Cyber Risk News
Yahoo has been fined £250,000 by UK privacy regulator the Information Commissioner’s Office (ICO) following a 2014 Russian state-sponsored attack which resulted in the compromise of 500 million accounts.
The incident, which was only reported two years later by the internet pioneer, led to the compromise of over 500,000 Yahoo UK accounts.
The personal data involved included names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.
According to reports, the accounts were co-branded with Sky, but Yahoo UK was the data controller and so was responsible for their security under the data protection law in force at the time.
The lengthy ICO investigation found that Yahoo UK “failed to take appropriate technical and organizational measures” to protect the data and ensure it complied with data protection standards. It also failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo employees who had access to customer data.
These deficiencies were present in the company “for a long period of time” without being addressed, the ICO argued.
ICO deputy commissioner of operations, James Dipple-Johnstone, argued that organizations not only need to shut the door but also lock it and “check the locks.”
“Since our investigation, the law has changed. Under the General Data Protection Regulation and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data,” he added. “If organizations, especially well-resourced, experienced ones, do not properly safeguard their customers’ personal data, they may find customers taking their business elsewhere.”
Last year the Department of Justice charged two Russian FSB officers and hacker-for-hire Alexsey Belan for conspiring to break into Yahoo to obtain information on persons of interest to the Kremlin.
Also in 2017, Yahoo admitted that a previous 2013 breach of one billion accounts actually affected three times that amount.
Banco de Chile publicly disclosed on 28 May that it had detected a virus, presumably originating from international networks, that affected thousands of its workstations. The bank has since learned that the cyber-attack was a malware-assisted fraud that resulted in attackers transferring approximately $10m through the bank's connection to the SWIFT international money transfer system.
Most of the money has been traced to locations in Hong Kong, and it is believed that a criminal group from Eastern Europe or Asia is responsible for the attack.
In its public declaration, Banco de Chile wrote, "Although these measures affected the quality of our services, they made it possible to ensure the integrity of the information and data at all times, so that the security of the transactions, funds and records of our clients will never be affected."
As the investigation unfolded, though, the bank learned that customer accounts were never the target of the attack. The cyber-attack corrupted the master boot records (MBRs) of 9,000 PCs and servers, leaving them unable to boot. Multiple branch computer systems were inoperable, though online systems remained up and running, according to Computing.
What appeared to be a virus was actually MBR Killer malware, according to Trend Micro. Presumably the malware was used as a distraction, and the bank responded as the attackers had hoped: It acted to protect customer accounts. Last weekend, the general manager of Banco de Chile, Eduardo Ebensperger, told La Tercera Pulso, "The event was intended to harm the bank, not the customers."
While the bank's response focused on safeguarding customer accounts, disconnecting approximately 9,000 workstations believed to be infected, the attackers pushed fraudulent transfers through SWIFT and stole millions of dollars from the bank itself.
"We found some strange transactions in the SWIFT system (where banks internationally remit their transactions to different countries). There we realized that the virus was not necessarily the underlying issue, but apparently they wanted to defraud the bank," Ebensperger said in an interview with El Pulso.
Calling the attack the first of this magnitude, Ebensperger said it comes as a harbinger of the changing threat landscape and that institutions like Banco de Chile must now rethink how they approach cybersecurity.
“We banks have turned to innovation, it seems that we have to go a little more carefully because the issue of cybersecurity must be untransferable. For us it was, it still is, but we must advance in more sophisticated things that we have not seen before, like this attack,” Ebensperger said.
Attackers who exploit a newly disclosed weakness in the way third-party tools use Apple's code-signing APIs to verify Fat/Universal binaries can trick those tools into treating their code as Apple-signed. Today, the Okta Research and Exploitation (REX) researcher who uncovered the issue publicly disclosed the technique, which lets threat actors bypass a core security function and impersonate Apple to those tools.
After contacting Apple, the CERT Coordination Center and the affected third-party developers, researcher Josh Pitts concluded that a public blog post was the best means of reaching the other parties that use the code-signing application programming interfaces (APIs) privately.
Code signing is the process by which public key infrastructure is used to digitally sign compiled code and scripts so that their origin can be verified and any modification detected. Pitts discovered a flaw that undermines the trust macOS security tools place in code signed by Apple.
Recognizing that code signing has had a slew of security issues, Pitts wrote in his public disclosure, "Unlike some of the prior work, this current vulnerability does not require admin access, does not require JIT’ing code, or memory corruption to bypass code signing checks. All that is required is a properly formatted Fat/Universal file and code signing checks return valid."
If exploited, any third-party security, forensic or incident response tool that relies on the code-signing API in its default way would be affected, along with the millions of consumers and businesses that use Mac machines.
"By exploiting this vulnerability, threat actors can trick even the most security-savvy people and bypass a core security function that most end users don’t know or think about as they go about their digital activities. And, with the proliferation of apps for the workplace and personal use in everybody’s daily lives, bad actors can easily abuse this vulnerability," Matias Brutti wrote in an Okta REX blog post today.
On 22 February 2018, Pitts submitted a proof of concept that was able to bypass third-party security tools, and Apple responded on 1 March advising the researcher to use kSecCSCheckAllArchitectures and kSecCSStrictValidate with SecStaticCodeCheckValidity, adding that the API and developer documentation would be updated.
Despite additional information submitted to Apple on 6 March and 16 March, the company stated on 20 March that it did not see this as a security issue that needed to be directly addressed. According to Pitts, on 29 March, "Apple stated that documentation could be updated and new features could be pushed out, but: '[…], third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.'”
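The check Apple's advice amounts to, as an added example (this is not Pitts' proof of concept and not Apple's own API): the Python below parses the big-endian architecture table of a Fat/Universal binary, walks the load commands of every slice to see whether each carries an LC_CODE_SIGNATURE command, and refuses to call the file signed unless all slices do, rather than stopping at the first architecture. The sample binaries are constructed inline from the public Mach-O header layouts and constants; no real binaries are read. Finding the load command is only a structural check: a real validator must also open each slice's signature blob and compare the signer identities, which this offline script does not attempt.

```python
"""Audit every slice of a Fat/Universal Mach-O for a code-signature load command.

Added example, not the researcher's PoC or Apple's API. A fat binary is a
big-endian table of per-architecture slices, each a complete Mach-O; a tool
that validates only the first slice can be fooled when the others are
unsigned or signed by someone else, so every slice is inspected here.
"""
import struct

FAT_MAGIC = 0xCAFEBABE          # fat header magic, stored big-endian
MH_MAGIC = 0xFEEDFACE           # 32-bit Mach-O (little-endian on x86/arm)
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
CPU_TYPE_I386 = 0x00000007      # values from <mach/machine.h>
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C


def parse_fat_header(data):
    """Return the fat_arch table as a list of (cputype, offset, size)."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a Fat/Universal binary")
    arches = []
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        arches.append((cputype, offset, size))
    return arches


def slice_has_code_signature(blob):
    """Walk one slice's load commands; True if LC_CODE_SIGNATURE is present."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == MH_MAGIC_64:
        hdr_size = 32
    elif magic == MH_MAGIC:
        hdr_size = 28
    else:
        raise ValueError("slice is not a little-endian Mach-O")
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, 16)  # same offsets in both headers
    off, end = hdr_size, hdr_size + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            return True
        off += cmdsize
    return False


def audit_universal(data):
    """Per-slice result: list of (cputype, has_signature)."""
    return [(cpu, slice_has_code_signature(data[off:off + size]))
            for cpu, off, size in parse_fat_header(data)]


def all_slices_signed(data):
    """What a tool should require before trusting the file as a whole."""
    results = audit_universal(data)
    return bool(results) and all(signed for _, signed in results)


# --- constructed sample input (assumed layout, no real binaries) ------------
def build_macho(cputype, signed, magic=MH_MAGIC_64):
    """Minimal Mach-O header plus LC_UUID and, optionally, LC_CODE_SIGNATURE."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    if signed:  # linkedit_data_command: cmd, cmdsize, dataoff, datasize
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)
    ncmds = 2 if signed else 1
    hdr = struct.pack("<IiiIIII", magic, cputype, 3, 2, ncmds, len(cmds), 0)
    if magic == MH_MAGIC_64:
        hdr += struct.pack("<I", 0)  # reserved field exists only in mach_header_64
    return hdr + cmds


def build_fat(slices, align=12):
    """Lay slices out on 2**align boundaries behind a big-endian fat header."""
    table, offset = [], 8 + 20 * len(slices)
    for cputype, blob in slices:
        offset = (offset + (1 << align) - 1) & ~((1 << align) - 1)
        table.append((cputype, offset, len(blob)))
        offset += len(blob)
    out = bytearray(offset)
    struct.pack_into(">II", out, 0, FAT_MAGIC, len(slices))
    for i, (cputype, off, size) in enumerate(table):
        struct.pack_into(">iiIII", out, 8 + 20 * i, cputype, 3, off, size, align)
        out[off:off + size] = slices[i][1]
    return bytes(out)


# First slice carries a signature command, second does not: the shape that
# fools a tool which only checks the first architecture.
MIXED_FAT = build_fat([
    (CPU_TYPE_X86_64, build_macho(CPU_TYPE_X86_64, signed=True)),
    (CPU_TYPE_I386, build_macho(CPU_TYPE_I386, signed=False, magic=MH_MAGIC)),
])
CLEAN_FAT = build_fat([
    (CPU_TYPE_X86_64, build_macho(CPU_TYPE_X86_64, signed=True)),
    (CPU_TYPE_ARM64, build_macho(CPU_TYPE_ARM64, signed=True)),
])

if __name__ == "__main__":
    for name, blob in (("mixed", MIXED_FAT), ("clean", CLEAN_FAT)):
        print(name, audit_universal(blob), "all signed:", all_slices_signed(blob))
```

Run against the constructed input, the mixed file reports the x86_64 slice as carrying a signature and the i386 slice as bare, so all_slices_signed returns False, while the clean file passes. On a real Mac the same loop would feed each slice to the Security framework with kSecCSCheckAllArchitectures and kSecCSStrictValidate and compare the resulting identities.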
While mobile app security is an issue across all sectors, 50% of apps that come from media and entertainment businesses are putting users at risk. New research from BitSight found that a significant percentage of mobile apps across multiple industries have high-severity vulnerabilities.
“Mobile apps pose significant risks, such as data leakage, credential theft and unencrypted personally identifiable information when not properly secured,” Dan Dahlberg, technical director, Bitsight, said in an email.
Analyzing data from over 10,000 companies across the categories of business services, finance, tech, education and media, BitSight found that more than half of the music, news, media, publishing and entertainment companies failed its high-severity tests. Over 10% of the media and entertainment apps that failed transmit location data unencrypted, which could allow an attacker on the network path to learn a user's GPS location.
In addition, the research suggested that because one in four finance companies offers a risky mobile app, there is a potentially higher risk of bank accounts being accessed without proper authorization.
“The Finance industry had the highest rate of broken SSL configurations (invalid TLS/SSL certificates): over 34% of applications that failed high severity tests in the Finance industry could be vulnerable to man-in-the-middle (MITM) and other attacks that can compromise data,” BitSight wrote in today’s blog post.
In the business services and education industry, 32% of the mobile apps BitSight tested are not encrypting end-user data, including the devices' IP addresses.
"Businesses need comprehensive, objective visibility into the security performance of the third and fourth parties they do business with. This includes understanding whether they offer apps that are predisposed to vulnerabilities, which could be detrimental to the entire vendor network, if compromised," Dahlberg wrote.
In related news, despite the woes of mobile app security the market is swiftly burgeoning. Today ABNewsWire announced a report forecasting that the global mobile application security market will grow at a compound annual growth rate (CAGR) of 25.96%. The report, Application Security Market 2018 Global Analysis, Growth, Trends and Opportunities Research Report Forecasting to 2023, looks at what is both driving and restricting demand for application security.
The US government has slapped sanctions on a further five Russian organizations and three Russian nationals in response to recent Kremlin-sponsored cyber-attacks including NotPetya.
The Treasury Department took action under Executive Order 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, and Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), which was passed last year despite protests from President Trump.
It claimed that one of the “designated entities” named in the order, Kvant Scientific Research Institute (Kvant), is controlled by and has provided material and technological support to Russia’s Federal Security Service (FSB).
Two others, Divetechnoservices and Digital Security, are said to have provided the FSB with material and technological support. The other two organizations, Embedi and ERPScan, are apparently owned by Digital Security.
The Treasury notice drew attention to recent Russian attempts to destabilize its geopolitical rivals in the West, including the NotPetya destructive malware campaign, attacks on the US energy grid and the VPNFilter campaign to compromise network devices around the world.
It also called out Russian efforts to track the underwater communication cables that carry most of the world’s telecommunications data.
“The United States is engaged in an ongoing effort to counter malicious actors working at the behest of the Russian Federation and its military and intelligence units to increase Russia’s offensive cyber capabilities. The entities designated today have directly contributed to improving Russia’s cyber and underwater capabilities through their work with the FSB and therefore jeopardize the safety and security of the United States and our allies,” said Treasury secretary Steven Mnuchin.
“The United States is committed to aggressively targeting any entity or individual working at the direction of the FSB whose work threatens the United States and will continue to utilize our sanctions authorities, including those provided under CAATSA, to counter the constantly evolving threats emanating from Russia.”
The move comes as Donald Trump continues to advocate closer ties with the Putin administration. This week he called for Russia to be re-admitted to the G7 group of leading nations and blamed his predecessor Barack Obama for the country’s annexation of the Crimea.
Four in five EMEA organizations faced an email-borne attack over the past year, with the frequency and cost of attacks increasing, according to new research from Barracuda Networks.
The security vendor polled 145 IT security leaders in small, mid-sized and enterprise businesses across the region as part of a wider global study into the email threat.
While 80% said they’d been hit by an attack in the past year, 73% claimed the frequency of attacks is increasing and 72% said the cost of email-related breaches is rising.
Those costs can sometimes be indirect: 65% claimed attacks distract IT teams from more pressing strategic priorities, over half (52%) said they impact staff productivity and over two-fifths (44%) claimed reputation and remediation can be expensive.
Unsurprisingly, 70% are more concerned about email security now than they were five years ago.
The findings chime with other industry figures: phishing and pretexting featured in 93% of the social-engineering breaches investigated by Verizon in its 2018 Data Breach Investigations Report, and email-borne attacks accounted for 85% of the 66.4 billion online threats blocked by Trend Micro last year.
What’s more, the FBI claimed in its most recent IC3 report for 2017 that Business Email Compromise incurred the highest losses of any threat category, at over $676m.
Email threats increasingly aim to socially engineer the victim into clicking on malicious links, opening malware-laden attachments, divulging sensitive info or making unsanctioned bank transfers. So it was understandable to see 79% of respondents to the Barracuda report claim poor employee behavior is a greater concern than inadequate tools.
Unsurprisingly a large majority (89%) also claimed end-user training and awareness is increasingly important to combat this risk. Of some concern, however, is the fact that over a third (35%) of organizations in EMEA still don’t train employees on how to spot phishing attacks.
Several law enforcement agencies across the globe have announced a joint effort to disrupt Business Email Compromise (BEC) campaigns designed to defraud businesses and individuals.
Operation WireWire saw the FBI work with police in Canada, Mauritius, Indonesia, Poland and Malaysia to arrest 74 suspects, including 42 in the US.
Domestically, the Feds said they teamed up with the Department of Homeland Security, the Department of the Treasury and the US Postal Inspection Service in a six-month program which began in January and resulted in a fortnight of “law enforcement activity.”
The operation also led to the seizure of nearly $2.4m and the “disruption and recovery” of around $14m in fraudulent wire transfers.
Many of these cases involved international criminal organizations which defrauded not only small-to-large sized businesses but also individuals including real estate purchasers and the elderly.
BEC incurred the highest losses of any internet-based crime category in 2017, according to the most recent FBI IC3 report. It made over $676m for the scammers, more than three times the size of the next category down, confidence/romance fraud.
“This operation demonstrates the FBI’s commitment to disrupt and dismantle criminal enterprises that target American citizens and their businesses,” said FBI Director, Christopher Wray. “We will continue to work together with our law enforcement partners around the world to end these fraud schemes and protect the hard-earned assets of our citizens. The public we serve deserves nothing less.”
Separate research by Proofpoint released in February claimed that by the end of 2017, nearly 89% of all organizations studied were targeted by at least one BEC attack — a large jump from the 75% targeted in Q4 2016.
The average number of people targeted in each organization was 13.
Although there are AI-powered tools which can help to detect these scams, one of the best strategies for defense is improved user education and awareness alongside water-tight processes that forbid transferring large sums outside the organization without checks such as out-of-band verification of the payment instructions.
In the months that have followed Mark Zuckerberg's testimony before Congress, Facebook has repeatedly found itself in the headlines. Once again, it has come to light that the social media giant has been less than transparent, with the Wall Street Journal reporting that certain companies deemed to provide particular value to Facebook were placed on what were internally dubbed "whitelists," granting them access to customer data.
Two companies identified as being on the whitelist are the Royal Bank of Canada and Nissan Motor Co., a source familiar with the matter reportedly told the Journal. In addition to phone numbers, the information the companies were able to access included a "friend link" metric, which provided data on the degrees of separation among users and their friends.
While no additional names of whitelisted companies have been disclosed, Facebook has justified the deals, reportedly claiming that the access was granted both to improve the user experience and to give third parties and partners the time needed to wind down their existing data-sharing projects.
Facebook acknowledged that the "small group" had been granted extended access beyond May 2015 as part of what Ime Archibong, vice president of product partnerships at Facebook, called the company's consistent and principled approach to working with developers.
“As we were winding down over the year, there was a small number of companies that asked for short-term extensions, and that, we worked through with them,” Archibong reportedly said. “But other than that, things were shut down.”
This newest whitelist revelation is separate from the data-sharing partnerships with device makers that were reported last week. A Facebook spokeswoman is reported to have confirmed that the company has been sharing users’ data with at least 60 different device producers, including Apple, Microsoft and Samsung, since 2007.
Despite Facebook's claim to have stopped third-party access to users' friends' data back in 2015, NordVPN wrote that "Facebook does not internally consider device makers to be third parties, so it did not disclose the fact that it was sharing the same exact data with those companies."
In an attempt to expedite legislation to secure US election systems, senators have introduced a new version of the Secure Elections Act as an amendment to the National Defense Authorization Act (NDAA).
With discussions of the NDAA reportedly on next week's agenda, Sens. James Lankford (R-Okla.) and Amy Klobuchar (D-Minn.) – backed by bipartisan cosponsors – have inserted their legislation into the annual defense policy bill, according to The Hill.
In December of last year, after it was confirmed that Russian hackers had attempted to influence the 2016 election by targeting the election-related systems in 21 states, lawmakers introduced the Secure Elections Act, aimed at fortifying election systems.
Leading the effort to mitigate the risk of foreign interference in future elections, Sens. Lankford and Klobuchar have since been revising the legislation amid concerns that the federal government would take over control of elections.
“The security of our election systems is a major national security issue, and it is appropriate for this legislation to be included in the National Defense Authorization Act,” Lankford said in a statement. “This legislation will help states prepare our election infrastructure for the possibility of interference from Russia, Iran, North Korea, or a domestic hacktivist group.”
The most recent version of the bill has eliminated a grant program that was originally intended to aid states in updating vulnerable systems; however, a recently approved omnibus package reportedly negated the need for such a grant, as the package includes $380m for states to secure their election systems. That money is to be distributed across all 50 states.
According to John Sebes, co-founder of the OSET Institute and CTO of its TrustTheVote Project, and William Crowell, partner at Alsop Louie Partners, “The recent $380 million of federal funding to replace paperless voting machinery and improve cybersecurity is desperately needed, but it is unlikely to ensure the long-term cybersecurity of U.S. election technology.”
As the nation coasts toward the 2018 midterm election, “there are likely a number of vulnerabilities that states may not even be aware of yet,” wrote Sergio Valente, author, OSET Institute, “not to mention budget constraints and a lack of clarity whether states’ allocations of the recent $380 million of federal funding to improve cybersecurity or replace paperless voting machines will have desired impact in time.”
A group of stakeholders invested $60m in a Series B funding round for Claroty, a cybersecurity software provider for industrial control networks, bringing the company's total funding to $93m in a round the company describes as unprecedented.
Underscoring the urgency of defending critical infrastructure, the round, led by global investment firm Temasek, brings together venture capitalists that specialize in industrial control system (ICS) security, major control system vendors, including Rockwell Automation, Siemens and Schneider Electric, and industrial asset owners and operators.
“Our unparalleled investor syndicate, which includes some of the most important industrial companies in the world, is a ringing endorsement of Claroty’s technology and the progress our team has made,” Amir Zilberstein, Claroty co-founder and CEO, said in today's press release.
The investor composition highlights the collective mission to secure the most critical networks against "economic warfare": attacks that are harder to detect but damage or disrupt the supply chains and manufacturing systems that run on underappreciated critical infrastructure.
“The recent increase in scale, scope and frequency of cyber-attacks on critical infrastructure has led to an uptick in demand for new solutions from companies around the world,” said T.J. Rylander, partner at Next47.
Rising geopolitical tensions with Iran and North Korea underline the exposure of ICS. Coupled with warnings from DHS/CERT and the discovery of successful campaigns targeting critical infrastructure in the manufacturing industry, the need to address the risks in critical global infrastructure grows more urgent.
“A perimeter defense to cybersecurity in today’s connected world is not enough. An end-to-end approach, with solutions that provide deep visibility into operational technology and industrial control systems, is critical for the security of heavy processing environments,” said Hervé Coureil, chief digital officer at Schneider Electric.
Chinese state hackers have stolen a huge trove of sensitive data from a US Navy contractor, which could help Beijing close the gap further with its superpower rival on the high seas.
The 614GB of material appears to have been focused on submarine-related military projects.
It was stolen from a contractor with the Naval Undersea Warfare Center and included “signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library,” according to the Washington Post.
Perhaps most alarming is the theft of information on a top secret $300m Sea Dragon project which is set to introduce a “disruptive offensive capability” to underwater battle.
Experts the paper spoke to believe that although China is investing huge sums to gain parity with the US on the high seas, it currently falls behind in anti-submarine technology, giving the US a theoretical advantage underwater.
Unnamed officials claimed that the material stolen was stored on the contractor’s unclassified network, but that if aggregated it could be considered as “classified”.
The incident is a reminder that while Russian hackers have become a staple feature of the news over the past couple of years, China’s fearsome intelligence apparatus remains a serious threat to Western governments.
The unit responsible for this raid is thought to have come from a Ministry of State Security (MSS) division in Guangdong.
Although the US struck an agreement with China back in 2015 not to conduct cyber-enabled theft of intellectual property for commercial gain, that deal covered only economic cybercrime and not cyber-espionage focused on national security.
China’s continued militarization of the South China Sea remains a serious threat to US dominance in the region and a long-term strategic failure on the part of Washington, which has largely sat by and watched as the country builds out infrastructure on the islands, shoals and rocky outcrops that dot the area.
A South Korean crypto-currency exchange has lost virtual coins with a reported value of $37m after a cyber-attack on the company.
Coinrail explained in a statement earlier today that the attack came at dawn on Sunday.
“At present, 70% of Coinrail's total coin/token reserves have been confirmed to be safely stored and moved to a cold wallet and are in storage,” it claimed.
“Two-thirds of the coins confirmed to have been leaked are covered by freezing / recalling through consultation with each coach and related exchanges. The remaining one-third of coins are being investigated with investigators, relevant exchanges and coin developers.”
It’s unclear how many of the ‘stolen’ coins will ultimately be recovered by the exchange. However, it revealed that those ‘leaked’ include some of the less popular virtual currencies, including Pundi X (NPXS), Aston (ATX) and Enper (NPER).
Coinrail said it is still working out “the exact damage” resulting from the attack. However, local reports suggest the figure is in the region of 40 billion won ($37m).
The firm is co-operating with investigators, although reports suggest the exchange was likely targeted because it did not impose the same high self-regulatory security standards that several counterparts in South Korea have implemented.
The attack has already had a major impact on the market, with the value of Bitcoin apparently falling over 10%.
It’s just the latest in a long line of crypto-currency exchanges targeted by hackers over the past few years.
Ernst & Young warned in January that nearly $400m had been stolen from initial coin offerings (ICOs).
North Korean hackers have been particularly prolific, flagged by researchers as targeting virtual currencies to swell the coffers of the Kim Jong-un regime.
A man credited with helping to prevent the spread of WannaCry has been hit by more hacking charges in the US.
Marcus Hutchins, the “MalwareTech” researcher who helped to find a kill switch for the infamous ransomware, was arrested on his way home from a security conference last August.
At the time he was accused of helping to author the Kronos banking Trojan.
Now he’s been charged with also developing and distributing UPAS Kit, a "modular HTTP bot" designed to install on victims’ machines without alerting AV tools.
“UPAS Kit allowed for the unauthorized exfiltration of information from protected computers,” court documents claim. “UPAS Kit used a form grabber and web injects to intercept and collect personal information from a protected computer.”
In response to the new charges, Hutchins struck a characteristically sardonic tone on Twitter.
“While this all sucks a lot, I can't stop laughing at the irony of the superseding indictment coming exactly on the 1 year anniversary of me receiving an award for stopping WannaCry,” he said.
“Wonder how long until I get indicted for conspiracy to commit jaywalking after my parents carried me while crossing the road in 1995.”
The cybersecurity researcher, who is unable to work whilst in the US but also unable to leave the country, is asking for more money to help support his legal case.
“Spend months and $100k fighting this case, then they go and reset the clock by adding even more bullshit charges like ‘lying to the FBI’,” he said.
WannaCry infected hundreds of thousands of computers in 150 countries around the world when it struck in May 2017, causing widespread damage to the NHS where an estimated 19,000 appointments and operations were cancelled.
Experts believe the impact could have been far worse had the “kill switch” domain not been registered, effectively curtailing the worm.
Open cybersecurity jobs in both the private and public sectors increased to 301,873 over the 12-month period from April 2017 to March 2018, according to new data from CyberSeek, a free cybersecurity career and workforce resource.
According to CyberSeek, there were 109,000 openings for cybersecurity's largest role – information security analysts – but only 105,000 workers currently employed in those positions, meaning openings outnumber the people currently doing the job.
On 30 May, the Department of Commerce and Department of Homeland Security responded to Executive Order 13800, Growing and Sustaining the Cybersecurity Workforce, with a report that called for improvements in the cybersecurity workforce. CyberSeek, developed jointly by CompTIA and Burning Glass Technologies, is supported by the National Initiative for Cybersecurity Education (NICE), which is part of the National Institute of Standards and Technology (NIST).
The CyberSeek data found that "across all jobs, there were 6.5 employed workers per opening from April 2017 through March 2018. In cybersecurity, there are only 2.5 employed workers per opening." The largest number of openings (194,224) is in the "operate and maintain" category, which covers roles related to the support, administration and maintenance of IT systems.
While employers struggle to find qualified candidates to fill a variety of cybersecurity-related jobs, open positions that require cloud security skills reportedly go unfilled for an average of 96 days, which is longer than positions for which any other IT skills are a prerequisite.
Part of the CyberSeek project includes a career pathway, which identifies 10 core cybersecurity roles – four of which advertise salaries over $100,000. In addition there are five "feeder" roles considered to be gateways into a cybersecurity career. Currently, the greatest demand within the core roles is for cybersecurity engineers.
“The cybersecurity talent shortage is widespread, impacting all 50 states,” said Matthew Sigelman, chief executive officer at Burning Glass Technologies, in a press release. “In every state, the employed cybersecurity workforce would have to grow by over 50 percent to align with the market average supply and demand ratio.”
In response to the new data, Tim Herbert, senior vice president for market intelligence at CompTIA, said, "There are a number of encouraging signs, such as a greater focus on the human element of cybersecurity. But even with this enhanced focus cybersecurity will likely get worse before it gets better. That’s why it’s incumbent on us to close the gap between the supply and demand for trained and certified cybersecurity workers.”
Yet another patch has been released with security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS, addressing multiple critical vulnerabilities. Adobe's security bulletin of 7 June warned that an exploit for one of the flaws exists in the wild.
Used to target Windows users, the exploit arrives in Office documents with embedded malicious Flash Player content distributed by email, and affects Adobe Flash Player 29.0.0.171 and earlier versions.
The update patched several vulnerabilities in Adobe Flash, and Adobe acknowledged those who disclosed the different flaws, thanking the individuals who worked to protect Adobe customers.
Two vulnerabilities, CVE-2018-5000 and CVE-2018-5001, were reported anonymously through Trend Micro's Zero Day Initiative. Jihui Lu of Tencent KeenLab and willJ of Tencent PC Manager, working with Trend Micro's Zero Day Initiative, reported CVE-2018-4945.
"This is a confusion vulnerability, which means that the code does not properly inspect input data," said Allan Liska, threat intelligence analyst at Recorded Future. "When successfully exploited, this vulnerability allows for remote code execution."
The second critical vulnerability (CVE-2018-5002), reported by multiple sources, is a stack-based buffer overflow that also allows remote code execution. Liska noted that it is currently being exploited in the wild as part of several phishing campaigns.
"The exploit takes advantage of a Flash file embedded in a Microsoft Office document," said Liska. "When the victim opens the Office document the Trojaned Flash code automatically runs and executes shell code, which calls out to the attackers' command-and-control servers."
To protect themselves, users should update Flash Player immediately. Adobe recommends checking the About Flash Player page to verify which version is installed; users who have enabled automatic updates in the Adobe Flash Player Desktop Runtime for Windows, macOS and Linux should receive the fix automatically. Disabling Office macros does not close this vector on its own: the malicious Flash content is an embedded object that loads without any macro, so on the Office side it is Protected View, which blocks embedded active content in documents received by email, that matters.
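The delivery mechanism described above leaves two artifacts in an Office file that a mail gateway or triage script can look for before a user ever opens the document: an ActiveX part that references the Shockwave Flash control, and an SWF header (the `FWS`, `CWS` or `ZWS` signature followed by a version byte and a little-endian length). The following scanner is an added example written for this page; it is not code from Adobe, Recorded Future or the article. It assumes the standard Flash ActiveX CLSID `D27CDB6E-AE6D-11cf-96B8-444553540000` and the documented SWF header layout, and the `.docx` it scans is a constructed stub built in memory, with a header-only SWF in place of a real payload.

```python
"""Scan an OOXML package (docx/xlsx/pptx) for embedded Flash indicators.

Added example for this article; not code from Adobe or Recorded Future.
"""
import io
import struct
import zipfile

# CLSID of the Shockwave Flash ActiveX control. An OOXML ActiveX part that
# names it makes Office instantiate Flash Player when the document opens.
FLASH_CLSID = "D27CDB6E-AE6D-11cf-96B8-444553540000"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA


def find_flash_clsid(blob: bytes) -> bool:
    """True if the Flash CLSID appears as ASCII/XML text or as UTF-16LE
    (the encoding used for CLSID strings inside OLE compound streams)."""
    hay = blob.lower()
    needle = FLASH_CLSID.lower()
    return any(needle.encode(enc) in hay for enc in ("ascii", "utf-16-le"))


def find_swf_headers(blob: bytes, max_version: int = 64):
    """Yield (offset, signature, version, declared_length) for every plausible
    SWF header: 3-byte magic, 1-byte version, little-endian uint32 length."""
    for magic in SWF_MAGICS:
        start = 0
        while True:
            pos = blob.find(magic, start)
            if pos == -1:
                break
            start = pos + 1
            if pos + 8 > len(blob):
                continue
            version = blob[pos + 3]
            (length,) = struct.unpack_from("<I", blob, pos + 4)
            if 1 <= version <= max_version and length >= 8:
                yield pos, magic.decode(), version, length


def scan_ooxml(data: bytes) -> list:
    """Return human-readable findings for an OOXML package given as bytes."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        raise ValueError("not an OOXML package (zip container expected)")
    findings = []
    with zipfile.ZipFile(buf) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if find_flash_clsid(blob):
                findings.append(f"{name}: references Shockwave Flash CLSID {FLASH_CLSID}")
            # XML parts can legitimately contain the letters "CWS"; only
            # binary parts are checked for an SWF header.
            if not name.lower().endswith((".xml", ".rels")):
                for off, sig, ver, length in find_swf_headers(blob):
                    findings.append(
                        f"{name}: {sig} (SWF v{ver}, declared {length} bytes) at offset {off}"
                    )
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed, minimal .docx for demonstration. with_flash=True adds an
    ActiveX part pointing at Flash plus a stub SWF (header only, no bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}" ax:persistence="persistStreamInit"/>',
            )
            stub_swf = b"CWS" + bytes([30]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 16
            zf.writestr("word/activeX/activeX1.bin", stub_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("flash", build_sample_docx(True))):
        print(label, scan_ooxml(doc) or ["no Flash indicators"])
```

A CLSID hit without any SWF header is still worth acting on: a document can carry only a small Flash loader that fetches the actual exploit SWF from a remote server when the file is opened, so the ActiveX reference, not the payload, is the reliable indicator. Run the script over a directory of attachments, or wire `scan_ooxml` into a gateway hook that quarantines anything it flags.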
New research has found that cyber-criminals are using social engineering tactics to trick job seekers into replying to phony listings. According to a 7 June Flashpoint research blog, threats to job listing sites and recruitment portals are on the rise in deep and dark web communities.
Attackers target job listings and recruitment portals because they hold a wide range of personal information. Beyond the resumes and cover letters applicants upload, which carry the obvious details of name, address, phone number and email address, job seekers are often asked for additional personal data such as race and veteran status, and some online applications also ask whether the applicant has a disability or requires a work visa.
Analyst David Shear, who researches cybercrime communities, actors and threats, found that cyber-criminals are looking to do more than steal personally identifiable information. When the unsuspecting job seekers reply to phony job listings, they are inadvertently recruited as money mules or lured into money laundering operations.
Recruitment portals also become direct targets when attackers submit malicious "job application" documents, usually PDF attachments. If these documents slip past weak or nonexistent scanning, they can give an attacker access to data stored on the portal, leaving applicants exposed to identity theft.
Noting a marginal increase in the number of mentions on deep and dark web forums related to such activity around recruitment portals, Flashpoint analysts found that many of the mentions involve "advertisements for the availability of compromised accounts, or criminals soliciting business accounts in order to list jobs on the platforms."
"Attackers want access to business accounts in order to leverage their phony job listings and recruit people who would ultimately participate in fraud without their knowledge," Shear wrote. Drafting these unwitting mules is a tactic that is growing in prominence on job recruitment portals.
Phishing campaigns have proven widely successful for the criminals, who target recruitment professionals rather than the recruitment portals themselves.
According to Shear, one notable nuance of the recruitment fraud schemes is that enterprise organizations are at higher risk of being targeted than small to mid-size organizations.
"Not only is there more financial benefit to targeting enterprises, but threat actors can actually remain undetected for longer due to the complexity of large-scale organizations and lack of communication between different locations of most of these enterprises," said Shear in an email.