Cyber Risk News

Data Breach at Texas Benefits Recovery Firm

Info Security - Wed, 07/15/2020 - 17:30

The personal data of over a quarter of a million people has been exposed following a malicious hack perpetrated against a Texas billing and collection company.

Houston-based company Benefit Recovery Specialists, Inc. (BRSI) discovered a data breach had occurred after detecting the installation of malware on its systems. 

The malware may have allowed unauthorized individuals to view and obtain the personal and protected health information (PHI) of 274,837 people. 

BRSI provides billing and collection services to certain healthcare providers and payers. The data exposed by the attack included the private and personal information of current or former members of these plans or healthcare providers.

In a data breach notice, BRSI said that the types of personal information impacted by the cybersecurity incident “may include name, date of birth, date of service, provider name, policy identification number, procedure code and/or diagnosis code.”

The company added that the Social Security numbers of “a small number of individuals” may also have been exposed.

An internal investigation was launched after the malware was discovered by BRSI on April 30 2020. Forensic specialists were hired to uncover how the attack was carried out and to determine how far the attackers managed to penetrate company systems.

Investigators found that an unauthorized individual had gained access to the company’s systems using stolen employee credentials. After entering the network, the attacker installed malware.

Exactly what malware was installed by the bad actor was not stated in the breach notice published by BRSI on its website. The company did share that the unknown attacker first gained access to BRSI systems on April 20 2020.

The investigation “further revealed that certain BRSI customer files containing personal information may have been accessed and/or acquired by the unknown actor between April 20 2020 and April 30 2020.”

BRSI began notifying customers of the cybersecurity incident around June 2.

The company stated: “While BRSI is unaware of any misuse of personal information impacted by this event, individuals are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity and report any suspicious activity immediately to their insurance company, health care provider, or financial institution.”

Jewish Service Zoom-bombed with Swastikas

Info Security - Wed, 07/15/2020 - 16:44

A malicious hacker disrupted a Jewish congregation's virtual prayer service to display symbols synonymous with anti-Semitism.

Temple Sinai in Hartford, Connecticut, was the target of the anti-Semitic attack that took place on July 10. The temple had been holding services online for several months to help slow the spread of COVID-19 around the state. 

After gaining access to a service being watched on Zoom and Facebook Live by roughly 200 congregation members, the hacker posted offensive messages and images on a shared screen.

The attack disrupted the recital of the Mourner's Kaddish, a sacred prayer spoken for the benefit of the departed soul of one's deceased father or mother.

Rabbi Jeffrey Bennett said the hacker used Zoom's annotate feature to post swastikas. They also shared inappropriate messages via the chat feature and commandeered the audio system to play traditional Jewish music called klezmer that originated in the villages and ghettos of Eastern Europe. 

Fortunately, the attacker was quickly stopped from spreading their message of hatred. As soon as he realized what was happening, Bennett stopped sharing his screen and a worship service co-host muted all service attendees. 

The attacker was silenced after just three seconds, but for Bennett the incident "was three seconds too long." 

After the temple's board of directors wrote a notice to congregants informing them of what had happened, the service continued without further incident. 

Bennett said the attack was the only anti-Semitic intrusion to occur since the Temple Sinai started holding services online in March 2020. He added that actions had been taken to prevent any further incidents from taking place.  

Rather than deterring congregation members from following their religious practice, the rabbi said the attack "strengthens our resolve to celebrate who we are."

An incident report has been filed with the Anti-Defamation League (ADL) by temple leaders, who also sent a message to Zoom to inform them of the security breach. 

In May, the ADL reported that in 2019, Jews in America were targeted with more than 2,100 acts of anti-Semitic assault, vandalism, and harassment. The league said the number of incidents was the highest annual figure recorded since records began in 1979.

Superdrug Makes Anti-Cyberbullying Pledge

Info Security - Wed, 07/15/2020 - 16:30

British retailer Superdrug has made a pledge to combat cyberbullying and trolling on social media platforms.

The high street giant was spurred into action after observing a sharp spike in the volume of derogatory comments being posted online in response to one of its beauty campaigns.

As part of a drive to promote cosmetics, Superdrug had been working with a number of up-and-coming make-up artists and bloggers to post inspirational images of models. The company was saddened to see these posts generate negative and hateful comments.

A company spokesperson said: “At Superdrug, we want our social spaces to be a positive experience for everyone. We won’t tolerate cyberbullying or unnecessary, hurtful comments.”

In response to the wave of hate, Superdrug has started an online campaign with the hashtag #BeKind, joining forces with content creators Simone Powderly, Imogenation and Georgia Rankin to spread the word.

The company issued this message to social media users: “We’d like to ask that if you have nothing nice to say, that you don’t say anything at all. Please be kind to each other and keep our comments section a safe space for everyone. #BeKind.”

Online creator Rankin said she had received some highly negative messages and comments over the years. 

“These words not only hurt, they stay with you, making you doubt yourself and feel unworthy,” said Rankin. “This has to stop.” 

