Nearly 50% of all phishing attacks in 2021 were aimed at stealing the credentials of federal, state and local government employees, according to a report released Wednesday by endpoint-to-cloud security company Lookout.

Phishing attacks on civil servants increased 30% from 2020 to 2021, with one out of every eight workers exposed to phishing threats during this period, according to the report, which Lookout based on an analysis of anonymized data from 200 million devices and 175 million apps belonging to its federal, state and local government customers.

While malware delivery dominates mobile phishing attacks outside the public sector, credential theft is on the rise, with a 47% increase in 2021 compared to the previous year, as malware delivery declined by 12% during the same period.

Compromised credentials provide an easy way for threat actors to get their hands on the valuable data that governments hold.

“The first thing that comes to mind is nation-state actors trying to establish a presence on government networks,” said Mike Fleck, senior director of sales engineering at cloud-based security provider Siren in McLean, Va.

“Fraudsters will also be interested in access – think fake unemployment claims and ‘cleaning up’ of stolen vehicles,” he told TechNewsWorld.

“When it comes to government,” said Lookout Senior Manager for Security Solutions Steve Banda, “there is going to be some highly confidential information available that is going to be valuable to some party somewhere, either a malicious person or nation state.”

Expansion of BYOD in Government

The report also noted that all levels of government are increasing their reliance on unmanaged mobile devices. The use of unmanaged devices in the federal government increased by about 5% from 2020 to 2021 – and closer to 14% for state and local governments during the same period.

“We’ve seen a lot of change in what organizations are starting to do with mobile devices,” Banda told TechNewsWorld. “There is a big shift toward unmanaged, especially as agencies become more comfortable adopting BYOD strategies.”

“Remote work has certainly accelerated BYOD,” he said.

While the increased use of unmanaged equipment suggests an expansion of remote working, it may also be a recognition of the benefits of BYOD for employees and agencies.

“I’ve had separate work and personal phones before, and it’s very easy to do everything on one device,” Fleck said.

“Covid forced remote work faster than any government procurement cycle,” he explained. “It is understandable that agencies were forced to adopt BYOD policy faster than their ability to purchase and deploy mobile device management platforms.”

Greater Phishing Exposure

Permitting the use of unmanaged equipment also indicates that agencies are finding that employees can work effectively remotely, maintained a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

“Modern software and tools allow for unprecedented collaboration capabilities, and the tools being used are more capable than ever,” he told TechNewsWorld.

“With the onset of Covid forcing many organizations that were resistant to working remotely to implement the strategy, a lot of organizations have seen benefits in allowing this to continue,” he said.

More than a third of state and local government employees are using personal devices for work in 2021, the report said, adding that these agencies are leading the adoption of BYOD.

While this offers employees more flexibility, it acknowledged that these unmanaged devices are more frequently exposed to phishing sites than managed devices, as unmanaged personal devices connect to a wider range of websites and use a more diverse range of apps.

“My experience shows that remote workers may be more vulnerable to phishing because they are working in an environment that blurs the line between job and home life, and they become more comfortable and less alert than they are in the office,” Krone said.

Ray Stein, CSO of Mainspring, a provider of IT-managed services in Frederick, MD, said remote workers are no more likely to fall for a phishing scam than other employees.

“But without the supervision or protection of an enterprise firewall, it’s easy to reach them through different channels,” he told TechNewsWorld. “This increases the number of phishing scams they are exposed to, leaving them more vulnerable than long-term office workers.”

Old Android Versions

The report had good and bad news about government employees running older versions of Android on their phones.

The bad news was that nearly 50% of state and local government employees are running older versions of the Android operating system, exposing them to hundreds of device vulnerabilities.

The good news is that this is a marked improvement in 2021, when 99% of mobiles were running older versions of the operating system.

The report states that keeping the mobile operating system up to date is the best form of cyber security. However, government agencies or departments may choose to delay the update until their proprietary app is tested, it continued. This delay creates a vulnerability window during which a threat actor can use a mobile device to access an organization’s infrastructure and steal data.

“New releases or versions of the OS build on their previous releases, including all security enhancements and improvements,” said Stuart Jones, director of the CloudMark division at Proofpoint, an enterprise security company in Sunnyvale, Calif.

“Without the latest version of the OS,” he told TechNewsWorld, “the benefits of these enhancements are not available on the device or for the user.”

Stein said that in 2021, Google’s Threat Analysis Group (TAG) discovered at least nine zero-days affecting its products, including Android devices.

“Patches for those vulnerabilities were included in Android updates, but users stuck on older OS versions may not benefit from them,” he said.

Need for Extreme Caution

Banda said it can be challenging to keep pace with Android due to its fragmented environment.

“To update to a certain level, you must have the correct combination of mobile operator and device manufacturer’s firmware,” he explained. “There are a number of factors that determine whether you can take on release.”

Not only does this make it difficult for users to keep their Android version up to date, but it also makes it difficult for employers to keep the devices secure. “A company needs to know who is running which version of Android,” Banda said. “They have to figure out how to get that visibility and create policies so everyone can get up to speed on the latest version available to them.”

After working in the federal space for most of his career, Sami Allini, a biometrics specialist at Contrast Security, a maker of self-protecting software solutions in Los Altos, Calif., said he’s tormented about how long adversaries will exploit and infiltrate government institutions.

“As an activist in this field, one must be vigilant about all interactions, including those with colleagues,” he told TechNewsWorld. “As this report shows, phishing, a form of social engineering, is on the rise, and for good reason. Social engineering is one of the most effective ways to gain access to information or property that someone has access to. Shouldn’t have passed.”

A new phishing-as-a-service offering on the dark web poses a threat to online accounts protected by multi-factor authentication, according to a blog posted Monday by an endpoint security company.

Called EvilProxy, the service allows threat actors to launch phishing campaigns with the ability to largely bypass MFA without the need to hack upstream services, the Resecurity researchers noted in the blog.

The service uses methods supported by APT and cyber espionage groups to compromise accounts protected by MFA. According to the researchers, such attacks have been discovered against Google and Microsoft customers whose accounts have MFA enabled via SMS text messages or application tokens.

Phishing links produced by EvilProxy lead to cloned web pages that have been prepared to compromise accounts associated with multiple services, including Apple iCloud, Facebook, GoDaddy, GitHub, Dropbox, Instagram, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex.

Threat actors using EvilProxy are targeting software developers and IT engineers to gain access to their repositories, with the ultimate goal of hacking “downstream” targets, the researchers wrote.

They explained that these tactics allow cybercriminals to capitalize on end users who believe they are downloading software packages from secure resources and do not expect them to be compromised.

Faster, Faster, Better

“This incident poses a threat to software supply chains because it targets developers by giving the service’s cybercriminal customers the ability to launch campaigns against GitHub, PyPI and NPM,” said Avid Gershon, leader of the security research team at Checkmarx, an application security company in Tel Aviv, Israel.

“Just two weeks ago,” he told TechNewsWorld, “we saw the first phishing attack against PyPI contributors, and now we see the service take it a few steps further by making these attacks accessible to less technical operators and adding the capability to bypass the MFA.”

Checkmarx’s head of supply chain security Tzachi Zorenstein said the nature of supply chain attacks increases the reach and impact of cyber attacks.

“Abusing the open-source ecosystem represents an easy way for attackers to increase the effectiveness of their attacks,” he told TechNewsWorld. “We believe this is the beginning of a trend that will increase in the coming months.”

A phishing-as-a-service (PhaaS) platform can also increase attacker effectiveness. “Since PhaaS can operate at scale, it enables adversaries to be more efficient at stealing and defrauding identities,” said Resecurity CEO Jean Yu.

“Old-fashioned phishing campaigns require money and resources, which can be overwhelming for one person,” he told TechNewsWorld. “PhaaS is just faster, faster, better.”

“It’s something that’s very unique,” he said. “It’s very rare to produce a phishing service on this scale.”

Well Packed

Many illegal services built for hacking and malicious intent are sold as packaged solutions, explained Alon Nachmany, field CISO at AppviewX, a certificate lifecycle management and network automation company in New York City.

“By using a PhaaS solution malicious actors have less overhead and less to spring an attack,” he told TechNewsWorld.

“Quite honestly,” he continued, “I’m surprised it took so long to become a thing. There are so many marketplaces where you can buy ransomware software and link it to your wallet. Once deployed, you can collect the ransom. The only difference here is that it is completely hosted for the attacker.”

While phishing is often considered a low-effort activity in the hacking world, it still requires some work, said Monia Deng, director of product marketing at Bolster, a provider of automated digital risk protection in Los Altos, Calif. An attacker needs to do things like stand up a phishing site, create emails, automate managers, and nowadays, steal 2FA credentials on top of primary credentials, she explained.

“With PhaaS,” she continued, “everything is neatly packaged on a subscription basis for criminals who do not require any hacking or even social engineering experience. It opens the ground for many more threat actors who want to exploit organizations for their own gain.”

Bad Actors, Great Software

Security researchers explained that payment for EvilProxy is conducted manually through an operator on Telegram. Once the subscription funds are received, they are credited to the account in the customer portal hosted on Tor. The kit is available for $400 per month.

EvilProxy’s portal has many tutorials and interactive videos on using the service and configuration tips. “To be clear,” the researchers wrote, “the bad actors did a great job in terms of service usability, and configuration of new campaigns, traffic flow, and data collection.”

“This attack just shows the maturity of the bad actor community,” said George Gerchow, CSO and senior vice president of IT at Sumo Logic, an analytics company focused on security, operations and business information in Redwood City, Calif.

“They are packing these kits nicely with detailed documentation and videos to make it easier,” he told TechNewsWorld.

The service uses a “reverse proxy” principle, the researchers noted. It works like this: Bad actors lead victims to a phishing page, use a reverse proxy to get all the legitimate content the user expects to see, and sniff their traffic through the proxy.

“This attack highlights how low the barrier of entry is for unsophisticated actors,” said Heather Iannucci, a CTI analyst at Tanium, creator of an endpoint management and security platform in Kirkland, Wash.

“With EvilProxy, a proxy server sits between the legitimate platform’s server and the phishing page, which steals the victim’s session cookie,” she told TechNewsWorld. “This can then be used by the threat actor to log in to a legitimate site as a user without an MFA.”

“Defending against EvilProxy is a challenge because it combines cheating a victim and MFA bypass,” Yu said. “The real compromise is invisible to the victim. Everything sounds good, but it’s not.”
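
The session-cookie reuse described above can leave a trace in the legitimate site's own logs. The following sketch is an added example, not code from Resecurity or from this article; the log field names, the /24 network comparison and the sample events are assumptions constructed for illustration. It flags a session whose cookie is later presented from both a different network and a different browser than the ones seen when MFA was completed.

```python
import ipaddress

# Constructed sample events (not real data). Field names are assumptions about
# what a site's parsed authentication and access logs might contain.
SAMPLE_EVENTS = [
    {"ts": 100, "session": "sess-A", "user": "alice", "event": "mfa_ok",
     "ip": "198.51.100.20", "ua": "Firefox/104 Linux"},
    # Same browser, address moved inside the same /24: treated as benign.
    {"ts": 160, "session": "sess-A", "user": "alice", "event": "request",
     "ip": "198.51.100.77", "ua": "Firefox/104 Linux"},
    {"ts": 200, "session": "sess-B", "user": "bob", "event": "mfa_ok",
     "ip": "203.0.113.9", "ua": "Chrome/105 Windows"},
    # Same cookie, different network and different browser: replay candidate.
    {"ts": 230, "session": "sess-B", "user": "bob", "event": "request",
     "ip": "192.0.2.44", "ua": "Chrome/104 Linux"},
    {"ts": 300, "session": "sess-B", "user": "bob", "event": "request",
     "ip": "192.0.2.44", "ua": "Chrome/104 Linux"},
]


def same_network(ip_a, ip_b, prefix=24):
    """True if both IPv4 addresses fall inside the same /prefix network."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def find_session_replay(events):
    """Return one finding per session whose cookie shows up from a client
    context that differs from the context in which MFA was completed."""
    mfa_context = {}   # session id -> (ip, user agent) seen at MFA time
    findings = {}      # session id -> first suspicious use
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "mfa_ok":
            mfa_context[sid] = (ev["ip"], ev["ua"])
            continue
        if sid not in mfa_context or sid in findings:
            continue
        mfa_ip, mfa_ua = mfa_context[sid]
        network_changed = not same_network(mfa_ip, ev["ip"])
        ua_changed = ev["ua"] != mfa_ua
        # Requiring both signals keeps roaming users (network change only)
        # and browser updates (user agent change only) out of the results.
        if network_changed and ua_changed:
            findings[sid] = {
                "session": sid,
                "user": ev["user"],
                "first_seen": ev["ts"],
                "mfa_ip": mfa_ip,
                "replay_ip": ev["ip"],
            }
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_EVENTS):
        print(finding)
```

Because the victim's login passes through the proxy, the context recorded at MFA time is the proxy's; the check fires only when the cookie is later used from somewhere else, so it complements rather than replaces phishing-resistant sign-in.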

Still in Effect

Nachmany warned that users should be concerned about the effectiveness of MFAs that use text messaging or application tokens. “PhaaS is designed to use them, and this is a trend that will grow in our market,” he said.

“The use of certificates as an additional factor is what I expect to see an increase in use soon,” he said.

While users should be careful when using an MFA, it is still an effective mitigation against phishing, said Patrick Harr, CEO of SlashNext, a network security company in Pleasanton, Calif.

“It increases the difficulty of leveraging compromised credentials to disband an organization, but it is not foolproof,” he said. “If a link leads the user to a counterfeit replica of a legitimate site—which is nearly impossible to identify as not legitimate—the user may be the victim of an adversary-in-the-middle attack, such as the one used by EvilProxy.”