Cyber Risk News

Office 365 Admins Singled Out in Phishing Campaign

Info Security - 5 hours 36 min ago

Security experts are warning of a newly discovered phishing campaign targeting Office 365 administrators and using legitimate sender domains to bypass reputation filters.

PhishLabs said it saw malicious emails being sent out as part of the campaign across a wide variety of industries and enterprises. Administrators are targeted for several reasons.

“For starters, Office 365 admins have administrative control over all email accounts on a domain. Depending on the current configuration of the Office 365 instance, a compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain,” the vendor said.

“In addition, Office 365 admins often have elevated privileges on other systems within an organization, potentially allowing further compromises to take place via password reset attempts or abusing single-sign-on systems.”

Once an administrator is phished, the attackers can create new accounts inside the compromised tenant, which are then used to send further phishing emails from a domain that already has a clean sending reputation.

“This is beneficial for attackers because many email filtering solutions leverage the reputation of a sender domain as a major component of determining whether to block an email,” said PhishLabs. “Well established domains with a track record of sending benign messages are less likely to be quickly blocked by these systems. This increases the deliverability and efficiency of phishing lures.”

By setting up new accounts to carry out this phishing activity, the hackers are also more likely to stay under the radar, it added.
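One way to catch the sequence described above (admin signs in from somewhere new, then creates accounts or grants roles) is to correlate the tenant's audit trail. The following is an added example, not code from PhishLabs or Microsoft: it runs over constructed records shaped like Office 365 Unified Audit Log entries (the operation names follow that log's naming; the IPs, users and baseline are invented) and flags watched operations that happen within a window of a successful sign-in from an IP outside the admin's baseline.

```python
"""Added example: flag Office 365 admin actions that follow a sign-in from an
unfamiliar IP. The records below are constructed, not real tenant data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the style of Unified Audit Log JSON (hypothetical tenant).
SAMPLE_LOG = [
    {"CreationTime": "2019-11-18T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "admin@example.com", "ClientIP": "203.0.113.7", "ResultStatus": "Succeeded"},
    {"CreationTime": "2019-11-18T08:05:40", "Operation": "Add user.",
     "UserId": "admin@example.com", "ClientIP": "203.0.113.7", "ObjectId": "billing@example.com"},
    {"CreationTime": "2019-11-18T08:06:02", "Operation": "Add member to role.",
     "UserId": "admin@example.com", "ClientIP": "203.0.113.7", "ObjectId": "billing@example.com"},
    {"CreationTime": "2019-11-18T09:30:00", "Operation": "UserLoggedIn",
     "UserId": "admin@example.com", "ClientIP": "198.51.100.20", "ResultStatus": "Succeeded"},
    {"CreationTime": "2019-11-18T09:31:15", "Operation": "Add user.",
     "UserId": "admin@example.com", "ClientIP": "198.51.100.20", "ObjectId": "new.hire@example.com"},
]

# Constructed baseline: IPs each admin is known to sign in from (assumed, for the demo).
KNOWN_ADMIN_IPS = {"admin@example.com": {"198.51.100.20"}}

# Operations an attacker with an admin session typically performs to build
# a phishing foothold: new accounts, role grants, mailbox rules.
WATCHED_OPS = {"Add user.", "Add member to role.", "New-InboxRule", "Set-InboxRule"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def suspicious_admin_activity(records, known_ips, window_minutes=30):
    """Return (admin, ip, operation, target) tuples for watched operations performed
    from the same IP within `window_minutes` of a successful sign-in from an IP
    that is not in the admin's baseline."""
    risky_logins = defaultdict(list)  # admin -> [(login_time, ip)]
    for r in records:
        if r.get("Operation") == "UserLoggedIn" and r.get("ResultStatus") == "Succeeded":
            if r.get("ClientIP") not in known_ips.get(r.get("UserId"), set()):
                risky_logins[r["UserId"]].append((parse_time(r["CreationTime"]), r["ClientIP"]))

    window = timedelta(minutes=window_minutes)
    hits = []
    for r in sorted(records, key=lambda x: x["CreationTime"]):
        if r.get("Operation") not in WATCHED_OPS:
            continue
        t = parse_time(r["CreationTime"])
        for login_time, ip in risky_logins.get(r.get("UserId"), []):
            if ip == r.get("ClientIP") and login_time <= t <= login_time + window:
                hits.append((r["UserId"], ip, r["Operation"], r.get("ObjectId", "")))
                break
    return hits


if __name__ == "__main__":
    for hit in suspicious_admin_activity(SAMPLE_LOG, KNOWN_ADMIN_IPS):
        print("ALERT", *hit)
```

In the sample, the two actions taken from 203.0.113.7 are flagged and the later "Add user." from the admin's usual address is not. In production the baseline would come from the admin's sign-in history and the window and watched operations would be tuned to the tenant; the point is that account creation by itself is normal, and it is the pairing with an anomalous session that carries the signal.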

The phishing lures themselves are dressed up to appear as if sent by Microsoft, for example a message asking the recipient to sign in to the Office 365 Admin center to update payment information. However, eagle-eyed recipients would be able to spot that the sending domain is not Microsoft's but that of another compromised organization.

Office 365 continues to grow in popularity with users, and therefore with attackers: Barracuda Networks found over 1.5 million malicious and spam emails sent from thousands of compromised accounts in the space of just one month earlier this year.


Booter Boss Banged Up for 13 Months

Info Security - 6 hours 23 min ago

An Illinois man has been sentenced to 13 months behind bars after participating in a DDoS-for-hire scheme which made him over half a million dollars.

Sergiy P. Usatyuk, 21, of Orland Park, was charged with one count of conspiracy to cause damage to internet-connected computers. He is said to have owned and managed illegal booter services which were used to launch DDoS attacks on millions of victims in the US and abroad.

As part of the sentence, Usatyuk was also ordered to forfeit $542,925 in proceeds from the scheme and to hand over dozens of servers and other computer equipment used in the operation.

From around August 2015 to November 2017, he’s said to have teamed up with a co-conspirator to run several booter sites including: ExoStress.in; QuezStresser.com; Betabooter.com; Databooter.com; Instabooter.com; Polystress.com and Zstress.net.

As well as the intended targets, some of the attacks also affected other organizations. One Betabooter customer launched DDoS attacks against a school district in Pittsburgh that also impacted 17 organizations that shared the same underlying infrastructure, including other school districts, the county government, career and technology centers and a Catholic Diocese, according to the indictment.

“DDoS-for-hire services pose a malicious threat to the citizens of our district, as well as districts across the country, by impeding critical access to the internet and jeopardizing safety and security in the process,” said US attorney for the Eastern District of North Carolina, Robert Higdon Jr.

“The operation and use of these services to disrupt the operations of our businesses and other institutions cannot be tolerated. Anyone who weaponizes web traffic in this manner will be vigorously pursued and prosecuted by my office.”

Usatyuk and his co-conspirator are said to have made over $550,000 from their DDoS-for-hire services.

Booter or "stresser" services let customers with little technical know-how rent DDoS attacks by the hour, and are a popular way for budding cyber-criminals to make money. One of the most popular, webstresser.org, was taken down by police in 2018 and was responsible for over four million attacks.

Europol recently launched an operation to track down its 150,000 customers.


Gamers Exposed After Wizards of the Coast Data Leak

Info Security - 6 hours 42 min ago

A US gaming company has admitted accidentally leaking the personal data of countless customers via a cloud storage bucket.

Hasbro-owned Wizards of the Coast specializes in fantasy and science fiction games such as card trading title Magic: The Gathering.

However, it was forced late last week to email an unspecified number of Magic Online and MTG Arena users informing them of the privacy snafu. It’s unclear how many were affected but MTG Arena alone is said to have three million users and makes its owners hundreds of millions in revenue each year.

“Dear Wizards community, we are writing to let you know of a recent security incident at Wizards of the Coast. On Nov. 14, we learned that an internal database file from a decommissioned version of the WotC login had inadvertently been made accessible outside the company,” the email reportedly said.

“We believe this was an isolated incident related to a legacy database and is unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data.”

Reports suggest that the problem stemmed from a back-up file left in an Amazon Web Services (AWS) storage bucket that was accessible without any authentication.

First and last names, email addresses and salted and hashed passwords were apparently exposed in the incident, which is being treated as non-malicious. Although the passwords were salted and hashed rather than stored in the clear (hashing, not encryption, is the relevant protection here), all MTG Arena and Magic Online users are being asked to reset their passwords, since a leaked hash file can still be attacked offline.

Misconfiguration of cloud storage such as AWS S3 is to blame for an increasing number of data leaks. Although many are found and locked down quickly, like this one, that is not always the case: the longer exposed storage stays online, the greater the chance that attackers find it and steal, or hold to ransom, the data inside.
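The page does not say whether the bucket above was opened by its policy or by its ACL, and both can do it. The following is an added example (not code from Wizards of the Coast, AWS or the reporting) showing the offline check a reviewer would run over the two documents the S3 API returns for a bucket: the policy JSON and the ACL grant list. The bucket name, account ID and grantee ID are invented.

```python
"""Added example: detect anonymous/public access in an S3 bucket policy document
and an ACL grant list. Inputs are constructed, in the shape the S3 API returns."""
import json

# Canned ACL groups that mean "everyone" or "any AWS account" respectively.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(x):
    # Policy fields such as Statement, Action and Principal.AWS may be a string or a list.
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal):
    # "Principal": "*" and {"AWS": "*"} both grant to anonymous callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws is not None and "*" in _as_list(aws)
    return False


def public_policy_statements(policy_json):
    """Return (Sid, actions, has_condition) for Allow statements whose principal is
    everyone. Statements carrying a Condition are returned too, marked True, because
    a condition may or may not narrow who can read; a human has to look."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        findings.append((st.get("Sid", ""), _as_list(st.get("Action", [])), "Condition" in st))
    return findings


def public_acl_grants(grants):
    """Return (group, permission) for grants to the AllUsers/AuthenticatedUsers groups."""
    return [
        (g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_URIS
    ]


# Constructed sample: a backup bucket left world-readable via both policy and ACL.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "AdminWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-backups/*"},
    ],
})
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    print("policy:", public_policy_statements(SAMPLE_POLICY))
    print("acl:", public_acl_grants(SAMPLE_GRANTS))
```

Fixing a finding means removing the grant, but the durable control is to turn on S3 Block Public Access at the account level so that neither a policy nor an ACL can reopen a bucket later, and to audit buckets that hold database dumps separately from the application that produced them, since decommissioned systems are exactly the ones nobody is watching.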

Just last month, personal data belonging to 250,000 US and UK jobs seekers was leaked after two online recruitment companies failed to make their AWS buckets private.


Holiday Shopping on Company Devices a Worry for Executives

Info Security - Fri, 11/15/2019 - 18:01

New research published today by Zix-AppRiver has revealed that 61% of US executives feel powerless to stop employees holiday shopping on company devices, despite knowing that the practice poses a cybersecurity threat to the business.

Researchers asked 1,049 cybersecurity decision-makers within American SMBs across a diverse range of industry sectors about the holiday shopping habits of their employees. 

According to the report, 82% of all SMB executives estimated that “many” of their company employees will shop online this holiday season using a computer at work or a device used for conducting business, on which business data is also stored and transmitted.

Among those interviewed, 61% admit they know this poses cybersecurity risks to their business and customers, but they believe it is "a fact of life, and there is not much I could do about it."

At larger-sized SMBs, executives were more likely to make the assumption that employees would use a company device for holiday shopping this year. At medium-sized SMBs with 50–149 employees and at larger-sized SMBs with 150–250 employees, 88% and 90% of executives respectively anticipated this behavior from many of their employees.

Nearly half of the executives surveyed estimate that most of their employees would not be able to spot an illegitimate link posing as an online retailer in a phishing attempt. Many were equally pessimistic about their own ability to do so.

"Among IT decision-makers who lack confidence that most employees would be able to spot an illegitimate link posing as a fake retailer, many think they themselves could be vulnerable also. Four out of ten who lack confidence in their employees also lack confidence that they themselves could spot a fake link," Troy Gill, senior cybersecurity analyst at Zix-AppRiver, told Infosecurity Magazine. 

Asked if any of the executives who thought their employees couldn't distinguish between a fake link and a genuine link had plans to implement any cybersecurity training, Gill said: "Yes, and that was one piece of really important good news from this survey. 57% of SMB IT decision-makers plan to invest more in 2020 dedicated toward security awareness training for employees. That figure jumps to 68% among larger SMBs with 150–250 employees."

Describing where cybersecurity vulnerabilities are present in a typical company hierarchy, Gill said: "Anyone with access to the network, from the board chair to the newest hire, can pose a threat. Training and awareness—not job title or department—are the best indicators and mitigators of individual risk."  


Ransomware: Still Going Strong 30 Years On

Info Security - Fri, 11/15/2019 - 17:19

Next month marks the 30th anniversary of the first ever ransomware attack, and according to new research this particular form of malware is still going strong. 

According to the "Mid-Year Threat Landscape Report" published yesterday by Bitdefender, ransomware increased 74.23% year on year in the first six months of 2019. 

Researchers noted a change in the ransomware landscape following the fall of GandCrab earlier this year. In roughly 18 months of activity, this particular piece of ransomware generated more than $2bn. 

"The fall of GandCrab, which dominated the ransomware market with a share of over 50 percent, has left a power vacuum that various spinoffs are quickly filling. This fragmentation can only mean the ransomware market will become more powerful and more resilient against combined efforts by law enforcement and the cybersecurity industry to dismantle it," wrote researchers. 

A notable player stepping into the space left by GandCrab's exit is Sodinokibi (aka REvil or Sodin), which has quickly gained popularity in recent ransomware campaigns, focusing on specific industry verticals. 

To help educate businesses about the threat posed by ransomware, Sophos yesterday published a report titled “How Ransomware Attacks.” In addition to detailing how the threat has evolved over the past three decades, Sophos’ report also takes an in-depth look at the largest ransomware families and highlights the most common types of attacks.

Included in the report are the characteristics and file system activity of ten ransomware variations. Alongside classics such as WannaCry, Ryuk, and SamSam, the report delves into newer strains like RobbinHood, Sodinokibi, and LockerGoga. 

While ransomware continues to wreak havoc, Bitdefender researchers identified the top three threats facing businesses and consumers as coin-mining malware used in cryptojacking campaigns; exploits for unpatched or previously unknown vulnerabilities, together with fileless attacks; and banking trojans.

Underlining just how serious the consequences of cyber-attacks can be, the researchers found that the European Union economy could face up to €2.5bn in financial losses, should internet infrastructures be taken offline for a single hour by IoT botnets causing DDoS attacks. The losses for an eight-hour workday reach around €20bn.


Japan's Largest Messaging App Launches Bug Bounty Hunt

Info Security - Fri, 11/15/2019 - 16:27

Ethical hackers from around the world have been invited to discover and report vulnerabilities in Japan's largest messaging app.

LINE Corporation today launched a public bug bounty program (BBP), offering hackers financial rewards for identifying vulnerabilities across LINE's web domains and core messenger application.

The program will run through HackerOne, which LINE has been using since July 2019 to run a private bug hunt in tandem with the company's own self-managed BBP. 

Since starting its permanent bug bounty program in June 2016, the company has received more than 1,000 reports and has paid over $300,000 in bounties through both self-run and HackerOne bug bounty initiatives.

From today, LINE will be transitioning its entire bug bounty ecosystem to the HackerOne platform. The hacker-powered platform has over 570,000 registered hackers. 

"We are thrilled to be moving to the HackerOne platform as it allows us to increase our visibility and thereby increase the amount of high-quality reports we receive as well," said Naohisa Ichihara, head of the cybersecurity department at LINE. "As being transparent about security issues is very important to us, we wanted a convenient way to disclose such information. Our original platform did not have an easy way of achieving this, so it was also a contributing factor in deciding to move to HackerOne."

Participation in the LINE bug bounty program is open and encouraged for all hackers worldwide. Bounty awards range from $500 to $30,000 for eligible valid vulnerabilities. Assets in scope include the main LINE application (for iOS, Android, Chrome, MacOS, and Windows) as well as the web domains https://store.line.me/, https://news.line.me/, https://music.line.me/, and https://live.line.me/.

"With 164 million global monthly average users across their top four countries, LINE knows it’s imperative to protect user information around the clock," said Attley Ng, HackerOne’s VP, Asia Pacific (APAC). "By adding the largest community of ethical hackers in the world as an extension of their cybersecurity team, LINE enhances their global approach to security and improves the safety of their customers."

APAC continues to be one of the fastest-growing regions for hacker-powered security. According to HackerOne’s 2019 Hacker Powered Security Report, the number of hacker-powered security programs grew by 30% in the region year over year between 2018 and 2019. 

HackerOne opened its APAC headquarters in Singapore earlier this year, and now counts Ministry of Defence Singapore (MINDEF), GovTech Singapore, Xiaomi, Zomato, Toyota, Nintendo, Grab, and Alibaba among its customers.


LA Warns Travelers of Juice Jacking Scams

Info Security - Fri, 11/15/2019 - 11:15

Travelers in Los Angeles have been urged by officials not to use public USB charging points for fear they might infect their devices with malware.

LA County district attorney, Jackie Lacey, posted an official fraud alert warning of USB charging scams, also known as “juice jacking.”

“Travelers should avoid using public USB power charging stations in airports, hotels and other locations because they may contain dangerous malware,” it read.

“In the USB charger scam, often called ‘juice jacking,’ criminals load malware onto charging stations or cables they leave plugged in at the stations so they may infect the phones and other electronic devices of unsuspecting users. The malware may lock the device or export data and passwords directly to the scammer.”

The DA’s office urged travelers instead to use AC power outlets and car chargers to charge their devices, and to consider buying portable chargers.

It also urged anyone suspecting they’ve been caught out by this kind of attack to contact their local police.

Juice jacking is nothing new — in fact, attendees at security conference Black Hat all the way back in 2011 were warned about the dangers of plugging their devices into public charging kiosks.

However, the public announcement in LA is illustrative of the perceived threat level today: presumably attackers see an opportunity in the sheer number of smartphone and tablet users in need of extra power on the go.

It is one more thing to add to corporate security policies, which should also prohibit employees from logging on to work accounts over public Wi-Fi unless they are using a VPN. Where a public port is the only option, a USB data blocker or charge-only cable, which passes the power pins but not the data lines, removes the attack path entirely.

Even office rental company WeWork’s Wi-Fi security was recently called out for potentially exposing its customers.


Alleged Crypto-Stealing SIM Swap Duo Charged

Info Security - Fri, 11/15/2019 - 10:30

Two men have been arrested and charged in connection with a major SIM swap campaign designed to steal cryptocurrency and hijack high-value social media accounts.

Eric Meiggs, 21, of Brockton, Massachusetts, and Declan Harrington, 20, of Rockport, Massachusetts, face an 11-count indictment, charging them with one count of conspiracy, eight counts of wire fraud, one count of computer fraud and abuse, and one count of aggravated identity theft.

After using classic SIM swap techniques to gain control of victims’ phone numbers, they targeted cryptocurrency company executives and others, intercepting two-factor authentication reset codes to hijack their Coinbase and Block.io wallets and drain them of digital funds.

They allegedly stole or attempted to steal over $550,000 in cryptocurrency from around 10 victims across the US, according to the indictment.

In addition, Meiggs is accused of hijacking two high-value social media accounts, in one case threatening to kill the wife of a victim if they didn’t give up their Instagram handle. In another case he allegedly convinced a victim to give him his handle in return for his phone number.

These so-called “OG” or “Original Gangster” accounts are typically registered soon after social media platforms are launched, giving them an extra cachet which means they can be highly sought-after online.

SIM swapping is an increasingly common threat to mobile users, and there is little victims can do to prevent the swap itself. The problem stems from the mobile carriers: it is their staff who are tricked into believing the attacker is a legitimate customer, and sometimes insiders at these firms are part of the conspiracy. What users can do is keep the phone number out of the authentication path, by moving second factors from SMS to an authenticator app or hardware key and by setting a port-out PIN where the carrier offers one.

In May this year, nine men including three former employees of mobile phone companies were charged for their roles in a SIM swap campaign which is said to have netted them around $2.4m in cryptocurrency.

Meanwhile, AT&T is set for a courtroom showdown with a cryptocurrency exec whose account was drained of $24m in funds after criminals persuaded an AT&T agent in a Connecticut store to transfer his mobile phone number to a new SIM.

Michael Terpin is suing the telco giant for $224m.


UK Government Brexit App Riddled with Security Issues

Info Security - Fri, 11/15/2019 - 09:45

A Home Office app intended for EU citizens to apply for UK residency lacks basic security, potentially exposing the passport and biometric information of over one million users, according to experts.

Norwegian security firm Promon tested the EU Exit: ID Document Check application against common attack tools and tactics, and found it came up short in a number of areas.

First, it found the Android app lacks functionality to prevent malware reading and stealing sensitive user info.

“Attackers may modify or add malicious elements to the app, repackage and re-distribute the app, without the app noticing such changes or foreign elements,” Promon said. “The app is [also] not resilient against code being injected while the app is running, allowing hijacking the app from the inside, by the use of basic and widely spread tools.”

In addition, there are no protections against the app being used in a hostile environment such as a rooted device, and it cannot detect when an attacker attaches debugging tools at runtime.

It doesn’t use obfuscation and is vulnerable to even basic spyware designed to harvest text entered into the app, the researchers explained.

That means it falls far short of OWASP mobile application security best practices, exposing the many EU citizens who are using the application to apply to stay in the UK post-Brexit.

“At this time of political uncertainty, the last thing that people who are applying to remain in the United Kingdom need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers,” argued Promon CTO Tom Lysemose Hansen.

“As the app will continue to grow in popularity and demand, with more people fearful of what will happen to them if the UK does leave [the EU], it means that it will become increasingly attractive to attackers, with the potential subsequent fallout devastating.”


Capture the Flag Competition Aims to Trace Missing Persons

Info Security - Thu, 11/14/2019 - 18:58

Cyber professionals will compete to find leads in real missing persons cases in a competition in Washington, DC, next month. 

SANS Institute has teamed up with non-profit organization Trace Labs to host the Open-Source Intelligence (OSINT) Missing Persons Capture the Flag (CTF) in partnership with local, state, and federal law enforcement agencies.

Participants, working in teams of up to four people, will gather fresh intelligence on several specific missing persons cases from publicly available data on social media, forums, government records, and even the dark web.

Points will be awarded in exchange for each piece of data uncovered that was previously unknown to law enforcement. 

At the end of the contest, Trace Labs will generate an intelligence report from the OSINT, which will be passed to the law enforcement agencies responsible for these cases.

Up to seventy-five ethical hackers and information security professionals from within the SANS community are expected to compete at the event, which will take place December 13–14. 

The first ever crowdsourced OSINT for Missing Persons CTF event was held in Toronto on July 28, 2018. Since then, Trace Labs has partnered with law enforcement, not-for-profits, and industry conferences to run over 25 similar events across five countries, bringing together over 2,000 industry professionals to work on over 200 missing persons cases.

Explaining how missing persons cases are selected for the competitions, Adrian Korn, director of OSINT operations & strategic initiatives at Trace Labs, told Infosecurity Magazine: "When we take on missing cases, we look for ones that have a significant digital footprint available. These are cases where a person has been reported missing in the past 10 years as this is the time period where social media and smartphone usage has grown the most.

"We do our best to include cases of different backgrounds and from different regions in our events. Since our efforts are all focused on looking at the public online activity of a missing person, we work with law enforcement to take on cases where they have seen significant online activity from the missing person."

Korn said the details of which cases would feature at December's event would remain secret until the day of the competition; however, he was able to confirm that the cases involve a combination of missing youths and adults from across the US who went missing within the past decade.  

Asked how he would respond to comments that gamifying the search for missing persons could be construed as disrespectful, Korn said: "The Trace Labs model was built to attract as many skilled cyber professionals as possible to expedite the collection of OSINT on the missing persons cases we work. With so many of these cyber professionals possessing valuable skills and using them on 'simulated' hacking competitions called 'CTFs' we saw an opportunity to refocus their efforts to do real social good. 

"With this in mind, the decision to gamify these events is solely a motivating factor for participants that we then turn into interest to continue helping with the search after the contest is over through our Trace Labs community."


Boom in Lookalike Retail Domains

Info Security - Thu, 11/14/2019 - 18:40

New research into domains registered with a trusted TLS certificate has found that lookalike domains outnumber legitimate retail sites by more than 2:1.

In a study conducted by researchers at Venafi, suspicious domains targeting 20 major retailers in the US, UK, France, Germany, and Australia were analyzed. Researchers found over 100,000 lookalike domains that use valid TLS certificates to appear safe and trustworthy. 

Threat actors use fake domains, cunningly rendered to appear legitimate, to steal personal data and financial information from unsuspecting online shoppers. The domains are created using URLs that vary by only a few characters from the addresses used by the genuine stores they are imitating.   

According to Venafi's research, the number of lookalike domains has more than doubled since 2018. Among the top 20 online German retailers, researchers detected almost four times more lookalike domains than authentic domains.

In America, just one of the country's top 20 retailers had over 12,000 lookalike domains being used to con its customers. 

Researchers tied the increase in lookalike domains to the availability of free TLS certificates, such as the ones available from Let's Encrypt, which were used by 84% of the lookalike domains. 

Jing Xie, senior threat intelligence analyst for Venafi, said: "No organization should rely exclusively on certificate authorities to detect suspicious certificate requests. For example, cyber attackers recently set up a lookalike domain for NewEgg, a website with over 50 million visitors a month. The lookalike domain used a trusted TLS certificate issued by the CA who followed all the best practices and baseline requirements. This phishing website was used to steal account and credit card data for over a month before it was shut down by security researchers."

Researchers urged online retailers to protect their customers by searching for suspicious domains and reporting them to the anti-phishing service Google Safe Browsing and to the Anti-Phishing Working Group (APWG). 

Researchers see no end to the profitable practice of domain spoofing. 

"Ultimately, we should expect even more malicious lookalike websites designed for social engineering to pop up in the future," concluded Xie. "In order to protect themselves, enterprises need effective means to discover domains that have a high probability of being malicious through monitoring and analyzing certificate transparency logs. This way they can leverage many recent industry advances to spot high-risk certificate registrations, crippling malicious sites before they cause damage by taking away their certificates."
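Monitoring certificate transparency logs, as Xie suggests, comes down to pulling every newly logged hostname and asking whether it is a few characters away from a brand you own. The following is an added example, not Venafi's tooling: it folds common homoglyph substitutions and IDN labels, then applies edit distance, affix and subdomain checks to a constructed feed of hostnames (no real CT data; the brand label extraction uses a small hard-coded set of second-level suffixes instead of the Public Suffix List, an assumption made to keep the example self-contained).

```python
"""Added example: score hostnames from a certificate transparency feed against a
brand list to surface lookalike domains. Feed entries below are constructed."""
import unicodedata

DIGIT_FOLD = str.maketrans("0135", "oles")          # 0->o, 1->l, 3->e, 5->s
PAIR_FOLD = (("vv", "w"), ("rn", "m"))               # two-letter sequences that read as one
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}   # e.g. example.co.uk (assumed subset)


def fold(label: str) -> str:
    """Normalise one DNS label so that visually similar spellings compare equal."""
    if label.startswith("xn--"):                     # IDN A-label as CT logs record it
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    label = unicodedata.normalize("NFKD", label)     # split accents off base letters
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.lower().translate(DIGIT_FOLD)
    for pair, single in PAIR_FOLD:
        label = label.replace(pair, single)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(host: str) -> str:
    """The registrable label: 'newegg' in www.newegg.com or newegg.co.uk."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(host: str, brands):
    """Return (brand, reason) if `host` looks like an imitation of a brand, else None.
    A host whose registrable label is literally the brand is returned as None: it is
    the brand's own domain, or a TLD squat that ownership records must settle."""
    parts = host.lower().strip(".").split(".")
    reg = brand_label(host)
    reg_f = fold(reg)
    for brand in brands:
        b = fold(brand)
        if reg == brand:
            return None
        if reg_f == b:
            return (brand, "homoglyph")
        if levenshtein(reg_f, b) <= (1 if len(b) < 8 else 2):
            return (brand, "typo")
        if b in reg_f:
            return (brand, "brand with affix")
        if any(b in fold(p) for p in parts[:-1] if p != reg):
            return (brand, "brand in subdomain")
    return None


def scan_feed(hosts, brands):
    """Return (host, brand, reason) for every flagged host, in feed order."""
    return [(h,) + r for h in hosts for r in [classify(h, brands)] if r]


# Constructed feed. IDN_HOST is computed so the A-label form is exact.
IDN_HOST = "newégg.com".encode("idna").decode("ascii")
CT_FEED = ["newegg.com", "www.newegg.com", "nevvegg.com", "newegg-login.com",
           "newegg.com.account-verify.net", "neweg.com", IDN_HOST, "example.com"]
BRANDS = ["newegg"]

if __name__ == "__main__":
    for host, brand, reason in scan_feed(CT_FEED, BRANDS):
        print(f"{host:35s} {brand:10s} {reason}")
```

Five of the eight constructed entries are flagged; the two genuine NewEgg hostnames and the unrelated one are not. Every hit still needs a human or a second signal (WHOIS age, page content, whether it serves a login form) before takedown, but reading the CT stream this way means the lookalike is seen when its certificate is issued, which is before the phishing mail goes out.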


Apple Employee Texts Himself Customer's Nude

Info Security - Thu, 11/14/2019 - 16:36

A California woman has issued a warning on Facebook after discovering that an Apple store employee texted himself an intimate photo from her phone. 

Gloria Fuentes took her phone into the Valley Plaza Apple store in Bakersfield, California, on November 4 to get the screen repaired.

Before handing her phone over to a man on the tech team, Fuentes had taken the precaution of removing social media apps and financial information from the device. 

On November 5 on Facebook, Fuentes wrote that she had intended to delete all the photos from her phone too but had forgotten to do so in her haste to make it to the store after her original appointment time was unexpectedly brought forward. 

"So I go in, I give the guy my phone he’s messing around with it for quiet [sic] a while and I didn’t really pay any mind to it because I just figured he’s doing his job, looking into my insurance info or whatever," wrote Fuentes.

The employee asked Fuentes for her passcode twice before eventually handing her phone back to her unfixed and advising her to contact her phone company to arrange a repair. 

Fuentes wrote: "I walk in my house turn on my phone about to text someone and realize there’s a message to an unsaved number!!!!! I open it and instantly wanted to cry!!! This guy went through my gallery and sent himself one of my EXTREMELY PERSONAL pictures that I took for my boyfriend and it had my geolocation on so he also knows where I live!!!"

The intimate shot had been taken a year earlier and was one of around 5,000 photos on Fuentes' phone. 

"He had to have scrolled up for a while to get to that picture," wrote Fuentes.

Disgusted by her discovery, Fuentes returned to the Apple store to speak to the man. 

Fuentes wrote: "I went back to the store and confronted him and he admits to me that this was his number but that 'he doesn't know how that pic got sent!!' The manager just said he’d look into it."

Not knowing the full extent or ramifications of the incident was of great concern to Fuentes. 

"I have no idea if he sent more than the picture that he forgot to delete and I have no clue what he's going to do with them," wrote Fuentes.

"This makes me cry thinking about it but I think he needs to be held accountable and anyone else that has had him work on their phone should be aware of the fact that there’s a possibility that he’s done this to them!!" 

In an emailed statement, Apple told The Washington Post, "We are grateful to the customer for bringing this deeply concerning situation to our attention. Apple immediately launched an internal investigation and determined that the employee acted far outside the strict privacy guidelines to which we hold all Apple employees. He is no longer associated with our company."


Shamoon-Slingers APT33 in Secret New Operations

Info Security - Thu, 11/14/2019 - 11:50

Security researchers are warning oil and aviation industry organizations to be on their guard after spotting a notorious Iranian APT group using private VPNs to keep its activity hidden.

APT33 has been linked to the infamous Shamoon wiper, which knocked out tens of thousands of PCs at Saudi Aramco in 2012 and has been deployed against targets in Europe and the Middle East since.

Now Trend Micro has observed the group using a dozen command and control (C&C) servers in a highly obfuscated attack targeting a narrow group of organizations in the US, Asia and Middle East.

The group has been ramping up operations since 2018 with attacks on a UK and European oil company as well as supply chain organizations, the vendor claimed in a new blog post.

Already infected this year are a private American company that offers national security-related services, US universities, a military-linked US organization and several victims in the Middle East and Asia.

Although the malware running on the group's small botnets does little more than download and run additional payloads, APT33 goes to great lengths to keep the infrastructure behind it hidden.

“The C&C domains are usually hosted on cloud hosted proxies. These proxies relay URL requests from the infected bots to backends at shared webservers that may host thousands of legitimate domains,” said Trend Micro.

“The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently. The APT33 actors then issue commands to the bots and collect data from the bots using these VPN connections.”

Setting up a private VPN is cheap and easy: open source software such as OpenVPN on a few rented servers is enough. The technique cuts both ways, though. A private VPN has only a small set of exit-node addresses, so once the researchers identified those addresses, every connection the group made through them became attributable, and the group's activity became easier to track rather than harder.

The same VPN connections are apparently also used to hide reconnaissance of possible future victims, including oil company suppliers, and other research.

“APT33 used its private VPN network to access websites of penetration testing companies, webmail, websites on vulnerabilities, and websites related to cryptocurrencies, as well as to read hacker blogs and forums,” said Trend Micro. “APT33 also has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry.”
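One way to act on that observation, as an added example that is not code from Trend Micro or the article: a script that checks web-server access logs against a watchlist of VPN exit-node addresses and groups the hits per exit node, so that a penetration testing firm or an oil and gas job board can see which of its pages were browsed through the suspect VPN and when. The exit-node addresses and log lines below are constructed for illustration (RFC 5737 documentation ranges); real indicators would come from an investigation or a vendor feed, and the regular expression assumes the common Apache/Nginx combined log format.

```python
"""Flag web-server requests that arrive from known VPN exit nodes.

Added example, not code from Trend Micro or the article. Exit-node
addresses and log lines are constructed (RFC 5737 documentation ranges);
real indicators would come from an investigation or a vendor feed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed watchlist: exit nodes of a hypothetical private VPN, given as
# single addresses or CIDR blocks because operators often rent a small range.
EXIT_NODES = ["198.51.100.23", "203.0.113.0/28"]

# Constructed combined-format (Apache/Nginx) access-log lines, as a
# penetration-testing firm or an oil and gas job board might hold them.
SAMPLE_LOGS = """\
198.51.100.23 - - [12/Nov/2019:08:14:02 +0000] "GET /services/red-team HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Nov/2019:08:14:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2019:09:02:41 +0000] "GET /jobs/offshore-engineer HTTP/1.1" 200 7811 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2019:09:03:10 +0000] "GET /jobs/apply?id=4412 HTTP/1.1" 200 3090 "-" "Mozilla/5.0"
not a log line at all
198.51.100.23 - - [13/Nov/2019:22:47:19 +0000] "GET /blog/cve-writeups HTTP/1.1" 200 9912 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def build_watchlist(entries):
    """Normalise plain addresses and CIDR strings to ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_exit_node(ip, watchlist):
    """Return the watchlist network containing ip, or None if it is not listed."""
    for net in watchlist:
        if ip in net:
            return net
    return None


def find_exit_node_hits(log_text, exit_nodes):
    """Group requests by the exit node they came through.

    Returns {exit_node_cidr: [(iso_timestamp, client_ip, path), ...]}.
    """
    watchlist = build_watchlist(exit_nodes)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole sweep
        net = match_exit_node(rec["ip"], watchlist)
        if net is not None:
            hits[str(net)].append((rec["ts"].isoformat(), str(rec["ip"]), rec["path"]))
    return dict(hits)


def summarise(hits):
    """Per exit node: request count, first/last seen, distinct paths browsed."""
    summary = {}
    for node, events in hits.items():
        stamps = sorted(e[0] for e in events)
        summary[node] = {
            "requests": len(events),
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
            "paths": sorted({e[2] for e in events}),
        }
    return summary


if __name__ == "__main__":
    for node, info in summarise(find_exit_node_hits(SAMPLE_LOGS, EXIT_NODES)).items():
        print(f"{node}: {info['requests']} requests, "
              f"{info['first_seen']} .. {info['last_seen']}")
        for path in info["paths"]:
            print(f"    {path}")
```

The value of the watchlist comes from the exit nodes being few and stable: the same two addresses show up across different days and different kinds of site, which is what lets a defender tie otherwise unremarkable browsing back to one operator. The matching is done on CIDR blocks rather than exact strings so that a rented range is covered in one entry, and malformed lines are skipped rather than raising, since a log sweep should not stop on one bad record.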

The vendor urged regular patching, employee security training, least privilege access policies and multi-layered protection for oil and utilities firms.


Healthcare Malware Infections Soar 60% from 2018

Info Security - Thu, 11/14/2019 - 10:30

Cyber-criminals are increasingly focusing data stealing and ransomware attacks on healthcare organizations (HCOs), with detected infections increasing by 60% from 2018 to the first three quarters of this year, according to Malwarebytes.

The security vendor’s Cybercrime tactics and techniques: the 2019 state of healthcare report makes for concerning reading for IT security professionals in the sector.

It claimed that hackers are attracted by the high ROI offered by patients’ PII, and the large number of endpoints and connected devices, which offers an extensive attack surface. They also know that cybersecurity is often treated as an afterthought, with legacy systems, poor patch management, staff with little security know-how and unprotected devices all serving to make hospitals even more attractive targets.

Threat detections grew 45% between Q2 and Q3 2019, with Trojan malware the most popular type, increasing 82% over the period thanks mainly to the activity of Emotet and TrickBot.

These are often used to drop ransomware onto victim networks, Malwarebytes claimed.

Top attack methods noted by the firm included exploiting unpatched flaws in third-party software and using social engineering such as phishing emails to deliver malicious links and attachments.

Malwarebytes also warned that innovative new IoT devices could expand the average HCO's attack surface even further if security is not built-in from the very start.

It goes without saying that the impact of cyber-attacks on HCOs could be severe.

A new report out last week claimed that data breaches at hospitals led to an increase in the 30-day mortality rate for heart attacks that translated to 36 additional deaths per 10,000 heart attacks per year. This was mainly due to the period of remediation and clean-up required following an incident, which may have impeded the work of doctors, the authors said.

The report warned that “ransomware attacks might have an even stronger short-term negative relationship with patient outcomes than the long-term remediation efforts studied here.”


Alleged $20M Carding Forum Mastermind Faces US Charges

Info Security - Thu, 11/14/2019 - 09:49

A Russian national is facing charges of running a $20m carding forum after being extradited from Israel to the US.

Aleksei Burkov, 29, arrived at Dulles International Airport on Monday. He was first arrested at Ben-Gurion Airport in December 2015 and spent the following years unsuccessfully appealing against extradition to the US.

According to an unsealed indictment, he is alleged to have run the Cardplanet site which sold mainly hacked payment card numbers, including those of many Americans. The Department of Justice claimed that fraudsters made over $20m from purchases using the stolen details.

Burkov is also charged with running a separate members-only site where sellers could advertise personally identifiable information (PII), malware, money-laundering and hacking services, and more. To keep the site under the radar of law enforcement and researchers, prospective members needed three existing members to vouch for them and had to pay around $5,000, the DoJ claimed.

The Russian has been charged with wire fraud, access device fraud, and conspiracy to commit wire fraud, access device fraud, computer intrusions, identity theft and money laundering. He faces a maximum of 80 years in prison if convicted on all counts.

Law enforcers appear to be getting better at disrupting the activity of cybercrime marketplaces.

In February last year, police from several countries arrested 13 individuals on suspicion of involvement in the notorious carding forum Infraud, which is thought to have caused losses of over $530 million.

However, cyber-criminals are always one step ahead. News from McAfee last year revealed an increasing trend for downsizing from major dark web forums to smaller operations in order to build trust with buyers and stay under the radar.

Dark web sites also offer budding fraudsters all the tools and knowledge they need to get started.


Multi-Party Cyber-Incidents Cost 13x More Than Single-Party Incidents

Info Security - Wed, 11/13/2019 - 19:29

A new study has found that the financial losses caused by cyber-incidents affecting multiple parties are vastly more devastating than those that stem from any single-party incident. 

According to the Ripples Across the Risk Surface study, published today by Cyentia Institute, the ripple-effect losses that follow a multi-party incident add up to a total 13 times greater than the losses from a single-party incident.

Extreme losses, which sit above the 95th percentile, show an even larger discrepancy, with a loss of $16m for single-party incidents versus $417m for multi-party incidents.

The in-depth study, sponsored by RiskRecon, analyzed data from 813 cyber-incidents and closely examined their impact on numerous downstream organizations, described as secondary victims. A cyber-incident is defined in the study as an "event that compromises the confidentiality, integrity, or availability of an information asset."

The objective of this first-of-its-kind study was to raise market awareness of the far-reaching effects an incident such as a data breach can have as a result of the hyper-interdependencies of organizations.

Researchers plumbed historical data relating to 90,000 cyber-events from the cyber-loss database Advisen, finding that since 2008, 813 cyber-incidents had occurred in which at least three organizations were primary victims. 

As a result of these multi-party cyber-incidents, a further 5,437 downstream loss events occurred in which secondary organizations were impacted. In fact, downstream entities affected by multi-party incidents outnumbered primary victims by 850%.

In one single incident examined by researchers, 131 different organizations were affected. 

Researchers found that secondary organizations could be faced with losses equal to those experienced by primary victims. 

"Our analysis reveals little difference between losses reported by primary and secondary victim organizations of a cyber incident. This suggests that another firm’s breach could impact your organization just as much as (or worse than) a breach of your own systems," wrote researchers. 

To identify the industries most severely affected by ripple events, Cyentia Institute classified the organizations involved using the North American Industry Classification System. On that basis, the sectors holding the highest concentration of personal data (credit bureaus, banks, collection agencies and hotels) account for nearly 60% of all organizations that generate ripple effects. 

"Most breach research doesn’t explain the downstream impact of ripple events and that these incidents no longer simply impact a single organization," said Kelly White, CEO and co-founder of RiskRecon.  

"Lacking proper third-party risk controls can contaminate the entire enterprise ecosystem where sensitive data is stored and shared."

Researchers projected that multi-party incidents will increase at an average rate of 20% per year.


IRS to Mount Epic Cyber-Safety Campaign

Info Security - Wed, 11/13/2019 - 18:19

America's Internal Revenue Service is to launch a large-scale cyber-safety campaign to coincide with the busiest shopping period of the year.

According to the website Accountingtoday.com, the campaign by the IRS will begin on the Monday after Thanksgiving, commonly known to bargain hunters as Cyber Monday. 

"The campaign will emphasize to practitioners and taxpayers the potential dangers they face during the holiday shopping season and the filing season ahead," said Stephen Mankowski, national tax chair of the National Conference of CPA Practitioners.

"National Tax Security Awareness Week 2019 is slated to begin on Cyber Monday and run from December 2 through December 6," he continued. "This is the heaviest period of time when people are online and when phishing is most common."

YouTube videos will form a key part of the campaign, which will strongly urge taxpayers to only make purchases from known vendors and to regularly check their bank statements for any suspicious activity. 

Mankowski said that continued widespread ignorance of security best practices had been flagged as a concern during a recent meeting he attended with government officials in Washington, DC.

"During the recent Tax Forums, the IRS noted that a lot of people still are not aware of the basics of data security," he said. "The IRS has been making some headway, but much more is needed."

The news follows last month's efforts by the IRS to raise cybersecurity awareness within families as part of National Work and Family Month. 

On October 22, the IRS urged families and teens to stay vigilant in protecting personal information while connected to the internet. 

An IRS spokesperson wrote: "During National Work and Family Month, IRS is asking parents and families to be mindful of all the pitfalls that can be found by sharing devices at home, shopping online and through navigating various social media platforms. Often, those who are less experienced can put themselves and others at risk by leaving an unnecessary trail of personal information for fraudsters."

Cybersecurity "common-sense suggestions" shared by the IRS on their website include advice to always use a virtual private network when connecting to public Wi-Fi, a recommendation to encrypt sensitive files such as tax records stored on computers, and an admonition not to share personal information such as birthdate, address, age, and Social Security numbers online.


Facebook Bug Turns on iPhone Cameras

Info Security - Wed, 11/13/2019 - 17:38

Users of the Facebook app have complained after discovering a bug that causes their iPhone cameras to activate in the background when they use the app. 

Multiple people have taken to Twitter to report that using the Facebook app on their iPhone has caused the device's rear camera to switch on and run in the background.

Eagle-eyed users noted that the problem seemed to occur as they looked at photos and watched videos that appeared on their newsfeed.

It isn't clear whether the cameras activated by the bug were recording what they observed.

The earliest incident relating to the bug was recounted on Twitter by software tester @neo_qa on November 2. 

The concerned Facebook user wrote: "Today, while watching a video on @facebook, I rotated to landscape and could see the Facebook/Instagram Story UI for a split second. When rotating back to portrait, the Story camera/UI opened entirely. A little worrying . . ."

CNET was able to replicate the bug, and other Facebook users chimed in to say that they had experienced the same issue, with one Twitter user, @selw0nk, quipping that "It's not a bug, it's a feature."

At the beginning of this week, more Facebook users took to Twitter to report another bug that seems to affect the latest version of iOS. 

This time, users said that when they navigated away from an image they had opened in the Facebook app, they could see a thin slice of the camera's viewfinder. From this, they concluded that whenever the Facebook app is opened, the camera is activated in the background.

Twitter user @JoshuaMaddux wrote on November 10: "Found a @facebook #security & #privacy issue. When the app is open it actively uses the camera. I found a bug in the app that lets you see the camera open behind your feed. Note that I had the camera pointed at the carpet."

The camera-related bugs have added fuel to the fire for people who believe that it's within the realm of possibility that Facebook might deliberately record its users as a way to gather information or target advertisements. 

After a week of silence regarding the first camera bug, Facebook's vice president of integrity Guy Rosen responded on Twitter to Maddux's November 10 tweet about the second bug. 

From his Android device, Rosen wrote: "Thanks for flagging this. This sounds like a bug, we are looking into it."

In a later tweet, Rosen said the camera bug had been created when an earlier bug was fixed.

"We recently discovered our iOS app incorrectly launched in landscape," Rosen wrote. 

"In fixing that last week in v246 we inadvertently introduced a bug where the app partially navigates to the camera screen when a photo is tapped. We have no evidence of photos/videos uploaded due to this."

Rosen later confirmed that nothing was uploaded to Facebook as a result of the camera-related bugs, because the camera was in preview mode. 

A fixed version of the app was submitted to the App Store yesterday.

Dr. Richard Gold, head of security engineering at Digital Shadows, commented: "Bugs such as these erode the already fragile trust between companies and the public, even though their origin might be completely innocuous."


Airbus Launches Human-Centric Cybersecurity Accelerator

Info Security - Wed, 11/13/2019 - 12:00

Airbus has announced the launch of a human-centric cybersecurity accelerator program. It will feature a dedicated team of human factor and cognitive psychology experts that will work in collaboration with the UK’s National Cyber Security Centre (NCSC) and a range of other partners to gain crucial insights into human-centric approaches for improving cybersecurity effectiveness. 

The Accelerator will offer placements for qualifying university students and establish collaboration opportunities with research teams and businesses to help make the UK one of the safest places to do business in cyberspace. 

The launch follows the opening of the Airbus Cyber Innovation Hub, located in Newport, Wales, in April 2019.

Dr Kevin Jones, chief information security officer of Airbus, said: “With increasingly sophisticated attacks being attempted every day, it simply isn’t possible to protect every user against every cyber-attack. We therefore need to think differently and identify ways for security to work with an organization’s people, to better protect against an array of threats.

“With the right tools and approach, employees can be the strongest link in an organization’s cyber-defense. Our work aims to put people-centric thinking at the heart of an organization’s security and we’re keen to hear from likeminded researchers and organizations who are interested in getting involved with our new Accelerator.”

Airbus was recently forced to take action after a possible Chinese state-sponsored hacking operation was detected targeting multiple suppliers over the past year.

Dr Ian Levy, technical director at the NCSC, said the new initiative is a welcome one and recognizes the importance of a multidisciplinary approach that puts people at the center of cybersecurity development.

“At the NCSC, we recognize the vital role employees have to play in an organization’s cyber-resilience and we are pleased to collaborate on this program.”


Mexican Petrol Giant Pemex Hit by Ransomware

Info Security - Wed, 11/13/2019 - 11:30

Mexico’s state-owned petroleum giant Petróleos Mexicanos (Pemex) is insisting all operations are running normally after a suspected ransomware attack, despite reports to the contrary.

The firm claimed that operation and production systems remain unaffected and supply of fuel remains guaranteed. However, it admitted that an attack on Sunday did affect around 5% of its personal computers.

Reports, though, suggest the firm has been harder hit, with Pemex billing systems taken offline and staff forced to fall back on manual processes, which means payments to staff and suppliers may be disrupted.

Invoices for fuel sent from Pemex storage facilities to gas stations were being filled in manually while some employees in the petrol giant’s refining business couldn’t access emails or get online on Tuesday, with computers running slowly, sources told Bloomberg.

Although an internal memo reportedly suggested Ryuk as the culprit, security experts have seen leaked ransom notes confirming that the attackers used the DoppelPaymer variant.

A Tor payment site revealed a ransom demand of 565 Bitcoins (around £3.9m, or $5m).

The same ransomware is thought to have been used in an attack against Canada’s Nunavut territory earlier this month.

Pemex is the latest in a long line of big-name organizations targeted by ransomware this year. Norwegian aluminium giant Norsk Hydro suffered major outages after being struck in March. The firm later admitted that the attack may have cost it as much as $41m after production was disrupted.

German automation giant Pilz was crippled for over a week by ransomware last month, while US mailing technology company Pitney Bowes and French media conglomerate Groupe M6 admitted suffering attacks.

Over a quarter (28%) of UK firms were hit by ransomware over the previous 12 months, according to research from Databarracks published in July.