Superdrug has also teamed up with international youth organization Ditch the Label to remind social media users to treat each other with respect. 

Ditch the Label runs a program of research, support channels and education to support young people who are being bullied or who experience mental health, relationship and identity issues.

The organization's chief executive and founder, Liam Hackett, said: “At Ditch the Label, we are committed to working towards a world that’s fair, equal and free from all types of bullying. It’s always encouraging when other voices join our cause so we are delighted to support Superdrug with the anti-bullying initiative #BeKind in making a stand against online bullying. Together we can make a difference in the lives of anyone affected by bullying and online abuse.”

Cofense Detects HMRC #COVID19 Tax Relief Scam

Info Security - Wed, 07/15/2020 - 14:20

The Cofense Phishing Defense Center (PDC) has observed a new email-based phishing scam that aims to harvest Her Majesty's Revenue and Customs (HMRC) credentials and sensitive personal information by preying on UK workers who are expecting COVID-19 tax relief grants.

According to Cofense, the threat actors use a legitimate-looking email address with the impersonated organization in the name, and set the sender display name to match (HM Revenue & Customs). They also use the somewhat poorly written subject line “Helping you during this covid from government.”

Receivers of the email are presented with a notification that the government is offering between £2500 and £7500 in tax grants for those whose ability to work has been affected by the health crisis.

Jake Longden from Cofense PDC explained: “The email includes a link to check their [users’] eligibility. With the government publicly and repeatedly mentioning such sums, the email is believable to inattentive users. The attacker also mentions the ‘Open Government Licence v3.0,’ a legitimate copyright licence used by the Government and Crown Services, to provide additional credibility.”

Once the link is clicked, the user is presented with a realistic clone of the GOV.UK website and asked to enter personal and sensitive data.

“The volume and sensitivity of data requested far exceeds what is required to sign into a legitimate account,” Longden added. “The data requested here screams identity theft/impersonation.”

The user is then directed to a ‘loading page’ constructed to give the impression that the data entered is being processed and verified for the tax claim. In fact, the information is harvested by the scammers and no tax relief is generated.

Media and Video Companies Suffer Huge Increase in Cyber-Attacks

Info Security - Wed, 07/15/2020 - 11:40

The media industry suffered 17 billion credential stuffing attacks over the course of two years, as part of a huge increase in attacks against the sector.

According to research by Akamai, between January 2018 and December 2019, 20% of the 88 billion total attacks recorded were against media companies. The company also recorded 630% and 208% year-over-year increases in attacks against broadcast TV and video sites, respectively.

Steve Ragan, Akamai security researcher and author of the State of the Internet/Security report, said: “As long as we have usernames and passwords, we’re going to have criminals trying to compromise them and exploit valuable information.

“Password sharing and recycling are easily the two largest contributing factors in credential stuffing attacks. While educating consumers on good credential hygiene is critical to combating these attacks, it’s up to businesses to deploy stronger authentication methods and identify the right mix of technology, policies and expertise that can help protect customers without adversely impacting the user experience.”

Video sites are not the sole focus of credential stuffing attacks within the media industry. The report noted a staggering 7000% increase in attacks targeting published content. Newspapers, books and magazines sit squarely within the sights of cyber-criminals, indicating that media of all types appear to be fair game when it comes to these types of attacks.

In an email to Infosecurity, Alex Guirakhoo, threat research team lead at Digital Shadows, said credentials for video and music streaming services are in high demand on cyber-criminal platforms. He said streaming accounts made up 13% of all listings he had observed, surpassed only by bank or financial accounts, which comprised 25% of all listings.

“Attackers can obtain these accounts cheaply and efficiently using credential stuffing tools, which prey on password reuse,” Guirakhoo said. “Individual streaming accounts can be purchased for an average of under $10. These accounts are also frequently traded for free on cyber-criminal forums like XSS and RaidForums, likely to help build a sense of community among forum users."

Leo Pate, application security consultant at nVisium, said credential stuffing attacks are easy and low-risk to conduct, and deliver a high return on investment (ROI) if successful. “From a criminal point-of-view, most media platforms don't offer strong security controls, like multi-factor authentication, or users simply do not take advantage of them even if available, thereby resulting in a higher rate of successful compromise,” he added.

“Additionally, some media platforms utilize the same credentials in other platforms they own; for example, Amazon Prime Video and Amazon Prime. Therefore, a successful compromise of an Amazon Prime Video account will likely lead to a successful compromise of an Amazon Prime account as well. This also enables the criminal to potentially [access] even more financial and personal information.”

CISA: Patch Critical SAP RECON Bug Now

Info Security - Wed, 07/15/2020 - 10:30

The US government is urging SAP customers to patch a critical vulnerability published earlier this week, which could affect as many as 40,000 customers.

Released as part of the software giant’s July patch update round, CVE-2020-6287 affects the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard.

According to an alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the bug stems from a lack of authentication in the component.

“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications,” it explained.

“The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability.”

