PHONE 800-258-3190
Email info@associatedbrc.com
www.associatedbrc.com
Associated Benefits and Risk Consulting - Cyber Liability

The question is not if your company will experience a cyberattack, but when.

As the number of cyberattacks increases across all industry segments, so does the importance of cybersecurity for all businesses — regardless of size or reliance on technology. A breach can result from a variety of factors, including attacks on networks, employee negligence, malware-infected emails or social engineering scams. You can be left paying thousands of dollars.

Cyber Liability coverage protection can extend beyond standard liability coverage from cyber-related lawsuits. There are a variety of coverage options available for organizations of all types and sizes. These solutions can include reimbursements for loss of income, notification costs, cyber extortion/ransomware, network security, third-party interruptions, regulatory defense costs and more.

To help ensure you have the right coverage we offer the following:

  • Proprietary risk and exposure analysis
  • Benchmarking analytics
  • Contract review
  • On-staff law degreed compliance specialist
  • Claims advocacy
  • Placement and program analysis

CYBER RISK SCORECARD

Identify where you may have gaps.

Cybercrime is constantly evolving and cybersecurity is hard-pressed to keep up. You’ve taken steps to protect your business against cyber threats, but your best efforts may not be enough. Take the Cyber Risk Scorecard survey to see where your business excels and where you face exposure.


THREAT INTELLIGENCE HIGHLIGHTS

Threat Intelligence highlights from January

Thursday, February 14, 2019 - Jake Omann, CIC, CPCU

Hacker group threatens to retaliate against law firm for reporting first ransomware attack to law enforcement

A hacker group by the name of Dark Overlord threatened to release files it claims were stolen from a law firm — believed to have advised the insurance company responsible for handling claims related to the September 11 terrorist attack — unless the firm paid ransom in the form of bitcoin. According to the group’s own announcement, stolen data includes:

  • Emails, voicemails, and confidential communications
  • Retainer agreements, non-disclosure agreements and settlements
  • Litigation strategies, defense formations, and liability analysis
  • Testimonies, including that of expert witnesses, and
  • Communications with international government officials, as well as U.S. federal agencies like the FBI, Department of Justice and the Department of Defense

The threat to release stolen information stems from a prior ransomware attack, where the law firm paid the initial ransom, but breached the hacker group’s “terms of agreement” by reporting the incident to law enforcement. The hacker group is now threatening to “bury” the law firm, unless they pay a second ransom. 

This is not the first appearance of Dark Overlord — the group is also responsible for leaking stolen episode content of the popular Netflix series, Orange is the New Black, after Netflix refused to pay ransom.

Source: SC Magazine

Emotet malware evolving into a significant cyber threat

A botnet and popular family of malware by the name of Emotet has emerged as an increasingly dangerous cyber threat to organizations over the past year as its operators beef up their tactics.

Starting out as a bank Trojan, Emotet, when first deployed in 2014, was designed to steal banking credentials and other sensitive data. Emotet was frequently spread via phishing emails including malicious documents or links. Emotet has evolved rapidly, now utilizing business email compromise as a delivery mechanism, and arming the software with the ability to drop additional payloads.

  • Emotet's operators, a group by the name of Mealybug, have evolved their business model over time from a banking Trojan to a means of delivering other threat vectors.
  • Mealybug has joined other malware-as-a-service operators, selling its malware to other users.
  • Combined with other strains of ransomware, Emotet becomes more difficult to protect against, making it an even more dangerous threat vector.
  • The United States Computer Emergency Readiness Team (US-CERT) has taken notice, issuing an alert on Emotet in July 2018, calling it “an advanced modular banking Trojan that mainly functions as a downloader or dropper of other banking Trojans.”
  • Trend Micro, a cybersecurity firm, picked up on an Emotet campaign this past summer, in the form of a spam email designed to look like it came from a legitimate bank email address. Emails contained a link to download a .doc file containing a macro that, when run, downloads and runs the Emotet malware.

