Journalist Hurt by Exploding USB Bomb Drive
Article Link: https://www.theregister.com/2023/03/22/usb_bomb_journalist/
- Police in Ecuador are investigating attacks on media organizations across the country after a journalist was slightly injured by an exploding USB flash drive that arrived in the mail.
- The article points to a proof-of-concept video that has been on YouTube since 2018. In it, the hardware hacker MG shows a wire attached to a USB device heat up and glow red once the device is plugged into a laptop; with the right materials, it is believed that this heat could ignite an explosive charge.
- While no immediate threat to organizations in the United States has been reported, organizations are encouraged to review their mail-receiving procedures and screen incoming packages for unexpected devices.
Emotet Malware Distributed as Fake W-9 Tax Forms From the IRS
Article Link: https://www.bleepingcomputer.com/news/security/emotet-malware-distributed-as-fake-w-9-tax-forms-from-the-irs/
- A new Emotet phishing campaign is targeting U.S. taxpayers by impersonating W-9 tax forms purportedly sent by the IRS and by companies the recipient works with. The campaign has alternated between sending zipped malicious Word documents and sending malicious OneNote documents.
- In the campaign seen by Malwarebytes, the threat actors send emails titled ‘IRS Tax Forms W-9’ while impersonating an ‘Inspector’ from the Internal Revenue Service. Unit 42, meanwhile, has observed Emotet operators spreading the malware through reply-chain emails that hijack existing conversations.
- If you receive an email claiming to contain a W-9 or other tax form, first scan the attachment with your local antivirus software. Because of the sensitive data these forms carry, do not upload them to cloud-based scanning services such as VirusTotal. Most tax forms are sent as PDF documents, so receiving any other file type (a ZIP, a Word document, or a OneNote file) should be treated as a red flag.
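The "wrong file type" red flag is easy to check mechanically at a mail gateway or in a triage script, provided the check looks at the bytes and not just the file name. The following is an added example, not code from the article or from Malwarebytes or Unit 42: it identifies an attachment by its magic bytes (PDF, ZIP, legacy OLE Office document, OneNote section file), opens ZIPs to look for macro-capable documents or scripts inside, and quarantines anything that is not a genuine PDF. The sample attachments are constructed for the demonstration.

```python
"""Triage a mail attachment that claims to be a tax form: compare the type the
file name claims with what the bytes actually are, and look inside ZIPs.
Added example, not from the article; the sample attachments are constructed."""
import io
import zipfile
from typing import Dict, List, Tuple

# Leading bytes of the formats involved: the PDF a real form should be, and the
# containers the campaign's lures arrive in.
MAGIC = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",                                   # also .docx/.docm/.xlsm
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",              # legacy .doc/.xls
    # OneNote section file: guidFileType {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, little-endian
    "onenote": bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3"),
}
# Names inside a ZIP that should never appear in a tax form
RISKY_INNER_EXTS = (".doc", ".docm", ".dot", ".xls", ".xlsm", ".one", ".js", ".vbs", ".lnk")


def sniff(data: bytes) -> str:
    """Identify the container by magic bytes rather than by file extension."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> Tuple[str, List[str]]:
    """Return ("allow" | "quarantine", reasons). A tax form is expected to be a PDF
    with a .pdf extension; anything else is held for review."""
    reasons: List[str] = []
    kind = sniff(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if kind == "pdf" and ext == "pdf":
        return "allow", reasons
    if kind != "pdf":
        reasons.append(f"content is {kind}, not PDF")
        if ext == "pdf":
            reasons.append("extension claims PDF but content disagrees")
    elif ext != "pdf":
        reasons.append(f"PDF content delivered with .{ext} extension")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            reasons.append("ZIP header but unreadable archive")
        for n in names:
            base = n.rsplit("/", 1)[-1].lower()
            if base.endswith(RISKY_INNER_EXTS) or base == "vbaproject.bin":
                reasons.append(f"archive contains {n}")
    elif kind in ("ole", "onenote"):
        reasons.append("Office or OneNote document, the lure types used by this campaign")
    return "quarantine", reasons


def _zip_of(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real campaign artifacts)
SAMPLES = [
    ("W-9.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("W-9_form.zip", _zip_of({"W-9 form.doc": MAGIC["ole"] + b"\x00" * 24})),
    ("IRS_W-9.one", MAGIC["onenote"] + b"\x00" * 48),
    ("W-9.pdf", MAGIC["ole"] + b"\x00" * 24),   # legacy Word file renamed to .pdf
]


def triage_all() -> Dict[str, Tuple[str, List[str]]]:
    """Run the triage over every constructed sample, keyed by index:name."""
    return {f"{i}:{name}": triage_attachment(name, data) for i, (name, data) in enumerate(SAMPLES)}


if __name__ == "__main__":
    for key, (verdict, reasons) in triage_all().items():
        print(f"{verdict:10} {key:20} {'; '.join(reasons)}")
```

The check runs entirely offline on the attachment bytes, so it can be applied to a form without uploading it to a third-party scanner. Note that .docx/.docm files are themselves ZIPs, which is why the archive branch looks for a `vbaProject.bin` entry as well as for risky inner extensions.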
Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers
Article Link: https://thehackernews.com/2023/03/microsoft-warns-of-stealthy-outlook.html
- Microsoft shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability, CVE-2023-23397, an elevation-of-privilege flaw that can be exploited to steal NT LAN Manager (NTLM) hashes and stage a relay attack without requiring any user interaction.
- Microsoft encourages organizations to review SMBClient event logging, Process Creation events, and other available network telemetry to identify potential exploitation.
- Link to Microsoft’s Guidance: https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
- Link to Additional Project Hyphae Guidance and Detection Script: https://projecthyphae.com/threat/the-sound-of-silence-critical-microsoft-outlook-vulnerability/
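The indicator Microsoft's guidance centers on is a message whose PidLidReminderFileParameter property (the reminder sound file) is a UNC path to an attacker-controlled host, since Outlook authenticates to that host when the reminder fires. The following is an added example, not Microsoft's own script: it walks a set of mailbox records, pulls the host out of any UNC path in that property (including the WebDAV-style `\\host@80\share` and `\\host@SSL@443\share` forms), and flags every host that is not on an internal allowlist. The records, the internal DNS suffix, and the server names are all constructed assumptions for the demonstration.

```python
"""Hunt for the CVE-2023-23397 indicator in mailbox items: a reminder whose
PidLidReminderFileParameter property is a UNC path to a host outside the
organization, which makes Outlook authenticate to that host when the
reminder fires. Added example, not Microsoft's own script; the records and
the internal-namespace assumptions below are constructed."""
import re
from typing import Dict, List, Optional

# Assumed: the organization's internal DNS suffix and known file-server names.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_HOSTS = {"fileserver01"}

# \\host\share..., \\host@80\share... (WebDAV), \\host@SSL@443\share...
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")


def unc_host(value: str) -> Optional[str]:
    """Host part of a UNC path, lower-cased, with any @port/@SSL suffix removed;
    None if the value is not a UNC path (a local .wav path is the benign case)."""
    m = UNC_RE.match(value or "")
    if not m:
        return None
    return m.group(1).split("@", 1)[0].lower()


def is_internal(host: str) -> bool:
    """Allowlist check: only known servers and the internal namespace are trusted."""
    return host in INTERNAL_HOSTS or host.endswith(INTERNAL_SUFFIXES)


def find_suspicious(items: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return items whose reminder file parameter points at a non-internal host."""
    hits = []
    for item in items:
        host = unc_host(item.get("PidLidReminderFileParameter", ""))
        if host is None or is_internal(host):
            continue
        hits.append({**item, "remote_host": host})
    return hits


# Constructed records in the shape a mailbox export might produce
SAMPLE_ITEMS = [
    {"id": "1", "sender": "calendar@corp.example", "subject": "Standup",
     "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"id": "2", "sender": "it@corp.example", "subject": "Patch window",
     "PidLidReminderFileParameter": r"\\fileserver01\media\chime.wav"},
    {"id": "3", "sender": "vendor@mail.invalid", "subject": "Invoice",
     "PidLidReminderFileParameter": r"\\203.0.113.10\pwn\notify.wav"},
    {"id": "4", "sender": "hr@mail.invalid", "subject": "Benefits",
     "PidLidReminderFileParameter": r"\\203.0.113.10@80\dav\notify.wav"},
    {"id": "5", "sender": "me@corp.example", "subject": "No sound",
     "PidLidReminderFileParameter": ""},
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_ITEMS):
        print(f"item {hit['id']} from {hit['sender']!r}: reminder file on {hit['remote_host']}")
```

A hit is a lead, not proof of compromise: correlate the sender and receipt time with the SMBClient and Process Creation telemetry Microsoft points to, and treat the NTLM credential of every mailbox that received such an item as exposed. The check uses an allowlist of internal hosts rather than a denylist, so an attacker's IP literal or a WebDAV-style path is caught without needing to be known in advance; any remote host it reports is also a candidate for blocking outbound TCP 445 at the perimeter, one of Microsoft's recommended mitigations.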
New CISA Tool Detects Hacking Activity in Microsoft Cloud Services
Article Link: https://www.bleepingcomputer.com/news/security/new-cisa-tool-detects-hacking-activity-in-microsoft-cloud-services/
- CISA has released a new open-source incident response tool, dubbed Untitled Goose Tool, that helps detect signs of malicious activity in Microsoft cloud environments. Specifically, it can dump telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments.
- In addition to a variety of other functions, the tool can export and review AAD sign-in and audit logs, M365 unified audit logs (UALs), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity. Additionally, it can query, export, and investigate AAD, M365, and Azure configurations, and extract artifacts from AAD, M365, and Azure without performing additional analytics.
- Link to CISA’s Announcement of the Tool: https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet
Even After Armed with Defense Tools, CISOs say Successful Cyberattacks are ‘Inevitable’: New Study
Article Link: https://www.techrepublic.com/article/even-with-cybersecurity-tools-deployed/
- In Cisco’s new Cybersecurity Readiness Index which surveyed 6,700 security leaders, only 15% of respondents to the global survey said their organizations have implemented security programs mature enough to defend against current cybersecurity risks.
- While most enterprises have some collection of cybersecurity measures deployed, a full 82% of the 6,700 chief information security officers and other cybersecurity leaders in the 27 global markets Cisco examined, said they expect to be successfully attacked in coming months.
- Cisco’s study also shows that 85% of security leaders plan to increase their cybersecurity budget by at least 10% over the next 12 months, but not on a piecemeal collection of tools. In other words, many security leaders are striving to use tools that do more instead of more tools with specific functionality.
- Link to Cisco’s Full Report: https://investor.cisco.com/news/news-details/2023/New-Cisco-Study-Finds-Only-15-of-Companies-Surveyed-are-Ready-to-Defend-Against-Cybersecurity-Threats/default.aspx
The Board of Directors Will See You Now
Article Link: https://www.darkreading.com/risk/the-board-of-directors-will-see-you-now
- Security leaders are often encouraged to present to their board of directors. In practice, however, they rarely get time with the board and often lack a way to measure the return on investment that security provides.
- Board members, for their part, are unlikely to have a significant understanding of cybersecurity. The Wall Street Journal investigated the backgrounds of all S&P 500 board members and found that less than 2% “had relevant professional experience in cybersecurity in the last 10 years.”
- The article highlights using time with the board to paint a complete picture of the threat landscape, show cybersecurity as a business enabler, and identify key risks and how they are being addressed as opposed to educating the board on the nuances and nitty-gritty details of cybersecurity.
How Training and Recognition can Reduce Cybersecurity Stress and Burnout
Article Link: https://www.csoonline.com/article/3691649/how-training-and-recognition-can-reduce-cybersecurity-stress-and-burnout.html
- Many security teams are understaffed, overburdened, and under-resourced, which compounds stress. The need to meet deadlines, stay current on the latest security risks, and manage intricate security systems and incident reporting further contributes to burnout. Recognizing problem areas and providing access to training can alleviate the negative effects of these demands, improve employee well-being and job performance, and reduce stress and burnout.
- Training and recognition help prevent stress and burnout by reducing job demands and ensuring that cybersecurity professionals have the skills, professional resources, and support they need to manage their workload effectively. Research also suggests that training and recognition boost employees' psychological capital and give them a sense of control.
- Beyond training and recognition, the article highlighted the importance of a culture of well-being and support and consistent acknowledgement of a job well done.
How to Keep Incident Response Plans Current
Article Link: https://www.darkreading.com/attacks-breaches/how-to-keep-incident-response-plans-current
- All businesses, regardless of size, should have a set of incident response plans that take into consideration a variety of situations. As tactics evolve, so should readiness plans.
- Not every organization has the resources to plan for every possible scenario; the goal is a set of plans the organization is confident covers the incidents it is most likely to face.
- Four key considerations when developing an incident response plan are identifying and knowing your assets, taking the time to review and learn from events and incidents, planning for and practicing a variety of scenarios, and then continuing to practice the plans and reviewing them annually.
ESF Partners, NSA, and CISA Release Identity and Access Management Recommended Best Practices for Administrators
- As part of the Enduring Security Framework (ESF), the NSA and CISA published the Recommended Best Practices Guide for Administrators to give system administrators actionable recommendations for securing their systems against threats to Identity and Access Management (IAM).
- IAM is a framework of business processes, policies, and technologies for managing digital identities. Its purpose is to ensure that the right users gain access to the right resources, and only those resources, after proving who they are.
- The paper provides best practices on identity governance, environmental hardening, identity federation/single sign-on, multi-factor authentication, and IAM auditing and monitoring.