As SAP NetWeaver AS Java underpins a large range of SAP applications, the potential impact is severe. Affected applications include: SAP Enterprise Resource Planning, Product Lifecycle Management, Customer Relationship Management, Supply Chain Management, Supplier Relationship Management, NetWeaver Business Warehouse, Business Intelligence, NetWeaver Mobile Infrastructure, Enterprise Portal, Process Orchestration/Process Integration, Solution Manager, NetWeaver Development Infrastructure, Central Process Scheduling, NetWeaver Composition Environment, and Landscape Manager.

Onapsis Research Labs, which discovered the vulnerability, named it RECON and warned that the CVSS 10.0 bug could affect more than 40,000 global SAP customers.

It could allow remote attackers to steal PII from employees, customers and suppliers, delete or modify financial records, change banking details, disrupt operations and much more, the vendor claimed.

“The business impact of a potential exploit targeting RECON could be financial loss, compliance violations and reputation damage for the organization experiencing a cyber-attack,” it added.

More Malware Found Hidden in Chinese Tax Software

Info Security - Wed, 07/15/2020 - 10:15

A malware campaign hiding backdoors in mandatory Chinese corporate tax software is far more extensive than at first thought, according to researchers from Trustwave.

The vendor warned last month that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.

China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme, indicating that the malware campaign has either direct sponsorship from the government, or is happening with its blessing.

Soon after Trustwave reported on the powerful GoldenSpy backdoor, which it said could not be removed, an uninstaller appeared out of the blue which directly negates the threat.

Now the vendor has discovered a second piece of malware, dubbed GoldenHelper, which dates back to before GoldenSpy. It’s found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino, Nou Nou Technologies.

The malware, while functionally different to GoldenSpy, has a similar delivery mechanism, according to Trustwave’s VP of cyber-threat detection and response, Brian Hussey. It utilizes three DLL files to: interface with the Golden Tax software; bypass Windows security and escalate privileges; and download and execute arbitrary code with system-level privileges.

It also uses multiple techniques to hide its presence and activity, including randomizing its filename while in transit and its location on the file system, timestomping, an IP-based Domain Generation Algorithm (DGA), and UAC bypass and privilege escalation.

Active from January 2018 to July 2019, the malware delivered a final payload of “taxver.exe,” although Hussey admitted his team has yet to get hold of a sample for analysis.

“Several individuals report receiving an actual Windows 7 computer (Home edition) with this Golden Tax software (and GoldenHelper) preinstalled and ready to use. This deployment mechanism is an interesting physical manifestation of a Trojan horse,” he continued.

“Trustwave SpiderLabs understands that the VAT tax invoice software is a government requirement and recommends that any system hosting third-party applications with a potential for adding a gateway into your environment, be isolated and heavily monitored with strict processes and procedures in their usage.”

Experts: Patch Wormable DNS Server Bug Immediately

Info Security - Wed, 07/15/2020 - 09:17

Microsoft has released yet another gargantuan security update this month, fixing 123 vulnerabilities including 18 marked critical.

The July Patch Tuesday is close to the largest ever update, which came last month, fixing 129 bugs, and is the fifth month in a row that the Redmond giant has issued patches for over 100 software flaws.

Although none of the bugs listed are known to be actively exploited in the wild, four of the critical vulnerabilities are marked as “exploitation more likely.”

Gill Langston, head security nerd at SolarWinds MSP, urged administrators to tackle one of these, CVE-2020-1350, first.

“While there are vulnerabilities listed in many areas this month, I cannot stress enough how important the patch for Microsoft DNS server is for this month. While restarting your DNS server or the Active Directory server it is a part of was likely not in this week’s plans, you should really consider making this patch your number one priority,” she argued.

“Since nearly everyone is running DNS with Active Directory, bad actors are likely to see the high target count this offers and develop exploits rather quickly. If you cannot patch it, at least set aside some time to deploy the workaround to protect this important part of your infrastructure until you can deploy the patch.”

The 18 critical CVEs affect Windows, IE, Office, SharePoint, .Net Framework and Visual Studio. Ivanti senior product manager, Todd Schell, said the OS, browser and Office should be prioritized, but that SharePoint, .Net and Visual Studio should not be neglected.

“Microsoft has also included Servicing Stack Updates (SSUs) for all Windows versions in this month’s updates that resolves a critical vulnerability, which is a first,” he added.

“CVE-2020-1346 is an elevation of privilege vulnerability in Windows Modules Installer that could allow an attacker to gain elevated privileges on the affected system. In this case the attacker would need to execute code on the target system. This vulnerability affects all Windows OSs including Windows 7, Server 2008 and 2008 R2.”

US the Primary Target of ‘Significant’ Cyber-Attacks

Info Security - Wed, 07/15/2020 - 08:20

The US experienced far more ‘significant’ cyber-attacks than any other country between May 2006 and June 2020, according to a new analysis by Specops Software, which used data from the Center for Strategic and International Studies (CSIS).

The study outlined the degree to which countries around the world are targeted by significant attacks, defined as attacks on a country’s government agencies, defense and high-tech companies, or economic crimes resulting in losses in excess of $1m.