Source: DARKreading.com

FBI and AFOSI joint crackdown on the Joanap botnet sparked by WannaCry, Sony Pictures ransomware attacks

In January 2019, the U.S. Department of Justice (DOJ) announced efforts to "map and further disrupt" a botnet tied to North Korea that has spent the last decade infecting computers running Microsoft Windows around the world.

  • The “Joanap” botnet is believed to be part of "Hidden Cobra," an advanced persistent threat (APT) group also known as Lazarus Group and Guardians of Peace, backed by the North Korean government.
  • Hidden Cobra is the same hacking group believed to be associated with the WannaCry ransomware and SWIFT Banking attacks in 2016, as well as the 2014 hacking of Sony Motion Pictures.
  • Joanap-infected computers operate on a peer-to-peer communications infrastructure which effectively makes every infected computer a part of its command-and-control system. Even though anti-malware software detects Joanap, the peer-to-peer configuration leaves many infected computers connected to the internet.
  • In an effort to identify infected hosts and take down the botnet, the FBI, with the Air Force Office of Special Investigations (AFOSI), obtained search warrants that allowed them to join the botnet using their own "intentionally infected" computers.
  • The intentionally infected computers were designed to mimic their peers, allowing the agencies to collect technical and limited identifying information in an attempt to map the extent of the botnet’s network.
  • Information collected by the FBI and AFOSI from Joanap-infected computers included IP addresses, port numbers, and connection timestamps.
  • The agencies are now notifying victims of the presence of Joanap on their infected computers via the victims’ internet service providers, going so far as to send personal notifications to users who are not using a router or firewall to protect their systems.
  • The efforts of the FBI and AFOSI to disrupt the Joanap botnet began after charges against a North Korean computer programmer, Park Jin Hyok, were unsealed by the U.S. government last September, revealing his role in masterminding the Sony Pictures and WannaCry ransomware attacks.

Source: The Hacker News

U.S. intelligence officials detail top nation-state threats

The U.S. Director of National Intelligence, Dan Coats, with several of the nation’s top intelligence officials, warned the Senate Intelligence Committee in January of the top nation-state threats facing the country, including China, Russia, Iran and North Korea.

  • In the hearing, U.S. intelligence officials warned that the countries remain a significant threat to the United States’ government and private sectors.
  • The biggest threat vectors highlighted include cyber operations, online influence operations and election interference, as well as the development and proliferation of weapons of mass destruction, terrorism, counterintelligence, space and transnational organized crime, and regional threats.
  • According to the Worldwide Threat Assessment of the U.S. Intelligence Community, presently, “China and Russia pose the greatest espionage and cyberattack threats,” though, the intelligence community anticipates, “that all our adversaries and strategic competitors will increasingly build and integrate cyber espionage, attack and influence capabilities into their efforts to influence U.S. policies and advance their own national security interests.”
  • The report also points to Iran’s online espionage and cyberattacks as a significant threat, noting the nation-state’s use of “increasingly sophisticated cyber techniques to conduct espionage,” as well as its attempts to “deploy cyberattack capabilities that would enable attacks against critical infrastructure in the United States and allied countries.” The report also notes Tehran’s use of social media to target U.S. and allied audiences.
  • North Korea also continues to use cyber capabilities in its efforts to steal from financial institutions as a means of generating revenue, including a successful raid of an account with the New York Federal Reserve that drained an estimated $81 million from Bangladesh’s central bank.

Source: Bank Info Security

Malicious documents linked to apparent cyberattack targeting U.S. banks

In another case of malware-as-a-service, cybersecurity firm, FireEye Intelligence, recently identified two malicious documents capable of delivering Cobalt Strike’s “Beacon” payload, used in what FireEye believes to be a malware campaign targeting U.S. banks.

