Penetration tests help organizations gain a better understanding of how protected they are against cyber-attacks, and when Kaspersky Lab performed several dozen cybersecurity assessment tests on corporate networks, it found that the overall level of protection against external attackers was low or extremely low for almost half of the analyzed companies.
The report, Security Assessment of Corporate Information Systems in 2017, found that three-quarters (73%) of successful perimeter breaches in 2017 were achieved using vulnerable web applications.
Using weak or default credentials to attack publicly available management interfaces was also a common vector threat actors employed to penetrate the network perimeter. Experts gained administrative access to IT infrastructure in 29% of the external penetration tests performed, but the success rate soared to 86% of the analyzed companies when testing against internal attackers. In 42% of those cases, it took penetration testers only two steps to gain the highest privileges granting them access to important business systems.
“An extremely low level of protection corresponds to those cases where we were able to penetrate the network perimeter and gain access to the critical resources of the internal network,” the report stated.
While the level of protection against internal threats – a threat actor inside the corporate network – was low or extremely low for 93% of the analyzed companies, the analysis showed that organizations are better protected against external threats. The overall level of protection against external threats – an outside intruder from the internet – was low or extremely low for 43% of organizations.
“Qualitative implementation of the simple security measures like network filtering and password policy would significantly increase the security stance,” said Sergey Okhotin, senior security analyst of security services analysis at Kaspersky Lab in a press release. “For example, half of the attack vectors could have been prevented by restricting access to management interfaces.”
The Obama Presidential Policy Directive 20 (PPD-20), which outlined the interagency communications required for the US to deploy cyber-weapons, was reversed by President Trump, according to a report from the Wall Street Journal on Wednesday 15 August.
Infosecurity Magazine contacted the White House for comment, but the Trump administration reportedly has not issued an official statement on the decision to reverse PPD-20. A National Security Council spokesman told Inside Cybersecurity that the administration was not planning on issuing a public statement.
Cyber-threats and cyber-attacks from nation-state actors require action, but planning and executing offensive actions necessary to protect US interests and assets from foreign aggressions can take months or years, said John Gunn, chief marketing officer at OneSpan. “With proper safeguards, this is a positive initiative that will raise our security.”
The US is not the first country to permit offensive techniques in order to prevent cyber-attacks from reaching its borders. Many experts, including Joseph Carson, chief security scientist at Thycotic, are in favor of cyber-offensive capabilities. Yet challenges exist in cyberspace.
“The biggest problem we have is absolute attribution to knowing who exactly carried out the cyber-attack and is it possible that it was a misdirection to put political pressure on two or more countries,” Carson said.
“We have AI and other techniques, but cyber-criminals have the ability to make it look like someone else committed the crime," Carson continued. "With cyber-mercenaries on the increase, the only way to get attribution is to go back to the old methods of having human spies who can confirm the attack happened and was initiated by aggressive cyber-countries. Many countries are already committing cyber-attacks on a large scale, and the US has been poor at responding to such attacks. For example, the attack on the DNC and OPM. My personal stance is that cyber-offensive should only be carried out by government agencies and not permitted by citizens.”
The reversal of PPD-20 also sends a global message at a critical time for the US. "The change in the US government stance on cyber weapons being used for cyber-offensive against adversaries comes just ahead of the US midterm elections. This is very likely a public indication that any nation-state who tries to hack or manipulate the upcoming elections, the US government has taken the gloves off and will respond," Carson said.
The increased number of firewalls within security infrastructures has created challenges, leaving many organizations struggling with basic firewall management, according to a new report from FireMon.
In its fourth annual State of the Firewall report, FireMon polled 334 C-suite executives, IT practitioners and security professionals at global companies of all sizes to understand both the state of firewall management and the impact of emerging technologies.
The report found that companies planning to adopt hybrid cloud models face the potential of increased risk with network security policy management if they are not practicing basic firewall hygiene. For the vast majority of participating organizations, the firewall remains a critical tool in their overall security ecosystem. In fact, 94% said firewalls are either as critical as or more critical than they have ever been and believe the firewall will still be as critical or more critical over the next five years.
Firewalls will remain a signature tool in the overall security architecture, the report concludes: 24% of companies invest more than 25% of their total network security budget in firewall technologies, and a further 39% allocate 10% to 24% of it.
Those firewall technologies do present challenges, though. For nearly a third (30%) of the responding companies, rule complexity is a top challenge. Policy compliance and audit readiness is problematic for 17% of companies and 14% are pained by firewall rule optimization.
With more than 26% of companies managing over 100 firewalls on their network, organizations are challenged with firewall management. A third of participating companies said they have 10 to 99 firewalls on their network. The increased number of firewalls companies are managing produces overwhelming numbers of change requests each week, leaving 40% of companies processing 10 to 99 requests.
“Many companies are still trying to manage firewall rules manually, but in this era of next-gen architectures and sophisticated malware, this is no longer an effective way to enforce access policies and mitigate risk,” said FireMon CEO Satin Mirchandani in a press release.
“With more than half of survey respondents stating that three or more teams are involved in change management, the high number of change requests alone can drain valuable time, resources and budget from any security program. Factor in new technology adoption, and the stage is set for further policy management problems.”
Security experts are warning of another major smart home security threat after revealing that as many as 32,000 businesses and homes have failed to protect systems exposed via the internet.
The issue resides in the lightweight Message Queuing Telemetry Transport (MQTT) protocol, favored in IoT networks to transfer data between machines.
When implementing it at home, users are required to set up a server, usually on a PC or a mini-computer like a Raspberry Pi, that the devices can communicate with.
Unfortunately, security vendor Avast found 49,000 such MQTT servers publicly visible on the internet via a simple Shodan search, with 32,000 featuring no password protection. This global figure might seem rather low, but the vendor clarified to Infosecurity that the protocol is used mainly by more "advanced tech users."
This could be creating cybersecurity, privacy and even physical security risks for users, according to Avast researcher, Martin Hron.
“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” he argued. “Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”
Hron painted several scenarios where these MQTT issues could be exploited by attackers.
With access to MQTT data, they could read the status of smart window and door sensors and locks and smart lighting, and even insert their own commands into the data to open doors, he claimed.
If the server is protected, hackers could try the smart home dashboard running on the same IP address, as these are often either not password protected or easily crackable. If that avenue fails, they could try open and insecure SMB shares running on the popular Home Assistant platform, including passwords and keys stored in plaintext, which could give them complete control over the smart home, the vendor claimed.
Avast also warned that hackers could track users’ location if they use the MQTT-compatible OwnTracks app.
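The exposed brokers described above are typically Mosquitto instances left on their default, anonymous settings. The fragment below is an added illustration, not configuration from Avast or from any of the projects named in the article; it places the weak settings next to a hardened equivalent and assumes the file paths and the LAN address 192.168.1.10 shown (all constructed).

```conf
# Assumed, constructed values: the /etc/mosquitto/... paths and the LAN address 192.168.1.10.

# --- Weak configuration (the state of the brokers found via Shodan) ---
# listener 1883 0.0.0.0      # bound on every interface, so reachable from the internet once port-forwarded
# allow_anonymous true       # any client may connect, subscribe and publish with no credentials at all

# --- Hardened configuration ---
# Settings such as allow_anonymous and password_file then apply to the listener defined just above them.
per_listener_settings true

# Plaintext listener reachable only from the host itself (e.g. Home Assistant running on the same Pi).
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# TLS listener for devices on the LAN; no plaintext listener is bound to the LAN or the internet.
listener 8883 192.168.1.10
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key

# Contents of /etc/mosquitto/acl (constructed example): a door sensor may only report its own
# state, and only the dashboard account may publish commands, so a leaked sensor credential
# cannot be used to open a lock.
#   user door_sensor
#   topic write home/sensors/door/#
#   user dashboard
#   topic readwrite home/sensors/#
#   topic write home/commands/#
```

Accounts in the password file are created with `mosquitto_passwd -c /etc/mosquitto/passwd <username>`, which stores a hash rather than the plaintext password.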
Cybersecurity experts have welcomed the greater numbers of students taking the Computing A-level exam in the UK this year but warned more is needed to fill the talent pipeline for workplace roles.
A-level results were announced on Thursday and revealed an increase in numbers taking the IT course, from 8299 last year to 10,286 in 2018.
Grades were also up slightly. Some 3.3% gained an A*, up from 3%, while 18.2% got an A-grade, up from 16.9%. The number gaining B-grades also jumped slightly (1.7%) to reach a total of 39.3% while Cs jumped 1.3% to 62.5%.
Although the vast majority taking the course (88%) were male students, they were outperformed again by their female counterparts.
Although these figures are slightly improved from the 90% of male students who took the course last year, the gender imbalance is an ongoing challenge which is mirrored in university courses, explained Ivanti director and UK Women in Tech ambassador, Sarah Lewis.
“The digital skills gap is a massive issue in the UK and globally, as technology — including malevolent technology such as the tools used by cyber-criminals — evolves at a rapid pace. Bring the number of women working in computing up so that it is equal to men and you've doubled the talent pool,” she argued.
“It sounds simple in theory, but in practice it requires businesses and governments to invest in programs and schemes to break down barriers stopping young women from viewing a career in computing, and technology more widely, as viable. The future must be female in order to bridge the digital skills gap.”
Trend Micro principal security strategist, Bharat Mistry, also argued that more work is needed to build a stronger pipeline of talent to enter the workforce.
“Closing this gap isn’t just a challenge for the public sector to solve, businesses have their role too,” he said.
“Whether that’s through hosting hacking competitions aimed at students and young professionals, or offering up their experts to help train school leavers, businesses can help those interested in cybersecurity build on their technical skills and learn how to solve real-world problems in a dynamic environment — making them workplace-ready.”
Alex Hinchliffe, a threat intelligence analyst at Palo Alto Networks' Unit 42, argued that even those not taking IT-related courses at school should be encouraged to consider a career in cybersecurity.
“People who studied humanities, for example, are often better at predicting malware patterns based on previous information,” he claimed. “Threat research degrees have also recently become available as the industry booms, and while maths may be necessary for certain roles, humanities and social science graduates are just as valuable to a threat intelligence team.”
A British researcher has published details of a serious WordPress flaw left unfixed for over a year which could allow for complete system compromise.
By uploading a specially crafted file to the targeted app, attackers can trigger a file operation through the "phar://" stream wrapper. That in turn triggers XML eXternal Entity (XXE) and Server Side Request Forgery (SSRF) flaws which force the app to "unserialize" metadata contained in the file, potentially resulting in execution of malicious code.
Secarma claimed its research reveals that a category of vulnerabilities previously not considered critical can in fact have a major impact on victim systems.
“This research continues a worrying recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages,” said Thomas. “We must constantly be aware of the security impact of such mechanisms being exposed to attackers.”
WordPress is used by millions of web owners around the world including 30% of the world’s top 1000 websites, according to Secarma, meaning hackers could reach a potentially huge number of victims.
The popular open source CMS platform was notified in February 2017 but has yet to fully resolve the issue, according to the UK research firm.
“WordPress is an incredibly popular platform, widely used across the globe by bloggers, news outlets and all manner of businesses. It’s not uncommon to uncover vulnerabilities in systems and it’s important that organizations react quickly to protect their customers when something like this is discovered,” said Secarma CEO Lawrence Jones.
“Penetration testing is very accessible nowadays and it’s so important that businesses are proactive and regularly test any applications they put online.”
A campaign that began weeks ago and targeted approximately 2,700 Fortune 100 banking institutions in the US and around the world with a widespread botnet attack came to a sudden halt as of 15:37 EST on 15 August, according to researchers at Cofense. The phishing emails appeared to be coming from India and contained the subject lines “Request BOI” or “Payment Advice.”
Malware analysts had been tracking the Necurs botnet for the last several months and observed the highly targeted phishing campaign as an attempt to go after the financial sector for the first time. The threat actors were reportedly attempting to get a foothold on the banks’ infrastructure and set the stage for potential further attacks.
First observed in 2012 and famed for sending Locky a few years ago, the Necurs rootkit couples multiple Domain Generation Algorithms (DGAs) with .bit domain names and P2P communications.
After studying the increased botnet campaigns over the last several weeks, researchers found that all of the recipients were employed at banks. In addition, researchers noted a new file extension .pub, which belongs to Microsoft Publisher, attached to the phishing campaigns.
This unexpected change in file extension happened at 7:30 am on 15 August. “Like Word and Excel, Publisher has the ability to embed macros. So just when you are feeling confident about a layered defense protecting you from malicious Word docs, Necurs adapts and throws you a curve ball,” researchers wrote.
“The banks range from small regional banks all the way up to the largest financial institutions in the world. We have not yet determined the actor(s) behind this specific campaign or the final goal.”
The .pub file contained an embedded macro that, when executed, downloaded a payload from a remote host, resulting in the FlawedAmmyy remote access Trojan (RAT). With this final payload, the attackers gained full remote control of the compromised host, enabling both credential theft and the potential of future lateral movement within the banking institution.
Cyber-criminals are leveraging the shift from pen and paper to electronic signatures in real estate transactions. According to new research from Proofpoint, fraudulent real estate transactions are being used to steal people’s credentials.
Attackers are capitalizing on the number of unfamiliar parties and documents involved in a typical real estate transaction to lure unsuspecting homebuyers into clicking on fake landing pages.
Researchers have identified schemes employed by attackers targeting homebuyers with DocuSign lures and fake Office 365 login pages associated with bogus real estate documents. In addition, the computer networks of real estate firms have been directly attacked with remote access Trojans (RATs) to obtain confidential information.
The electronic signature has proven to be an effective target for threat actors, and click rates for DocuSign lures are averaging five times higher than click rates for the top 20 lures, according to a 15 August blog post.
The goal, however, is not to steal users’ DocuSign credentials. Rather, the lure is to have victims log in to fake DocuSign landing pages with third-party credentials such as Microsoft Office 365 or other generic email credentials.
“These landing pages are linked in phishing emails; the URLs for the links suggest targeting for homebuyers and generally reside on compromised sites, the administrators of which have all been notified,” Proofpoint wrote.
In addition to abusing the DocuSign brand to harvest credentials on phishing pages, attackers have used other phishing templates specific to mortgage closings. The phishing landing page – complete with national realtor and Norton logos – tricks users into thinking they are opening documents containing their closing disclosure.
Though less frequent than real estate phishing, attackers are also targeting real estate businesses, including realtors and homeowner insurance agencies, using RATs. “Because of the nature of the transactions in which these businesses engage, RATs and information stealers offer additional opportunities for threat actors to steal a range of personal and banking information.”
Small businesses will soon receive help implementing voluntary cybersecurity frameworks as defined by the National Institute of Standards and Technology (NIST) after President Trump signed the “NIST Small Business Cybersecurity Act” S. 770 on 15 August.
In addition to providing resources to small businesses, the bill, which requires NIST to develop and disseminate resources that help small businesses reduce their cybersecurity risk, also requires that future NIST standards consider the needs of small businesses.
The bill represents a step forward for both the cybersecurity industry and for SMBs struggling to be in accordance with the NIST standards. “This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain,” said Dr. Bret Fund, founder and CEO at SecureSet.
Fund said the bill, widely seen as a step in the right direction toward cybersecurity compliance and readiness for SMBs, also signals President Trump's intent to improve cybersecurity overall.
“With the increase in cyber-attacks, it is great to see the administration continue to invest in cybersecurity initiatives. Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks,” said Dirk Morris, chief product officer at Untangle.
Small businesses have long been at risk of cyber-attacks as nefarious actors know that SMBs are limited in both budgets and staff, making it difficult for most small businesses to implement strong security strategies. “Recent reports show that smaller businesses lose proportionately more to cyber-attacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures,” said Anupam Sahai, vice president of product management at Cavirin.
“This is a very positive step, as smaller enterprises may not have the skills or budget to implement a broad-based program. The Act will help with focus. The proof will be how the necessary resources are actually made available.”
A US entrepreneur and cryptocurrency investor has filed a $223m lawsuit against AT&T after a store employee allegedly facilitated SIM swap fraud.
Lawyers acting on behalf of Michael Terpin filed 16 counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and other charges in a US District Court in Los Angeles yesterday.
On January 7, an AT&T agent in a Connecticut store is alleged to have agreed to transfer Terpin's mobile phone number to a new SIM, which an “international criminal gang” then used to commit major identity fraud.
Specifically, they were able to circumvent 2FA security on his cryptocurrency accounts by intercepting one-time SMS passcodes to access them and then transfer funds to the tune of $24m elsewhere.
“Even after AT&T had placed vaunted additional protection on his account after an earlier incident, an imposter posing as Mr Terpin was able to easily obtain Mr Terpin’s telephone number from an insider cooperating with the hacker without the AT&T store employee requiring him to present valid identification or to give Mr. Terpin’s required password,” the complaint alleges.
“It was AT&T’s act of providing hackers with access to Mr Terpin’s telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur. What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewellery in the safe from the rightful owner.”
The complaint further alleges that AT&T’s 140 million customers are at a similar risk of SIM swap fraud “because it has become too big to care.”
AT&T is disputing the allegations and claims to be looking forward to “presenting our case in court.”
Identity fraud in the UK has fallen for the first time in four years, but the number of online scams continues to rise, especially in the retail sector, according to Cifas.
The not-for-profit fraud prevention organization claimed a drop in identity fraud of 5% in the first six months of 2018 compared to the same period last year.
However, identity fraud still comprises over half of all fraud reported by Cifas, with online accounting for 87%. That figure is up from the last time Infosecurity contacted the non-profit in April, when a spokesperson said that 84% of identity fraud occurs through online channels.
Identity fraud against online retail accounts has risen by 24% (1232 cases), while there has been a steep rise in fraudulent applications for credit and debit cards (12%).
On the other side, Cifas recorded a 12% reduction in the volume of bank accounts being targeted by identity fraudsters, and a 34% reduction in attempts to obtain mobile phone contracts.
The most popular ways to obtain the digital identity data needed to make fraudulent applications online are still by buying it off the cybercrime underground, social engineering and ‘hacking’, it said.
Sandra Peaston, director of strategy, policy and insight at Cifas, pointed out that identity fraud hit an all-time-high at the end of 2017, so any reversal of this trend should be viewed positively.
“However, these new figures demonstrate that identity fraudsters adapt quickly to try and circumvent security measures. The re-targeting of plastic cards, following a drop in 2017, is a prime example of this,” she added.
“With identity fraud remaining uncomfortably high, more personal information available online, and increasing numbers of data breaches, the protection of personal data must be viewed as a collective responsibility. Everyone should play their part, from individuals and organizations taking steps to protect personal data to businesses ensuring their fraud prevention practices effectively defend against evolving tactics employed by identity fraudsters.”
An Indian bank has lost nearly 944m rupees ($13.5m) after hackers withdrew the funds from ATMs around the world and made other fraudulent SWIFT transfers.
Pune-headquartered Cosmos Bank claimed the attackers first stole customer information by installing malware on the firm’s ATM server, before conducting the globally co-ordinated withdrawals in 28 countries on August 11.
An alert from the FBI warned unnamed banks on Friday of an imminent “global Automated Teller Machine (ATM) cash-out scheme” but was unable to halt the sophisticated plot.
“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” it noted. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
The self-styled “leading co-operative bank in India” was also hit by three unauthorized transfers via SWIFT to a Hong Kong company’s account worth 139m rupees ($2m).
The lender claimed that the hackers managed to bypass the main switching system used for debit card payments.
“During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system,” it said in a press release seen by Reuters.
The case will bring to mind a series of high-profile raids on financial institutions over the past few years, many of them involving the SWIFT interbank transfer network.
Tamil Nadu-headquartered City Union Bank was targeted in February, when an alleged international group of hackers tried to make $2m worth of illegal transfers, although they only succeeded in getting half of that.
The run of attacks on lenders began with a major $81m raid on Bangladesh Bank back in 2016 which was subsequently blamed on the infamous North Korea-linked Lazarus Group.
It likely comes as no surprise that cyber-criminals are financially motivated, but according to new research, many nefarious actors in the cyber world are also driven to a life of digital crime by ego as well as socioeconomic and psychological factors.
As a follow-up to the recent report Under the Hoodie: Lessons from a Season of Penetration Testing published by Rapid 7, Wendy Zamora, malware intelligence at Malwarebytes, set to work on a months-long research piece exploring the psychology, motivations and other underlying factors that drive people to cybercrime.
The results of her work were published today in the long-form article "Under the Hoodie: Why Money, Power, and Ego Drive Hackers to Cybercrime" which includes interviews with reformed and active cyber-criminals as well as research from forensic psychologists, law enforcement officials and professors of criminology.
Zamora's research reveals that the main motivations for cyber-criminals include socioeconomic factors, technical skill and psychological drivers such as revenge and ego. Throughout the article, she breaks down each factor to create a general cyber-criminal persona, pinpointing the various motivations to particular forms of cybercrime, such as social engineering and malware creation.
In reference to interviews with one of her subjects who became enamored by the ease with which he could earn money, Zamora writes, “What’s not to like? Money, popularity, and a quiet 'screw you' to the man. He was proud of his ability to hack into and modify programs built by professionals.”
The results of her research highlight the value of criminal profiling, a psychological assessment that looks at both personality and physical characteristics. Criminal profiles are not as useful in identifying the individual perpetrator as much as they are helpful in narrowing the field of suspects.
Understanding what motivates cyber-criminals can also serve as a pathway to help them transition from cyber-criminals to white hat hackers. “There’s a razor thin line separating the white hats from the black,” Zamora describes.
“Cyber-criminals are equally passionate and skilled at what they do, but the lens through which they view the world may be blurred by socioeconomic circumstances or psychological hang-ups. There are those that may be beyond hope, but there are also those who are simply too young or too insecure to work a system that feels like it’s set up to watch them fail.”