It found the US faced 156 such attacks – equivalent to 11 per year – over this timeframe, while in second place was the UK at 47. This included the large-scale cyber-attack deployed across the Labour Party’s digital platforms during the 2019 general election. The country experiencing the third highest number of significant attacks was India, at 23.

Next on the list was Germany (21), followed by South Korea (18), Australia and Ukraine (both 16). Interestingly, China, Iran and Saudi Arabia each experienced 15 of these kinds of attacks during the period studied.

The countries which faced the lowest number of significant attacks were North Korea (5), Turkey (6) and Vietnam (6).

Darren James, cybersecurity expert from Specops Software, commented: “No one can rest on their laurels when it comes to cybersecurity. This research highlights the frequency of cyber-attacks which have devastatingly affected key political, social and economic institutions within different countries.

“Whilst some countries have had to deal with more cyber-attacks classified as significant than others, it’s an important reminder for those in notable positions of power the role they can play in providing the public sufficient and continual governance on what best practices they can implement to prevent their IT estate from being exploited by opportunistic cyber-criminals.”

‘Secure’ Chat App Spies on Users

Info Security - Tue, 07/14/2020 - 18:00

A chat app that claims to be secure has been found to be an instrumental part of a long-running cyber-espionage campaign believed to be based in the Middle East.

Researchers at ESET said claims that Android app Welcome Chat and the website promoting and distributing the app are both secure “couldn't be further from the truth.”

While functioning as a communication app, Welcome Chat was found to simultaneously be serving as spyware, harvesting data for a campaign with links to threat group Gaza Hacker, also known as Molerats. 

“In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet,” said Lukáš Štefanko, the ESET researcher who conducted the analysis of Welcome Chat.

Researchers found that the app does not encrypt the data it transmits, leaving users vulnerable to exposure. 

“Unfortunately for the victims, the Welcome Chat app, including its infrastructure, was not built with security in mind," said Štefanko. 

“Transmitted data is not encrypted, and because of that, not only is it freely accessible to the attacker, but also to anyone on the same network.”

While posing as a secure and legitimate app, Welcome Chat was never available on the official Android app store. However, the app behaves like any other chat app downloaded from outside Google Play, requiring the setting “Allow installing apps from unknown sources” to be activated.

After installation, the app requests permission to send and view SMS messages, access files, record audio, and access contacts and device location. As soon as the permissions are granted, Welcome Chat starts receiving commands from its command and control (C&C) server and uploads any harvested information.

In addition to stealing chat messages, the app leaks sent and received SMS messages, call history, contact list, photos, phone call recordings, and the device’s GPS location.

ESET researchers tried to establish whether Welcome Chat is an attacker-Trojanized version of a clean app, or a malicious app developed from scratch. 

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability, but our best guess is that no such app exists,” said Štefanko.

Herjavec Group Acquires Securience

Info Security - Tue, 07/14/2020 - 17:00

Global cybersecurity firm Herjavec Group has acquired an identity and access management and IT security consulting firm based in the UK.

Group founder and CEO Robert Herjavec, known to millions as a leading investor on the Emmy Award–winning TV show Shark Tank, announced the acquisition of British company Securience on July 9.

Identity management experts Doug Chin and Mike Sims founded Securience in 2014. The company drives identity and access management programs for complex global enterprises with the use of proprietary technologies for deploying and managing large-scale identity environments. 

Last year, Securience won Best IAM Solution Provider UK 2019 at the AI Cyber Security Awards and was listed among the finalists in the category of Security Company to Watch 2019 by Computing Security.  

Herjavec Group has offices and security operations centers across the United States, UK and Canada. The acquisition has been undertaken with the aim of expanding Herjavec Group’s existing capabilities, which have been formally recognized by Forrester, IDC and Gartner.

Herjavec said that the erosion of the traditional office work environment had heralded the need for change in cybersecurity practices.

“As more businesses shift to remote work, traditional perimeters are rapidly evaporating, fueling the growth for strong identity services and products,” said Herjavec. 

“As a result of this flexible workforce environment, CIOs and CISOs are challenged with the need to safeguard access controls in order to ensure that the right people are accessing the right data and systems for the right reasons.”

Following the acquisition, Herjavec Group is now deploying Securience's proprietary tools, including: Data Manager, a staging solution and analytics tool; Access Anywhere, which enables enterprises to externalize critical business activities such as line manager approvals, user access reviews or recertifications, and notifications of violations and issues; and an all-in-one data integration platform.

Securience's managing director, Doug Chin, said the acquisition presented an opportunity for the company he cofounded to expand. 

He added: “We are excited to be able to enhance, expand, and grow our identity services across the globe. Herjavec Group is well-known in the security space, and our team is excited to be able to work with like-minded professionals that are as passionate about security as our team.”