  • Hackers created a false bank domain designed to impersonate the website of Florida-based Mercantile Bank, believed to have been the intended recipient.
  • Within two days of each other, two Microsoft Office Open XML spreadsheet files were uploaded to VirusTotal, an online tool used to analyze suspicious files and detect the presence of malware, and notify the security community of any reported instances of malware.
  • Both files contained a vague or blurred photo to lure users into enabling the macro script. The first file resided on the false bank domain, while the second resided on a false digital rewards site.  
  • Upon analysis of the file and host website, evidence was found to suggest that the attackers’ intended target may have been a financial organization.
  • Beacon malware is a commercially available backdoor that is part of the Cobalt Strike software platform, commonly used for pen testing network environments.
  • Beacon supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
  • Evidence was also found indicating that both payloads were generated by the same user, though no ties have been discovered between the username and known actors in the underground community.

“Anonymous” hacktivist sentenced to 10 years in prison for DDoS attacks

Hacktivist Martin Gottesfeld has been sentenced to over 10 years in prison for launching crippling cyberattacks on two healthcare organizations in 2014, in protest of reported patient mistreatment by both organizations. Gottesfeld’s sentencing is a continuation of efforts by the U.S. government to disrupt the “webstressers” market and punish those responsible for launching distributed denial of service (DDoS) attacks.

  • On behalf of the hacker collective, Anonymous, Gottesfeld carried out a DDoS attack against Boston Children's Hospital and a Massachusetts nonprofit home treatment facility, Wayside Youth & Family Support Network, which provides mental health counseling services to children, young adults, and families.
  • The attack was in response to the reported mistreatment of a teenager by the organizations, by which custody was given to the state of Massachusetts.
  • In April 2014, Gottesfeld deployed a botnet of over 40,000 network routers infected with customized malware designed to carry out the attacks and disrupt service to the organizations’ websites.
  • Intended to take Boston Children’s Hospital offline, the attack also affected several other hospitals in the area.
  • The DDoS attacks crippled Wayside Youth and Family Support Network for more than a week. The nonprofit spent $18,000 on response and mitigation efforts.
  • Gottesfeld, 34, was ordered to serve 121 months in prison and to pay nearly $443,000 in restitution for damages suffered by the targeted facilities.

Source: The Hacker News

Mobile phone giants caught red-handed selling customer location data — again

Major mobile service providers, such as AT&T, T-Mobile, and Sprint, have been actively collecting their customers' location data and selling it to the highest bidder for years — and this is not the first time abuses have been caught out:

  • Phone carriers have been in the practice of selling access to their customers' location data to companies known as location aggregators.
  • The aggregators then provide or sell the location data to their clients, who then provide or sell phone tracking services to outside organizations, such as roadside assistance operations, financial institutions, or even bounty hunters.
  • The problem with this model was the ability for anyone with any mobile phone number to use any service with access to the location data to track down a mobile phone’s location, and presumably its owner, to within a couple of blocks — for just $300 in one instance.
  • Following the report, AT&T, which had previously curtailed its location sharing services to just those that “protect” its customers, announced its decision to end its location data sharing services completely. T-Mobile CEO, John Legere, followed suit, tweeting that his company will also gradually end the practice by March 2019.
  • The Federal Communications Commission (FCC) will be launching an investigation.

Source: Bleeping Computer

North Korea linked to hacking in an attempt to sidestep ongoing sanctions

Under financial strain due to ongoing sanctions, a cash-starved North Korea has turned to other means of generating revenue, namely, backing the exploitation of financial institutions around the world.

A recently disclosed attack on the Chilean interbank network, Redbanc, appears linked to the notorious Lazarus hacking group, a nation-state sponsored group linked to North Korea.

