a separate network for IoT devices if feasible.
-Conduct routine configuration/patch audits against deployed IoT devices.
-Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic, and capture of device images for forensic investigation.
-Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.
-Monitor IoT device activity for abnormal behavior (e.g. a printer browsing SharePoint sites…).
-Audit any identities and credentials that have authorized access to IoT devices, users and processes.
-Centralize asset/configuration/patch management if feasible.
-If your devices are deployed/managed by a 3rd party, include explicit Terms in your contracts detailing security practices to be followed and Audits that report security status and health of all managed devices.
-Where possible, define SLA Terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their product.
Microsoft Security Response Center
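One way to act on the “monitor IoT device activity for abnormal behavior” advice is to compare each IoT device’s connections against the destinations it is expected to reach. The example below is added here and is not Microsoft’s code; the inventory, the log format (timestamp, source IP, destination host, port) and the log lines are all constructed for the demo.

```python
"""Flag IoT devices talking to destinations outside their expected profile.

Constructed example: a tiny asset inventory plus a few proxy-log lines in a
made-up "timestamp src_ip dst_host dst_port" format. Not Microsoft's code.
"""
import re
from collections import namedtuple

# Constructed inventory: IoT device IP -> (device type, destinations it should reach).
IOT_INVENTORY = {
    "10.20.0.15": ("office printer", {"print-server.corp.example", "ntp.corp.example"}),
    "10.20.0.22": ("voip phone", {"pbx.corp.example", "ntp.corp.example"}),
    "10.20.0.31": ("video decoder", {"media.corp.example", "ntp.corp.example"}),
}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) (?P<dst>\S+) (?P<port>\d+)$")

Alert = namedtuple("Alert", "ts src device dst port")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_anomalies(lines, inventory=IOT_INVENTORY):
    """Return an Alert for every connection an IoT device makes outside its allowlist."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in inventory:
            continue  # malformed, or not an IoT device: out of scope for this check
        device, allowed = inventory[rec["src"]]
        if rec["dst"] not in allowed:
            alerts.append(Alert(rec["ts"], rec["src"], device, rec["dst"], int(rec["port"])))
    return alerts

# Constructed log lines; the last two are the "printer browsing SharePoint" pattern
# plus the same printer reaching an outside address.
SAMPLE_LOG = """\
2019-08-05T09:00:01Z 10.20.0.15 print-server.corp.example 631
2019-08-05T09:00:02Z 10.20.0.22 pbx.corp.example 5060
2019-08-05T09:00:03Z 10.20.0.99 sharepoint.corp.example 443
2019-08-05T09:00:04Z 10.20.0.15 sharepoint.corp.example 443
2019-08-05T09:00:05Z 10.20.0.15 203.0.113.10 443
""".splitlines()

if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_LOG):
        print(f"{a.ts} {a.device} ({a.src}) -> {a.dst}:{a.port} outside expected profile")
```

The workstation at 10.20.0.99 is not in the inventory, so its SharePoint traffic is ignored; only the printer’s two unexpected connections are reported.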
Warshipping
An organization’s mail room is now also a platform for an attack called “warshipping”. Essentially, for around 100 dollars an attacker could build a device (with cell service) and have it shipped to a mail room, where it can not only be remotely controlled but can also scan the organization’s networks.
Once the warship locates a Wi-Fi network from the mail room or the recipient’s desk, it listens for wireless data packets it can use to break into the network.
TechCrunch
TechCrunch has a great article about warshipping that cites IBM’s research and provides a really informative video with examples of devices.
Steganography attacks on PHP sites
A steganography attack last seen in 2013 is being brought back to attack PHP sites that allow images to be uploaded. As Threatpost explains, “PHP has a built-in function for extracting that image EXIF metadata and reading it — for instance, as an accessibility feature for the visually impaired.” So an attacker can put PHP code in an image file’s EXIF fields to get malware onto the website.
The Threatpost article goes on to state that the EXIF reading functionality of PHP is so commonplace in website tool kits that this attack is an easy task for the PHP savvy.
To protect themselves, website owners can first and foremost scan for PHP tags in image files; if present, the images should be examined. Disabling image uploads if they’re not strictly necessary would also of course mitigate the threat.
Threatpost
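The first mitigation above, scanning uploads for PHP tags, is simple to put in front of an upload handler. The scanner below is an added example, not Threatpost’s or PHP’s code; it searches the whole file (EXIF fields included) for PHP open tags and also checks the magic bytes, and the JPEG-like blobs are constructed for the demo with a harmless comment-only tag standing in for real payload.

```python
"""Scan an uploaded image for embedded PHP tags before it is stored.

Added example, not Threatpost's or PHP's own code. The tag patterns and the
sample JPEG-like blobs below are constructed for the demo.
"""
import re

# Open tags a PHP interpreter would honour if these bytes were ever included/executed.
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=|<script[^>]+language\s*=\s*['\"]?php", re.IGNORECASE)

# Magic bytes for the image types the upload form is expected to accept.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def detect_type(data):
    """Return the image type by magic bytes, or None if it matches nothing we accept."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def scan_image(data):
    """Return a list of problems; an empty list means the file passed.

    Checks the whole byte string, so a tag hidden in an EXIF field, another
    metadata block, or junk appended after the image data is caught the same way.
    """
    problems = []
    if detect_type(data) is None:
        problems.append("not a recognised image type")
    for m in PHP_TAG_RE.finditer(data):
        problems.append(f"PHP tag {m.group(0)[:12]!r} at offset {m.start()}")
    return problems

# Constructed samples: a JPEG header with a clean EXIF segment, the same with a
# comment-only PHP tag inside the EXIF payload, and a non-image carrying a tag.
CLEAN_JPEG = b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00camera-model\xff\xd9"
TAINTED_JPEG = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00<?php /* placeholder */ ?>\xff\xd9"
FAKE_IMAGE = b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_JPEG), ("tainted", TAINTED_JPEG), ("fake", FAKE_IMAGE)]:
        print(name, scan_image(blob) or "ok")
```

A file that fails the scan should be quarantined for review rather than stored, and re-encoding accepted images (which discards metadata) removes the EXIF channel entirely.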