Park Place Technologies Appoints Security and Army Veteran as its First CISO

Info Security - Tue, 07/14/2020 - 16:05

Park Place Technologies, a global IT leader focused on optimizing data centers and IT infrastructure for 17,000 customers, today announced that John Parlee has joined the company as its first Chief Information Security Officer (CISO).

Parlee brings an impressive background of security knowhow and expertise to the role having previously served as director of information security at VMware Carbon Black, head of information security for the Cognex Corporation and as a security engineer for the MITRE Corporation. He also holds degrees from Carnegie Mellon University and the United States Military Academy at West Point, and served as a Captain in the United States Army and the United States Army Reserve.

In his new role, Parlee will lead development and implementation of the Park Place security strategy, management of security threats and vulnerabilities and compliance with relevant security requirements and privacy laws.

Currently providing remote hardware monitoring, Park Place is increasing its focus on security as it prepares to expand its service offerings to discovery and network analytics.

“I am impressed with Park Place’s mission and commitment to customers,” said Parlee. “I look forward to working with the innovative team at Park Place to ensure that security and privacy are top priorities as the company continues to rapidly grow.”

Chris Adams, president and CEO, Park Place Technologies, added: “The addition of John and his security expertise to our team will strengthen our ability to fulfil compliance requirements and minimize risk. His appointment demonstrates that we take the security of our customers very seriously.”

US Army Seeks Cryptocurrency Tracing Tools

Info Security - Tue, 07/14/2020 - 14:45

The United States Army has expressed interest in kitting out its principal investigative division with cryptocurrency tracing tools.

In a Statement of Work (SOW) published July 10, the Army's Criminal Investigation Command's Major Cybercrime Unit (MCU) began the process of welcoming bids from contractors. 

Instead of software or hardware offerings, the Army is inviting vendors of SaaS (Software-as-a-Service) solutions to come forward and provide information for planning purposes. Contractors have until July 20 to accept the Army's invitation to express interest.

According to the document, the US Army Contracting Command-New Jersey (CC-NJ) located at Fort Dix, NJ, is "surveying the market for potential contractors capable of providing one license for one user of a cloud, web-based application capable of assisting law enforcement to identify and stop actors who are using cryptocurrencies for illicit activity such as fraud, extortion, and money laundering."

The Army isn't interested in developing an app from scratch, but instead wants to garner information about pre-existing web-based applications. 

Applications submitted must enable users to conduct an in-depth investigation into the source of cryptocurrency transactions and provide multi-currency analysis "from Bitcoin to other top cryptocurrencies."

The SaaS solution must provide real-time Bitcoin and other cryptocurrency transaction tracing, to include service attribution and identification, and must be able to spot transaction patterns and interaction with other entities. 

Furthermore, it must have the capability to set up unlimited individual user accounts with unlimited queries available.

To facilitate the analysis of data, the app must have some type of visualization and/or link analysis tool and must be capable of exporting graphs and generating reports as a CSV, PDF or image file.

This latest publication comes almost a year after the Army shared a pre-solicitation notice that revealed users of the app will be located throughout the US and overseas where there is a CCIU (Computer Crimes Investigation Unit) presence. 

Previously, the Pentagon looked into the use of cryptocurrency in a war game designed around domestic civil unrest. Documents obtained by The Intercept detailed a scenario in which a "rebellion" launched by Gen Z included the use of crypto to redistribute stolen funds.

Senior Catalonian Politician’s Phone Allegedly Targeted By Government Spyware

Info Security - Tue, 07/14/2020 - 14:42

A senior Catalonian politician has claimed his phone was targeted with spyware by the Spanish government in a case of possible domestic political espionage, it has been reported by The Guardian newspaper today.

Roger Torrent, the speaker of the Catalan parliament, and at least two other pro-independence supporters have reportedly been told their phones were targeted last year using ‘Pegasus’ spyware, which its maker, Israeli firm NSO Group, says is only sold to governments to track criminals and terrorists.

The warning came from researchers working with WhatsApp, who believe the attacks occurred in a two-week period from April to May 2019, when 1,400 of its users were allegedly targeted by Pegasus. WhatsApp’s owner, Facebook, has since begun legal proceedings against NSO Group over the matter.

According to a Facebook lawsuit, the Pegasus spyware exploited a previous vulnerability in WhatsApp’s software, potentially enabling the operator to access everything on the target’s phone, including emails and text messages. It may have even been able to turn on the phone’s recorder and camera and listen in on conversations.

Quoted in The Guardian, Torrent said: “It seems wrong that politicians are being spied on in a democracy with the rule of law. It also seems to me to be immoral for a huge amount of public money to be spent on buying software that can be used as a tool for the persecution of political dissidents.”

Commenting on the story, Joe Hancock, head of cyber at law firm Mishcon de Reya, said: “The debate around intrusive surveillance can be uncomfortable, balancing rights to privacy against lawful intrusions to protect public safety.

“Eavesdropping and 'bugging' has been used for decades and is viewed as part of legitimate law enforcement activity, although it also happens as part of commercial espionage. Traditional eavesdropping requires the listener to have a level of physical access to their target. This is not the same for the tools allegedly used in this attack, which can be used to target devices internationally.