  • The attack involved PowerRatankba, a malware toolkit already associated with the Lazarus Group, and was confirmed to have been installed on Redbanc’s corporate network without triggering antivirus detection.
  • The malware was delivered after an IT professional with Redbanc clicked to apply for a job opening they had discovered through social media. The employee even participated in an interview over Skype, never pausing to question the legitimacy of the position, application, or interview process.
  • When clicked, the PowerRatankba dropper, designed to display a fake job application form, downloaded and executed in the background. The payload was not available during analysis, but was later recovered from the computer’s security “sandbox.”
  • The malware uses Windows Management Instrumentation (WMI) to obtain information on the system and sends the gathered data, such as system details, process lists, username, proxy settings, etc. to a server. It also checks for open file shares and Remote Desktop Protocol (RDP) ports, a known network and systems vulnerability.
  • PowerRatankba is a first stage reconnaissance tool that can also open the door to further malicious implants. For example, if admin privileges are available, the malware then attempts to download the next stage and register the tool as a service.
  • Lazarus has reportedly been involved in a number of bank intrusions across the world, though they appear to be heavily targeting financial institutions and cryptocurrency exchanges in Latin America.

Source: Security Week

Unsecured server left millions of mortgage documents exposed

A server containing more than 24 million financial, banking and credit report documents for tens of thousands of loans and mortgages going back the last 10 years was not password protected, allowing unauthorized users access to the documents.

  • The document cache contained 51GB of credit and mortgage reports in computer-readable optical character recognition (OCR) format.
  • The vulnerability exposed partial documents containing various sensitive data, including social security numbers, names, phone numbers, addresses, credit history, and other information collected as part of a mortgage or credit report.
  • The instance was taken offline and the data secured, but had been available for an unspecified period of time. 
  • The leak was traced back to Texas-based Ascension, a data and analytics company, providing services such as data analysis and portfolio valuations for the financial industry.
  • One of the services provided by Ascension converts paper documents and handwritten notes into computer-readable OCR files.
  • General counsel for Ascension’s parent company, Rocktop Partners, which owns more than 46,000 loans worth $4.4 billion, confirmed the security incident to TechCrunch.

Sources: Security Discovery and Tech Crunch

Cisco releases patch to prevent router hijackings

Networking giant, Cisco, recently released a patch for significant vulnerabilities in two of its Small Business router models:

  • Cisco informed customers on January 23, 2019 that its Small Business RV320 and RV325 routers were vulnerable to two high-severity flaws.
  • One of the flaws, tracked as CVE-2019-1653, has been described as an “information disclosure” vulnerability allowing an unauthenticated user to remotely obtain sensitive information from the router, including router configuration and detailed diagnostic information.
  • The second flaw, identified as CVE-2019-1652, allows an attacker with admin privileges to execute arbitrary commands as root.
  • Combined, these two vulnerabilities allow an unauthorized user to hijack the router.
  • The United States had the highest number of impacted devices with roughly 4,400 affected routers.

Source: The Hacker News

Additional details revealed about the massive collection of email addresses and passwords for sale

Described by an article in The Guardian as “the largest collection ever of breached data found,” KrebsOnSecurity went digging for additional details regarding a massive collection of email addresses and plain text passwords, recently posted for sale on the dark web.

  • Cyber experts believe the data was first posted to underground forums in October 2018, and that the 87 gigabytes (GB) being advertised is just a subset of a much larger cache of email addresses and passwords the hacker is selling online.
  • Upon further investigation, the data dump, referred to as “Collection #1” by the seller, consists of 2-3 year-old data pulled from a huge number of hacked sites, described by the seller as a mix of “dumps and leaked bases.”
  • Additional data for sale totals close to a full terabyte (TB) of data.

Source: Krebs on Security

How safe is your organization? Take the Cyber Risk Scorecard survey to assess your current cybersecurity standing and find additional steps your organization can take to protect against common cyber threats.

Jake Omann, CIC, CPCU

Jake Omann specializes in providing clients with risk management and executive risk services that cover their liabilities as a corporation, as well as the personal liabilities of their directors and officers. He started his career over 10 years ago in sales at a multinational financial services corporation before beginning his broker career in managing executive risk programs for Fortune 500 companies. Jake currently sits on the board for ACES for Kids.
