Cyber Risk News
Two Chinese state-backed hackers have been issued with an 11-count indictment alleging attempts to steal COVID-19 vaccines as part of a hacking spree lasting more than 10 years.
Li Xiaoyu, 34, and Dong Jiazhi, 33, are accused of targeting IP in high-tech, medical, pharma, engineering, business and other sectors in the US, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden and the UK.
Although sometimes acting for personal gain, such as trying to extort cryptocurrency by threatening to release stolen source code, they are said to have worked with the backing of the Chinese government.
Their targets over the 10+ year period included not only businesses but pro-democracy and human rights activists in the US, Hong Kong, China and elsewhere.
According to the indictment, they exploited vulnerabilities in web servers, web app development suites and software collaboration tools to gain a foothold into networks, sometimes targeting newly announced bugs. Web shells and credential harvesting tools were then deployed to enable remote code execution and persistence.
Data set to be exfiltrated was first packaged into RAR files; to stay hidden, the duo are said to have changed file names, extensions and system timestamps, and hidden documents in recycle bins and other locations. On some occasions they revisited previously breached organizations years after the event, the DoJ claimed.
The two are charged with conspiring to steal IP from eight companies in the form of technology designs, manufacturing processes, test mechanisms and results, source code and pharmaceutical chemical structures.
Li and Dong would spend decades in prison if caught and convicted, although that’s unlikely to happen as long as they remain in China.
News of the indictment comes in the same week that the UK’s National Cyber Security Centre (NCSC) warned that Kremlin hacking group APT29 (aka Cozy Bear) has been attempting to steal vaccine-related IP from organizations in the UK and North America.
Mandiant senior manager of analysis, Ben Read, argued that state-sponsored hackers have put a premium on stealing info on COVID-19 vaccines. He added that the pattern of conducting for-profit and for-government attacks is similar to “China-nexus” groups such as APT41.
“Mandiant has tracked this group since at least 2013; the targeting and description of their TTPs are consistent with what we have observed,” said Read.
“The Chinese government has long relied on contractors to conduct cyber-intrusions. Using these freelancers allows the government to access a wider array of talent, while also providing some deniability in conducting these operations.”
Almost a third of the global cybersecurity workforce is now female, but discrimination and a major gender pay gap continue to blight the industry, according to newly released findings from (ISC)2.
The security certifications company analyzed data from its (ISC)2 Cybersecurity Workforce Study in order to better understand the role women play in the sector.
Some of the findings were fairly positive: survey respondents estimated that women comprise more than 30% of their teams today, up from around a quarter last year.
What’s more, 63% said they planned a career in the industry from as early on as their university days, a greater proportion than for men (54%). Over half (53%) started their careers in the profession, versus just 38% of men.
Women also see cybersecurity as a long-term career: over two-thirds (68%) said they plan to stay put for the remainder of their working lives. Some 69% of women versus 66% of men said they are either very or somewhat satisfied with their jobs, with women more likely to be “very satisfied” (34% versus 27%).
Yet while this bodes well for the future, there are still major challenges facing women in cybersecurity which could perpetuate gender imbalance in the sector.
Over a fifth (22%) cited discrimination as an issue they’d experienced in their careers, versus just 13% of men.
Women are also being paid significantly less than men, especially in North America and Europe.
The average salary for female cybersecurity employees in North America is just under $80,000, versus an average of around $96,500 for men. In Europe, the average salary for women is about $40,500 compared to $67,000 for men.
Overall, women are paid around 21% less than their male counterparts globally. Although this may reflect much broader societal challenges, the need for parity is particularly urgent in a cybersecurity industry where skills shortages are so acute.
“Women in the field face more discrimination and receive lower compensation than men. If these inequities are corrected, the cybersecurity profession may attract more women,” concluded (ISC)2 community manager, Andrea Moore.
“This would benefit business, by boosting diversity and attracting different points of view, and for the industry, by helping to close the workforce gap of four million workers.”
Kaspersky is alerting SOC teams to a new malware framework it has discovered and linked to the notorious North Korean hacking group known as Lazarus.
Dubbed “MATA,” the framework has apparently been in use since around April 2018, mainly to aid in attacks designed to steal customer databases and distribute ransomware.
Since that time it appears to have been deployed in a wide variety of scenarios, targeting e-commerce firms, software developers and ISPs across Poland, Germany, Turkey, Korea, Japan and India.
The framework itself gives its controllers the flexibility to target Windows, Linux and macOS, and consists of several components including loader, orchestrator and plugins.
Kaspersky tied its use to the Lazarus group, which has been engaged for years in cyber-espionage and sabotage and, via its Bluenoroff subgroup, attempts to accrue illicit funds for its Pyongyang masters. The group was pegged for WannaCry, as well as sophisticated attacks on financial institutions including the infamous $81m raid of Bangladesh Bank.
Kaspersky senior researcher, Seongsu Park, argued that the latest attacks linked to Lazarus show it is willing to invest serious resources to develop new malware toolsets in the hunt for money and data.
“Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups,” he added.
“We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected.”
The security vendor urged SOC teams to access the latest threat intelligence feeds, install dedicated security on all Windows, macOS and Linux endpoints, and to back up regularly.
The strategic partnership was formed with the mission to give national corporate customers and small to medium enterprises (SME) in Europe access to world-class security services in the form of simple, prefabricated packages. Each package will be specifically designed by a trusted provider to meet the needs of the client.
In a statement released today, Vodafone described the new agreement with Accenture as "a key step forward in Vodafone Business’ strategy to offer enterprise-grade cybersecurity to businesses of all sizes."
As well as helping even the smallest of businesses, the partners have pledged to help all organizations regardless of where they fall on the spectrum of cybersecurity experience.
Vodafone said it will "bring enterprise-grade cybersecurity along with access to leading cyber talent and expertise to organizations that do not have the experience, time or resources to keep up with the rapidly evolving threat landscape."
Accenture and Vodafone Business have further revealed plans to jointly invest in security innovation in an effort to protect organizations from emerging cyber-threats.
Vinod Kumar, CEO of Vodafone Business, said the partnership will allow smaller companies to protect themselves with advanced solutions that may otherwise be beyond their grasp.
“We are committed to better support small and medium enterprises and national corporate sized businesses as they transform and ‘future ready’ their organization," said Kumar.
"Working with Accenture, we will leverage our combined capabilities and global experience to deliver modular security solutions, offering access to technologies that until now were only available to companies with large IT budgets."
Vodafone Business managed security services will launch later this year to SME and national corporate-sized businesses, initially in Italy and Spain, with the United Kingdom and Germany to follow.
Kelly Bissell, who leads Accenture Security globally, said the dangers of cybercrime to businesses everywhere should not be underestimated.
“The distinct nature of cybercrime makes it borderless and anonymous. Cybercriminals can come from anywhere and as they take advantage of the COVID-19 situation, they pose a significant threat to businesses of all sizes with costly consequences,” said Bissell.
OPAQ is a Secure Access Service Edge (SASE) cloud provider based in Herndon, Virginia. The company is known for its Zero Trust Network Access (ZTNA) cloud solution, designed to protect all kinds of distributed networks, including data centers, branch offices, remote users, and Internet of Things (IoT) devices.
Since being founded in 2017, OPAQ has opened offices in eight US states and now employs around 50 people. Prior to its own acquisition, the company acquired Bat Blue Networks and Drawbridge Networks in 2017 and FourV Systems in 2018.
With Fortinet's acquisition of the company now complete, OPAQ's patented ZTNA solution has been combined with Fortinet’s existing SASE offering in a bid to form the best-in-class SASE cloud security platform.
According to Fortinet, this new platform will boast the industry’s only true zero trust access and security by providing industry-leading next-generation firewall and SD-WAN capabilities, web security, sandboxing, advanced endpoint, identity/multi-factor authentication, multi-cloud workload protection, cloud application security broker (CASB), browser isolation, and web application firewalling capabilities.
Fortinet is headquartered in Sunnyvale, California. The company was founded in 2000 by brothers Ken and Michael Xie.
Commenting on the acquisition, CEO and Chairman of the Board Ken Xie said: “The recent SASE market momentum further validates our Security-driven Networking approach and underscores what we’ve been saying for years. In this era of hyperconnectivity and expanding networks; with the network edge stretching across the entire digital infrastructure, networking and security must converge."
Xie said acquiring OPAQ would help Fortinet's SASE platform become the most comprehensive one in existence.
"The Fortinet SASE platform delivers the broadest security and industry-leading SD-WAN and networking offerings that can all be delivered to customers and partners through a flexible, cost efficient and patented zero-trust cloud architecture," said Xie.
"The acquisition of OPAQ actually further enhances our existing SASE offering enabling Fortinet to deliver the most complete SASE platform on the market."
In 2018, Fortinet purchased threat analytics company ZoneFox for $18m and IoT-focused security firm Bradford Networks for $17m.
A Texas college project to improve the cybersecurity and energy efficiency of commercial buildings is being supported by the United States Department of Energy (DOE).
The Securing Grid-Interactive Efficient Buildings through Cyber Defense and Resilient System project designed by Texas A&M University College of Engineering has received $3.5m from the DOE’s Building Technologies Office.
Over the next three years, the project aims to research, develop and demonstrate a real-time, advanced, building-resilient platform through multi-layer prevention and adaptation mechanisms.
Partnering with Texas A&M on the project are Raytheon Technologies Research Center, Drexel University, Arizona State University, Pacific Northwest National Laboratory and Northwestern University, among others.
To facilitate the project, a local testbed will be developed in Texas. There, a team led by Associate Professor Zheng O'Neill will use a hardware-in-the-loop simulation technique to explore and demonstrate potential approaches to cybersecurity and energy efficiency.
O'Neill's team is currently on the lookout for potential building partners who can help them to field test their cyber-defense and resilient system (CYDRES) in the third year of the project.
“The proposed CYDRES system will accurately identify cyber threats in real-time and offer immediate defense against malicious network activity,” O’Neill said.
“In addition, the fault detection, diagnostics, and prognosis and cyber-resilient control scheme will enhance grid-interactive efficient building tolerance to both cyber-related and physical faults while maximizing the potential energy savings and load flexibility and maintaining occupant satisfaction. CYDRES will be prototyped and tested in a hardware-in-the-loop and real building environment. The resulting test data will be used to inform the building community and support the technology transfer to the industry.”
O'Neill said current building automation systems (BAS) leave smart buildings vulnerable to attack as they are often designed and operated with little consideration of cybersecurity.
“Current physical behavior-based anomaly detection methods employed by building automation systems fail to differentiate cyber-attacks from equipment or operational faults,” she said. “Such distinction is critical in ensuring the appropriate automated mitigation, via control response, of cyber threats and providing actionable recommendations to facility managers.”
According to O'Neill, CYDRES should be effectively monitoring, detecting, and responding to cyber-attacks and physical system faults by the project's conclusion.
The COVID-19 crisis has created a ripe environment for fraudsters to operate, a recent online panel discussion held by security firm Kaspersky has outlined. This is primarily due to increased reliance of individuals on digital services as a result of lockdown restrictions.
In the session, it was revealed that online shopping fraud has risen by 55% compared to 2019 due to the substantial rise in eCommerce and home deliveries during the pandemic.
Additionally, since June, 2,500 instances of COVID-19-related fraud have been reported, with losses totalling £7m. Other data highlighted in the discussion included a 35% increase in dating fraud, as more people turn to dating apps, and a 16% rise in courier fraud.
The panellists were David Emm, principal security researcher at Kaspersky, Claire Hatcher, global head of fraud prevention solutions at Kaspersky and detective superintendent Neil Jones of Greater Manchester Police in the UK.
As well as much greater use of the internet, the ongoing nature of the crisis and its health, economic and social implications has provided a unique opportunity for fraudsters to scam and trick people. Emm noted: “Consider Valentine’s Day, Black Friday, the Olympics, the World Cup; they are ‘here today, gone tomorrow’ topics that cyber-criminals can latch onto.
“Frankly, who in the world is not keenly interested in what’s going on with this pandemic? Everybody is, and therefore, fraudsters have a persistent topic that they can milk, week after week. It’s made people even more vulnerable than seasonal events.”
While attacks have primarily revolved around COVID-19 themes, the actual tactics used haven’t been especially novel; just increased and more targeted. Hatcher said: “It’s always a process of, get in through phishing, download some malware, then exploit the human aspect of social engineering to use those credentials. Essentially, the newness is just the context. The attack itself is the same one re-envisaged in the new world we live in, but naturally it has increased a lot, because we are more susceptible now.”
In regard to organizations protecting themselves effectively at this time, doubling down on already established best practices is critical, especially for those without the resources to invest in the most sophisticated cybersecurity software.
Emm added: “Many organizations are going to read about these threats and think, ‘oh my goodness, what can we do?’ Sometimes, it’s the basic things. Protecting all devices, including mobiles – updating them and backing up data. Just trying to give staff some basic information about not replying to unsolicited texts, using unique passwords and using a password manager helps.”
The Trusted Connectivity Alliance (TCA) – a global, non-profit industry association that brings together SIM ecosystem participants to work towards enabling a secure, connected future – has announced the election of Claus Dietze as chair. Dietze succeeds Remy Cricco who steps away from the TCA following a successful three-year tenure in the role.
The TCA has also announced the expansion of its board, increasing the number of available board seats from five to seven. The TCA board is responsible for defining the organization’s focus and strategic direction and will be made up of the following members for 2020/21:
- Chair: Claus Dietze – senior director global standardization, Giesecke+Devrient Mobile Security
- Jean-Philippe Betoin – director, strategic marketing IoT platform, Arm
- Benoît Collier – vice-president of mobile operator product line and MVNO IoT, IDEMIA
- Cyril Caillaud – head of eSIM, product management and marketing, NXP Semiconductors
- Michele Scarlatella – strategy technology and systems architecture, STMicroelectronics
- Stephane Quetglas – director of marketing for embedded products, Thales
- Bertrand Moussel – R&D director, smartcard & platforms, Valid
Commenting on his appointment, Dietze said: “I look forward to working with my board colleagues, wider membership and association partners in our shared goal to enable a secure, connected future.
“As we look towards the opportunities and challenges that lie ahead in an increasingly connected future, the ability of SIM technology to deliver trusted connectivity and dynamic security is extending its applicability across new sectors.”
Looking ahead at the next 12 months, the TCA board has identified the following activities as key roadmap priorities:
- Ensuring eSIM interoperability
- Expanding eSIM benefits to more IoT use-cases
- Leveraging SIM technology for IoT security, including continued collaboration with GSMA on IoT SAFE
- Addressing fragmentation across integrated SIM technologies
- Evolving and optimizing 5G SIM technology to enhance 5G network services and maximize investments, while promoting and protecting mobile subscriber privacy
Dietze concluded: “On behalf of the membership, I would also like to thank Remy Cricco for his valued contribution over the past three years. Under his leadership, our organization underwent a significant transformation which strongly positions it to support the future advancement of the SIM industry.”
Russia has been named as a “highly capable cyber-actor” by the UK government’s Intelligence and Security Committee.
Claiming that “the UK is one of Russia’s top Western intelligence targets,” particularly given the UK’s firm stance against recent Russian aggression and the UK-led international response to the 2018 Salisbury attack, the ISC warned that Russia’s intelligence services are disproportionately large and powerful and are able to act without constraint. This has allowed a fusion between the state, business and serious and organized crime, making Russia an all-encompassing security threat.
In terms of the cyber-threat, the ISC report stated that Russia employs organized crime groups to supplement its cyber-skills and carries out malicious cyber-activity, including democratic interference, in order to assert itself aggressively, having “undertaken cyber pre-positioning on other countries’ Critical National Infrastructure.”
The report claimed: “Given the immediate threat this poses to our national security, we are concerned that there is no clear coordination of the numerous organizations across the UK intelligence community working on this issue; this is reinforced by an unnecessarily complicated wiring diagram of responsibilities amongst Ministers.”
The report acknowledged the work of former chair Dominic Grieve MP, and did welcome the government’s increasingly assertive approach when it comes to identifying the perpetrators of cyber-attacks. The ISC, chaired by Dr Julian Lewis MP, urged the UK to encourage other countries to adopt a similar approach to ‘naming and shaming’ cyber-adversaries.
The report also addressed the issues of democratic interference, saying “protecting it must be a ministerial priority, with the Office for Security and Counter-Terrorism taking the policy lead and the operational role sitting with MI5.” It also said while social media companies hold the key they are “failing to play their part,” so the government must establish a protocol with these companies to ensure that they take covert hostile state use of their platforms seriously, with agreed deadlines within which such material will be removed.
In particular, it accused the government of being slow to recognize the existence of the threat of interference in democratic processes, stating it was only understood after the Democratic National Committee email breach. “As a result, the government did not take action to protect the UK’s process in 2016.”
Acknowledging an “obvious inherent tension between the government’s prosperity agenda and the need to protect national security,” particularly with political business interests with Russian organizations, the ISC said Russia “poses a tough intelligence challenge and our intelligence agencies must have the tools they need to tackle it.”
This should lead to new legislation to tackle foreign spies, with the Official Secrets Act declared “not fit for purpose."
“More broadly, we need a continuing international consensus against Russian aggressive action,” the ISC said. “Effective constraint of nefarious Russian activities in the future will rely on making sure that the price the Russians pay for such interference is sufficiently high: the West is strongest when it acts collectively, and the UK has shown it can lead the international response.”
Ray Walsh, digital privacy expert at ProPrivacy, said: “The Russia report finally published today by the UK government confirms what cybersecurity experts have been calling attention to for many years: that the Russian government and its state-employed hackers are engaging in active cyber-warfare against the West, which includes phishing attempts against government agencies, the deployment of covert exploits designed to steal top-secret information and activities designed to influence the democratic elections of other nations.
“The release of the Russia report – and its direct allegations against the Kremlin – indicate a shift by the UK government towards actively identifying and assigning blame to state-sponsored cyber-warfare performed by Russia, a move that reveals the urgency of the problem and the immediate threat it poses to the UK's national security.
“Now that the UK has attributed blame, it will be interesting to see how exactly the government proceeds and what it can do to prevent those activities and produce actual changes in light of the findings.”
Cath Goulding, CISO at Nominet, said: “One of the main recommendations of the report is to establish a central responsibility for a coordinated response to these threats, rather than a ‘hot potato’ approach with no one government body taking the lead. This is aligned with our recommendations for government security – which requires large-scale, national protective interventions, to bring their citizens, businesses and economies a more secure environment.
“This means that there needs to be a breadth of security across government, all the way down to the local level, which is consistent, cohesive and coordinated. This is critical to ensure a high level of security across all departments, with no weak spots for threat groups to exploit, and greater awareness of the threats facing the UK. Not only will this facilitate a stronger security posture, but also more opportunities for international collaboration to mitigate attacks against governments.”
This year could see a record breaking 20,000 vulnerabilities reported, with major increases in mobile bugs already in 2020, according to Skybox Security.
The security vendor’s midyear update to its 2020 Vulnerability and Threat Trends Report contains some concerning findings for organizations as they struggle to manage cyber-risk at a time of mass remote working.
With 9,000 vulnerabilities reported in the first half of the year, the firm is predicting the final total for 2020 could be more than double that. The figure for new CVEs in 2019 was 17,304. Without risk-based automated patch management systems, organizations struggle to mitigate these issues, leaving them exposed to attacks.
Part of this increase is due to a surge in Android OS flaws: these increased 50% year-on-year, according to Skybox.
“This rise has come at the same time as home networks and personal devices increasingly intersect with corporate networks as a result of the move towards a mass, remote workforce,” the report claimed.
“These trends should focus the need for organizations to improve access controls and gain visibility of all ingress and egress points to their network infrastructure.”
The report also revealed an increase in new ransomware variants of 26% year-on-year in the first half of 2020, leading the way ahead of Trojans (23%), botnets (21%), backdoors (15%) and RATs (15%).
The firm claimed to have monitored 77 new ransomware campaigns in the first few months of the pandemic as cyber-criminals sought to take advantage of unpatched systems, distracted workers and overwhelmed IT teams.
“COVID-19 has completely reshaped the way that organizations and their employees work. With the majority of the workforce now working remotely, the network perimeter has significantly widened – securing this perimeter now needs to be a top strategic priority,” argued Ron Davidson, VP of R&D and CTO of Skybox Security.
“Organizations need to be able to identify the flaws that sit within both personal and professional devices. They also need to be able to model their expanded network so that they can understand all potential attack vectors.”
A major Argentinian ISP has become the latest organization to be hit by a serious ransomware attack, with cyber-criminals demanding millions in payment by today.
Telecom Argentina is thought to have been compromised last week. One insider posted the purported ransom note to Twitter, as well as what appears to be an online placeholder from the firm.
The firm’s official website is currently down and local reports suggested that employees started having trouble accessing internal VPNs and databases as early as last Wednesday.
As most employees are working from home, the incident appears to be causing major disruption to productivity at the firm, with staff being told not to log on to corporate resources.
Reports on social media suggest the REvil (Sodinokibi) group may be behind the attack. If the firm has not paid by the end of today, the attackers are threatening to double the ransom, to be paid in Monero.
The group is known to have targeted vulnerabilities in Citrix and Pulse Secure remote access systems in the past, although it’s not clear at this stage how they compromised Telecom Argentina.
REvil also often steals data belonging to victim organizations, with the now-common strategy of threatening to release sensitive details unless a ransom is paid. It even claimed to have obtained incriminating details on Donald Trump earlier this year after an attack on New York lawyers Grubman Shire Meiselas & Sack.
However, that doesn’t seem to be the case with Telecom Argentina.
Founded in 1990, the Buenos Aires-headquartered firm has over 16,000 employees and owns one of only three mobile phone operators in the country.
Mark Bagley, VP of product at AttackIQ, argued that this could be one of the most expensive ransomware attacks of the year.
To mitigate the risk of such attacks, organizations must focus on detecting lateral movement inside networks, combat credential stuffing and conduct regular testing, he added.
“A security program that included network segmentation, preventing the lateral movement of an adversary would have been decisive in mitigating this situation,” Bagley argued.
“Legacy approaches that focus on stopping an adversary at their initial attempts to access targets of interest will continue to fail. Companies must design their security programs to minimize the impact when an adversary successfully infiltrates their network.”
A US tech company that manages popular family tree software has exposed tens of thousands of its users’ personal information online via a misconfigured cloud server, according to researchers.
A team from WizCase led by Avishai Efrat discovered the unsecured Elasticsearch server leaking 25GB of data linked to users of the Family Tree Maker software.
First released in 1989, it has had numerous corporate owners, including Broderbund, The Learning Company, Mattel and Ancestry.com, prior to Software MacKiev which is currently in charge of the code.
WizCase informed the US software company of the incident and, although it didn’t receive a reply, the incident was apparently remediated shortly after.
Among the details leaked to the public-facing internet were email addresses, geolocation data, IP addresses, system user IDs, support messages and technical details.
WizCase warned that a hacker could have used the information to craft convincing follow-on phishing attacks and identity fraud.
It also claimed the leaked comments and complaints could have given MacKiev’s competitors an opportunity to target unhappy customers, while technical details could be utilized in a different way.
“The leak exposed technical details about the system’s backend, which could help attackers leverage multiple cyber-attacks on Software MacKiev and its associated companies,” it was claimed.
“That way cyber-criminals can steal additional user data, infect the system with malware or even take complete control over parts of the systems.”
MacKiev is said to have developed the macOS version of Family Tree Maker since around 2010, and bought the Windows version of the software from Ancestry in 2016.
Some 60,000 users are thought to have been exposed in this privacy snafu.
It’s one of many such incidents resulting from configuration errors on internet-connected computing resources. Last week, WizCase disclosed similar issues in multiple e-learning platforms exposing nearly one million records.
Research from earlier this month found the same misconfigurations put the security and privacy of countless users of global dating apps at risk.
An alleged cyber-criminal has become the first Cypriot national to be extradited from the Republic of Cyprus to the United States.
Joshua Polloso Epifaniou, a resident of Nicosia, Cyprus, arrived at John F. Kennedy Airport in New York on July 17. The 21-year-old, who is wanted in two US states, was arrested in Cyprus in February 2018.
A five-count indictment filed in the Northern District of Georgia charges Epifaniou with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud and identity theft, and extortion related to a protected computer.
A second 24-count indictment filed in the District of Arizona accuses the Cypriot of conspiracy to commit computer hacking, obtaining information from a protected computer, intentional damage to a protected computer, and threatening to damage a protected computer.
The first indictment alleges that between October 2014 and November 2016, Epifaniou was part of a threat group that carried out ransomware attacks against a free online game publisher based in California, a New York hardware company, an online employment website headquartered in Virginia, and a sports news website based in Atlanta, Georgia, and owned by Turner Broadcasting System Inc.
Epifaniou and his co-conspirators are accused of gaining unauthorized access to each company's personal identifying information (PII) and threatening to publish the data online unless they received a ransom. The entities allegedly targeted by Epifaniou were defrauded of $56,850 in Bitcoin, while two victims incurred additional losses of $530k in remediation costs.
The second indictment accuses Epifaniou of carrying out a brute force attack against Arizona company Ripoff Report. After compromising the company's system, the Cypriot allegedly threatened to publish the private data it contained unless he received $90k.
It is further alleged that between October 2016 and May 2017, Epifaniou worked with an associate at “SEO Company,” a search engine marketing company based in Glendale, California, to identify companies that might want to pay for the removal of complaints posted about them on Ripoff Report’s website.
Epifaniou and his co-conspirator are accused of using their unauthorized access to Ripoff Report's database to erase at least 100 complaints, charging SEO Company’s “clients” approximately $3,000 to $5,000 for each removal.
Epifaniou is scheduled to go before US Magistrate Judge Alan Baverman in the Northern District of Georgia today for his arraignment.
A new strain of banking malware dubbed BlackRock has been detected by researchers at Threat Fabric.
An investigation into its origins has revealed BlackRock to be derived from the Xerxes banking malware. Xerxes was in turn spawned out of the LokiBot Android banking Trojan, first detected around four years ago.
The source code of the Xerxes malware was made public by its author around May 2019, making it possible for any threat actor to get their hands on it. Despite the code's availability, researchers found that the only Android banking Trojan based on Xerxes' source code that is currently operating appears to be BlackRock.
This malevolent new kid on the malware block steals credentials not only from banking apps but also from other apps designed to facilitate communication, shopping, and business. In total, the team found 337 Android apps were impacted, including dating, social networking, and cryptocurrency apps.
Researchers believe that, by casting their campaign net so wide, the malware's creators are attempting to exploit the increase in online socializing brought about by the outbreak of COVID-19.
"Technical aspects aside, one of the interesting differentiators of BlackRock is its target list; it contains an important number of social, networking, communication and dating applications," noted researchers.
"So far, many of those applications haven't been observed in target lists for other existing banking Trojans. It therefore seems that the actors behind BlackRock are trying to abuse the growth in online socializing that increased rapidly in the last months due to the pandemic situation."
BlackRock was first spotted back in May 2020. When the malware is launched on a device for the first time, its icon is hidden from the app drawer, making it invisible to the end user. The malware then asks the victim for the Accessibility Service privileges, often posing as a Google update.
Once the user grants the request, BlackRock starts granting itself the additional permissions required for the bot to fully function without having to interact any further with the victim. When done, the bot is functional and ready to receive commands from the C2 server and perform the overlay attacks.
“Unfortunately, this malware is particularly sophisticated and can camouflage itself as a genuine app to do some damaging spy work in the background,” commented ESET cybersecurity specialist Jake Moore.
“It is vital that users know what apps they are downloading, or they may risk unknowingly downloading something illicit.”
The impending move was jointly announced by both companies earlier today, along with the news that HelpSystems will acquire all outstanding shares of GlobalSCAPE for $9.50 per share in cash. This represents a 16% premium to the closing price for GlobalSCAPE stock on July 17, 2020.
The combined company, whose name has not yet been officially announced, is to focus on providing the most comprehensive collection of trusted security and automation solutions to customers worldwide.
HelpSystems is a Minnesota-based IT software company recognized as the biggest independent IBM software vendor in the world.
GlobalSCAPE has been creating secure managed file transfer (MFT) solutions from its San Antonio, Texas, headquarters for over two decades. Company CEO Robert Alpert said the upcoming merger between HelpSystems and GlobalSCAPE will be empowering.
“GlobalSCAPE’s offerings are a great fit with HelpSystems’ suite of security products,” said Alpert. “Our strength lies in moving mission-critical files both in and out of the cloud, coupled with our commitment to customer service and in helping organizations meet their cybersecurity and compliance needs. Joining HelpSystems solidifies and strengthens this promise.”
Alpert said that the achievements attained by GlobalSCAPE to date were derived from the excellence of the company's workforce.
“Our success is rooted in our people; the men and women of GlobalSCAPE are passionately dedicated to client success," said Alpert.
"The product and individual awards earned over GlobalSCAPE’s twenty-three-year history testify to our spirit of service. I am proud of our accomplishments, including our ability to return substantial capital to shareholders, with special dividends of $0.50 per share in May of 2019 and $3.35 per share in December of 2019, in addition to the $9.50 per share that holders will receive in the transaction with HelpSystems.”
The planned merger will augment HelpSystems’ data security business, which includes data loss prevention and data classification software.
CEO of HelpSystems Kate Bolseth said: “GlobalSCAPE’s MFT solution and expertise further strengthen HelpSystems’ growing cybersecurity business. Combining this with our data loss protection and data classification technology provides depth to our triple-threat defense against customer cybersecurity risks.”
The transaction is structured as a tender offer followed by a merger, valued at approximately $217m, including debt to be refinanced.
A new initiative intended to represent UK-based data protection officers (DPOs) has been launched to provide insight into the development of the privacy industry.
Managed by the DPO Center and the Data Protection World Forum, the index will aim to cover a range of topics including organizational strategy, resources, budgets, the response to current issues such as the COVID-19 pandemic and the importance of data protection as a single theme.
Rob Masson, chief executive of the DPO Center, said the index is intended to help shape the future of the sector, provide clarity on the key issues and ultimately deliver tangible and ongoing benefit to the industry.
Speaking on a webinar to launch the index, Masson said the intention is to take a “snapshot” of the sector to give a unique picture of how the profession is maturing. Masson called the data protection sector collaborative but admitted that it is sometimes hard to gauge industry-wide opinion, and that the events around the decision invalidating Privacy Shield “show how quickly things can change.”
He said: “The intention of the index is that it is there to serve the industry in being able to give results and very detailed information about what is going on within the sector and where the important issues are, and it is there to act as a consistent and accurate guide and a barometer of opinions that are being expressed across the sector and across industries and organizations.”
He also said there is an intention to understand the issues in a more granular way, and it is “our opportunity to give the industry some sort of definite response and definitive action and guidance to how the issues in the sector are relevant to us and how they are being reacted to.”
Masson also explained that the concept is to provide a wider voice outside of the sector, as the profession continues to grow. “The profession continues to grow and it is because of the requirements and the complexity and the significance of data protection and the role of the DPO that it becomes more and more important,” he said. “We’ve seen a massive change in the last three years and seen how it is absolutely necessary for the role of the DPO to evolve and deliver more and more.”
If you are a data protection officer and you would like to join the anonymous panel that regularly contributes to the UK Data Protection Index, register here.
The UK government has failed to meet a crucial General Data Protection Regulation (GDPR) requirement in its COVID-19 Test and Trace program, putting people’s privacy rights at risk, according to the Open Rights Group (ORG).
This follows an admission by the UK’s Department of Health to the group that it has not conducted a data protection impact assessment (DPIA) – a GDPR requirement to identify and minimize data protection risks in projects that process personal information.
“The public can’t trust the program because a vital (and legally required) safety step known as a DPIA was dangerously ignored,” said the ORG in a statement.
Test and Trace was introduced in England on May 28 as part of the government’s strategy of easing COVID-19 lockdown restrictions. Under the initiative, the National Health Service (NHS) attempts to trace close recent contacts of anyone who tests positive for the virus, and if necessary, inform them that they need to self-isolate. This involves people being asked to provide sensitive data including their name, date of birth, postcode, who they live with and places they have recently visited, leading to privacy fears.
The ORG added: “The Test and Trace program has been rushed; private contractors have been employed to deliver it with large numbers of new employees. Many systems have been bolted together at short notice.
“We are doing everything we can to ensure the Test and Trace Program is made safe. That’s why we’re threatening legal action unless a proper DPIA is conducted immediately.”
In its letter to the ORG, the government said it was working with the Information Commissioner's Office (ICO) to ensure it is meeting its requirements under the GDPR.
Quoted by the BBC, a Department of Health spokesperson said: “NHS Test and Trace is committed to the highest ethical and data governance standards – collecting, using and retaining data to fight the virus and save lives, while taking full account of all relevant legal obligations.”
Jonathan Armstrong, partner at legal firm Cordery, commented: “A DPIA will be an essential element of any program like this and we know from the Facebook investigation in Ireland that a DPIA is important from a regulatory perspective.
“It is also important in establishing trust. Failing to do a DPIA becomes all the more important in this context – trust is key and any allegation that processing has taken place unlawfully destroys that trust.”
Darren Wray, CTO at Guardum, added: “The revelation that a DPIA was not performed as part of the track and trace project shows exceedingly poor governance and control. In the private sector, organizations are expected to ensure that data privacy and protection controls are a part of their business as usual processes, not something that is revisited in hindsight.”
UK consumers were targeted by a new phishing scam falsely purporting to be from leading UK supermarket Tesco, litigation firm Griffin Law has discovered.
The scam, which used a fake Facebook page as well as SMS and email communication, aimed to trick consumers into handing over their details and steal confidential and payment data.
The fraud began via an official-looking but fake Facebook page entitled ‘Tesco UK’ which shared images purporting to be from a Tesco warehouse, displaying packed boxes of HD TVs.
According to Griffin Law, the accompanying message said: “We have around 500 TVs in our warehouse that are about to be binned as they have slight damage and can’t be sold. However, all of them are in fully working condition, we thought instead of binning them we’d give them away free to 500 people who have shared and commented on this post by July 18.”
Unsuspecting users who then enthusiastically shared the post helped it to spread before receiving an email offering them the chance to ‘claim their prize.’ A button in the message linked victims to a landing page to enter their name, home address, telephone number and bank account details.
Griffin Law stated that at least 100 consumers have reacted to the Facebook page or received an email. The original fake Tesco Facebook page is now listed as ‘content unavailable.’
Tim Sadler, CEO, Tessian, said: “As the lines between people in our ‘known’ network and our ‘unknown’ networks blur on social media feeds and in our inboxes, it becomes incredibly difficult to know who you can and can’t trust. Hackers prey on this, impersonating a trusted brand or person to convince you into complying with their malicious request and they will also prey on people’s vulnerabilities.
“They know people are struggling financially during this [COVID-19] pandemic, so the offer of a free TV could be very attractive. However, as the saying goes, if it looks too good to be true...it probably is! Question the legitimacy of these messages and always verify the request or offer before clicking on the link.”
Two Uber drivers are taking the platform to court, arguing that it has failed to meet its GDPR obligations to reveal detailed profiling data about them and how it is used, according to reports.
The case will be launched today by the UK-based App Drivers and Couriers Union in the district court in Amsterdam, where the ride-hailing giant’s European operations are headquartered.
The drivers, also based in the UK, want to know how the data and algorithms are used by the firm to make silent automated decisions about their jobs.
It is argued that only with greater transparency can gig economy workers like these challenge potential workplace discrimination and unfair treatment, and exercise important powers of collective bargaining over work and pay.
The kind of data they’re after includes information on any inappropriate driver behavior, late arrivals or missed ETAs, driver cancellations and other info on reliability, behavior and location, according to The Guardian.
“This is about the distribution of power. It’s about Uber exerting control through data and automated decision-making and how it is blocking access to that,” the drivers’ lawyer, Anton Ekker, is quoted as saying.
“The app decides millions of times a day who is going to get what ride: who gets the nice rides; who gets the short rides, but this is not just about Uber. The problem is everywhere. Algorithms and data give a lot of control but the people who are subject to it are often no longer aware of it.”
Uber argued in a statement that it works hard to provide personal data to individuals who request it, but that sometimes it either doesn’t exist or disclosing it would infringe the privacy rights of others.
“Under the law, individuals have the right to escalate their concerns by contacting Uber’s data protection officer or their national data protection authority for additional review,” it added.
Concerns have been raised in the past that national data protection authorities don’t have the in-house technical expertise or legal resources to challenge major tech companies with investigations.
Nearly one million records containing the personal information of online students have been leaked after cloud misconfigurations by five e-learning platforms, according to WizCase.
The VPN comparison site found four misconfigured and unencrypted AWS S3 buckets and one unsecured Elasticsearch server, compromising the details of countless e-learners, including many children, as well as their parents and teachers.
The personally identifiable information (PII) exposed included full names, home and email addresses, ID numbers, phone numbers, dates of birth and course/school information.
WizCase warned users of potential follow-on identity fraud, phishing attacks, stalking and blackmail.
“As many users whose data was leaked aren’t active on the sites anymore, they’re less likely to realize these companies still have their information,” it added.
“However, it’s still possible that their data can be used to aid in various types of online crimes. These dangers are even bigger since many of the users affected by the leaks are children and young people.”
The affected companies include Escola Digital, a Brazilian site that leaked 15MB of data, amounting to 75,000 records, although many came from 2016 and 2017.
South African site MyTopDog exposed over 800,000 records via a misconfigured S3 bucket, including documents related to business partner Vodacom School.
Kazakhstan-based Okoo leaked 7200 records via an Elasticsearch server, while US sites Square Panda (15,000) and Playground Sessions (4100) round out the affected platforms.
WizCase urged users who may have had their data exposed in this way to regularly check for unusual activity on their accounts, to be extra cautious when receiving unsolicited emails and never to give out PII over the phone.
These incidents are widespread across virtually all industries, although the online learning sector has been booming of late thanks to COVID-related school closures across much of the world.
Earlier this month, WizCase revealed five dating apps in the US and Asia that had exposed millions of customer records through misconfigured Elasticsearch servers, MongoDB databases and AWS buckets.
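The e-learning and MacKiev leaks above both stem from the same two bucket-level mistakes: public access left open and no default encryption. The following audit script is an added example written for this article, not WizCase's or any affected company's code; the bucket name and ACL grant in the sample are constructed, and the live helper assumes AWS credentials are available to boto3.

```python
"""Audit an S3 bucket for the two failure modes in the article: public exposure
(permissive ACL or an incomplete Public Access Block) and no default encryption."""

# Canned grantee URIs S3 uses for anonymous and any-authenticated-user access.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def assess_bucket(name, public_access_block, acl_grants, encryption_rules):
    """Return a list of finding strings. Inputs use the shapes boto3 returns:
    public_access_block: dict of the four PAB flags (None if not configured);
    acl_grants: the 'Grants' list from get_bucket_acl;
    encryption_rules: the 'Rules' list from get_bucket_encryption (None if absent)."""
    findings = []
    pab = public_access_block or {}
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag, False)]
    if missing:
        findings.append(f"{name}: Public Access Block not fully enabled ({', '.join(missing)})")
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {group}")
    algorithms = [rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for rule in (encryption_rules or [])]
    if not any(algorithms):
        findings.append(f"{name}: no default server-side encryption configured")
    return findings


def fetch_and_assess(name):
    """Live variant: pull the three settings with boto3 (needs AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    grants = s3.get_bucket_acl(Bucket=name)["Grants"]
    try:
        rules = s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]["Rules"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        rules = None
    return assess_bucket(name, pab, grants, rules)


if __name__ == "__main__":
    # Constructed sample: a world-readable, unencrypted bucket (placeholder name, not a real bucket).
    sample_grants = [{"Grantee": {"Type": "Group",
                                  "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                      "Permission": "READ"}]
    for finding in assess_bucket("example-records-bucket", None, sample_grants, None):
        print(finding)
```

Running `assess_bucket` over the sample yields three findings; a bucket with all four Public Access Block flags set, no group grants and an SSE rule yields none.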