“We are likely to see more attacks like this one come into the news. When malicious software is found on a device, there is no evidence on the device of the governance or legal process that may have led to the attack being appropriately authorized or not. There may be legitimate reasons and due process for a specific target being selected, whether we agree with that selection or not. All we can do is ensure that oversight and governance of surveillance is appropriate and that we control the availability of these tools where possible.”

In response to the allegations, the Spanish Prime Minister’s office stated: “The government has no evidence that the speaker of the Catalan parliament, Roger Torrent, the former MP Anna Gabriel and the activist Jordi Domingo have been the targets of hacking via their mobiles.

“Furthermore, we must state that any operation involving a mobile phone is always conducted in accordance with the relevant judicial authorization.”

Categories: Cyber Risk News

UK Bans Deployment of Huawei Technology Over Security Fears

Info Security - Tue, 07/14/2020 - 13:45

UK Prime Minister Boris Johnson has ordered Huawei equipment to be removed completely from Britain’s 5G network by 2027.

After the Chinese company had been previously approved to run the UK’s 5G network on a limited basis, the UK’s National Security Council has decided to ban the purchase of 5G components from the end of this year, and ordered the removal of all existing Huawei technology from the 5G network by 2027.

According to Reuters, the National Cyber Security Center (NCSC) told ministers it could no longer guarantee the stable supply of Huawei gear after the United States imposed new sanctions on chip technology.

“This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run,” Digital, Culture, Media and Sport (DCMS) secretary Oliver Dowden told parliament. “By the time of the next election, we will have implemented, in law, an irreversible path for the complete removal of Huawei equipment from our 5G networks.”

Dowden said the decision was made after the US imposed sanctions in May, which forced Huawei to use its own microchips, and the NCSC advised ministers that it could no longer guarantee that the risk would be reduced.

The NCSC said there are no alternatives available to Huawei in which the UK has sufficient confidence, and the new restrictions make it “impossible to continue to guarantee the security of Huawei equipment in the future,” according to ITV News.

US President Donald Trump has repeatedly voiced caution over the use of Huawei technology, calling it an “agent of the Chinese Communist state,” and requested the UK follow his lead.

Huawei’s technology is used in multiple mobile networks, including BT's EE mobile network, and by Vodafone and Three for 4G and 5G capabilities. The government also wants operators to “transition away” from purchasing new Huawei equipment for use in the full-fiber network, with Dowden saying he expected this to happen within two years, according to the BBC.

Shortly before the announcement, Sky News revealed that Lord Browne, Huawei's UK chairman and the ex-chief executive of BP, would be leaving the Chinese company before his term had expired. It said he had given his notice a few days ago and would formally step down in September.

In a statement, Huawei called the decision “disappointing” and “bad news for anyone in the UK with a mobile phone.”

The statement claimed the decision will move Britain into the digital slow lane, push up bills and deepen the digital divide. “Instead of ‘levelling up’ the government is levelling down and we urge them to reconsider,” it said.

“We remain confident that the new US restrictions would not have affected the resilience or security of the products we supply to the UK.” 

Huawei said its future in the UK has become politicized and it will conduct a detailed review of what today’s announcement means for its business in the UK, “and will work with the UK government to explain how we can continue to contribute to a better connected Britain.”

Michael Downs, director of telecom security at Positive Technologies, said: “The ongoing tug of war within the UK on Huawei’s involvement in its 5G networks has come to an end. Although the government isn’t stripping Huawei’s equipment straight away, the phased approach will have a marked effect on the telecoms industry, potentially costing billions because a lot of the major UK operators such as BT and Vodafone are already using its equipment not just for 5G but previous generation networks as well.

“Long term, the decision to exclude Huawei cannot be solved with a solution as idealistically simple as just swapping it for an alternative vendor immediately. There is also the additional cost of delaying deployments, as companies have already gone through the process of testing 5G equipment from Huawei.

“This whole process – including testing – will have to be started all over again. This will mean a more expensive network for the UK and a delay that could result in its national infrastructure being inferior compared to other countries.”

Andrew Glover, chair of the ISPA, added: “The Government’s 5G announcement today provides some welcome clarity to our members who are rolling out networks and providing broadband to consumers and businesses across the UK. We look forward to further consultation with Government to determine the policy for fixed networks with a clear focus on ensuring that our members can roll out new gigabit-capable networks at pace.

“As the Secretary of State emphasized today, supply chain interventions have a direct impact on the speed at which networks can be rolled out, so any new restrictions need to be counter-balanced with an appropriate level of support for the sector.

“The Government has rightly made upgrading our digital communications infrastructure a priority, we now need to see a clear, ambitious plan from policymakers to help the companies that are leading this charge.”

Categories: Cyber Risk News

Rogue Javascript Integrations Permit Attacking Opportunities

Info Security - Tue, 07/14/2020 - 13:03

Analysis of the Alexa top 1000 websites has revealed a troubling lack of security controls required to prevent data theft and loss through client-side attacks.

According to research from Tala Security, techniques such as Magecart attacks, formjacking, cross-site scripting and credit card skimming are exploiting vulnerable JavaScript integrations running on 99% of the world’s top websites, and security effectiveness against JavaScript vulnerabilities is declining.

The research determined the average website includes content from 32 third-party JavaScript vendors, and 58% of the content that displays on customer browsers is delivered by third-party JavaScript integrations. 

“The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources,” said Aanand Krishnan, founder and CEO of Tala Security. “It’s imperative that organizations keep security top of mind and pay much closer attention to what has become a pervasive attack vector.”

Whilst 30% of the websites analyzed had implemented security policies, only 1.1% were found to have effective security in place.

Jonathan Knudsen, senior security strategist at Synopsys, said the company’s own research showed the average commercial application has well over 400 third-party open source components. He explained: “While the research conducted by Tala Security might identify 32 independent vendors, when looking at any software supply chain, it’s important to look not only at the known vendors, but also at the usage of open source software in the final product or service. After all, it’s impossible to patch something you don’t know is there.”

He also claimed it is “hardly surprising that the research found that the average website has content from 32 third-party vendors” as modern software is more assembled than it is written, with useful chunks of functionality often coming from open source, third-party software components and interactions happening via APIs with multiple other systems.

“There is nothing inherently wrong with using third-party software components, the JavaScript language, or the web ecosystem,” he argued. “Just as with anything else, risk must be managed and minimized during the construction and deployment of websites.”

Keith Geraghty, solutions architect at Edgescan, said that JavaScript is not the issue here, as it has “revolutionized the user experience on the web.”

“When we refer to vendors, we are usually referring to talented programmers who have developed tools and solutions that, along with HTML and CSS, make up the backbone of the web,” he said. “Like with all plugins and solutions, organizations need to ensure that what they use is safe, up-to-date and falling under the same controls as their traditional patch management strategy.”

Craig Young, senior security researcher at Tripwire, said: “The situation with loading so many JavaScript libraries from so many different domains greatly amplifies the risk subdomain hijacking attacks pose to the internet at large. The problem is that each third-party domain supplying unauthenticated JavaScript presents an opportunity for a server compromise to serve malicious content to unsuspecting users unless the site operator has taken specific security precautions.”

Categories: Cyber Risk News

Researchers Unmask Video Conferencing Users from Images

Info Security - Tue, 07/14/2020 - 11:00

Security researchers have warned video conferencing users not to post screen images to social media after they managed to unmask the identities of users relatively easily.

A team from Ben-Gurion University (BGU) of the Negev used image processing recognition tools and social network analysis to process 15,700 collage images and over 142,000 face images of meeting participants from Zoom, Microsoft Teams and Google Meet.

AI-based image processing algorithms allowed them to identify the same individuals’ participation at different meetings, either via facial recognition or analyzing features in the background.

According to BGU, they were able to detect faces 80% of the time, as well as gender and approximate ages.

Web-based text recognition libraries available free-of-charge allowed the researchers to work out almost two-thirds of usernames from screenshots. Images can be cross-referenced with social media data to raise further potential security and privacy risks, BGU claimed.

The researchers were able to unmask individuals as well as networks of colleagues, highlighting the risk to corporate users as well as consumers.

“The findings in our paper indicate that it is relatively easy to collect thousands of publicly available images of video conference meetings and extract personal information about the participants, including their face images, age, gender and full names,” said Michael Fire of the BGU Department of Software and Information Systems Engineering (SISE).

“This type of extracted data can vastly and easily jeopardize people’s security and privacy, affecting adults as well as young children and the elderly.”

BGU urged individuals and companies not to post video conference images or videos online and to use generic pseudonyms rather than unique usernames or real names on such platforms. A virtual background is also a better choice as real backgrounds can help “fingerprint” user accounts across multiple meetings, it added.

There was also advice for the platform-makers themselves: BGU said that by adding filters or Gaussian noise to images they can disrupt facial recognition without interfering with the image.

“Since organizations are relying on video conferencing to enable their employees to work from home and conduct meetings, they need to better educate and monitor a new set of security and privacy threats,” Fire said. “Parents and children of the elderly also need to be vigilant, as video conferencing is no different than other online activity.”

Categories: Cyber Risk News

Lack of Diversity and Career Burnout Blights Infosec Industry

Info Security - Tue, 07/14/2020 - 09:41

A lack of diversity and excessive workplace pressure are two of the top challenges for the IT security industry, according to a new study from the Chartered Institute of Information Security (CIISec).

Compiled from interviews with 445 UK industry professionals, The Security Profession 2019/2020 report revealed that over half (54%) had left a job because of overwork or burnout, or worked with someone who had.

The problem appears to be tied to industry skills shortages which leave many practitioners overwhelmed with work, especially during holidays and busy periods.

Almost two-thirds (64%) of respondents said their employers simply hope they can cope with fewer resources when necessary, whilst 51% let routine or non-critical tasks slip. This was certainly the case during the mass shift to remote working in early 2020.

