CERT mailing list archives

TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Sat, 01 Aug 2015 21:33:22 -0500

NCCIC / US-CERT

National Cyber Awareness System:

TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations [ 
https://www.us-cert.gov/ncas/alerts/TA15-213A ] 08/01/2015 06:01 PM EDT 
Original release date: August 01, 2015

Systems Affected

Microsoft Windows Systems, Adobe Flash Player, and Linux

Overview

Between June and July 2015, the United States Computer Emergency Readiness Team (US-CERT) received reports of multiple, 
ongoing and likely evolving, email-based phishing campaigns targeting U.S. Government agencies and private sector 
organizations. This alert provides general and phishing-specific mitigation strategies and countermeasures.

Description

US-CERT is aware of three phishing campaigns targeting U.S. Government agencies and private organizations across 
multiple sectors. All three campaigns leveraged website links contained in emails; two sites exploited a recent Adobe 
Flash vulnerability (CVE-2015-5119 [ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119 ]) while the third 
involved the download of a compressed (i.e., ZIP) file containing a malicious executable file. Most of the websites 
involved are legitimate corporate or organizational sites that were compromised and are hosting malicious content.

Impact

Systems infected through targeted phishing campaigns act as an entry point for attackers to spread throughout an 
organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.

Solution

*Phishing Mitigation and Response Recommendations*


  * Implement perimeter blocks for known threat indicators: 
      * Email server or email security gateway filters for email indicators 
      * Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by 
        related malware 
      * DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames 

  * Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge). 
  * Identify recipients and possibly infected systems: 
      * Search email server logs for the applicable sender, subject, attachments, etc. (to identify users who may have 
        deleted the email and were therefore not identified in the purge of mailboxes) 
      * Search applicable web proxy, DNS, firewall or IDS logs for activity to the malicious link that was clicked. 
      * Search applicable web proxy, DNS, firewall or IDS logs for activity to any command and control (C2) domains or 
        IP addresses associated with the malware. 
      * Review anti-virus (AV) logs for alerts associated with the malware. AV products should be configured to be in 
        quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as 
        conclusive evidence that a system is not infected. 
      * Scan systems for host-level indicators of the related malware (e.g., YARA signatures) 

  * For systems that may be infected: 
      * Capture live memory of potentially infected systems for analysis 
      * Take forensic images of potentially infected systems for analysis 
      * Isolate systems to a virtual local area network (VLAN) segmented from the production agency network (e.g., an 
        Internet-only segment) 

  * Report incidents, with as much detail as possible, to the NCCIC. 
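The "identify recipients and possibly infected systems" steps above amount to correlating three log sources against one indicator set. The following script is an added example, not part of the US-CERT alert and not a tool the advisory references: it assumes a simplified key=value log format for the mail gateway, web proxy and DNS resolver, and every indicator and log line in it is constructed for illustration. It reports who received the phishing email (including users who may have deleted it), which users fetched the linked site, and which systems resolved or contacted the C2 hostname, i.e., the set of hosts that the later memory-capture, imaging and isolation steps apply to.

```python
"""Phishing-campaign triage: correlate mail-gateway, web-proxy and DNS-resolver
logs against campaign indicators. Added example; all indicators and log lines
are constructed, and the key=value log format is an assumption."""

import re
from dataclasses import dataclass


@dataclass
class Indicators:
    senders: set       # sender addresses seen in the campaign
    subjects: set      # subject lines seen in the campaign
    attachments: set   # attachment file names (e.g., the ZIP)
    link_hosts: set    # hostnames of the linked (compromised) websites
    c2_hosts: set      # command-and-control hostnames used by the malware


# Hypothetical campaign indicators (constructed, not from the advisory)
IOC = Indicators(
    senders={"invoice@mail.example-supplier.test"},
    subjects={"Outstanding Invoice 4471"},
    attachments={"invoice_4471.zip"},
    link_hosts={"compromised-site.example"},
    c2_hosts={"update.c2-example.test"},
)

# Constructed sample logs (one record per line, key=value fields)
MAIL_LOG = """\
2015-07-20T09:14:02Z from=invoice@mail.example-supplier.test to=alice@agency.example subject="Outstanding Invoice 4471" attachment=invoice_4471.zip
2015-07-20T09:14:05Z from=invoice@mail.example-supplier.test to=bob@agency.example subject="Outstanding Invoice 4471" attachment=-
2015-07-20T09:20:11Z from=hr@agency.example to=carol@agency.example subject="Lunch menu" attachment=-
"""
PROXY_LOG = """\
2015-07-20T09:16:40Z user=bob src=10.1.2.20 host=compromised-site.example url=/docs/invoice.html status=200
2015-07-20T09:17:02Z user=bob src=10.1.2.20 host=update.c2-example.test url=/gate.php status=200
2015-07-20T09:30:00Z user=carol src=10.1.2.30 host=www.example.org url=/ status=200
"""
DNS_LOG = """\
2015-07-20T09:17:01Z client=10.1.2.20 query=update.c2-example.test type=A
2015-07-20T11:02:15Z client=10.1.2.45 query=update.c2-example.test type=A
2015-07-20T11:05:00Z client=10.1.2.30 query=www.example.org type=A
"""

# key=value, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_recipients(mail_log, ioc):
    """Recipients of any message matching a sender, subject OR attachment
    indicator. Matching on any single field is deliberate: it catches users
    who already deleted the mail and were missed by a mailbox purge."""
    hits = set()
    for rec in map(parse_kv, mail_log.splitlines()):
        if (rec.get("from") in ioc.senders
                or rec.get("subject") in ioc.subjects
                or rec.get("attachment") in ioc.attachments):
            hits.add(rec["to"])
    return hits


def find_link_clicks(proxy_log, ioc):
    """(user, source IP) pairs that fetched the phishing link's hostname."""
    return {(r["user"], r["src"]) for r in map(parse_kv, proxy_log.splitlines())
            if r.get("host") in ioc.link_hosts}


def find_c2_contacts(proxy_log, dns_log, ioc):
    """Source IPs that fetched from, or merely resolved, a C2 hostname.
    Resolver logs are included because a host whose malware bypasses the
    proxy still leaves a DNS trace."""
    hosts = {r["src"] for r in map(parse_kv, proxy_log.splitlines())
             if r.get("host") in ioc.c2_hosts}
    hosts |= {r["client"] for r in map(parse_kv, dns_log.splitlines())
              if r.get("query") in ioc.c2_hosts}
    return hosts


def triage(mail_log=MAIL_LOG, proxy_log=PROXY_LOG, dns_log=DNS_LOG, ioc=IOC):
    """One report: whom to notify, who clicked, and which systems to capture
    memory from, image and isolate."""
    return {
        "recipients": sorted(find_recipients(mail_log, ioc)),
        "clicked": sorted(find_link_clicks(proxy_log, ioc)),
        "c2_contact": sorted(find_c2_contacts(proxy_log, dns_log, ioc)),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

In the constructed data, 10.1.2.45 never appears in the proxy log and only shows up as a resolver client, which is why the C2 search unions DNS and proxy evidence rather than relying on either alone; in practice the same report would be fed to the memory-capture and isolation steps before any AV result is consulted.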

*Educate Your Users*

Organizations should remind users that they play a critical role in protecting their organizations from cyber threats. 
Users should:


  * Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be 
known. Be particularly wary of compressed or ZIP file attachments. 
  * Avoid clicking directly on website links in emails; attempt to verify web addresses independently (e.g., contact 
your organization’s helpdesk or search the Internet for the main website of the organization or topic mentioned in the 
email). 
  * Report any suspicious emails to the information technology (IT) helpdesk or security office immediately. 

*Basic Cyber Hygiene*

Practicing basic cyber hygiene would address or mitigate the vast majority of security breaches handled by today’s 
security practitioners:


  * Privilege control (i.e., minimize administrative or superuser privileges) 
  * Application whitelisting / software execution control (by file or location) 
  * System application patching (e.g., operating system vulnerabilities, third-party vendor applications) 
  * Security software updating (e.g., AV definitions, IDS/IPS signatures and filters) 
  * Network segmentation (e.g., separate administrative networks from business-critical networks with physical controls 
and virtual local area networks) 
  * Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV) cards) 

*Further Information*

For more information on cybersecurity best practices, users and administrators are encouraged to review US-CERT 
Security Tip: Handling Destructive Malware to evaluate their capabilities encompassing planning, preparation, 
detection, and response. Another resource is ICS-CERT Recommended Practice: Improving Industrial Control Systems 
Cybersecurity with Defense-In-Depth Strategies.

References

  * Executive Order 13636: Cybersecurity Framework  [ http://www.nist.gov/cyberframework ] 
  * US-CERT Security Tip: Handling Destructive Malware [ https://www.us-cert.gov/ncas/tips/ST13-003 ] 
  * ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies 
[ http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf ] 

Revision History

  * August 1, 2015: Initial Release 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.
