Threat Intelligence Brief – April 2017

THIS MONTH’S THREAT:

Authentication Attacks

Despite the increasing sophistication of threat actor tactics, authentication attacks remain the most successful attack vector – fueled by the prevalence of weak passwords. It’s hard to believe weak passwords are so prevalent given the intense focus on data breaches. In fact, the most common passwords in the 2016 Top 25 list released by Keepersecurity.com are the same most common passwords seen a decade ago (e.g. 123456, qwerty, password).

“Keyboard walk” passwords remain very popular as they are easy for the user to remember; unfortunately, they’re well known and used in almost every password attack. The most common password attack is a dictionary attack, which quickly tries all the common passwords.

Should the dictionary attack fail, the next step is a brute force attack. Brute force attacks try every possible character combination up to a set length. This is why the recommended password length continues to grow, hoping to outpace this tactic. However, with today’s powerful CPUs and GPUs set up in clusters, longer passwords are not a sure-fire way to protect against being cracked.

It’s not enough to rely entirely on lengthy and complex passwords; other measures are needed to minimize the likelihood of compromise. There’s no silver bullet for preventing account compromise; the best we can do is to simply make it harder for the attacker.

Threat Remediation

Here are recommended steps to minimize the likelihood of compromise:

  • Enforce strong password creation and reuse policies – Weak passwords are only used because users can get away with them. Keyboard walk or simple dictionary word passwords are not acceptable, nor is simply appending a number to your old password when it’s time to update it. A strong password should consist of at least 16 characters containing a mix of upper and lowercase letters, special characters and numbers. Password history should be set to 24, and the number of characters changed should be greater than half of the password.
  • Don’t reuse passwords across accounts – After a breach or password dump, attackers quickly use the email or account name against various other sites hoping to expand their access to your data. Keep your account passwords unique to each account, as even sharing words between accounts makes it easier to crack.
  • Use a password manager – Managing unique and strong passwords for each account at work and at home can be a daunting task, but password managers make it manageable. It’s important to note that your master password should be robust and never enable the password manager to keep you logged in or remember your master password, as this would defeat the security benefits a password manager can provide.
  • Enable Two-Factor Authentication (2FA) – If your account supports 2FA, enable it. This makes it much more difficult for attackers to gain access to your account. Examples of 2FA are security tokens that generate a key and soft tokens from Google and other 2FA providers that you can install on your phone. A newer form of 2FA can now place a call to a phone registered with the account; this method provides a code you must enter to complete your login.
  • Block brute force attackers – Don’t allow threat actors the chance to try every possible password combination on your account. Establishing a login attempt threshold will block the IP of the attacker, limiting their chances of success. There are many solutions that monitor and proactively block multiple failed logins from the same IP, such as:
    • Linux: Denyhost, fail2ban
    • OSX: fail2ban
    • WordPress Plugins: Wordfence, Sucuri
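The password policy in the first bullet, implemented as an added example (not code from this brief): the 16-character minimum, the four character classes, the 24-entry history, and the rule that more than half of the characters must change, plus a rejection of the brief’s common passwords and of keyboard walks. The keyboard rows are an assumed US QWERTY layout; “characters changed” is measured as Levenshtein edit distance from the previous password.

```python
import string

# Policy values are the ones stated in the brief; KEYBOARD_ROWS is an assumed
# US QWERTY layout used to detect "keyboard walk" passwords such as qwerty or asdf.
MIN_LENGTH = 16
HISTORY_DEPTH = 24
COMMON_PASSWORDS = {"123456", "qwerty", "password"}   # examples cited in the brief
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
WALK_LENGTH = 4


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many characters changed between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_keyboard_walk(password: str) -> bool:
    """True if WALK_LENGTH adjacent keys of one row appear forwards or backwards."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - WALK_LENGTH + 1):
            run = row[start:start + WALK_LENGTH]
            if run in lowered or run[::-1] in lowered:
                return True
    return False


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the policy violations (empty list = acceptable). history is oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(c in string.punctuation for c in candidate))
    if not all(classes):
        problems.append("must mix upper case, lower case, digits and special characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if has_keyboard_walk(candidate):
        problems.append("contains a keyboard walk")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if history and edit_distance(candidate, history[-1]) <= len(candidate) / 2:
        problems.append("fewer than half of the characters changed from the previous password")
    return problems
```

Rolling a year forward (Summer2016!Rocks to Summer2017!Rocks) is caught by the edit-distance rule even though the new password meets the length and complexity requirements.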
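The login-attempt threshold from the last bullet, as an added example in the spirit of fail2ban (not code from this brief or from fail2ban): it parses constructed sshd-style auth log lines, counts failed logins per source IP inside a sliding time window, and reports the IPs that crossed the threshold together with the iptables rule that would block them. The log lines, the RFC 5737 test addresses, the threshold of 5 failures and the 10-minute window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Linux auth log (RFC 5737 test addresses).
SAMPLE_LOG = """\
Apr  3 10:00:01 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr  3 10:00:03 web1 sshd[4012]: Failed password for root from 203.0.113.5 port 51236 ssh2
Apr  3 10:00:04 web1 sshd[4013]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Apr  3 10:00:06 web1 sshd[4014]: Failed password for root from 203.0.113.5 port 51242 ssh2
Apr  3 10:00:07 web1 sshd[4015]: Failed password for root from 203.0.113.5 port 51244 ssh2
Apr  3 10:00:09 web1 sshd[4016]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Apr  3 10:05:30 web1 sshd[4017]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Apr  3 10:40:00 web1 sshd[4018]: Failed password for alice from 198.51.100.7 port 40031 ssh2
"""

# Only failed logins match; successful logins and unrelated lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port")


def parse_ts(ts: str, year: int = 2017) -> datetime:
    """Syslog timestamps carry no year, so one is supplied (assumed 2017 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_forcers(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {ip: time_of_threshold_breach} for IPs with >= threshold failures in any window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m["ip"] in blocked:
            continue
        ip, when = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = when
    return blocked


def block_command(ip: str) -> str:
    """iptables rule that drops all traffic from the offending source address."""
    return f"iptables -I INPUT -s {ip} -j DROP"
```

A user who mistypes a password twice 35 minutes apart (198.51.100.7) never crosses the threshold, while the five rapid failures from 203.0.113.5 do.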

Malicious IPs Targeting WordPress

Every day brings new threat actors to our environment and we remain steadfast in our dedication to protecting our customers and community. We’ve seen these IPs involved in various malicious activities, and have taken steps to block them from our environment. We highly recommend blocking these IPs until they can be remediated. It’s prudent to heavily scrutinize any communications from your network to these IPs, especially the C2 nodes.

IP Address        Attack Signature   Geo Location
195.22.28.222     Phishing Host      Portugal
204.11.56.48      Phishing Host      British Virgin Islands
62.149.128.151    Phishing Host      Italy
62.149.128.157    Phishing Host      Italy
62.149.128.163    Phishing Host      Italy
209.99.40.222     Phishing Host      United States
62.149.128.154    Brute Force        Italy
62.149.128.74     C2 Node            Italy
54.72.9.51        Phishing Host      United States
162.255.119.249   Malware Host       United States
62.149.128.166    Phishing Host      Italy
77.73.66.227      C2 Node            Russia
62.149.128.72     Phishing Host      Italy
62.149.128.160    Phishing Host      Italy

Security Trends and Insights

20-YEAR-OLD MALWARE STILL IN USE

First appearing during a 1996 attack against a U.S. government department, the Moonlight Maze malware is as deadly as ever. Researchers at Kings College in London and at Kaspersky labs revealed that the 20-year-old malware is still in use. It’s both impressive and concerning that updates and enhanced security controls continue to keep this ancient malware relevant.

RANSOMWARE VARIANT EVADING MACHINE LEARNING

The security industry has made great strides against ransomware, increasing awareness and developing decryption tools. Unfortunately, the malware developers behind these threats are fighting back to evade detection. TrendMicro discusses a new variant of the Cerber ransomware that is avoiding detection by machine learning. It now relies on a separate loader to install itself, bypassing the protection offered by static machine learning.

PROTECTING THE U.S. POWERGRID

A dire warning was issued during a hearing before the Senate Energy and Natural Resources Committee on the threat posed to the U.S. electric grid by cyber attack. The president of the grid operators group, the North American Electric Reliability Corporation, noted that the potential for an attack against our grid was at an all-time high. He pointed to the large outage in Ukraine that left more than 200,000 people without power. This scenario could play out within the U.S. unless more steps are taken to secure our infrastructure.