NCCIC / US-CERT

National Cyber Awareness System:

TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response
Recommendations
08/01/2015 06:01 PM EDT


Original release date: August 01, 2015

Systems Affected
Microsoft Windows Systems, Adobe Flash Player, and Linux

Overview
Between June and July 2015, the United States Computer Emergency Readiness
Team (US-CERT) received reports of multiple, ongoing and likely evolving,
email-based phishing campaigns targeting U.S. Government agencies and private
sector organizations. This alert provides general and phishing-specific
mitigation strategies and countermeasures.

Description
US-CERT is aware of three phishing campaigns targeting U.S. Government
agencies and private organizations across multiple sectors. All three
campaigns leveraged website links contained in emails; two sites exploited a
recent Adobe Flash vulnerability (CVE-2015-5119) while the third involved the
download of a compressed (i.e., ZIP) file containing a malicious executable
file. Most of the websites involved are legitimate corporate or organizational
sites that were compromised and are hosting malicious content.

Impact
Systems infected through targeted phishing campaigns act as an entry point for
attackers to spread throughout an organization’s entire enterprise, steal
sensitive business or personal information, or disrupt business operations.

Solution
Phishing Mitigation and Response Recommendations

Implement perimeter blocks for known threat indicators:
Email server or email security gateway filters for email indicators
Web proxy and firewall filters for websites or Internet Protocol (IP)
addresses linked in the emails or used by related malware
DNS server blocks (blackhole) or redirects (sinkhole) for known related
domains and hostnames
Remove malicious emails from targeted user mailboxes based on email indicators
(e.g., using Microsoft ExMerge).
Identify recipients and possible infected systems:
Search email server logs for applicable sender, subject, attachments, etc. (to
identify users that may have deleted the email and were not identified in
purge of mailboxes)
Search applicable web proxy, DNS, firewall or IDS logs for activity the
malicious link clicked.
Search applicable web proxy, DNS, firewall or IDS logs for activity to any
associated command and control (C2) domains or IP addresses associated with
the malware.
Review anti-virus (AV) logs for alerts associated with the malware.  AV
products should be configured to be in quarantine mode. It is important to
note that the absence of AV alerts or a clean AV scan should not be taken as
conclusive evidence a system is not infected.
Scan systems for host-level indicators of the related malware (e.g., YARA
signatures)
For systems that may be infected:
Capture live memory of potentially infected systems for analysis
Take forensic images of potentially infected systems for analysis
Isolate systems to a virtual local area network (VLAN) segmented form the
production agency network (e.g., an Internet-only segment)
Report incidents, with as much detail as possible, to the NCCIC.
Educate Your Users

Organizations should remind users that they play a critical role in protecting
their organizations form cyber threats. Users should:

Exercise caution when opening email attachments, even if the attachment is
expected and the sender appears to be known.  Be particularly wary of
compressed or ZIP file attachments.
Avoid clicking directly on website links in emails; attempts to verify web
addresses independently (e.g., contact your organization’s helpdesk or sear
the Internet for the main website of the organization or topic mentioned in
the email).
Report any suspicious emails to the information technology (IT) helpdesk or
security office immediately.
Basic Cyber Hygiene

Practicing basic cyber hygiene would address or mitigate the vast majority of
security breaches handled by today’s security practitioners:

Privilege control (i.e., minimize administrative or superuser privileges)
Application whitelisting / software execution control (by file or location)
System application patching (e.g., operating system vulnerabilities,
third-party vendor applications)
Security software updating (e.g., AV definitions, IDS/IPS signatures and
filters)
Network segmentation (e.g., separate administrative networks from
business-critical networks with physical controls and virtual local area
networks)
Multi-factor authentication (e.g., one-time password tokens, personal identity
verification (PIV cards)
Further Information

For more information on cybersecurity best practices, users and administrators
are encouraged to review US-CERT Security Tip: Handling Destructive Malware to
evaluate their capabilities encompassing planning, preparation, detection, and
response. Another resource is ICS-CERT Recommended Practice: Improving
Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.

References
Executive Order 13636: Cybersecurity Framework
US-CERT Security Tip: Handling Destructive Malware
ICS-CERT Recommended Practice: Improving Industrial Control Systems
Cybersecurity with Defense-In-Depth Strategies
Revision History
August 1, 2015: Initial Release

----------------------------------------------------------------
-------------- -

This product is provided subject to this Notification and this Privacy & Use
policy.


----------------------------------------------------------------
-------------- -
A copy of this publication is available at www.us-cert.gov. If you need help
or have questions, please send an email to info@us-cert.gov. Do not reply to
this message since this email was sent from a notification-only address that
is not monitored. To ensure you receive future US-CERT products, please add
US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences  |  Unsubscribe  |  Help


----------------------------------------------------------------
-------------- -
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf
of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray
Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870 Powered by GovDelivery

=== Cut ===

--
Guardien Fide   :^)

   Ben  aka cMech  Web: http://cmech.dynip.com
                 Email: fido4cmech(at)lusfiber.net
              Home page: http://cmech.dynip.com/homepage/
           WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1

--- GoldED+/W32-MSVC
 * Origin: FIDONet - The Positronium Repository (1:393/68)