Cyber Risk News

Global Cybersecurity Spending to Soar 10% in 2021

Info Security - Thu, 01/21/2021 - 12:15

The worldwide cybersecurity market is set to grow by up to 10% this year to top $60bn, as the global economy slowly recovers from the pandemic, according to Canalys.

The analyst firm clarified that double-digit growth from $54.7bn in 2020 would be its best-case scenario. However, even in the worst case, cybersecurity spending would still grow by 6.6%, it predicted.

That would factor in a deeper-than-anticipated economic impact from lockdowns, although the security market has proven to be remarkably resilient thus far to the pandemic-induced global economic crisis, Canalys said.

That said, SMB spending was hit hard last year, along with certain sectors like hospitality, retail and transport.

However, while spending is set to soar, so are data breaches and ransomware attacks. Human error continues to be a major factor, via misconfigurations of cloud infrastructure and susceptibility to phishing attacks, the analyst argued.

Mass remote working and learning in 2021 and the ongoing pressure placed on healthcare services will continue to expose these organizations to threats, it said.

Chief analyst Matthew Ball claimed the recent SolarWinds attacks highlight the continued unpredictability of the threat landscape. Amidst this volatile backdrop, organizations will need to adopt multi-layered approaches combining staff awareness training, data protection and threat detection and response, he said.

“Cybersecurity professional services engagements in response to this latest issue will be one of many factors contributing to sustained investment this year, especially in newer solutions to mitigate emerging threats,” Ball noted. “Growth in add-on subscriptions providing new features, products to secure the cloud and delivered from the cloud, and upgrades to existing solutions will be key drivers for expansion.”

The Canalys report covered shipments of endpoint security, network security, web and email security, data security, vulnerability and security analytics, and identity access management (IAM).

Web and email security (12.5%) will grow the most in 2021 with vulnerability and security analytics (11%) not far behind. Data security (6.6%) and network security (8%) are set to bring up the rear in terms of growth.

Security Biggest Barrier to Cloud Adoption for Over Half of UK Firms

Info Security - Thu, 01/21/2021 - 11:20

Over half (58%) of UK businesses have cited security concerns as the biggest barrier to public cloud adoption, according to a new study from Centrify.

The survey of 200 business decision makers in large and medium-sized enterprises in the UK also found that over a third (35%) who have adopted cloud are less than 80% confident it is completely secure.

Additionally, more than a quarter (28%) of those surveyed revealed that their organization had been targeted by a cloud hacking attempt since the start of the COVID-19 pandemic.

In regard to their companies’ security weaknesses, close to half (45%) of decision makers pinpointed the growth in machine identities and service accounts, such as those used by servers and applications, as their biggest exposure point.

Worryingly, 31% of business decision makers admitted their development teams are more interested in getting around security than building it into the DevOps pipeline, raising concerns over the ability of many companies to combat cyber-attacks in the future.

Kamel Heus, VP EMEA for Centrify, commented: “Adapting to the COVID-19 pandemic has been a bumpy ride for many businesses and, in most cases, companies have had to adopt the public cloud in at least some capacity due to the level of scalability, availability and efficiency it provides for distributed workforces.

“Whilst the common misperception is that cloud security is quite different to that of on-premises infrastructure, it is by no means less secure if common security protocols are followed, and security controls are applied.

“One core challenge posed by digital transformation is accurately verifying human and machine identities before granting access to systems, applications and other high value targets. Therefore, adopting cloud-ready privileged access management software is essential in protecting access to workloads in the public cloud, by granting access only when a requestor’s identity has been properly authenticated.”

While cloud adoption has grown since the shift to remote working as a result of the COVID-19 pandemic, in many cases, security has not adapted. Last year, a survey by Trend Micro revealed that nearly half of UK IT leaders have not updated their security to account for their move to cloud environments.

Threat Actor Dumps 1.9 Million Pixlr Records Online

Info Security - Thu, 01/21/2021 - 10:33

A notorious threat actor appears to have published 1.9 million user records for the popular online photo editing site Pixlr, putting customers at risk of follow-on attacks.

“ShinyHunters” dumped the files over the weekend for free on an underground forum, claiming the site was breached at the same time as 123RF, which is owned by the same company, Inmagine.

Among the data up for grabs are email addresses, usernames, hashed passwords and users’ countries.

So far there’s been no word from the firm itself, despite the fact that these users could be at risk of phishing attacks, credential stuffing attempts and other fraud if not informed promptly.

ShinyHunters is a prolific actor on the cybercrime underground, having been involved in breaches at Wishbone (40 million records), Heavenly (1.4 million), Dave (7.5 million) and many more.

If this incident is legitimate, as seems to be the case, Pixlr customers would be advised to be on the look-out for scams and to change their logins on the site, and on any other site where they reuse the same password.

ShinyHunters claimed to have stolen the data from Pixlr’s Amazon Web Services (AWS) S3 bucket late last year.

It’s unclear how, but CloudSphere VP of product, Pravin Rasiah, warned that misconfigured cloud storage is one of the leading causes of data breaches.

“The chances of leaving an S3 bucket exposed are all too high, as inexperienced users can simply choose the ‘all users’ access option, making the bucket publicly accessible. Leaving these S3 buckets open and exposed invites hackers to exploit the personal data entrusted to companies by their customers,” he argued.

“To prevent incidents like this from occurring, awareness within the cloud environment is imperative.” 

Cloud Security Posture Management (CSPM) tools are widely regarded as best practice in this space, as they continuously monitor such environments for configuration errors.
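The exposure Rasiah describes (a grant to the 'all users' group, or a bucket policy open to any principal) is exactly the kind of rule a CSPM tool evaluates on every bucket. The following is an added illustration, not Pixlr's, AWS's or any vendor's code: an offline evaluator over constructed ACL and policy documents in the shape returned by S3's GetBucketAcl and GetBucketPolicy calls; the bucket names and IDs are placeholders.

```python
"""Offline evaluator for the S3 exposure described above: a bucket ACL that
grants a permission to the pre-defined 'AllUsers' ('all users' in the console)
or 'AuthenticatedUsers' groups, or a bucket policy statement that allows any
principal. Added illustration over constructed documents; not Pixlr's, AWS's
or any vendor's code."""
import json

# Canonical URIs of the two S3 group grantees that make an ACL grant public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs from a GetBucketAcl-shaped document
    whose grantee is one of the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[uri], grant.get("Permission")))
    return findings


def _is_any_principal(principal):
    """True for the forms a bucket policy uses to mean 'everyone':
    "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements that apply to any principal and
    carry no Condition block, i.e. unconditional public access."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_any_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not flagged here
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def assess_bucket(name, acl, policy_json=None):
    """Combine both checks into one verdict a monitoring pipeline could emit."""
    issues = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    if policy_json:
        issues += [f"policy statement '{sid}' allows any principal"
                   for sid in public_policy_statements(policy_json)]
    return {"bucket": name, "public": bool(issues), "issues": issues}


# Constructed sample documents (bucket names and IDs are placeholders).
OWNER = {"ID": "constructed-owner-id"}
PRIVATE_ACL = {
    "Owner": OWNER,
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
                "Permission": "FULL_CONTROL"}],
}
EXPOSED_ACL = {
    "Owner": OWNER,
    "Grants": PRIVATE_ACL["Grants"] + [
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::constructed-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-constructed"}}},
    ],
})

if __name__ == "__main__":
    print(assess_bucket("constructed-private", PRIVATE_ACL))
    print(assess_bucket("constructed-exposed", EXPOSED_ACL, PUBLIC_READ_POLICY))
```

The conditional `VpcOnlyList` statement is deliberately left unflagged: a wildcard principal behind a Condition is common and needs a human to read the condition, which is why the constructed exposed bucket reports exactly two issues.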

Interpol: Dating App Victims Lured into Investment Scams

Info Security - Thu, 01/21/2021 - 09:45

Interpol has issued a global warning that dating app users are being groomed for investment fraud scams.

The policing body’s Purple Notice claimed that lonely hearts are picked off online, when the fraudsters establish an “artificial romance” with their victims. Once they have built up a level of trust through regular communication, they share investment tips and encourage the victim to join up to a scheme.

“Victims download a trading app and open an account, buy various financial products and work their way up a so-called investment chain, all under the watchful eye of their new ‘friend.’ They are made to believe they can reach Gold or VIP status,” the notice explained.

“As is often the case with such fraud schemes, everything is made to look legitimate. Screenshots are provided, domain names are eerily similar to real websites and customer service agents pretend to help victims choose the right products.”

However, eventually the victims are abruptly locked out of their accounts, having invested significant sums in the financial products.

They’re then left with a double whammy of financial loss and emotional pain.

Investment and romance scams are nothing new: in fact, they’ve thrived under lockdown. The UK’s National Cyber Security Centre (NCSC) revealed in August last year that it had been forced to take down over 300,000 related URLs.

In the UK alone, the period June-August 2020 saw a 26% year-on-year increase in romance scams, with losses for the previous 12 months hitting £66m.

Over 19,400 romance scams were recorded by the FBI in 2019, making it the second highest earner for cyber-criminals after business email compromise (BEC). Scammers took $475m from victims.

Interpol urged dating site users to be vigilant, think twice before transferring money or getting involved with online investment schemes and to do their research to check the reputation of any new apps or services.

Kentucky Senior Arrested for Identity Theft

Info Security - Wed, 01/20/2021 - 19:38

Two women in Kentucky have been arrested in connection with a year-long cybercrime operation involving stolen identities and fraudulent benefit claims. 

An investigation was launched by police in West Buechel at the beginning of January when they received a call from a local branch of the bank BB&T to say that a fraudulently authorized check for nearly $40,000 had just been cashed. 

Police traced the fraudulent check to 57-year-old Lori Davis and subsequently obtained a search warrant for her home. 

West Buechel Detective Robert Monroe told local news source WDRB that a search of Davis' residence led to the discovery of "lots of evidence of stolen mail, stolen identity."

As a result of the search, a second female suspect, 70-year-old Julianna Whobrey, emerged. Upon searching Whobrey's residence, police discovered evidence that included mail addressed to other people at locations all over the country.

Davis was charged with theft by deception and engaging in organized crime. Whobrey was charged on January 18 with trafficking in stolen identities, engaging in organized crime, misuse of computer information, intent to defraud to obtain benefits, receiving goods by fraud, and theft by deception.  

Monroe said that the suspects were work colleagues who used their jobs in a Louisville mailroom to cover up their illegal activity. The pair allegedly bought stolen identities on the dark web then used them to fraudulently obtain unemployment benefits and cards pre-paid with thousands of dollars. 

"These suspects both had other people's unemployment applications from other states, specifically New York State Department of Labor," Monroe said. 

"These envelopes were addressed to different people at different addresses, and what they're doing is collecting all the information out of this mail, and they're actually creating people who either don't exist, are dead, or people who do exist. And what they're doing is they're clogging up the dissemination of these benefits for people who actually need them."

Police believe that the two women have been scamming victims for a year and were acting as money mules for a third suspect who resides in another country. 

Monroe said: "I'm forwarding the case to the FBI with all I've gathered so far, and I'm going to work with them."

Trump Pardons Google Trade Secret Thief

Info Security - Wed, 01/20/2021 - 18:25

A former executive of Google subsidiary Waymo, imprisoned in the United States for stealing a trade secret and sharing it with rival company Uber, has been pardoned by outgoing president Donald Trump.

On March 19, 2020, Anthony Scott Levandowski pleaded guilty to one of 33 counts of trade secrets theft originally filed against him in 2019. The 40-year-old was sentenced to 18 months in jail and a 3-year period of supervised release by US District Judge William Alsup on August 4, 2020.

As per his plea agreement, Levandowski admitted that from 2009 to 2016 he worked in Google’s self-driving car program, known then as Project Chauffeur, which had a confidentiality requirement.

Levandowski left the Google subsidiary to found his own business, Ottomotto, an autonomous driving hardware and software developer that was acquired by Uber Technologies in 2016 for $680m. 

As part of his plea agreement, the entrepreneur admitted downloading thousands of Project Chauffeur files onto his personal laptop prior to leaving Waymo. He also admitted downloading a variety of files from a corporate Google Drive repository.

Among these files was an internal tracking document entitled “Chauffeur TL weekly updates – Q4 2015” that contained confidential details regarding the status of Project Chauffeur. Levandowski admitted that he downloaded this file with the intent to use it to benefit himself and Uber Technologies, Inc.

Levandowski further admitted that the stolen document was Google’s trade secret, and that stealing it caused the company to lose an estimated $1,500,000.

In addition to the custodial sentence, Judge Alsup ordered former exec Levandowski to pay a $95,000 fine and $756,499.22 in restitution to Waymo LLC, as Google’s self-driving program is now known. 

Yesterday, Levandowski was one of 73 convicted criminals who were pardoned by President Trump on his final day in office. 

In pardoning Levandowski, Trump wrote: "Mr. Levandowski pled guilty to a single criminal count arising from civil litigation. Notably, his sentencing judge called him a 'brilliant, groundbreaking engineer that our country needs.' 

"Mr. Levandowski has paid a significant price for his actions and plans to devote his talents to advance the public good."

US Marines Create "Blue Team"

Info Security - Wed, 01/20/2021 - 17:41

The United States Marine Corps today announced the creation of a Marine Corps’ Adversarial Cyber Assessment "Blue Team" (MCAT).

A Blue Team is a group of people who identify security threats and risks in the operating environment and analyze the network environment and its current state of security readiness. 

Using their findings and expertise, a Blue Team will typically provide recommendations that integrate into an overall community security solution to increase a customer's cybersecurity readiness posture.

MCAT was established by Marine Corps Tactical Systems Support Activity (MCTSSA) and comprises eight to ten people from a variety of backgrounds, including cybersecurity, computer engineering, and information technology.

In a memo authorizing the new adversarial Blue Team designation, Commander of Marine Corps Forces Cyberspace Command Maj. Gen. M.G. Glavy said that the newly formed Blue Team will support Marine Corps Systems Command’s (MCSC's) Programs of Record (PoRs), which enhances acquisitions' cyber testing and evaluation capabilities.

The new team is authorized to perform evaluator, tester, and aggressor roles in accordance with the Mission Focused Cyber Hardening memo released in October 2019 by the Office of the Under Secretary of Defense Acquisition and Sustainment.

“This capability strengthens our acquisition cyber footprint while also enhancing our Corps’ operational cyber resiliency,” said MCTSSA commanding officer Lt. Col. Michael Liguori.

“The cyber ‘Blue Team’ is another example of MCTSSA’s dedication to support MCSC and our Corps’ cyber efforts in contested environments.”

MCAT will assess the security and defense of MCSC and Program Executive Officer Land Systems PoRs for systems in the field and for those that are still in the developmental test phase. 

“I would agree that having the first cyber 'Blue Team' designation for the Marine Corps is an important step and I’m proud to be a plank owner,” said Gunnery Sgt. Patrick McKelvey, staff non-commissioned officer in charge of the Test and Certification Division.

“It also enables MCTSSA to potentially increase manning for Defensive and Offensive Cyberspace Operators, those with the 17XX military occupational specialty, to support the mission."

Panel Reflects on How Orgs Should Approach Security in 2021

Info Security - Wed, 01/20/2021 - 16:10

The growing importance of ethical hacking in protecting organizations against the current threat landscape was discussed by a panel speaking during a HackerOne webinar entitled ‘Hacker Powered Security Predictions for 2021 EMEA.’

Moderator Mårten Mickos, CEO of HackerOne, firstly emphasized how the shift to digital, including remote working, had “opened up a lot of new attack surfaces and exposures to various forms of criminality.” In addition, the SolarWinds attack at the end of last year demonstrated just how interconnected everything is, with one security breach impacting numerous organizations throughout the world. Mickos added this showed “we are not really cyber-secure until everything is cyber-secure.”

Julien Ahrens, a full-time ethical hacker, believes that in this environment, organizations firstly must embrace transparency, clearly communicating when an attack has taken place or when a vulnerability has been discovered. He said: “If I’m going to report a security vulnerability in a system, then I would expect the company to be transparent about how they tackled the issue and when they plan to release a fix.” Ahrens added this approach can help ethical hackers like him to find further security issues.

Teemu Ylhaisi, CISO at OP Financial Group, concurred, saying this kind of external transparency is “vital” in the financial industry. “This is an area where financial institutions do not need to compete – we’re not competing against each other – we have a common enemy, the criminals, and we’re working together to fight them.”

In regard to the use of bug bounty programs to find vulnerabilities, both Ylhaisi and Ahrens acknowledged that many industries have some reluctance, but Ahrens noted that “as soon as you explain the principle and the details to stakeholders, they tend to agree.”

Mickos commented: “The best way to develop resistance to COVID-19 is to take the vaccine, and similarly, ethical hacking is the immune system of the internet – it’s better to take the ethical hackers and the reports that they give you than to allow a breach to happen.”

As well as bug bounty programs, Mickos highlighted the growth of vulnerability disclosure programs (VDPs), particularly favored by governmental organizations in the US. Here, “the organization will say anybody’s welcome to report vulnerabilities to us but we don’t promise to pay you anything.” Mickos added that “it’s a way of having an official channel for anybody who finds a flaw to report it.”

In the view of Ahrens, these can be useful for companies in learning about their security weaknesses, but generally won’t be as effective as paid bug bounty initiatives, “where you usually get the attention of hackers that are on more of a professional level.”

Looking ahead to the coming year, Ylhaisi outlined that “visibility, detection capabilities and the reaction to incidents is key” for organizations to protect themselves.

Early detection is critical, as the panellists acknowledged that it is virtually impossible for organizations to block every potential pathway into a system. The best way of achieving this, according to Ylhaisi, is improving security awareness among staff, as the targeting of employees through tactics such as phishing is by far the most common cause of system breaches. He noted that staff at his company now report 35,000 email threats monthly. “This has helped us a lot to react at the very early phases,” he stated.

Summing up, Mickos compared the situation to being a soccer goalkeeper, stating “you cannot cover the whole goal but if you are very quick in your reactions and if you can predict where they [the cyber-criminal] will try, you can jump there to catch it.”

#Inauguration2021: Cyber-Experts React as Joe Biden Set to Become 46th US President

Info Security - Wed, 01/20/2021 - 15:00

Today, January 20, 2021, Joe Biden will be sworn in as the 46th President of the United States of America.

He and Vice-President-elect Kamala Harris will take their oaths of office on the West Front of the US Capitol.

The Inauguration Day celebrations will take place in unprecedented circumstances, with increased security measures following the January 6 attack on the US Capitol building and a variety of social distancing precautions due to the ongoing COVID-19 pandemic.

Experts in the cybersecurity field have commented on the key cybersecurity matters that are likely to play pivotal roles in the Biden/Harris administration over the next four years.

“The first days of 2021 have been marked by tumultuous events that have diverted attention and resources from what should be a safe and streamlined transfer of power,” said Andrew Rubin, CEO and co-founder, Illumio.

“On top of that, the US is dealing with the SolarWinds breach, which is perhaps the largest and most catastrophic single breach event our country has ever seen. Together, this has created a perfect storm for cyber-attacks and left the United States with a heightened level of cyber-risk, which threatens the safety and security of the country as a whole.”

Biden therefore has a huge amount of work to do in the cybersecurity area, with attacks at an all-time high against the US public and private sector, added Chris Morales, head of security analytics at Vectra.

“We did not improve the nation’s cybersecurity posture over the last four years,” he argued.

A key area of concern is the debate over end-to-end encryption and law enforcement, Morales continued. “The Trump administration believed that private industry should provide access to encryption, which fundamentally breaks personal privacy.”

Furthermore, at the end of Trump’s term, “he fired the top level cybersecurity official at DHS, Chris Krebs, who routinely countered Trump’s statements as contradictory. Chris Krebs did a great job of aligning government with industry and cybersecurity.”

Rubin argued that, moving forward, the US needs a more robust, multi-pronged strategy to mitigate future attacks that couples prevention and monitoring with an effective perimeter protection strategy for all critical entities.

“Given the current situation and vulnerabilities, the US should assume that bad actors are already in their environment. To keep people and information safe, the government should prioritize measures, like establishing deeper layers of security, that can mitigate the impact and spread of a breach.”

Morales concurred, adding: “I would like to see a pivot from cyber-warfare back to risk mitigation and personal privacy. While going on the offensive sounds like a deterrent, it is not aligned with how cyber-attacks truly occur.

“The target is a mix of public/private, and every organization is left to its own defenses. Attacks happen on home turf, not in a distant land where a military can wage war, and cyber-attacks end up hurting the end users more than the army waging war. It is good to have offensive capabilities, but we’ve got to shore up our own internal defenses first. For example, solving ransomware targeting local/state governments with small security staffs and lack of budget.”

Retail and Hospitality Facing Deluge of Critical Web App Flaws

Info Security - Wed, 01/20/2021 - 13:00

More than three-quarters of applications in the retail and hospitality sector contain at least one vulnerability, with a high percentage of these requiring urgent attention, according to Veracode.

The application security vendor analyzed more than 130,000 applications to compile its latest State of Software Security report.

However, while the 76% of buggy apps in the retail and hospitality sector is about average compared to other verticals, Veracode warned that 26% are high severity — one of the worst rates of any industry.

This matters, as the industry has been delivering a raft of new applications in order to reach customers online during the pandemic, amid social distancing and lockdowns. It’s especially important to hospitality firms, which have been forced to radically reshape their business models to adapt to the new reality.

Yet while web applications can be a life-saver for such businesses, they might also introduce extra cyber-risk. They were involved in 43% of breaches analyzed by Verizon last year and were the number one attack vector for the retail industry, with personal or payment data exploited in about half of all breaches.

That said, retail and hospitality ranked second-best for overall fix rate, according to Veracode. Half of its flaws were remediated in 125 days, which is nearly one month faster than the next-fastest sector.

Veracode claimed that, although retail and hospitality firms did well at addressing common flaw types like information leakage and input validation, developers struggled with encapsulation, SQL injection and credentials management issues.

“Retail and hospitality companies face the dual pressure of being high-value targets for attackers while also requiring software that allows them to be highly responsive to customers and compliant with industry regulations such as PCI,” said Chris Eng, Veracode chief research officer.

“Using API-driven scanning and software composition analysis to scan for flaws in open source components offers the best opportunity for improvement for development teams in the sector.”

Malwarebytes: SolarWinds Hackers Read Our Emails

Info Security - Wed, 01/20/2021 - 11:35

Malwarebytes has confirmed that the SolarWinds attackers managed to access internal emails, although via a different intrusion vector to many victims.

While many of the organizations caught up in the suspected Russian cyber-espionage campaign were compromised via a malicious SolarWinds Orion update, US government agency CISA had previously pointed to a second threat vector. This involved use of password guessing or spraying and/or exploiting inappropriately secured admin or service credentials.

The security vendor said attackers abused applications with privileged access to Microsoft Office 365 and Azure environments.

“We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks,” the vendor explained.

“The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”

Malwarebytes clarified that it found no evidence of unauthorized access or compromise in any of its on-premises or production environments.

The news comes as FireEye released a new report detailing the various ways the SolarWinds attackers moved laterally to the Microsoft 365 cloud after gaining an initial foothold in networks.

They include: stealing an Active Directory Federation Services (AD FS) token-signing certificate and using it to forge tokens for arbitrary users; compromising the credentials of highly privileged on-premises accounts synced to Microsoft 365; and modifying or adding trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls.

The attackers also backdoored existing Microsoft 365 apps by adding a new application or service principal credential. This enabled them to use the legitimate permissions assigned to the application, such as reading emails, FireEye said.
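Both of the tenant-side techniques above, a new credential on an existing application or service principal and a change to a domain's federation settings, leave records in the Azure AD audit log. The following is an added illustration of how a responder might triage such an export; it is not FireEye's, CrowdStrike's or CISA's tool, the records are constructed, and the activity names and field layout are this example's assumptions about the Azure AD audit log schema rather than anything quoted from the page.

```python
"""Triage of Azure AD audit-log records for two Microsoft 365 persistence
techniques described above: adding a credential to an existing application or
service principal (to inherit its permissions, such as reading mail) and
changing a domain's federation settings to trust a new identity provider.
Added illustration over constructed records; not FireEye's, CrowdStrike's or
CISA's tooling. Activity names and record fields are assumptions about the
Azure AD audit log schema."""
import json

# Activity names (assumed) mapped to the technique they may indicate.
WATCHED_OPERATIONS = {
    "Add service principal credentials": "credential added to an existing service principal",
    "Set federation settings on domain": "federation settings changed on a domain",
    "Set domain authentication": "domain switched between managed and federated authentication",
}


def _actor(record):
    """Audit records attribute a change either to a user or to an application."""
    by = record.get("initiatedBy", {})
    user = by.get("user") or {}
    app = by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def _targets(record):
    return [t.get("displayName") or t.get("id") or "<unknown>"
            for t in record.get("targetResources", [])]


def triage(records, expected_admins=frozenset()):
    """Return findings for successful watched operations, oldest first.
    A change made by an account outside the expected change-management set is
    rated high; the rest still surface as medium, because the operation itself
    is rare and should be matched to a ticket before it is dismissed."""
    findings = []
    for rec in records:
        op = rec.get("activityDisplayName")
        if op not in WATCHED_OPERATIONS or rec.get("result") != "success":
            continue
        actor = _actor(rec)
        findings.append({
            "time": rec.get("activityDateTime", ""),
            "operation": op,
            "actor": actor,
            "targets": _targets(rec),
            "reason": WATCHED_OPERATIONS[op],
            "severity": "medium" if actor in expected_admins else "high",
        })
    findings.sort(key=lambda f: f["time"])
    return findings


def load_records(text):
    """Parse an exported audit log given as a JSON array of records."""
    return json.loads(text)


# Constructed sample export: four records, two of which should be flagged.
SAMPLE_EXPORT = json.dumps([
    {"activityDateTime": "2020-12-14T08:30:00Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"displayName": "J. Doe"}]},
    {"activityDateTime": "2020-12-12T03:02:11Z", "activityDisplayName": "Add service principal credentials",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.com"}},
     "targetResources": [{"displayName": "Mail Archiver"}]},
    {"activityDateTime": "2020-12-13T17:45:09Z", "activityDisplayName": "Set federation settings on domain",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"displayName": "example.com"}]},
    {"activityDateTime": "2020-12-13T18:00:00Z", "activityDisplayName": "Add service principal credentials",
     "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.com"}},
     "targetResources": [{"displayName": "Mail Archiver"}]},
])

if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_EXPORT), expected_admins={"it-admin@example.com"}):
        print(f["severity"].upper(), f["time"], f["operation"], "by", f["actor"], "on", f["targets"])
```

Failed attempts are skipped here only to keep the output short; in a real investigation a failed credential addition by a service account is itself worth a look.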

The security vendor has joined CrowdStrike and CISA in releasing a new tool which will help organizations spot if their Microsoft 365 tenants have been subject to the same techniques used by the group.

Quarter of Orgs Don’t Offer Cybersecurity Training Due to Lack of Budget

Info Security - Wed, 01/20/2021 - 10:35

A quarter (25%) of company directors are prevented from delivering cybersecurity training to staff by budgetary constraints, according to iomart’s Cybersecurity Insights Report.

The survey of UK-based workers at C-level, director, manager and employee level found that 28% of businesses offer no cybersecurity training whatsoever. Additionally, 42% said that whilst some training was offered by their firm, it was only available to select staff, while over two-thirds (70%) of respondents revealed their company doesn’t provide training to all employees.

Of those that confirmed they did receive training, 82% admitted this only consisted of a short briefing rather than a comprehensive course, with just 17% receiving regular sessions related to cybersecurity.

iomart therefore calculated that less than one in 10 (8%) of those who took part in the survey received regular cybersecurity training.

The study also found that a quarter (25%) of businesses do not have a disaster recovery policy, while a further 31% said there was one but they had never tested it.

These findings are especially concerning given that 20% of respondents reported they had seen an increase in cyber-attacks as a result of remote working, which has expanded enormously since the start of the COVID-19 pandemic.

Although company directors cited budget as the main factor in not delivering cybersecurity training, other factors highlighted by all respondents were a lack of technical expertise within the business (8%) and the issue not being a main priority (5%).

Bill Strain, security director of iomart, commented: “It’s clear that many organizations still don’t consider cybersecurity and data protection to be a top priority.

“They need to understand what the potential threats are and build resilience into their business strategy so they can react quickly and maintain operations if their IT systems are compromised.

“Many businesses would not survive the operational – let alone financial – impact of a data breach. By understanding the potential risk and introducing positive behavior around cyber-awareness, they have a much better chance of surviving an incident.”

In a survey at the end of last year, a third of remote working employees said they had not received security training in the last six months.

Coin-Mining Malware Volumes Soar 53% in Q4 2020

Info Security - Wed, 01/20/2021 - 09:55

Detections of crypto-mining malware surged by 53% quarter-on-quarter in the final three months of 2020 as the value of Bitcoin soared, according to Avira.

The price of one Bitcoin now stands at over $35,500, close to an all-time-high it hit earlier this month, according to the security vendor’s Avira Protection Labs.

"The rapid increase in coin-miner malware suggests that malware authors are taking advantage of the price trend in recent months and increasingly spreading malware that aims to exploit other people’s computer resources for illegal mining activities,” argued Alexander Vukcevic, director of Avira Protection Labs.

“This correlation is not surprising but is nevertheless worrying for legitimate miners and investors.”

Crypto-mining or crypto-jacking came of age in 2017 and 2018 as cyber-criminals sought a quick and easy way to monetize attacks. It was claimed at the time that because attacks didn’t require user interaction to start generating profits for the perpetrator, many would-be ransomware groups were pivoting to the new threat.

Avira listed three main types of coin-mining malware today: executable files, browser-based cryptocurrency miners and advanced fileless miners.

It was the browser-based Coinhive that drove the previous spike in cryptocurrency-mining activity. By February 2018 it had impacted 23% of global organizations, according to one study. One researcher even found it installed on UK and US government sites including those belonging to the UK’s Information Commissioner’s Office (ICO), United States Courts, the General Medical Council, the UK’s Student Loans Company and NHS Inform.

Coinhive shut down in February 2019, but the practice appears to be spiking again alongside the value of digital currency.

Chris Sedgwick, security operations director, Sy4Security, argued that it is the lesser-known Monero currency rather than Bitcoin that’s in high demand.

“The reason why the majority of cryptocurrency malware mines Monero instead of Bitcoin is that the mining requirements for Monero are a fraction of those required for Bitcoin,” he said.

“Monero is also favored over Bitcoin amongst those individuals looking to use their gains for illegal use as there is no tracking of transactions and the Blockchain is not transparent.”


MAZE Exfiltration Tactic Widely Adopted

Info Security - Tue, 01/19/2021 - 18:59

New research by New Zealand company Emsisoft has found that a cyber-blackmail tactic first debuted by ransomware gang MAZE has been adopted by over a dozen other criminal cyber-gangs.

The internationally renowned security software company declared a ransomware crisis in the last month of 2019. Its latest ransomware report shows that this particular type of malware had a huge impact on the United States in 2020.

Emsisoft threat analyst Brett Callow described the numbers in "The State of Ransomware in the US: Report and Statistics 2020" as "pretty grim."

At least 2,354 US governments, healthcare facilities, and schools were impacted by ransomware last year, including 113 federal, state, and municipal governments and agencies, 560 healthcare facilities, and 1,681 schools, colleges, and universities.

Researchers noted that the attacks "caused significant, and sometimes life-threatening, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were delayed, lab test results were inaccessible, hospital employees were furloughed and 911 services were interrupted."

In 2020, MAZE became the first ransomware group to be observed exfiltrating data from its victims and using the threat of publication as additional leverage to extort payment.

"At the beginning of 2020, only the Maze group used this tactic," wrote researchers. "By the end of the year, at least 17 others had adopted it and were publishing stolen data on so-called leak sites."

According to a November report by Coveware, some ransomware gangs that exfiltrate data don't delete it, even after receiving a ransom from their victims. Coveware observed REvil (Sodinokibi) asking for a second ransom payment for stolen data it had already been paid to erase.

Netwalker (Mailto) and Mespinoza (Pysa) were observed publishing exfiltrated data on dedicated leak-site portals despite receiving ransoms from their victims.

Emsisoft found that in 2019 and in 2020, the same number of federal, state, county, and municipal governments and agencies were impacted by ransomware (113).

"Of the 60 incidents that occurred in Q1 and Q2, data was stolen and released in only one case; it was, however, stolen and released in 23 of the 53 incidents that occurred in Q3 and Q4," they wrote.


Suspicious Vaccine-Related Domains Triple

Info Security - Tue, 01/19/2021 - 18:18

The number of suspicious domains that feature the word "vaccine" in their title increased by almost 100% in the month after the first Pfizer COVID-19 vaccine was given outside of a clinical trial.

British grandmother Margaret Keenan became the first person in the world to receive the vaccine on December 8, 2020, a week before her 91st birthday.

New research by American cybersecurity software company Webroot observed that from December 8 through January 6, there was a 94.8% increase in suspicious domain names using "vaccine" compared with the previous 30 days.

When compared with the month of March 2020, the total use of the word "vaccine" within suspicious domain names between December 8 and January 6 was found to have increased by 336%.

“As 2021 brings the first mass vaccination programs to fight COVID-19, we’re already seeing cybercriminals exploiting the publicity and anticipation surrounding these to target businesses and consumers in phishing and domain spoofing attacks," said Nick Emanuel, senior director of product at Webroot.

"Scams using keywords based on emotive subjects concerning medical safety and the pandemic are always going to be more effective, especially when they’re in the public interest."

Webroot’s Real-Time Anti-Phishing protection system detected a rise in malicious URLs using other words related to the pandemic.

Over 4,500 new suspicious domains were found, which contained a combination of words relating to "COVID-19," "Corona," "Vaccine," "Cure COVID," and others.

The word "vaccine" was specifically included in the title of 934 domains, while misspellings of "vaccine" cropped up in 611 more.

"COVID" was in the title of 2,295 suspicious domains, and "Test" or "Testing" appeared in the title of 622 domains.

Threat actors also appeared to be using public interest in travel restrictions as a phishing lure. Among the suspicious domain titles flagged by researchers were "COVID Validator," "Testing Update," "COVID Travelcard," and "Private Vaccine."
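One way to reproduce the kind of keyword tally described above, as an added example that is not Webroot's detection logic: whole-token matching for the lure words the article reports plus an edit-distance check for misspellings of "vaccine". The domain list is constructed for the example.

```python
"""Flag newly seen domain names that use pandemic lure words or near-misses of "vaccine".
Added example; not Webroot's code. SAMPLE_DOMAINS is a constructed list."""
import re
from collections import Counter

# Lure words named on the page; matched as whole tokens so "contest" is not a "test" hit
KEYWORDS = {"vaccine", "covid", "corona", "cure", "test", "testing"}
FUZZY_KEYWORD = "vaccine"   # misspellings of this word are flagged separately
MAX_EDITS = 1               # one inserted, dropped or swapped letter counts as a near-miss

# Constructed sample, modelled on the domain titles the article lists
SAMPLE_DOMAINS = [
    "covid-validator.example",
    "testing-update.example",
    "covid-travelcard.example",
    "private-vaccine.example",
    "covid19-cure-center.example",
    "free-vacine-appointment.example",   # one missing letter
    "vaccinne-booking.example",          # one extra letter
    "contest-winner.example",            # "test" only as a substring: not flagged
    "weather-report.example",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens(domain: str) -> list:
    """Lowercase word tokens of the registrable part; trailing digits are dropped ("covid19" -> "covid")."""
    label = ".".join(domain.lower().split(".")[:-1])   # drop the TLD
    toks = [t.rstrip("0123456789") for t in re.split(r"[^a-z0-9]+", label)]
    return [t for t in toks if t]


def classify(domain: str) -> dict:
    """Exact whole-token keyword hits and fuzzy near-misses of FUZZY_KEYWORD for one domain."""
    exact, fuzzy = set(), set()
    for t in tokens(domain):
        if t in KEYWORDS:
            exact.add(t)
        elif (abs(len(t) - len(FUZZY_KEYWORD)) <= MAX_EDITS
              and levenshtein(t, FUZZY_KEYWORD) <= MAX_EDITS):
            fuzzy.add(t)
    return {"exact": exact, "fuzzy": fuzzy}


def scan(domains):
    """Tally hits per keyword across a feed, the way the article's per-word counts are reported."""
    counts, flagged = Counter(), []
    for d in domains:
        m = classify(d)
        if m["exact"] or m["fuzzy"]:
            flagged.append(d)
        counts.update(m["exact"])
        if m["fuzzy"]:
            counts["vaccine (misspelled)"] += 1
    return counts, flagged


if __name__ == "__main__":
    totals, hits = scan(SAMPLE_DOMAINS)
    for word, n in totals.most_common():
        print(f"{word:22s} {n}")
    print("flagged:", hits)
```

Plural forms such as "vaccines" also land within one edit of the keyword and are counted as near-misses, which is usually what a triage queue wants.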

"For individuals, defending against these kinds of attacks should involve security awareness training and remaining vigilant in scrutinising the types of emails they receive," said Emanuel.

"This should also be underpinned by cybersecurity technology such as email filtering, anti-virus protection, and strong password policies.”


Atlanta Synagogue Reports Cyber-Attack

Info Security - Tue, 01/19/2021 - 17:40

An annual religious service held in Atlanta in honor of Martin Luther King Jr. Day was disrupted by a cyber-attack.

Threat actors reportedly targeted a Shabbat service that was being broadcast live over the internet from Atlanta synagogue The Temple on January 15. The attack occurred as US Senator-elect Raphael Warnock, the pastor at Martin Luther King Jr.’s historic Ebenezer Baptist Church in Atlanta, was delivering a sermon.

People attempting to watch the service live via the Temple's website were unable to access it, according to a letter penned by the synagogue's president, Kent Alexander.

Writing to the congregation on Saturday, Alexander said: “To the many of you who tried to log on through the Temple website but could not, and missed the service, we apologize and want to offer an explanation.

“Our website service provider informed our executive director, Mark Jacobson, last night that ‘malicious user agents’ had continuously loaded the Temple website with the objective of shutting it down.”

Alexander did not name the service provider but added that he had been told that the attack was the "largest-ever attack affecting the provider's network of client synagogues" and that websites across the United States had also been blocked.

"Eventually, access was restored for all, but The Temple was last," the director wrote. "Our site was down for over an hour into the service."

The incident is currently under investigation by the authorities. Alexander theorized that the attack was inspired by religious and racial bigotry.

After highlighting that Warnock will soon become Georgia's first African American senator, Alexander wrote: "Presumably, The Temple was singled out by a racist and anti-Semitic group or individual bent on silencing our joint Temple-Ebenezer Baptist Church MLK Jr. Shabbat."

The Temple was founded in 1867 and is located in the city's midtown. An annual Martin Luther King Jr. Day Shabbat service has been hosted there for over a decade.

In 1958, the Temple's north entrance was bombed by the "Confederate Underground" in an incident denounced by then-President Dwight Eisenhower. The bomb, made using 50 sticks of dynamite, caused damage valued at $750k today.


World Economic Forum: Action Required to Address Digital Inequalities Post-COVID

Info Security - Tue, 01/19/2021 - 13:00

“A world leader once said ‘a decade can go by without any real news and then you can feel a decade happening in a week.’ I feel that a decade has happened in the past year,” commented Børge Brende, president of the World Economic Forum (WEF), speaking during a press conference highlighting the findings from the organization’s 16th Global Risks Report 2021.

This has arisen from the ongoing COVID-19 pandemic, which has brought about substantial changes to the political, economic and social landscape. During the webinar, the panellists emphasized the growing importance of technology, both in helping governments and businesses function amid the ongoing crisis, and for the rebuilding of the world’s economy going forward.

Peter Giger, group chief risk officer, Zurich Insurance Group, explained that COVID-19 had accelerated the so-called ‘fourth industrial revolution’ by rapidly expanding areas such as e-commerce, online education, digital healthcare and remote working. “These shifts will continue to transform human interactions and livelihoods long after COVID is behind us,” he outlined.

This move towards a “digital economy” offers great opportunities but also poses the risk of more global inequality through the creation of an “underclass” of people who are excluded from work as a result of a lack of internet and educational access. For instance, the report noted that internet usage ranges from 87% of the population in high-income countries to under 17% in low-income countries. Widening inequality gaps are particularly dangerous at this time of substantial polarization and the biggest peacetime economic slump in history, as they will threaten global stability, according to Brende.

It is for this reason that the report listed digital inequality as one of the main risks over the coming years, and argued that economic growth needs to be more inclusive and sustainable. It is therefore critical that efforts are made to improve access to the internet and the development of digital skills. Brende added: “We have to invest in global access to the internet and we have to invest in schools, upskilling, reskilling, making sure that inequalities are not growing but are declining.”

As well as the potential sowing of more division through digital inequality, the panel highlighted other dangers that a rapid shift to technology brings. One of these is cybersecurity failures, which the WEF report highlighted as a big worry over the next two years. Carolina Klint, risk management leader for continental Europe at Marsh, noted that the almost overnight shift to home working many businesses were forced to undertake last year has “exponentially increased cyber-exposures and created more complex and potentially less secure networks.” Klint added: “Businesses should now really take the time to assess changes that were made in the heat of the pandemic and verify that the right investments have been made in networks and controls.”

Another major issue emanating from greater internet usage is the rise in misinformation, which has been particularly demonstrated by the fear-mongering and conspiracy theories linked to the COVID-19 crisis. In the view of Giger, this is causing more disconnect and polarization, as well as threatening democracy. However, governments must be cautious when taking regulatory action over this, and on protecting people from big tech monopolies, as this could lead to information censorship and more restricted internet access, risking “our hard won personal freedoms.”

Ultimately, the panel stated that the pandemic has provided an important lesson to countries in dealing with unexpected events. Guillaume Barthe-Dejean, director, chairman’s office at SK Group, noted that those countries “that digitized early tended to perform better” both from a health and economic point of view. These were nations such as Japan, Korea and China, which have effective track and trace systems, more effective communications, a greater continuity of public services and minimized labor disruptions. Barthe-Dejean added: “That’s a real learning point from hyper-connected economies such as South Korea, which has the highest internet penetration, at 96.2% of its population.”


Cloud Config Error Exposes X-Rated College Pics

Info Security - Tue, 01/19/2021 - 12:00

A cloud misconfiguration at a now-defunct social media app has exposed hundreds of thousands of files, including explicit photos of users that they thought had been deleted, according to vpnMentor.

A research team led by Noam Rotem discovered the AWS S3 bucket on October 13 last year, tracing it back to Fleek and owner Squid Inc.

The app apparently marketed itself as an uncensored alternative to Snapchat “Campus Stories.” A hit with US college students, it promised to automatically delete photos after a short period, encouraging users to post salacious pics of themselves engaged in sexually explicit and illegal activities.

However, as the researchers found, many photos were not deleted at all — in fact, they were still being stored long after the app was closed down in 2019.

“Many of these were shared in folders given offensive and derogatory names like ‘asianAss’ by the app’s developers,” vpnMentor explained.

“Fleek users were mostly college students naive of the implications of uploading images that show them engaging in embarrassing and criminal activities, such as drug use. If cyber-criminals obtained these images and knew how to find the people exposed, they could easily target them and blackmail them for large sums of money.”

In total, the research team found around 377,000 files in the 32GB bucket. This also included photos and bot scripts which it’s believed relate to a paid chat room service the app’s owners were trying to promote to users.

To encourage male users, the app’s owners appear to have created numerous bot accounts using images of women scraped from the internet. To ‘chat’ to these bots, users would have to pay a fee.

Having contacted both Squid Inc’s founder and AWS to notify them of the privacy snafu, vpnMentor found the bucket had been secured about a week after it was discovered. However, it’s unclear whether the data has been deleted or not.

“Never share anything you’d be embarrassed about online — few systems are 100% secure from hacking, leaks, or dishonest people saving incriminating images to hurt you in the future,” warned vpnMentor.

“It's also important to know what happens to your data after a company that has collected it goes bankrupt or shuts down. Often, with smaller companies, the owner maintains possession of the data, and there’s very little accountability stopping them from misusing it or sharing with others in the future.”


Most Financial Services Have Suffered COVID-Linked Cyber-Attacks

Info Security - Tue, 01/19/2021 - 11:25

Financial services firms were hit hard over the past year, with 70% experiencing a successful cyber-attack and most of these blaming COVID-related conditions for the incident, according to Keeper Security.

The password security firm commissioned the Ponemon Institute to poll over 370 UK IT security leaders in the sector, as part of a larger global study.

It revealed that the rapid shift to remote working forced on businesses during the pandemic provided threat actors with an opportunity to target remote workers.

Over half (57%) of respondents argued that cyber-attacks are increasing in severity as a result of work-from-home (WFH) and 41% argued that remote workers are putting the business at risk of a major data breach.

Respondents were most concerned about a lack of physical security wherever their employees are remote working from (48%) and their devices becoming infected with malware (34%). This matters in the UK especially as it boasts more privileged users than any other country: 31% of remote workers have access to critical, sensitive and proprietary information.

Trend Micro research last year revealed that home workers often engage in more risky behavior than when they’re at the office. When combined with the surge in COVID-19 phishing emails and devices that may be shared with other users in the same household and/or less well protected than corporate equivalents, it adds up to a potential perfect storm of risk.

Insufficient budget and lack of know-how on combatting cyber-attacks were flagged by respondents as the biggest IT security challenges with remote working.

They were most concerned about the threat to customer records (50%) and financial information (48%). IT security managers are right to be worried, given the potential regulatory and reputational impact of a breach.

According to Keeper Security CEO, Darren Guccione, things are particularly precarious given the double whammy of the pandemic and Brexit, which saw UK banks lose their crucial “passporting” rights.

“The adjustments to life as we know it due to COVID-19, and the limitations set to be imposed by Brexit, have seen businesses struggle to adopt essential operational requirements to stay afloat,” he argued.

“Without rigorous security in place, financial institutions across the UK jeopardise their future. It only takes one cyber-attack to destroy the reputation of the entire business.”


GDPR Fines Surge 39% Over Past Year Despite #COVID19

Info Security - Tue, 01/19/2021 - 09:35

The past year has seen double-digit increases in the value of GDPR fines imposed by regulators and the volume of breaches notified to regulators, according to a new analysis by DLA Piper.

The international law firm said that €158.5m ($192m, £141m) in fines was imposed since January 28, 2020, a 39% increase on the previous 20-month period since the law came into force in May 2018.

Breach notifications surged by 19%, the second consecutive double-digit increase, to reach 121,165 over the past year.

In total, €272.5m ($332m, £45m) in fines has been issued since the start of the new regulatory regime, with Italy (€69m) having imposed the largest total, followed by Germany and France.

Total breach notification volumes have reached 281,000, with Germany (77,747), the Netherlands (66,527) and the UK (30,536) topping the table. However, when weighted according to national populations, Denmark comes top, followed by the Netherlands and Ireland.

Although the upward trajectory of fines and notifications would suggest that the GDPR is forcing organizations to be more transparent about incidents and providing regulators with a powerful statutory instrument to punish major transgressors, the truth is more nuanced.

In the UK, for example, the Information Commissioner’s Office (ICO), a leading regulator in the drafting of the legislation, significantly reduced fines planned for BA and Marriott International, from a combined £282m to just £38m last year. It is believed the COVID-19 pandemic may have been a factor.

Concerns were raised last year that national regulators are simply not resourced sufficiently to launch major investigations against the world’s biggest companies, especially tech giants with deep pockets.

However, the coming year is likely to see a ramping up of regulatory pressure, warned Ross McKean, chair of DLA Piper’s UK Data Protection and Security Group.

“Regulators have adopted some extremely strict interpretations of GDPR, setting the scene for heated legal battles in the years ahead. However, we have also seen regulators show a degree of leniency this year in response to the ongoing pandemic with several high-profile fines being reduced due to financial hardship,” he explained.

“During the coming year we anticipate the first enforcement actions relating to GDPR’s restrictions on transfers of personal data to the US and other ‘third countries’ as the aftershocks from the ruling by Europe’s highest court in the Schrems II case continue to be felt."
