The world’s largest meat processing company says it paid the equivalent of $11 million to hackers who broke into its computer system late last month.

Brazil-based JBS SA said on May 31 that it was the victim of a ransomware attack, but Wednesday was the first time the company’s U.S. division confirmed that it had paid the ransom.

“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, the CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

JBS said the vast majority of its facilities were operational at the time it made the payment, but it decided to pay in order to avoid any unforeseen issues and ensure no data was exfiltrated.

The FBI has attributed the attack to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months. The FBI said it will work to bring the group to justice and it urged anyone who is the victim of a cyberattack to contact the bureau immediately.

The attack targeted servers supporting JBS’s operations in North America and Australia. Production was disrupted for several days.

Earlier this week, the Justice Department announced it had recovered most of a multimillion-dollar ransom payment made by Colonial Pipeline, the operator of the nation’s largest fuel pipeline.

Colonial paid a ransom of 75 bitcoin, then valued at $4.4 million, in early May to a Russia-based hacker group. The operation to seize cryptocurrency reflected a rare victory in the fight against ransomware as U.S. officials scramble to confront a rapidly accelerating threat targeting critical industries around the world.

It wasn’t immediately clear if JBS also paid its ransom in bitcoin.

JBS said it spends more than $200 million annually on IT and employs more than 850 IT professionals globally.

The company said forensic investigations are still ongoing, but it doesn’t believe any company, customer or employee data was compromised.

Courtesy: securityweek.com

Introduction

In a nutshell, email spoofing is the creation of fake emails that seem legitimate. This article analyzes the spoofing of email addresses through changing the From header, which provides information about the sender’s name and address.

SMTP (Simple Mail Transfer Protocol, the main email transmission protocol in TCP/IP networks) offers no protection against spoofing, so it is fairly easy to spoof the sender’s address. In fact, all the would-be attacker needs is a tool for choosing in whose name the message will arrive. That can be another mail client or a special utility or script, of which there is no shortage online.

Email spoofing is used in both fraudulent schemes and targeted attacks against organizations. Cybercriminals use this technique to convince victims that a message came from a trusted sender and nudge them into performing a specific action, such as clicking a phishing link, transferring money, downloading a malicious file, etc. For added credibility, attackers can copy the design and style of a particular sender’s emails, stress the urgency of the task, and employ other social engineering techniques.

Legitimate Domain Spoofing

The simplest form of the technique is legitimate domain spoofing. This involves inserting the domain of the organization being spoofed into the From header, making it extremely difficult for the user to distinguish a fake email from a real one.

To combat spoofing, several mail authentication methods have been created that enhance and complement each other: SPF, DKIM and DMARC. By various means, these mechanisms verify that the message was actually sent from the stated address.

  • The SPF (Sender Policy Framework) standard allows a mail domain owner to restrict the set of IP addresses that can send messages from this domain, and lets the mail server check that the sender’s IP address is authorized by the domain owner. However, SPF checks not the From header, but the sender’s domain specified in the SMTP envelope, which is used to transmit information about the email’s route between the mail client and the server and is not shown to the recipient.
  • DKIM solves the problem of sender authentication by means of a digital signature generated on the basis of a private key stored on the sender’s server. The public key for authenticating the signature is placed on the DNS server responsible for the sender’s domain. If in reality the message was sent from a different domain, the signature will be invalid. However, this technology has a weakness: an attacker can send a fake email without a DKIM signature, and the message will be impossible to authenticate.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) is used to check the domain in the From header against a DKIM/SPF-validated domain. With DMARC, a message with a spoofed legitimate domain fails authentication. However, if the policy is strict, DMARC can also block wanted emails.

Naturally, with the widespread implementation of the above-described technologies, attackers faced a tough choice: to hope that the company they are impersonating did not configure mail authentication properly (still common, sadly), or to use From-header spoofing methods that bypass authentication.

Display Name Spoofing

The display name is the name of the sender that gets shown in the From header before the email address. In the case of corporate mail, it is usually the real name of the relevant individual or department.

Example of a display name

To make the email less cluttered for the recipient, many mail clients hide the sender’s address and show only the display name. This allows cybercriminals to substitute the name, but leave their real address in the From header. And this address is often protected by a DKIM signature and SPF, so the authentication mechanisms see the message as legitimate.

Ghost Spoofing

The most common form of the above method is known as ghost spoofing. Here, the attacker specifies as the name not only the name of the person or company being spoofed, but also the address of the supposed sender, as in the example in the screenshot below.

Example of ghost spoofing

In actual fact, the message comes from a completely different address.

Real sender address in ghost spoofing, and mail authentication.

AD Spoofing

AD (Active Directory) spoofing is another form of display name spoofing, but unlike the ghost version, it does not involve specifying the spoofed address as part of the name. What’s more, the address from which the cybercriminals send messages features the name of the person being imitated.

Example of AD spoofing

This method looks more primitive than ghost spoofing, but some scammers prefer it for several reasons. First, if the recipient’s mail agent does display the contents of the From header in its entirety, the double sender address will make the user more suspicious than the address on the public domain. Second, ghost spoofing is technically easier to block with spam filters: it is enough to consign to the spam folder emails where the displayed sender name contains the email address. It is not generally feasible to block all incoming emails sent from addresses with the same names as colleagues and contractors.

Lookalike Domain Spoofing

More sophisticated attacks use specially registered domains, similar to the domain of the target organization. This requires a bit more effort, since finding and buying a specific domain, then setting up mail, DKIM/SPF signatures and DMARC authentication on it, is rather more difficult than simply modifying the From header slightly. But it also complicates the task of recognizing a fake.

Primary Lookalike

A lookalike domain is a domain name that looks similar to that of the organization being spoofed, but with a couple of alterations. For example, the email in the screenshot below came from the domain deutschepots.de, which can easily be confused with the domain of the German mail company Deutsche Post (deutschepost.de). If you follow the link in such an email and try to pay for delivery of a parcel, you will not only lose 3 euros, but also hand your card details to the fraudsters.

Example of a message from a lookalike domain

With the right level of vigilance, it is possible to spot misspelled domains. In other cases, however, simple attentiveness is no longer sufficient.
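As an added defender-side example (not code from the SecureList article), the following Python checks a From header for the three indicators described above: an email address embedded in the display name (ghost spoofing), a known colleague's name on an address outside the organization's own domains (AD spoofing), and a near-match lookalike domain. The trusted domains, known names, similarity threshold and sample headers are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed for this example: domains the organization trusts and the
# display names of known colleagues (lower-cased for comparison).
TRUSTED_DOMAINS = {"example.com", "deutschepost.de"}
KNOWN_NAMES = {"jane doe"}

# Finds an email address hiding inside a display name.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def split_from(header):
    """Split 'Display Name <addr>' into (name, addr); a bare address has no name."""
    header = header.strip()
    if header.endswith(">") and "<" in header:
        name, _, addr = header[:-1].rpartition("<")
        return name.strip().strip('"').strip(), addr.strip()
    return "", header

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def is_lookalike(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain this one imitates, or None if it is trusted/unrelated."""
    if domain in trusted:
        return None
    for candidate in sorted(trusted):
        if SequenceMatcher(None, domain, candidate).ratio() >= threshold:
            return candidate
    return None

def classify_from_header(from_header):
    """Return the list of spoofing indicators found in a From header value."""
    findings = []
    display_name, address = split_from(from_header)
    dom = domain_of(address)
    # Ghost spoofing: the display name itself carries an email address.
    if EMAIL_RE.search(display_name):
        findings.append("ghost-spoofing")
    # AD spoofing: a colleague's name on a message from outside trusted domains.
    if display_name.lower() in KNOWN_NAMES and dom not in TRUSTED_DOMAINS:
        findings.append("ad-spoofing")
    # Lookalike domain: close to, but not equal to, a trusted domain.
    target = is_lookalike(dom)
    if target:
        findings.append("lookalike-of:" + target)
    return findings
```

A mail gateway rule would run classify_from_header over each inbound From header and quarantine or tag messages that return any finding, while a legitimate header such as `Jane Doe <jane.doe@example.com>` returns an empty list.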

Conclusion

There are various ways to convince the recipient of an email that it came from a trusted sender. Some of them seem primitive, yet they enable cybercriminals to successfully bypass mail authentication. At the same time, the technique of spoofing is used to carry out various types of attacks, from standard phishing to advanced BEC. They, in turn, can be just one step in a more sophisticated targeted attack. Accordingly, the damage from spoofing, even if restricted to a single attack, can range from identity theft to business downtime, loss of reputation and multi-million dollar losses.

Courtesy: SecureList

In the aftermath of the Colonial Pipeline hack and the increasing damage done by cybercriminals, the U.S. Department of Justice is elevating investigations into ransomware attacks to the same level of priority as terrorism, according to a senior department official, as Reuters notes.

Internal instructions provided to U.S. prosecutors across the country on Thursday said that information about ransomware investigations in the field will be coordinated centrally with a newly formed task force in Washington.

John Carlin, principal associate deputy attorney general at the Justice Department, stated, “It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain”.

Last month, a cybercriminal organization operating from Russia penetrated the systems of the East Coast pipeline operator, locked its systems, and demanded a ransom, according to U.S. authorities. The intrusion led to an outage lasting several days, a jump in gasoline prices, panic buying, and localized fuel shortages in the Southeast.

The scenario changed following the attack on the Colonial Pipeline

Colonial Pipeline opted to pay the hackers who broke into its computers about $5 million to restore access, the company said. Colonial is expressly mentioned in the DOJ advisory as an example of the increasing threat that ransomware and digital extortion pose to the nation.

According to U.S. authorities, the decision by the Justice Department to include ransomware in this unique process shows how the issue is prioritized. In effect, this means that investigators in U.S. Attorney’s Offices dealing with ransomware attacks are required to share both current case files and active technical information with officials in Washington. The directive also suggests offices consider and include other investigations that focus on the larger cybercrime ecosystem.

A survey revealed that 48% of organizations don’t have a user verification policy for password resets, which could pave the way for social engineering vulnerabilities among IT help desks.

Despite the rise in identity theft across various sectors globally, some organizations are still not maintaining a robust verification process to secure their employee data. According to a survey from Specops Software, nearly 48% of organizations don’t have a user verification policy in place for incoming calls to IT service desks. The survey, based on the responses of more than 200 security leaders from the private and public sectors in North America and Europe, found that 28% of the companies that do have user verification policies are not satisfied with their current policy due to security and usability issues.

It was also found that most organizations rely on knowledge-based questions, such as an employee ID or manager’s name, or HR-based information such as an employee’s date of birth or address. This data can be easily obtained by cybercriminals.

Despite the availability of several self-service password-reset options, most organizations still go to the IT help/service desk for resetting passwords. Threat actors often target an unwitting remote workforce with various social engineering attacks by impersonating an IT service desk. In addition, the National Institute of Standards and Technology (NIST) urged organizations to avoid using knowledge-based questions, for which the answers are based on static information pulled from Active Directory or HR systems.

What is a user verification policy?

A user verification or authentication policy is a process to verify a user who is attempting to access services and applications. The verification can be performed via a variety of authentication methods like entering a password, using two-factor authentication (2FA), or multi-factor authentication (MFA) methods. Verifying users helps determine the appropriate access privileges to the users and also minimizes the risk from hacker intrusions. With the spike in digitalization, organizations must ensure that the right users are given access to the critical digital infrastructure.

“Based on our recent findings, password resets at the service desk are a serious vulnerability for organizations of all sizes. In the absence of a self-service password reset solution, it is up to the service desk agent to verify that the caller is the legitimate owner of the account before issuing a new password. Unfortunately, without a secure verification policy in place, service desk agents can provide account access to unauthorized users without even knowing it – exposing businesses to an increased risk of costly cybersecurity breaches,” said Marcus Kaber, CEO of Specops Software.

Courtesy: cisomag.eccouncil.org