Don't Let Spear Phishers Harpoon Your Data!

The purpose of spear phishing is to trick people into handing over sensitive information through a spoofed email that appears to be from an individual or business in their contact list.

Channel Partners

August 16, 2016

Phishing

By Robert Brown

Security researchers recently uncovered the work of “Rocket Kitty” (sounds like a gang from a cheesy sci-fi movie). This Iranian hacker group gained access to dozens of accounts on a secure messaging platform called Telegram. Known for its high-end encryption, Telegram is used by many journalists and activists.

The fear of sensitive communications becoming compromised is warranted. Collin Anderson, who helped in the discovery of this security breach, said, “We have more than a dozen cases in which Telegram accounts have been compromised, through ways that sound like basic coordination with the cellphone company.”

Rumor has it that telecoms companies, working closely with governments, are intercepting messages and passing them on to hackers. Once an account is set up on a second device, the hackers infiltrate other users’ accounts using an attack vector called “spear phishing.” A Telegram spokesman said, “This is hardly a new threat. We have been increasingly warning our users in certain countries about it.”

What Is Spear Phishing?

The purpose of spear phishing is to trick people into handing over sensitive information through a spoofed email that appears to be from an individual or business in their contact list. Spear phishing is a more targeted attack vector than phishing, which involves bulk emailers in blanket attacks against thousands of random users.

Ordinary phishing is the more haphazard approach to hacking. However, it’s important to note that research revealed that 23 percent of the recipients studied opened phishing mail. Spear phishing potentially increases a hacker’s success rate to more than 50 percent! The danger it poses to IT security is significant.

These attacks highlight the importance of locking down devices by using every viable means available. Had two-step authentication, which was launched last summer, been implemented, none of this would have happened!

A word from the wise: Verismic Service Manager James Rowney says, “I always lock down my devices using the highest possible encryption and strongly advise anyone reading this to do the same. Another recommendation, which I feel is as if not more important, is keeping applications and operating systems up to date. There is no better-protected system than a fully patched system.”

This month, Microsoft released nine bulletins. Five are rated Critical, and four are rated Important. Microsoft also released 26 KB updates covering Office version 2007 (another junk mail filter update) all the way up to 2016.

IT security officers should prioritize the following updates featured in the recent Patch Tuesday. This recommendation is based on evidence from industry experts (including our own), anticipated business impact, and most importantly, the independent CVSS score for the vulnerability.

  1. MS16-095

  2. MS16-096

  3. MS16-102

MS16-095 – If the current user is logged on with administrative user rights, an attacker could take control of an affected system. The attacker could install programs, change or delete data, or even create new accounts with full user rights.

MS16-096 – The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-102 – The vulnerability could allow remote code execution if a user views specially crafted PDF content online or opens a specially crafted PDF document. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. The attacker could then install programs, as well as view, change or delete data, or even create new accounts with full user rights.

The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 are Medium and those in the range 0-3.9 are Low.

UPDATES

MS16-095 – Cumulative Security Update for Internet Explorer (3177356)

Impact: Remote Code Execution; Restart Requirement: Requires Restart; Severity: Critical; CVSS Score: 9.3

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs, as well as view, change or delete data, or create new accounts with full user rights.

MS16-096 – Cumulative Security Update for Microsoft Edge (3177358)

Impact: Remote Code Execution; Restart Requirement: Requires Restart; Severity: Critical; CVSS Score: 9.3

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-097 – Security Update for Microsoft Graphics Component (3177393)

Impact: Remote Code Execution; Restart Requirement: May Require Restart; Severity: Critical; CVSS Score: 9.3

This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-098 – Security Update for Windows Kernel-Mode Drivers (3178466)

Impact: Elevation of Privilege; Restart Requirement: Requires Restart; Severity: Important; CVSS Score: 7.2

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

MS16-099 – Security Update for Microsoft Office (3177451)

Impact: Remote Code Execution; Restart Requirement: May Require Restart; Severity: Critical; CVSS Score: 9.3

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-100 – Security Update for Secure Boot (3179577)

Impact: Security Feature Bypass; Restart Requirement: Does Not Require Restart; Severity: Important; CVSS Score: 1.7

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker installs a policy affected by the vulnerability onto a target device.

MS16-101 – Security Update for Windows Authentication Methods (3178465)

Impact: Elevation of Privilege; Restart Requirement: Requires Restart; Severity: Important; CVSS Score: 4.3

This security update resolves multiple vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a domain-joined system.

MS16-102 – Security Update for Microsoft Windows PDF Library (3182248)

Impact: Remote Code Execution; Restart Requirement: May Require Restart; Severity: Critical; CVSS Score: 9.3

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views specially crafted PDF content online or opens a specially crafted PDF document. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs, as well as view, change or delete data, or create new accounts with full user rights.

MS16-103 – Security Update for ActiveSync Provider (3182332)

Impact: Information Disclosure; Restart Requirement: Requires Restart; Severity: Important; CVSS Score: 5.0

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when Universal Outlook fails to establish a secure connection.
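The prioritization rule above (CVSS band first, then the bulletin's impact) can be applied mechanically to the bulletin summaries. The following script is an added example, not part of the article or of Verismic's tooling: it parses summary lines in the exact "Impact: …; Restart Requirement: …; Severity: …; CVSS Score: …" form used here, assigns the article's CVSS bands (7.0-10.0 High, 4.0-6.9 Medium, 0-3.9 Low), and orders the bulletins for patching. Five of the article's own summary lines are embedded as sample input; the tie-break that ranks Remote Code Execution ahead of other impacts at equal score is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Sample input: five bulletin summaries copied from the article above.
BULLETIN_LINES = """
MS16-095 – Cumulative Security Update for Internet Explorer (3177356)
Impact: Remote Code Execution; Restart Requirement: Requires Restart; Severity: Critical; CVSS Score: 9.3
MS16-098 – Security Update for Windows Kernel-Mode Drivers (3178466)
Impact: Elevation of Privilege; Restart Requirement: Requires Restart; Severity: Important; CVSS Score: 7.2
MS16-100 – Security Update for Secure Boot (3179577)
Impact: Security Feature Bypass; Restart Requirement: Does Not Require Restart; Severity: Important; CVSS Score: 1.7
MS16-101 – Security Update for Windows Authentication Methods (3178465)
Impact: Elevation of Privilege; Restart Requirement: Requires Restart; Severity: Important; CVSS Score: 4.3
MS16-102 – Security Update for Microsoft Windows PDF Library (3182248)
Impact: Remote Code Execution; Restart Requirement: May Require Restart; Severity: Critical; CVSS Score: 9.3
"""

@dataclass
class Bulletin:
    bulletin_id: str
    title: str
    kb: str
    impact: str
    restart: str
    severity: str
    cvss: float

    @property
    def band(self) -> str:
        # CVSS bands exactly as the article states them.
        if self.cvss >= 7.0:
            return "High"
        if self.cvss >= 4.0:
            return "Medium"
        return "Low"

# Header line: "MS16-095 – Title (3177356)"; accepts an en dash or a hyphen.
HEADER = re.compile(r"^(MS\d{2}-\d{3}) [–-] (.+?) \((\d+)\)$")
DETAIL = re.compile(r"^Impact: (.+?); Restart Requirement: (.+?); Severity: (.+?); CVSS Score: ([\d.]+)$")

def parse_bulletins(text: str) -> list:
    """Pair each header line with the detail line that follows it."""
    bulletins, pending = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            pending = m.groups()
        elif (m := DETAIL.match(line)) and pending:
            bid, title, kb = pending
            impact, restart, severity, score = m.groups()
            bulletins.append(Bulletin(bid, title, "KB" + kb, impact, restart, severity, float(score)))
            pending = None
    return bulletins

def prioritize(bulletins: list) -> list:
    """Highest CVSS first; at equal score RCE outranks other impacts (assumed), then by bulletin id."""
    impact_rank = {"Remote Code Execution": 0, "Elevation of Privilege": 1}
    return sorted(bulletins, key=lambda b: (-b.cvss, impact_rank.get(b.impact, 2), b.bulletin_id))
```

Running `prioritize(parse_bulletins(BULLETIN_LINES))` puts MS16-095 and MS16-102 (both High, 9.3) ahead of MS16-098, with MS16-101 (Medium) and MS16-100 (Low) last, matching the article's top-three ordering.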

Robert Brown is the director of services at Verismic, a global leader in cloud IT management technology, green solutions and business network software systems.
