Links 

https://www.latimes.com/california/story/2022-09-30/hackers-set-monday-deadline-for-lausd-to-pay-up-or-have-private-data-posted-on-dark-web

https://www.darkreading.com/attacks-breaches/solarmarker-attack-wordpress-fake-chrome-browser-updates

https://www.esentire.com/blog/popular-info-stealing-malware-solarmarker-is-using-watering-hole-attacks-and-fake-chrome-browser-updates-to-infect-business-professionals-warns-esentire

https://www.darkreading.com/threat-intelligence/cybercriminals-see-allure-bec-attacks-ransomware

https://arcticwolf.com/resources/blog/incident-response-insights-from-arctic-wolf-labs-1h-2022/

https://www.justice.gov/usao-hi/pr/honolulu-man-pleads-guilty-sabotaging-former-employer-s-computer-network

https://krebsonsecurity.com/2022/09/fake-ciso-profiles-on-linkedin-target-fortune-500s/

Vice Society sets a deadline for LA School District to pay ransom 

• deadline was posted on web site maintained by Vice Society 

• On Tor network 

• Also confirmed they were responsible to three different journalists 
• Amount of Ransome not disclosed. 
• “The papers will be published by London time on Oct. 4, 2022, at 12 a.m.,” the webpage states.  
• Midnight in London would translate to 4 p.m. Monday in Los Angeles. 
• claim to have stolen 500 gigs of data 

• District staff believes confidential information of employees was not stolen 

• They are less certain about information related to students, which could include names, grades, course schedules, disciplinary records and disability status. 

• School District and law enforcement haven’t attributed the attack 

• CISA did put out a warning to educations about the group. 
• School Superintendent did acknowledge the attack came from a group that is familiar to law enforcement and known to attack school systems. 

• School District not negotiating 

• “What I can tell you is that the demand — any demand — would be absurd,” Supt. Alberto Carvalho said. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.” 
• Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.” 

• Attack 

• Happened on Sept 3^rd 

• Labor Day 
• Holiday’s often when hackers target. 
• Once detected by district staff all systems were shut down. 

• Everything was back online by the scheduled Tuesday return date. 
• 600,000 users had to reset passwords and systems were gradually screened for breaches and restored 

• Left Trip Wires in system 

• Possible to damage more systems or data or access when accidentally tripped. 

• Hackers this year have attacked at least 27 U.S. school districts and 28 colleges 

• 36 of those organizations had data stolen and released online 
• at least two districts and one college paid the attackers 

• Typical Extortion 

• Pay or Release 

SolarMarker Makers uses spamdexing to target tax consulting organization 

• Group behind “SolarMarker” found targeting a global tax consulting company 

• Company has a presence in US, Canada, UK and Europe 
• Using fake “Chrome browser updates” 

• SolarMarker 

• multistage malware attacking browsers 

• exfil autofill data 
• exfil saved passwords 
• exfil saved credit card info 

• First seen in 2020 

• .Net malware 

• Powershell installer 

• Attack 

• Detected exploiting WordPress sites 

• Medical manufacturers website 

• End User on Tax consulting agency 

• Searched for manufacturer by name on Google 
• Disguised as a Chrome update. 

• But is based upon victim, could be Firefox or Edge 

• Tricked them into download and running SolarMarker 
• Group is known for using SEO techniques to raise their malware pages up in ranking 

•   

BEC Attacks on the Rise 

• Research on ransomware all over the place 

• Some reports higher 

• Some reports lower 

• Undisputed champion 

• BEC 

• Business Email Compromise 

• 2022 

• according to Arctic Wolf’s “1H 2022 Incident Response Insights 

• More than doubled in April, May and June 
• 17% to 34% 

• Abnormal Security 

• Reports of BEC attacker per mailbox up 84% this year 

• Why? 

• Crypto fluctuations 
• Easier to get away with 
• 2021, BEC attacks accounted for 35%, or $2.4 billion, of the $6.9 billion in potential losses tracked by the FBI’s Internet Crime Complaint Center (IC3) 

• Protection 

• Multifactor 
• Network segmentation 
• Data segmentation 
• Zero-trust 
• Security awareness 

Former IT Administrator Criples Company 

• Casey K. Umetsu, Sr 

• Age 40 

• IT Professional with company for 2 years 

• Administering Network, Helpdesk like stuff 

• Hawaii-Based Financial Company 
• Contract Terminated 

• Pled Guilty 

• accessed his former employer’s website and made configuration changes to redirect web and email traffic to external site 

• Crippled the company 

• Used his own credentials 
• Then locked out the IT department from fixing changes 

• End Game 

• All to be hired back at a higher salary 
• Backfired when the FBI investigated 
• January 19, 2023 sentencing 

• maximum of 10 years of prison time 
• fine of up to $250,000. 

LinkedIN CISO Struggles 

• Krebs on Security Blog Reports 

• Creation of a number of fake CISO accounts. 
• No attribution yet 

• Big Companies 

• These are made to appear to be CISO at major 500 companies 

• Chevron 
• ExxonMobile 

• Even search results will bring up the fake accounts, near the real ones 

• Some are well crafter, some rushed and some copy pieces from other CISOs 

• Cybercrime Magazine’s CISO 500 

• Fell for the fake CISO 

• Listing one as a person on the listing 

• Madiant 

• Thinks its North Korean hackers trying to get jobs at crypto companies 

• LinkedIN 

• Battling the fakes 

• In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam