
True North Networks Blog

True North Networks has been serving the Swanzey area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Of Course, Scammers Exploit Fears of Iranian Hacking


A new phishing campaign is attempting to frighten people into handing over their credentials by claiming Microsoft was hacked by Iran, BleepingComputer reports. The campaign is capitalizing on recent warnings from the US Department of Homeland Security and others about the possibility of Iranian state-sponsored cyberattacks in the wake of Qasem Soleimani’s death last week.

The phishing emails in this campaign contain the subject line “Email users hit by Iran cyber attack,” and they purport to come from “Microsoft MSA.” They claim Microsoft’s servers experienced a cyberattack from Iran, and the company had to lock down users’ data in order to protect it. Recipients of the emails are instructed to click a link that says “Restore Data” in order to regain access. Clicking this link will take them to a fairly convincing imitation of Microsoft’s login page, which is designed to steal their credentials.

Many modern phishing campaigns have polished spelling and grammar, making them very hard to spot. This isn’t one of those cases, however.

“Microsoft servers have been hit today with an Cyber Attack from Iran Government,” the emails say. “For your seifty and security we had to take extra measures to protect your account and your personal data. Some emails and files might still be locked on our servers, in order to get full access to your emails and files you have to signin again. If you still have problems receiving emails please be patient, our support team is working on this issue and we will fix this as soon as possible.”

The campaign isn’t particularly sophisticated, but the emails did manage to make it past spam filters, so it’s possible some recipients could have fallen for it.

Iranian state-sponsored cyberattacks are a real concern as well, and they often begin with phishing attacks. Sophisticated threat actors, including Iranian APTs, generally use much more convincing phishing emails that are tailored to their specific targets. New-school security awareness training can enable your employees to recognize low-grade phishing attempts like this one as well as more sophisticated spear phishing attacks.



True North Networks becomes employee-owned!


SWANZEY — A local company is now employee-owned, turning to its workers as an investment in its future.

True North Networks handles information technology for clients in 35 states, typically financial service businesses, according to owner and President Steven Ryder of Keene. Essentially an outsourced IT company, True North has 40 employees, most of whom are in its Swanzey office off Old Homestead Highway, with other branches in Chichester; Scarborough, Maine; and Pittsburgh, Pa.

Ryder said he’s been considering an employee-ownership model for the past couple of years. Though he isn’t quite ready to retire, he said he’s been thinking ahead and wants a succession plan in place. He’s fielded calls from people interested in acquiring True North.

“I really don’t have any interest in selling it and having my company gutted,” he said. “I don’t believe I’ve been successful on my own.”

Rather than choosing to “walk away with a big paycheck, thank everybody and walk out the door” at his retirement, he wanted to share the wealth with the team that built the company since its founding in 2002. So Ryder began researching employee ownership.

The company started the transition this month and will gradually make the shift throughout 2020, he said. Employees now get stock in the company that will go toward their retirement, in addition to an existing 401k plan. Ryder stressed the switch doesn’t cost employees anything, since the program is entirely company-funded.

From a technical aspect, he said, nothing changes. But employees have ownership in their workplace, which is a morale and productivity booster, Ryder said.

“They don’t feel they’re making me rich,” he said. “… It’s about how to make more money collectively together.”

Having a clear succession plan that doesn’t involve selling the company and potentially shaking up the operation also puts minds at ease for both staff and clients, he said.

Ryder said he hopes other businesses will see this model as a win-win situation.




Ransomware-stricken firm tells laid-off employees to seek new jobs amid stymied recovery efforts


The Heritage Company, a telemarketing firm that laid off 300 employees just days before Christmas after a devastating cyber-attack, has now advised the former employees to look for new jobs as the company can’t seem to recover.

Two months ago, Arkansas-based The Heritage Company suffered a ransomware attack but kept it secret as it worked to restore the data. In a letter to employees, CEO Sandra Franecke admitted the company paid hackers the ransom in exchange for the decryption keys. However, recovery didn’t go as planned and the firm ended up losing “hundreds of thousands” of dollars.

As the company could no longer pay employees, Franecke made the tough decision to let everyone go just days before Christmas. In an apologetic letter, she instructed employees to check back on January 2 to see if they can get their jobs back. Local news station KATV confirms that employees calling in for an update were greeted by a recorded message informing them that they should seek new jobs.

The Heritage Company also issued a formal statement to employees, saying, “Hello Team Heritage. We have been working diligently over the past two weeks to reorganize in an effort to recover from the cyber incident. Though we have made progress, there is still much work to be done. With that in mind, we do not prevent you from searching for other employment. Please take care of yourselves, your loved ones, and have a happy New Year.”



Tricky Phish Angles for Persistence, Not Passwords


Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password.

Before delving into the details, it’s important to note two things. First, while the most recent versions of this stealthy phish targeted corporate users of Microsoft’s Office 365 service, the same approach could be leveraged to ensnare users of many other cloud providers. Second, this attack is not exactly new: In 2017, for instance, phishers used a similar technique to plunder accounts at Google’s Gmail service.

Still, this phishing tactic is worth highlighting because recent examples of it received relatively little press coverage. Also, the resulting compromise is quite persistent and sidesteps two-factor authentication, and it seems likely we will see this approach exploited more frequently in the future.

In early December, security experts at PhishLabs detailed a sophisticated phishing scheme targeting Office 365 users that used a malicious link which took people who clicked to an official Office 365 login page. Anyone suspicious about the link would have seen nothing immediately amiss in their browser’s address bar, and could quite easily verify that the link indeed took them to Microsoft’s real login page. Read on for more:




Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad


The Cybersecurity and Infrastructure Security Agency (CISA) is sharing the following information with the cybersecurity community as a primer for assisting in the protection of our Nation’s critical infrastructure in light of the current tensions between the Islamic Republic of Iran and the United States and Iran’s historic use of cyber offensive activities to retaliate against perceived harm. Foremost, CISA recommends organizations take the following actions:

  • Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.
  • Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
  • Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see link below for further details).
  • Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.

Iranian Cyber Threat Profile

Iran has a history of leveraging asymmetric tactics to pursue national interests beyond its conventional capabilities. More recently, its use of offensive cyber operations is an extension of that doctrine. Iran has exercised its increasingly sophisticated capabilities to suppress both social and political perspectives deemed dangerous to Iran and to harm regional and international opponents.

Iranian cyber threat actors have continuously improved their offensive cyber capabilities. They continue to engage in more “conventional” activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks.

The U.S. intelligence community and various private sector threat intelligence organizations have identified the Islamic Revolutionary Guard Corps (IRGC) as a driving force behind Iranian state-sponsored cyberattacks–either through contractors in the Iranian private sector or by the IRGC itself.

Iranian Cyber Activity

According to open-source information, offensive cyber operations targeting a variety of industries and organizations—including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base—have been attributed, or allegedly attributed, to the Iranian government. The same reporting has associated Iranian actors with a range of high-profile attacks, including the following:

  • Late 2011 to Mid-2013 – DDoS Targeting U.S. Financial Sector: In response to this activity, in March 2016, the U.S. Department of Justice indicted seven Iranian actors employed by companies performing work on behalf of the IRGC for conducting DDoS attacks primarily targeting the public-facing websites of U.S. banks. The attacks prevented customers from accessing their accounts and cost the banks millions of dollars in remediation. [1] 
  • August/September 2013 – Unauthorized Access to Dam in New York State: In response, in March 2016, the U.S. Department of Justice indicted one Iranian actor employed by a company performing work on behalf of the IRGC for illegally accessing the supervisory control and data acquisition (SCADA) systems of the Bowman Dam in Rye, New York. The access allowed the actor to obtain information regarding the status and operation of the dam. [2]
  • February 2014 – Sands Las Vegas Corporation Hacked: Cyber threat actors hacked into the Sands Las Vegas Corporation in Las Vegas, Nevada, and stole customer data, including credit card data, Social Security Numbers, and driver’s license numbers. According to a Bloomberg article from December 2014, the attack also involved a destructive portion, in which the Sands Las Vegas Corporation’s computer systems were wiped. In September 2015, the U.S. Director of National Intelligence identified the Iranian government as the perpetrator of the attack in a Statement for the Record to the House Permanent Select Committee on Intelligence. [3]
  • 2013 to 2017 – Cyber Theft Campaign on Behalf of IRGC: In response, in March 2018, the U.S. Justice Department indicted nine Iranian actors associated with the Mabna Institute for conducting a massive cyber theft campaign containing dozens of individual incidents, including “many on behalf of the IRGC.” The thefts targeted academic and intellectual property data as well as email account credentials. According to the indictment, the campaign targeted “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.” [4]

Recommended Actions

The following is a composite of actionable technical recommendations for IT professionals and providers to reduce their overall vulnerability. These recommendations are not exhaustive; rather they focus on the actions that will likely have the highest return on investment. In general, CISA recommends two courses of action in the face of potential threat from Iranian actors: 1) vulnerability mitigation and 2) incident preparation.

  1. Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
  2. Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms.  
  3. Patch externally facing equipment. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.
  4. Log and limit usage of PowerShell. Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
  5. Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.

For additional information on Iranian Cyber Activity and Patterns of Publicly Known Iranian APTs (including mitigations and detection recommendations), please view the full alert details at
