Faith-Based Daily Awareness Post

Faith-Based Daily Awareness Post 20 August 2024

Faith-Based Security Headlines

These updates are shared to help raise the situational awareness of Faith-Based organizations to best defend against and mitigate the impacts from all-hazards threats including physical security, cybersecurity, and natural disasters.

Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset | Proofpoint US

“Starting 22 July 2024, TA453 contacted multiple email addresses for a prominent Jewish figure while pretending to be the Research Director for the Institute for the Study of War (ISW). The lure purported to invite the target to be a guest on a podcast hosted by ISW. After receiving a response from the target (outside of Proofpoint visibility), TA453 replied with a DocSend URL. The DocSend URL was password protected and led to a text file that contained a URL to the legitimate ISW Podcast being impersonated by TA453. It is likely that TA453 was attempting to normalize the target clicking a link and entering a password so the target would do the same when they delivered malware.”

Key findings:

  • Proofpoint identified Iranian threat actor TA453 targeting a prominent religious figure with a fake podcast interview invitation. 
  • The initial interaction attempted to lure the target to engage with a benign email to build conversation and trust to then subsequently click on a follow-up malicious link.
  • The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho by Proofpoint.
  • The malware, which uses encryption and network communication techniques similar to previously observed TA453 samples, is designed to enable intelligence gathering and exfiltration.
  • AnvilEcho contains all of TA453’s previously identified malware capabilities in a single PowerShell script rather than the modular approach previously observed. 

Analyst Comments:

Members can expect to see a more detailed analysis of this threat in next week’s FB-ISAO Security Advisory.

Phishing occurs when criminals try to get us to open harmful links, emails or attachments that could request our personal information or infect our devices. Phishing messages or “bait” usually come in the form of an email, text, direct message on social media or phone call. These messages are often designed to look like they come from a trusted person or organization, to get us to respond. CISA offers three simple tips to avoid phishing scams.

Recognize: Look for these common signs:

  • Urgent or emotionally appealing language, especially messages that claim dire consequences for not responding immediately
  • Requests to send personal and financial information
  • Untrusted shortened URLs
  • Incorrect email addresses or links, like amazan.com

Poor grammar or misspellings used to be a common sign, but in the era of artificial intelligence (AI) some phishing emails now have perfect grammar and spelling, so look out for the other signs.

Resist: If you suspect phishing, resist the temptation to click on links or attachments that seem too good to be true and may be trying to access your personal information. Instead, report the phish to protect yourself and others. Typically, you’ll find options to report near the person’s email address or username. You can also report via the “report spam” button in the toolbar or settings.

Delete: Delete the message. Don’t reply or click on any attachment or link, including any “unsubscribe” link. Just delete.

Best Practices for Securing Your Donation Sites

Many Faith-Based Organizations use online donation / giving sites where they can collect dues, tithes and other gifts. These types of tools enable members of the congregation to give securely from anywhere, at any time. They may include features such as secure payment processing to accept donations via credit/debit cards, ACH transfers, and mobile wallets, recurring giving that helps set up automated contributions, customizable donation forms to collect specific information from donors, donation tracking to provide donors with contribution summaries for tax purposes, and communication tools to send thank-you notes to donors.

Analyst Comments:

This new Security Awareness product from the FB-ISAO provides key details that organizations should be considering to fortify their donation sites. Some of the key considerations that are expanded upon in the document are:

  • Use a secure payment gateway
  • Consider CAPTCHA and MFA when creating donation web forms
  • Update website with latest security patches
  • Install a website firewall
  • Avoid storing Personally Identifiable Information (PII) on your site
  • Limit access to sensitive data

Members are encouraged to review the full document for additional insights and best practices.

100,000 Impacted by Jewish Home Lifecare Data Breach

New York City-based nonprofit healthcare organization Jewish Home Lifecare has revealed that a data breach disclosed earlier this year impacts more than 100,000 individuals. Jewish Home Lifecare, which is now called The New Jewish Home and which specializes in providing healthcare services to the elderly, informed customers in February that it had discovered unusual activity on its network on January 7. 

It said at the time that hackers may have gained access to information related to patients and other members of the community, including their name, address, date of birth, Social Security number, financial account information, payment card information, passport number, and medical record and medical treatment details.

Analyst Comments:

The ransomware group known as Alphv and BlackCat took credit for the attack on Jewish Home Lifecare in February 2024. The cybercriminals claimed at the time that they had obtained clinical research databases, financial documents, employee and client documents, and “documents proving misuse of donated funds”. The hackers posted several screenshots in an effort to demonstrate their claims. 

It’s unclear if the stolen files were ever made public on the ransomware group’s website. BlackCat disappeared from the scene in early March in what appeared to be an exit scam, and its website is no longer accessible. 

You can read more from CISA about ALPHV/BlackCat here, and as we shared yesterday, CISA offers many ransomware resources including their Stop Ransomware website.

CISA recommends the following mitigation steps to fight against ransomware:

  1. Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.
  2. Prioritize remediation of known exploited vulnerabilities.
  3. Enable and enforce multifactor authentication with strong passwords.
  4. Close unused ports and remove applications not deemed necessary for day-to-day operations.

More Security-focused Content

Attacks on Houses of Worship in 2023
Read the March 2024 Threat Level Statement Update
Access all-hazards resources from public and private sector partners, curated by the FB-ISAO team.

The FB-ISAO’s sponsor Gate 15 publishes a free daily newsletter called the SUN. Curated from their open source intelligence collection process, the SUN informs leaders and analysts with the critical news of the day and provides a holistic look at the current global, all-hazards threat environment. Ahead of the daily news cycle, the SUN allows current situational awareness into the topics that will impact your organization. To sign-up for the SUN, send an email to [email protected]

Learn More About Gate 15’s Enhanced Intel Solutions
