
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   ANTI_VIRUS      Anti-Virus Discussion & News      523 messages   


   Message 272 of 523   
   Ben Ritchey to All   
   US-CERT alert   
   01 Aug 15 22:24:34   
   
   NCCIC / US-CERT   
      
   National Cyber Awareness System:   
      
   TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response   
   Recommendations   
   08/01/2015 06:01 PM EDT   
      
      
   Original release date: August 01, 2015   
      
   Systems Affected   
   Microsoft Windows Systems, Adobe Flash Player, and Linux   
      
   Overview   
   Between June and July 2015, the United States Computer Emergency Readiness   
   Team (US-CERT) received reports of multiple, ongoing and likely evolving,   
   email-based phishing campaigns targeting U.S. Government agencies and private   
   sector organizations. This alert provides general and phishing-specific   
   mitigation strategies and countermeasures.   
      
   Description   
   US-CERT is aware of three phishing campaigns targeting U.S. Government   
   agencies and private organizations across multiple sectors. All three   
   campaigns leveraged website links contained in emails; two sites exploited a   
   recent Adobe Flash vulnerability (CVE-2015-5119) while the third involved the   
   download of a compressed (i.e., ZIP) file containing a malicious executable   
   file. Most of the websites involved are legitimate corporate or organizational   
   sites that were compromised and are hosting malicious content.   
      
   Impact   
   Systems infected through targeted phishing campaigns act as an entry point for   
   attackers to spread throughout an organization’s entire enterprise, steal   
   sensitive business or personal information, or disrupt business operations.   
      
   Solution   
   Phishing Mitigation and Response Recommendations   
      
   Implement perimeter blocks for known threat indicators:   
     - Email server or email security gateway filters for email indicators   
     - Web proxy and firewall filters for websites or Internet Protocol (IP)   
       addresses linked in the emails or used by related malware   
     - DNS server blocks (blackhole) or redirects (sinkhole) for known related   
       domains and hostnames   
   Remove malicious emails from targeted user mailboxes based on email   
   indicators (e.g., using Microsoft ExMerge).   
   Identify recipients and possible infected systems:   
     - Search email server logs for applicable sender, subject, attachments,   
       etc. (to identify users that may have deleted the email and were not   
       identified in the purge of mailboxes)   
     - Search applicable web proxy, DNS, firewall or IDS logs for activity to   
       the malicious link clicked.   
     - Search applicable web proxy, DNS, firewall or IDS logs for activity to   
       any command and control (C2) domains or IP addresses associated with   
       the malware.   
     - Review anti-virus (AV) logs for alerts associated with the malware. AV   
       products should be configured to be in quarantine mode. It is important   
       to note that the absence of AV alerts or a clean AV scan should not be   
       taken as conclusive evidence that a system is not infected.   
     - Scan systems for host-level indicators of the related malware (e.g.,   
       YARA signatures)   
   For systems that may be infected:   
     - Capture live memory of potentially infected systems for analysis   
     - Take forensic images of potentially infected systems for analysis   
     - Isolate systems to a virtual local area network (VLAN) segmented from   
       the production agency network (e.g., an Internet-only segment)   
   Report incidents, with as much detail as possible, to the NCCIC.   
   Educate Your Users   
      
   Organizations should remind users that they play a critical role in   
   protecting their organizations from cyber threats. Users should:   
      
     - Exercise caution when opening email attachments, even if the attachment   
       is expected and the sender appears to be known. Be particularly wary of   
       compressed or ZIP file attachments.   
     - Avoid clicking directly on website links in emails; attempt to verify   
       web addresses independently (e.g., contact your organization’s helpdesk   
       or search the Internet for the main website of the organization or   
       topic mentioned in the email).   
     - Report any suspicious emails to the information technology (IT) helpdesk   
       or security office immediately.   
   Basic Cyber Hygiene   
      
   Practicing basic cyber hygiene would address or mitigate the vast majority   
   of security breaches handled by today’s security practitioners:   
      
     - Privilege control (i.e., minimize administrative or superuser privileges)   
     - Application whitelisting / software execution control (by file or   
       location)   
     - System application patching (e.g., operating system vulnerabilities,   
       third-party vendor applications)   
     - Security software updating (e.g., AV definitions, IDS/IPS signatures and   
       filters)   
     - Network segmentation (e.g., separate administrative networks from   
       business-critical networks with physical controls and virtual local   
       area networks)   
     - Multi-factor authentication (e.g., one-time password tokens, personal   
       identity verification (PIV) cards)   
   Further Information   
      
   For more information on cybersecurity best practices, users and administrators   
   are encouraged to review US-CERT Security Tip: Handling Destructive Malware to   
   evaluate their capabilities encompassing planning, preparation, detection, and   
   response. Another resource is ICS-CERT Recommended Practice: Improving   
   Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.   
      
   References   
   Executive Order 13636: Cybersecurity Framework   
   US-CERT Security Tip: Handling Destructive Malware   
   ICS-CERT Recommended Practice: Improving Industrial Control Systems   
   Cybersecurity with Defense-In-Depth Strategies   
   Revision History   
   August 1, 2015: Initial Release   
      
   -------------------------------------------------------------------------------   
      
   This product is provided subject to this Notification and this Privacy & Use   
   policy.   
      
      
   -------------------------------------------------------------------------------   
   A copy of this publication is available at www.us-cert.gov. If you need help   
   or have questions, please send an email to info@us-cert.gov. Do not reply to   
   this message since this email was sent from a notification-only address that   
   is not monitored. To ensure you receive future US-CERT products, please add   
   US-CERT@ncas.us-cert.gov to your address book.   
      
      
      
   === Cut ===   
      
   --   
   Guardien Fide   :^)   
      
      Ben  aka cMech  Web: http://cmech.dynip.com   
                    Email: fido4cmech(at)lusfiber.net   
                 Home page: http://cmech.dynip.com/homepage/   
              WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1   
      
   --- GoldED+/W32-MSVC   
    * Origin: FIDONet - The Positronium Repository (1:393/68)   
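The "identify recipients and possible infected systems" steps in the alert above, worked through as an added example that is not part of the US-CERT alert or of this post: it correlates constructed mail, web proxy and DNS log lines against placeholder indicators (the sender, subject, URL and C2 domain are invented for the example; none come from the alert). The log formats are simplified assumptions.

```python
import re
from collections import defaultdict
# Constructed placeholder indicators; none are real IoCs from the alert.
EMAIL_INDICATORS = {"sender": "invoice@example-bad.test", "subject": "Overdue invoice"}
MALICIOUS_URLS = {"http://compromised-site.test/update/flash.php"}
C2_DOMAINS = {"c2.example-bad.test"}
# Constructed sample log lines in simplified mail, web proxy and DNS formats.
MAIL_LOG = """\
2015-07-28T09:14:02 from=invoice@example-bad.test to=alice@agency.test subject="Overdue invoice"
2015-07-28T09:14:05 from=invoice@example-bad.test to=bob@agency.test subject="Overdue invoice"
2015-07-28T10:02:11 from=hr@agency.test to=alice@agency.test subject="Payroll"
"""
PROXY_LOG = """\
2015-07-28T09:20:44 10.1.2.15 GET http://compromised-site.test/update/flash.php 200
2015-07-28T09:21:03 10.1.2.40 GET http://intranet.agency.test/ 200
"""
DNS_LOG = """\
2015-07-28T09:21:10 client 10.1.2.15 query c2.example-bad.test A
2015-07-28T09:25:00 client 10.1.2.40 query www.agency.test A
"""

def find_recipients(mail_log):
    """Recipients matching the sender/subject indicators (covers users who deleted it)."""
    pat = re.compile(r'from=(\S+) to=(\S+) subject="([^"]*)"')
    hits = set()
    for line in mail_log.splitlines():
        m = pat.search(line)
        if (m and m.group(1) == EMAIL_INDICATORS["sender"]
                and m.group(3) == EMAIL_INDICATORS["subject"]):
            hits.add(m.group(2))
    return hits

def find_suspect_hosts(proxy_log, dns_log):
    """Map client IP -> evidence: fetched a malicious link or resolved a C2 name."""
    evidence = defaultdict(set)
    for line in proxy_log.splitlines():
        parts = line.split()  # timestamp, client IP, method, URL, status
        if len(parts) >= 4 and parts[3] in MALICIOUS_URLS:
            evidence[parts[1]].add("clicked:" + parts[3])
    for line in dns_log.splitlines():
        m = re.search(r"client (\S+) query (\S+)", line)
        if m and m.group(2) in C2_DOMAINS:
            evidence[m.group(1)].add("c2-dns:" + m.group(2))
    return dict(evidence)  # these hosts are candidates for memory capture and isolation

if __name__ == "__main__":
    print("recipients:", sorted(find_recipients(MAIL_LOG)))
    for host, why in sorted(find_suspect_hosts(PROXY_LOG, DNS_LOG).items()):
        print(host, sorted(why))
```

A host with no proxy or DNS hit but a matching recipient still warrants the AV and YARA checks the alert lists, since a clean AV scan alone is not conclusive.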
