National Cyber Awareness System:
08/01/2015 06:01 PM EDT
Original release date: August 01, 2015
Readiness Team (US-CERT) received reports of multiple, ongoing and
likely evolving, email-based phishing campaigns targeting U.S.
Government agencies and private sector organizations. This alert
provides general and phishing-specific mitigation strategies and
countermeasures.
Government agencies and private organizations across multiple sectors.
All three campaigns leveraged website links contained in emails; two
sites exploited a recent Adobe Flash vulnerability (CVE-2015-5119)
while the third involved the download of a compressed (i.e., ZIP) file
containing a malicious executable file. Most of the websites involved
are legitimate corporate or organizational sites that were compromised
and are hosting malicious content.
point for attackers to spread throughout an organization’s entire
enterprise, steal sensitive business or personal information, or disrupt
business operations.
Organizations should remind users that they play a critical role in
protecting their organizations form cyber threats. Users should:
Practicing basic cyber hygiene would address or mitigate the vast
majority of security breaches handled by today’s security practitioners:
For more information on cybersecurity best practices, users and
administrators are encouraged to review US-CERT Security Tip: Handling
Destructive Malware to evaluate their capabilities encompassing
planning, preparation, detection, and response. Another resource is
ICS-CERT Recommended Practice: Improving Industrial Control Systems
Cybersecurity with Defense-In-Depth Strategies.
This product is provided subject to this Notification and this Privacy & Use policy.
Systems Affected
Microsoft Windows Systems, Adobe Flash Player, and LinuxOverview
Between June and July 2015, the United States Computer EmergencyReadiness Team (US-CERT) received reports of multiple, ongoing and
likely evolving, email-based phishing campaigns targeting U.S.
Government agencies and private sector organizations. This alert
provides general and phishing-specific mitigation strategies and
countermeasures.
Description
US-CERT is aware of three phishing campaigns targeting U.S.Government agencies and private organizations across multiple sectors.
All three campaigns leveraged website links contained in emails; two
sites exploited a recent Adobe Flash vulnerability (CVE-2015-5119)
while the third involved the download of a compressed (i.e., ZIP) file
containing a malicious executable file. Most of the websites involved
are legitimate corporate or organizational sites that were compromised
and are hosting malicious content.
Impact
Systems infected through targeted phishing campaigns act as an entrypoint for attackers to spread throughout an organization’s entire
enterprise, steal sensitive business or personal information, or disrupt
business operations.
Solution
Phishing Mitigation and Response Recommendations- Implement perimeter blocks for known threat indicators:
- Email server or email security gateway filters for email indicators
- Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware
- DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames
- Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge).
- Identify recipients and possible infected systems:
- Search email server logs for applicable sender, subject,
attachments, etc. (to identify users that may have deleted the email and
were not identified in purge of mailboxes) - Search applicable web proxy, DNS, firewall or IDS logs for activity the malicious link clicked.
- Search applicable web proxy, DNS, firewall or IDS logs for activity
to any associated command and control (C2) domains or IP addresses
associated with the malware. - Review anti-virus (AV) logs for alerts associated with the malware.
AV products should be configured to be in quarantine mode. It is
important to note that the absence of AV alerts or a clean AV scan
should not be taken as conclusive evidence a system is not infected. - Scan systems for host-level indicators of the related malware (e.g., YARA signatures)
- Search email server logs for applicable sender, subject,
- For systems that may be infected:
- Capture live memory of potentially infected systems for analysis
- Take forensic images of potentially infected systems for analysis
- Isolate systems to a virtual local area network (VLAN) segmented
form the production agency network (e.g., an Internet-only segment)
- Report incidents, with as much detail as possible, to the NCCIC.
Organizations should remind users that they play a critical role in
protecting their organizations form cyber threats. Users should:
- Exercise caution when opening email attachments, even if the
attachment is expected and the sender appears to be known. Be
particularly wary of compressed or ZIP file attachments. - Avoid clicking directly on website links in emails; attempts to
verify web addresses independently (e.g., contact your organization’s
helpdesk or sear the Internet for the main website of the organization
or topic mentioned in the email). - Report any suspicious emails to the information technology (IT) helpdesk or security office immediately.
Practicing basic cyber hygiene would address or mitigate the vast
majority of security breaches handled by today’s security practitioners:
- Privilege control (i.e., minimize administrative or superuser privileges)
- Application whitelisting / software execution control (by file or location)
- System application patching (e.g., operating system vulnerabilities, third-party vendor applications)
- Security software updating (e.g., AV definitions, IDS/IPS signatures and filters)
- Network segmentation (e.g., separate administrative networks from
business-critical networks with physical controls and virtual local area
networks) - Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV cards)
For more information on cybersecurity best practices, users and
administrators are encouraged to review US-CERT Security Tip: Handling
Destructive Malware to evaluate their capabilities encompassing
planning, preparation, detection, and response. Another resource is
ICS-CERT Recommended Practice: Improving Industrial Control Systems
Cybersecurity with Defense-In-Depth Strategies.
References
- Executive Order 13636: Cybersecurity Framework
- US-CERT Security Tip: Handling Destructive Malware
- ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies
Revision History
- August 1, 2015: Initial Release
This product is provided subject to this Notification and this Privacy & Use policy.
No comments:
Post a Comment