Amanda Finch, CEO of CIISec, warned that the current crisis would likely put security pros under more pressure given the impact on budgets and ways of working.

“Unless the industry can learn how to do more with less while also addressing issues of diversity and burnout, risks will rise and organizations will suffer. To avoid this, we need the right people with the right skills, giving them the help they need to reach their full potential,” she added.

“This doesn’t only apply to technical skills, but to the people skills that will be essential to giving organizations a security-focused culture that can cope with the growing pressure ahead.” 

The signs don’t look good: 82% of respondents told CIISec that security budgets are not keeping pace with rising threat levels – whether because they’re rising too slowly, staying the same or falling.

A related challenge facing the profession is its continued lack of diversity. According to (ISC)2, just 24% of the global cybersecurity workers are female.

CIISec warned that a pronounced gender pay gap continues to afflict the industry in the UK.

For example, 37% of women earned less than £50,000 per year, compared to 21% of men, and only 15% of women earned more than £75,000 per year, compared to 39% of men, the study found.

Just 5% of women earned more than £100,000, versus 18% of men, and no women were paid more than £125,000 per year but 12% of men were.

“Addressing a lack of diversity in the industry isn’t only a matter of fairness,” continued Finch. “It also unlocks the skills and talents of a whole range of people who could collectively rejuvenate the industry and help reduce the huge pressure many security teams are under.”

Categories: Cyber Risk News

Millions of Logins from UK Ticket Site for Sale on Dark Web

Info Security - Tue, 07/14/2020 - 08:42

Security researchers have discovered a database containing millions of emails and usernames up for sale on the dark web, linked to a well-known UK ticketing provider.

Analysts at Israeli cyber-intelligence firm KELA detected the trove of 4.8 million records, posted to an underground site on July 8. A spokesperson for the company told Infosecurity that they managed to get hold of a sample of 10,000 emails and just 300 (3%) were duplicates.

New user “Jamescarter” is selling the details for $2500, with a .ru contact email. Although the trader claims the email/log-in data comes from a “shopping and forex trading site,” KELA is confident it belongs to customers of a popular ticketing service for live shows based in the UK.

The owners of said email addresses can expect follow-on phishing and potentially credential stuffing attacks if the details are sold.

Although most are from commercial webmail providers, there are also government domains in the haul, potentially putting these high-value accounts at risk of compromise.

Interestingly, the compromised ticketing provider has had its website defaced in the past and was also identified by KELA on a Pastebin list of “websites vulnerable to SQL Injection," although it’s not known if the two incidents are connected.

Affected users are located mainly in the UK, US, New Zealand, Australia, South Africa, Germany and France, the firm explained.

Credential stuffing alone costs EMEA organizations in the region of $4m each year, according to research from Akamai last year. This was calculated based on the cost of application downtime, loss of customers, extra work for IT security teams and the cost of follow-on fraud.

Categories: Cyber Risk News

Bitcoin Thieves Hit Cashaa

Info Security - Mon, 07/13/2020 - 18:15

Cyber-criminals have compromised a British cryptocurrency exchange, making off with over $3m in Bitcoin. 

Cashaa has halted all its crypto-related transactions after cyber-criminals stole more than 336 Bitcoin from its exchange. The company has said that, prima facie, users have not been impacted by the theft.

In a media brief shared with Cointelegraph, Cashaa’s CEO Kumar Gaurav said: “We are still investigating the damage caused by the incident and suspend all the withdrawals for 24 hours.”

Kumar said that the theft occurred after malicious hackers compromised one of the exchange’s digital wallets. Once access had been gained, the hackers sent the cryptocurrency contained within the wallet to themselves. 

Gaurav said that he had reason to believe that the cyber-criminals who hit Cashaa are based in East Delhi, India. Acting on this suspicion, the exchange has filed a cyber-crime incident report with the Delhi crime bureau under the cryptocurrency crime category.

A meeting of Cashaa’s board has been called to determine whether the company will bear all the losses associated with the crime.

Cashaa said it believes that to carry out the theft, cyber-criminals installed malware onto a computer used to make exchange transfers like user withdrawals. This malware sent a notification to the cyber-criminals at 1:23pm on July 10 when an employee logged into the account and made two transfers from a wallet. It was this wallet that was then compromised and illegally relieved of over 336 Bitcoin. 

The company is now taking steps to prevent the cyber-criminals who hit Cashaa from selling the stolen cryptocurrency on exchanges. On Twitter, Cashaa posted the Bitcoin address of the hacker in hopes of tracking any movement of the illegally acquired funds. 

Gaurav said Bitcoin thefts were on the rise because some cryptocurrency exchanges made it easy for cyber-criminals to launder stolen funds.

“As of today, hackers are very confident to hack crypto addresses and move it through exchanges that are facilitating such laundering through their systems,” said Gaurav.

“Exchanges like these must be shut down and owners of these exchanges should be charged with money laundering facilitation crime.” 

Categories: Cyber Risk News