Message: US-CERT alert

Home Message Groups Fidonet Anti-Virus Discussion & NewsReading Messages
Who's Online Login New User Message Groups
Main DOVE-Net BattlNet GatorNet Fidonet ILink DoRENET League 10 CombatNet
File Libraries
Subject:
US-CERT alert
Date:
Sat Aug 01 2015 10:24 pm
From:
Ben Ritchey
To:
All
NCCIC / US-CERT

National Cyber Awareness System:

TA15-213A: Recent Email Phishing Campaigns û Mitigation and Response
Recommendations
08/01/2015 06:01 PM EDT


Original release date: August 01, 2015

Systems Affected
Microsoft Windows Systems, Adobe Flash Player, and Linux

Overview
Between June and July 2015, the United States Computer Emergency Readiness Team 
(US-CERT) received reports of multiple, ongoing and likely evolving,
email-based phishing campaigns targeting U.S. Government agencies and private
sector organizations. This alert provides general and phishing-specific
mitigation strategies and countermeasures.

Description
US-CERT is aware of three phishing campaigns targeting U.S. Government agencies 
and private organizations across multiple sectors. All three campaigns
leveraged website links contained in emails; two sites exploited a recent Adobe 
Flash vulnerability (CVE-2015-5119) while the third involved the download of a
compressed (i.e., ZIP) file containing a malicious executable file. Most of the 
websites involved are legitimate corporate or organizational sites that were
compromised and are hosting malicious content.

Impact
Systems infected through targeted phishing campaigns act as an entry point for
attackers to spread throughout an organizationÆs entire enterprise, steal
sensitive business or personal information, or disrupt business operations.

Solution
Phishing Mitigation and Response Recommendations

Implement perimeter blocks for known threat indicators:
Email server or email security gateway filters for email indicators
Web proxy and firewall filters for websites or Internet Protocol (IP) addresses 
linked in the emails or used by related malware
DNS server blocks (blackhole) or redirects (sinkhole) for known related domains 
and hostnames
Remove malicious emails from targeted user mailboxes based on email indicators
(e.g., using Microsoft ExMerge).
Identify recipients and possible infected systems:
Search email server logs for applicable sender, subject, attachments, etc. (to
identify users that may have deleted the email and were not identified in purge 
of mailboxes)
Search applicable web proxy, DNS, firewall or IDS logs for activity the
malicious link clicked.
Search applicable web proxy, DNS, firewall or IDS logs for activity to any
associated command and control (C2) domains or IP addresses associated with the 
malware.
Review anti-virus (AV) logs for alerts associated with the malware.  AV
products should be configured to be in quarantine mode. It is important to note 
that the absence of AV alerts or a clean AV scan should not be taken as
conclusive evidence a system is not infected.
Scan systems for host-level indicators of the related malware (e.g., YARA
signatures)
For systems that may be infected:
Capture live memory of potentially infected systems for analysis
Take forensic images of potentially infected systems for analysis
Isolate systems to a virtual local area network (VLAN) segmented form the
production agency network (e.g., an Internet-only segment)
Report incidents, with as much detail as possible, to the NCCIC.
Educate Your Users

Organizations should remind users that they play a critical role in protecting
their organizations form cyber threats. Users should:

Exercise caution when opening email attachments, even if the attachment is
expected and the sender appears to be known.  Be particularly wary of
compressed or ZIP file attachments.
Avoid clicking directly on website links in emails; attempts to verify web
addresses independently (e.g., contact your organizationÆs helpdesk or sear the 
Internet for the main website of the organization or topic mentioned in the
email).
Report any suspicious emails to the information technology (IT) helpdesk or
security office immediately.
Basic Cyber Hygiene

Practicing basic cyber hygiene would address or mitigate the vast majority of
security breaches handled by todayÆs security practitioners:

Privilege control (i.e., minimize administrative or superuser privileges)
Application whitelisting / software execution control (by file or location)
System application patching (e.g., operating system vulnerabilities,
third-party vendor applications)
Security software updating (e.g., AV definitions, IDS/IPS signatures and
filters)
Network segmentation (e.g., separate administrative networks from
business-critical networks with physical controls and virtual local area
networks)
Multi-factor authentication (e.g., one-time password tokens, personal identity
verification (PIV cards)
Further Information

For more information on cybersecurity best practices, users and administrators
are encouraged to review US-CERT Security Tip: Handling Destructive Malware to
evaluate their capabilities encompassing planning, preparation, detection, and
response. Another resource is ICS-CERT Recommended Practice: Improving
Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.

References
Executive Order 13636: Cybersecurity Framework
US-CERT Security Tip: Handling Destructive Malware
ICS-CERT Recommended Practice: Improving Industrial Control Systems
Cybersecurity with Defense-In-Depth Strategies
Revision History
August 1, 2015: Initial Release

------------------------------------------------------------------------------- 
-

This product is provided subject to this Notification and this Privacy & Use
policy.


------------------------------------------------------------------------------- 
-
A copy of this publication is available at www.us-cert.gov. If you need help or 
have questions, please send an email to info@us-cert.gov. Do not reply to this
message since this email was sent from a notification-only address that is not
monitored. To ensure you receive future US-CERT products, please add
US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences  |  Unsubscribe  |  Help


------------------------------------------------------------------------------- 
-
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf of: 
United States Computer Emergency Readiness Team (US-CERT) ╖ 245 Murray Lane SW
Bldg 410 ╖ Washington, DC 20598 ╖ (888) 282-0870 Powered by GovDelivery

=== Cut ===

--
Guardien Fide   :^)

   Ben  aka cMech  Web: http://cmech.dynip.com
                 Email: fido4cmech(at)lusfiber.net
              Home page: http://cmech.dynip.com/homepage/
           WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1

--- GoldED+/W32-MSVC
 * Origin: FIDONet - The Positronium Repository (1:393/68)
Section One BBS
