New Organization for Sharing Intelligence is a Big Weapon to Fight Cyber Threats

Posted By: Gene Fredriksen | October 19, 2016

Intelligence, not the mental-capacity kind but the information-and-awareness kind, is vital to our operations. It is the information edge that we need to prevent, detect, and respond to events of all kinds. Intelligence is not just cyber; it can be operational or regulatory, or simple benchmarking that compares your commitment of people and funds with that of your peers. As the world becomes more complex and dynamic, intelligence is becoming more critical. The key is taking the deluge of information and converting it into “actionable” intelligence. On the cyber side alone, literally thousands of alerts and threats are published daily. It is next to impossible for a typically staffed credit union to distill all of that information.

Last year, President Obama authorized the creation of “Information Sharing and Analysis Organizations,” or ISAOs. The vision is that these organizations, aligned by a specific business focus, will provide actionable intelligence and other information valuable to the business. To that end, a non-profit organization called the National Credit Union ISAO (NCU-ISAO) has been formed and will be launching in the next few weeks. PSCU is a primary founding sponsor. More information will be coming; please watch for it. In the meantime, if you have questions about the NCU-ISAO or would like more information, please contact me.

The stories again this week focus on emerging threats to our member information. Our biggest weapon to fight back is communication and sharing information about these threats to our business. Whether through an ISAO or through personal contacts, make an effort to share. Together we are mightier than apart.

Unsecured Database Lets Hacker Expose 58 Million Plus Records from Data Management Firm    

Modern Business Solutions has suffered a data breach compromising 58M – 258M records. Exposed data includes names, IP addresses, birth dates, email addresses, vehicle data and occupational data. A hacker scanning for unsecured databases was able to compromise at least 58.8 million records – and possibly as many as 258 million – from Modern Business Solutions (MBS), a data management and monetization firm primarily serving the automotive, employment and real-estate industries.

According to an online report by Risk Based Security (RBS), an individual with the Twitter handle @0x2Taylor doxxed the stolen data twice last weekend on the file-sharing site MEGA – both times it was removed – and then again on a smaller file-sharing website. In a subsequent series of communications with RBS, the perpetrator claimed that the vulnerable MongoDB database was initially discovered by an acquaintance who then shared its IP address with him and other friends. @0x2Taylor confirmed to RBS that the original hacker discovered the unprotected, open-source database using the search site “In our experience, given the size of the database and the fact it was clearly from a MongoDB installation, our researchers immediately suspected Shodan was the tool used to identify the open database. This was later confirmed through conversations with the 0x2Taylor,” said Inga Goddijn, executive vice president and managing director of insurance services at RBS, in an email interview with

Leaked information included names, IP addresses, birth dates, email addresses, vehicle data and occupations. At first, it was unclear who this data belonged to. However, “Our researchers were able to identify administrative records within the database. This information was used to link ownership to MBS,” explained Goddijn.

SC Magazine, October 13, 2016

Researchers Spot Uptick in Phishing Cyberattacks Leveraging WSF Files   

Previously, attackers were using Word documents containing macros, and earlier this year they started using malicious JavaScript attachments. Symantec researchers noted an uptick in phishing email attacks using malicious Windows Script File (WSF) attachments to infect users with Locky, and in some cases Cerber, ransomware. In one day, Symantec reported blocking 1.3 million emails bearing the subject line “Travel Itineraries” that were disguised to appear as though they came from a major airline and contained an attachment that consisted of a WSF file within a .zip archive, according to an Oct. 12 blog post. The next day Symantec blocked another 918,000 similar emails, which purported to have been sent by someone representing a client making complaints “regarding the data file you provided.” “Attackers will frequently change their attack methods in order to be less predictable,” Symantec Senior Information Developer Dick O’Brien told via email content. “We believe WSF files are popular at the moment because attackers believe they’re less likely to be flagged by some anti-spam or anti-virus products.”

SC Magazine, October 13, 2016
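
A mail-gateway style check for the delivery pattern described above (a WSF script inside a .zip attachment), as an added example that is not from Symantec or the original post. The extension blocklist, the nesting limit and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: script types Windows Script Host runs on double-click.
SCRIPT_EXTS = (".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe")
MAX_DEPTH = 3  # assumed limit on nested archives

def is_script(name):
    # Windows ignores trailing dots and spaces, so strip them before matching.
    return name.lower().rstrip(". ").endswith(SCRIPT_EXTS)

def script_members(data, depth=0):
    """Return names of script files inside a zip, following nested zips."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip archive, nothing to inspect
    with zf:
        for info in zf.infolist():
            if is_script(info.filename):
                hits.append(info.filename)
            elif (info.filename.lower().endswith(".zip") and depth < MAX_DEPTH
                  and not info.flag_bits & 0x1):  # skip encrypted members
                hits += script_members(zf.read(info), depth + 1)
    return hits

def scan_message(raw):
    """Map each attachment filename to the script files found in or as it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        hits = [fname] if is_script(fname) else script_members(data)
        if hits:
            findings[fname] = hits
    return findings

def build_sample():  # constructed message: zip holding a harmless .wsf placeholder
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("itinerary.wsf", "<job></job>")
    msg = EmailMessage()
    msg["Subject"] = "Travel Itineraries"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="itinerary.zip")
    return msg.as_bytes()
```

A gateway would quarantine any message for which `scan_message` returns a non-empty result; matching on member names inside the archive catches the script regardless of the subject line the campaign uses.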

Brazil Hotbed of Financial Fraud, Report

Threat actors in Brazil are going after targets both within and outside the country, with much of their focus on U.S. businesses. Brazil has emerged as a primary center of financially motivated e-crime threat activity, according to a just-released report from FireEye. Threat actors in the South American country are going after targets both within and outside the country, with much of their focus on U.S. businesses. For instance, FireEye examined one Brazilian cybercrime group that specializes in payment card fraud operations and uses a number of strategies to take advantage of already compromised payment card credentials. These actors share or purchase data dumps online, hack merchant websites and compromise payment card processing devices. They then use this material to generate further card information and launder and monetize their illicit gains with online purchases of goods and services, as well as ATM withdrawals.

SC Magazine, October 13, 2016

Staying Ahead of Threats: Growing Dangers

Today’s onslaught of cyberattacks can be difficult to analyze, let alone take immediate action to prevent data exfiltration. Larry Jaffee reports. You receive an email from your CEO to “wire $80,000 from this account immediately.” Forensic analyses show most cyberattacks come via social-engineering trickery, as employees unwittingly leave their organizations susceptible to severe damage. Adversaries usurp pertinent information from company websites and LinkedIn. “We get five or six a week of those CEO or accounts payable schemes,” says Marshall Wolf, senior IT officer for Gigamon, a Santa Clara, Calif. networking company whose solutions are deployed across vertical markets including over 75 percent of the Fortune 100. “It’s not just malware, riskware and the constant barrage of known threat hackers from China and Russia; it’s your own people potentially doing harm to your network without [their] knowledge,” Wolf says.

SC Magazine, October 3, 2016

Cards at Risk as Online Skimming Jumps 69%

Security researchers are warning that the number of e-commerce stores infected with credit card stealing malware has risen 69% over the past year, with many site owners failing to take action.  Dutch researcher Willem de Groot found 3501 online retail sites last year were infected with malicious JavaScript, allowing cybercriminals to siphon off card details to sell on the dark web.  However, the figure has now jumped to 5929, with hundreds of the stores having failed to spot or take action since November 2015.  Victim organizations vary from car makers (Audi ZA) to government (NRSC, Malaysia) to fashion (Converse) and even NGOs (Science Museum).  The malware in question apparently uses multi-layer obfuscation to stay hidden, and scans for popular payment plugins like PayPal and URLs featuring the word “checkout.”  De Groot has actually found three distinct malware families and nine separate variants, indicating that multiple groups are involved. He traced some of the campaigns back to Russia.

InfoSecurity, October 14, 2016

Hackers Target SWIFT-Using Banks With Odinaff Malware

Now a second gang – not Bangladesh Bank’s attackers – is gunning for banks. A malware-wielding gang has been targeting financial firms’ SWIFT software to inject fraudulent money-moving messages since at least January in “discreet campaigns” not tied to the Bangladesh Bank hack, security firm Symantec warns.  The emergence of the targeted attacks, which rely on malware called Odinaff, is bad news for banks that rely on the SWIFT network to send money-moving messages. Symantec reports that the malware includes the ability to alter client-side logs used by SWIFT software. It says the attackers appear to be seeking high-value targets and attempting to avoid discovery, rather than pursuing mass-infection campaigns.

CU Info Security, October 13, 2016


Gene Fredriksen


Chief Information Security Officer at PSCU
Responsible for the development of information protection and technology risk programs. Gene has over twenty-five years of Information Technology experience, with the last twenty focused specifically in the area of Information Security. He served as the Chair of the Security and Risk Assessment Steering Committee for BITS, as well as serving on the R&D committee for the Financial Services Sector Steering Committee of the Department of Homeland Security. He also served as an advisor on various cyber security steering committees for the administrations of George W. Bush and Bill Clinton, assisting in the preparation of the president’s Cyber Security Position Paper. Gene is a member of the SC Magazine Editorial Advisory Board.

He has published numerous papers and books and maintains a close working relationship with both local and federal law enforcement agencies.



