A Review of the Best News of the Week on Cyber Threats & Defense

IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts (Krebs on Security, Feb 19 2018)
Identity thieves who specialize in tax refund fraud have been busy of late hacking online accounts at multiple tax preparation firms, using them to file phony refund requests. Once the Internal Revenue Service processes the return and deposits money into bank accounts of the hacked firms’ clients, the crooks contact those clients posing as a collection agency and demand that the money be “returned.”

2018 Worldwide Threats Briefing: 5 Takeaways, From Russia to China (Wired, Feb 13 2018)
In a Senate hearing Tuesday, the heads of the three-letter intelligence agencies detailed their greatest concerns.

Evolving to Security Decision Support: Data to Intelligence (Securosis Blog, Feb 19 2018)
“Though enterprise visibility is necessary, but not sufficient. You still have to figure out if/how you are being attacked and if/how data and/or apps are being misused. Ultimately no one gets any credit for knowing where you can be attacked. You get credit for stopping attacks and protecting critical data. Ultimately that’s all that matters.”

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

Better Security Analytics? Clean Up the Data First! (Dark Reading, Feb 12 2018)
Better data tiers exist, but they aren’t bolt-ons to existing silos; they are replacements for them. While that may be hard to swallow, we need to adapt to the new reality, and a bolt-on approach won’t get us there.

Making Light of the “Dark Web” (and Debunking the FUD) (Troy Hunt’s Blog, Feb 14 2018)
what does a hacker look like? Or perhaps more specifically, what do people think a hacker looks like? It’s probably a scary image, one that’s a bit mysterious, a shady character lurking in the hidden depths of the internet. People have this image in their mind because that’s what they’ve been conditioned to believe

Fileless Malware: Not Just a Threat, but a Super-Threat (Dark Reading, Feb 14 2018)
Exploits are getting more sophisticated by the day, and cybersecurity technology just isn’t keeping up.

Coinherder Campaign Nets $50 Million from Bitcoin Phishing (Infosecurity Magazine, Feb 14 2018)
The campaign was unique because adversaries leveraged Google AdWords to poison user search results in order to steal users’ wallets.

Hackers sentenced for SQL injections that cost $300 million (Naked Security – Sophos, Feb 19 2018)
On Wednesday, the US Attorney’s office of New Jersey announced that two Russians belonging to the hacking ring that gutted Heartland, other credit card processors, banks, retailers, and other corporate victims around the world have been sent to federal prison.

Attackers Use Infected Plug-In to Install Cryptomining Tool on Over 4200 Websites (Dark Reading, Feb 12 2018)
Over 4,200 websites were infected last weekend with a tool that quietly used the computers of people visiting the sites to mine for the Monero cryptocurrency.

Top Malware in 2018: What to watch for (Skybox Security Blog, Feb 14 2018)
The new Vulnerability and Threat Trends Report released by Skybox includes security analyst research of the vulnerabilities, exploits and threats that in play today. The report includes the a list of the top malware in 2018 that businesses and critical infrastructure organizations should watch out for, including ransomware, OT malware and banking Trojans.

Fake News: Could the Next Major Cyberattack Cause a Cyberwar? (Dark Reading, Feb 13 2018)
In the way it undercuts trust, fake news is a form of cyberattack. Governments must work to stop it.

Back to Basics: Indispensable Security Processes for Detection and Response (Gartner Blog Networ, Feb 08 2018)
For our new research project focused on starting your detection and response effort, we are thinking about an essential bundle of security operations processes needed for such effort. Sort of “security operations processes you must get right in the beginning”…

Dynamic Data Exchange (DDE): Detection and Response, Part 1 (LogRhythm, Feb 13 2018)
Malicious actors have begun using Microsoft’s Dynamic Data Exchange (DDE) mechanism to deliver payloads via Microsoft Office documents instead of the traditional embedded macros or VBA code. Specially crafted Microsoft Office documents sent via email can be used to carry out an attack, exploiting end users.

Dispel Launches Election Security Platform (SecurityWeek, Feb 15 2018)
Dispel, a U.S.-based company that specializes in secure communication and collaboration systems, on Thursday announced the launch of a new product designed to help protect elections against malicious cyber actors.

Two Billion Files Leaked in US Data Breaches in 2017 (Infosecurity Magazine, Feb 16 2018)
The most targeted and vulnerable industry was healthcare, which recorded 328 leaks (nearly 60% of all leaks in 2017).

Hackers pilfered $6M from Russian central bank via SWIFT system (SC Magazine, Feb 19 2018)
Hackers nicked $6 million from the Russian central bank last year via the SWIFT messaging system, according to report from the bank.

Cybersecurity Plagued by Insufficient Data: White House (SecurityWeek, Feb 18 2018)
Cyberattacks cost the United States between $57 billion and $109 billion in 2016, a White House report said Friday, warning of a “spillover” effect for the broader economy if the situation worsens.

Pair of WordPress plug-ins inject malicious scripts to deliver unwanted ads (SC Magazine, Feb 13 2018)
Two malicious plug-ins were recently discovered injecting obfuscated JavaScript into WordPress websites, in order to generate advertisements that appear if a visitor clicks anywhere on the page.

Encrypted Attacks Continue to Dog Perimeter Defenses (Dark Reading, Feb 14 2018)
Attacks using SSL to obfuscate malicious traffic finding fertile ground for growth.

Cryptominer campaign leveraging Oracle bug spreads worldwide via multiple infection tactics (SC Magazine, Feb 16 2018)
A malicious campaign that’s been exploiting a vulnerability in Oracle’s WebLogic application servers in order to install a Monero cryptominer on victims’ machines has reportedly used at least four different infection chain tactics to spread the threat worldwide, across virtually all industry sectors.