201905 SERC Transmission

Assistance

Assistance Program Overview / 2019 Assistance Catalog: Two new eLearning modules have been added to the Assistance Catalog.

GreyEnergy

GreyEnergy is thought to be the successor to BlackEnergy, the strain of malware responsible for the 2015 attack that took down a portion of Ukraine's power grid. These strains are directed at the energy sector and other high-value industrial targets. GreyEnergy attacks ICS workstations and servers running Supervisory Control and Data Acquisition (SCADA) software. The group responsible is also related to Telebots, the Advanced Persistent Threat (APT) group behind NotPetya, and to CrashOverride, the strain of malware associated with the second attack on Ukraine in 2016.

The main focus of the group is reconnaissance and cyber espionage. The group is also highly dedicated to stealth, employing anti-forensic techniques and leaving a minimal footprint within a system. One way the malware obfuscates itself is by including a large amount of "junk" code intended to throw off analysts.

Considering how initial infection occurs, the most effective preventive measure is cybersecurity awareness and training for employees. Training employees on current cyber threats and the techniques used by nefarious agents is key. It is also critical that technical staff keep systems up to date with current security and software patches.

The security organization F-Secure has outlined the following GreyEnergy attack stages:

• Initial Access: GreyEnergy gains initial access using spear phishing and infected documents.
• Execution: Malware execution with scripting, service execution, user execution, and PowerShell.
• Persistence: Altering registry keys and the start-up folder, modifying existing services, and WebShell.
• Privilege Escalation: Exploitation of existing accounts, credential dumping, input capture, and credentials in files/registry. Moves laterally using Windows admin shares.
• Obfuscation: Code signing, file deletion, removal of indicators from hosts, process injection, and timestomping.
• Collection & Exfiltration: Collects screen and input captures. Exfiltrates over command-and-control channels using Tor relay servers.
• Command & Control: Uses connection proxies, multi-hop proxies, and standard application protocols and ports.
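The anti-forensic techniques listed under Obfuscation include timestomping, and that one leaves a detectable trace on NTFS. The script below is an added example written for this newsletter page, not code from F-Secure or from any GreyEnergy analysis: it applies two standard forensic checks to the timestamps an analyst would pull from the Master File Table. The file paths, timestamps and the `MftEntry` record layout are constructed sample data.

```python
"""Added example: flag NTFS files whose $STANDARD_INFORMATION timestamps look
timestomped. All file paths and timestamps below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class MftEntry:
    """Subset of an MFT record: the creation/modification times from the
    $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) attributes."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(entry: MftEntry) -> list[str]:
    """Return the heuristics that fire for one entry (empty list means clean)."""
    reasons: list[str] = []
    # User-mode timestamp changes (e.g. SetFileTime) only rewrite $SI; the kernel
    # writes $FN when the file is created, so $SI predating $FN is contradictory.
    if entry.si_created < entry.fn_created:
        reasons.append("$SI creation predates $FN creation")
    # NTFS stores 100 ns precision, so a genuine timestamp almost never has an
    # all-zero fraction, while tools that back-date files usually write whole
    # seconds. Files restored from FAT media or some archives also have zero
    # fractions, so treat this as corroborating evidence, not proof.
    if entry.si_created.microsecond == 0 and entry.si_modified.microsecond == 0:
        reasons.append("$SI times have zero sub-second precision")
    return reasons


def scan(entries: list[MftEntry]) -> dict[str, list[str]]:
    """Map each suspicious path to the indicators that fired for it."""
    return {e.path: hits for e in entries if (hits := timestomp_indicators(e))}


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed records: a normally created file and one whose $SI times were
# rewritten to 2010 while the kernel-written $FN times still say April 2019.
NORMAL = MftEntry(
    path=r"C:\Program Files\Acme\acme.exe",
    si_created=_utc("2019-03-04T10:15:22.346187"),
    si_modified=_utc("2019-03-20T17:02:41.901244"),
    fn_created=_utc("2019-03-04T10:15:22.346187"),
    fn_modified=_utc("2019-03-04T10:15:22.346187"),
)
SUSPECT = MftEntry(
    path=r"C:\Users\Public\update.dll",
    si_created=_utc("2010-01-01T00:00:00"),
    si_modified=_utc("2010-01-01T00:00:00"),
    fn_created=_utc("2019-04-12T08:02:13.552019"),
    fn_modified=_utc("2019-04-12T08:02:13.552019"),
)
SAMPLE_ENTRIES = [NORMAL, SUSPECT]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_ENTRIES).items():
        print(path, "->", "; ".join(hits))
```

In practice the entries come from a parsed $MFT (for example the output of an MFT parser exported to CSV); the two checks are deliberately conservative, since a single zero-fraction timestamp is common on files copied from FAT volumes, whereas $SI predating $FN has very few benign explanations.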

Twelve Most Common Phishing Email Subject Lines

According to Barracuda's March 2019 Phishing Report, for the 360,000 emails evaluated, the following are the top 12 subject lines used in phishing attacks:

• Request
• Follow up
• Urgent / Important
• Are you available? / Are you at your desk?
• Payment Status
• Hello
• Purchase
• Invoice Due
• Re:
• Direct Deposit
• Expenses
• Payroll

To avoid falling victim to phishing attacks, utilizing DMARC authentication to prevent spoofing, deploying multifactor authentication, and training users would provide an extra layer of security and awareness.

FOR YOUR CALENDAR

May 2019
