Cyber Risk News

Police Efforts Help to Erode Trust on Dark Web

Info Security - Tue, 06/02/2020 - 09:08

Law enforcement activity over recent years is eroding trust on the dark web and forcing cyber-criminals to try new tactics, according to new Trend Micro research.

The security vendor’s latest report, Shifts in Underground Markets, charts changes over the past five years, which has seen the takedowns of numerous marketplaces including Evolution, AlphaBay and Hansa.

Trend Micro found widespread concern among cyber-criminals frequenting such sites that police may be monitoring them or the administrators themselves may try an exit scam. Others complained of login problems and frequent DDoS attacks, which may also stem from law enforcement efforts.

In a bid to rebuild trust, a new site dubbed DarkNet Trust was created to verify vendors’ reputations by analyzing their usernames and PGP fingerprints. Other efforts include security measures such as direct (walletless) buyer-to-vendor payments, multi-signatures on BTC and Monero, encrypted messaging, and a ban on JavaScript, according to the report.

In the absence of a stable and secure forum in which to advertise their wares, some cyber-criminals are turning to the gaming chat platform Discord and to e-commerce platforms to buy and sell.

Trend Micro principal security strategist Bharat Mistry said the firm expects new tools and techniques to flood dark web sites going forward.

“AI will be at the centre of these efforts. Just as it’s being used by Trend Micro and other companies to root out fraud, sophisticated malware and phishing, it could be deployed in bots designed to predict roll patterns on gambling sites. It could also be used in deepfake services developed to help buyers bypass photo ID systems, or launch sextortion campaigns against individuals,” he explained.

“Some emerging trends are less hi-tech but no less damaging. Access to devices, systems and accounts is so common today that we’re already seeing it spun out in ‘as-a-service’ cybercrime offerings. Prices for access to Fortune 500 companies can hit as much as $10,000.”

Categories: Cyber Risk News

Researcher Gets $100,000 for Sign in with Apple Zero Day

Info Security - Tue, 06/02/2020 - 08:25

A security researcher has been awarded $100,000 by Apple after disclosing a critical flaw in the firm’s sign-in process for third-party sites.

Bhavuk Jain discovered the zero-day bug in Sign in with Apple, the Cupertino giant’s supposedly more privacy-centric version of Login with Facebook and Sign in with Google.

The system works in a similar way to OAuth 2.0: users can be authenticated with either a JSON Web Token (JWT), or a code generated by an Apple server which is then used to generate a JWT.

Once the authorization request has been submitted, Apple gives the user the option of sharing their Apple Email ID with the third-party app they are signing in to, or of hiding it.

“If the user decides to hide the Email ID, Apple generates its own user-specific Apple relay Email ID. Depending upon the user selection, after successful authorization, Apple creates a JWT which contains this Email ID which is then used by the third-party app to login a user,” explained Jain.

“I found I could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account.”

The repercussions were serious: an attacker could have used the technique to take over user accounts on any third-party service that trusted the email claim in the token.

Jain warned that users of popular third-party apps such as Dropbox, Spotify and Airbnb could have been exposed by the bug if those apps had not put their own additional authentication checks in place.

“Apple also did an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability,” he explained.

The researcher received the payout after responsibly disclosing the bug through the Apple Security Bounty program.
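How a relying party should consume a Sign in with Apple identity token, as an added example (not Jain's code and not Apple's): the RS256 signature is checked against the key named by the token's kid (in production fetched from Apple's JWKS endpoint, https://appleid.apple.com/auth/keys; here a locally generated toy RSA key stands in so the block runs offline), then iss, aud, exp and nonce are checked, and only then is the account looked up by the stable sub claim rather than by email. The client id, nonce, accounts and tokens are constructed, and the toy RSA and token-minting code exists only to build test input. Jain's write-up describes only the forged email claim, so the sub-keyed outcome shown assumes such a token's sub still identified the requesting account, which is how Apple documents the claim but not something the article establishes.

```python
"""Relying-party verification of a Sign in with Apple style identity token (stdlib only).
Added example: the RSA keypair, client id, nonce and tokens are constructed locally."""
import base64, hashlib, json, secrets, time

# --- toy RSA PKCS#1 v1.5 / SHA-256 so the example runs offline (not for production use) ---
def _is_probable_prime(n, rounds=16):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit size, odd
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=1024):
    """Return ((n, e), (n, d)); the public half plays the role of one key in Apple's JWKS."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                               # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg, k):
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, msg, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(msg, k))

# --- JWT plumbing ---
def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(priv, claims, kid):
    """Stand-in for Apple's token issuance; used only to build test input."""
    signing_input = _b64u(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(rsa_sign(priv, signing_input.encode()))

APPLE_ISSUER = "https://appleid.apple.com"   # documented issuer of Sign in with Apple tokens

class TokenError(Exception):
    pass

def verify_id_token(token, jwks, client_id, expected_nonce, now=None):
    """Signature first, then the claims every relying party must check; returns the verified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64u_decode(h64))
    if header.get("alg") != "RS256":                           # refuse alg=none / HMAC downgrades
        raise TokenError("unexpected alg")
    pub = jwks.get(header.get("kid"))
    if pub is None or not rsa_verify(pub, f"{h64}.{p64}".encode(), _b64u_decode(s64)):
        raise TokenError("bad signature or unknown kid")
    claims = json.loads(_b64u_decode(p64))
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != client_id:
        raise TokenError("token was issued for another app")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch: possible replay")
    return claims

def demo():
    """One validly signed token, two lookup keys: email-keyed resolves to the victim, sub-keyed does not."""
    pub, priv = rsa_keygen()
    jwks, client_id, nonce, now = {"k1": pub}, "com.example.app", "n-" + secrets.token_hex(8), int(time.time())
    accounts_by_sub = {"001.victim": "victim-account", "001.attacker": "attacker-account"}
    accounts_by_email = {"victim@example.com": "victim-account"}
    # Constructed: a token signed for the attacker's session that carries the victim's email claim.
    token = mint_id_token(priv, {"iss": APPLE_ISSUER, "aud": client_id, "exp": now + 600, "nonce": nonce,
                                 "sub": "001.attacker", "email": "victim@example.com"}, "k1")
    claims = verify_id_token(token, jwks, client_id, nonce, now)
    return {"email_keyed": accounts_by_email.get(claims["email"]),   # account takeover
            "sub_keyed": accounts_by_sub.get(claims["sub"])}         # attacker reaches only their own account
```

Signature validity was never the weak point in this bug: the forged tokens were genuinely signed by Apple, so the relying-party decision that changes the outcome is which claim keys the account lookup. An email-keyed lookup turns the forged claim into a takeover; a sub-keyed lookup, plus the aud and nonce checks above, limits a token to the app and login attempt it was minted for.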


Major Upgrade for Channel Island's Telecom Network

Info Security - Mon, 06/01/2020 - 18:54

Guernsey is to benefit from a major performance upgrade and security enhancement to its telecom network.

British technology and network services company Telent Technology Services Ltd. (telent) has been awarded a contract by Sure to upgrade the service provider’s core network.

Under the contract, Telent will replace Sure’s existing 10G core network with a 100G Juniper Networks core network. The upgrade is being undertaken to allow Sure to deliver faster, more reliable internet connectivity to its consumer and business customers across the island as increasing bandwidth usage and data consumption create what Telent described as "unprecedented demand."

“Growing data consumption means demand for higher network capacity and speed is growing and service providers must ensure they are delivering on that,” said Shani Latif, sales director at Telent. 

“This upgrade for Sure will incorporate the latest technologies to ensure a future-proof network, while our experience and knowledge of the service provider market will minimize customer disruption and ensure work is completed efficiently.”

Once complete, the move to 100G will benefit people beyond the island's sandy beaches and picturesque bays: as a core network, it will also deliver increased capacity to London and Paris, connecting the Channel Islands to the rest of the world.

The upgrade will provide extra capacity for growth, future-proofing the network as growing and new technologies, including Fiber-to-the-Home (FTTH) and 5G, are rolled out commercially. 

Mindful of the need for cybersecurity, Telent will implement a joint Juniper-Corero Distributed Denial of Service (DDoS) solution to provide real-time, automated DDoS protection.

Sure Group CEO Ian Kelly said that ensuring people can stay connected is more important than ever as the COVID-19 health crisis limps on. 

“The current situation is a clear reminder that telecoms are a key and growing component of our economy and daily lives,” said Kelly. 

“This network upgrade is a significant long-term investment to ensure we can continue to meet customer expectations now and in the future. We are pleased to be working with Telent which has a long history and strong reputation in the design, upgrade, build and maintenance of critical networks.”

Work on the project has already started and is expected to be completed by early 2021.


Minneapolis City and Police Websites Attacked

Info Security - Mon, 06/01/2020 - 17:30

Police and city websites in Minneapolis have come under cyber-attack as both lawful protests and illegal rioting continue across America. 

The nationwide social upheaval was triggered by the death of Houston native George Floyd in the city a week ago. Floyd died after 44-year-old police officer Derek Chauvin arrested him and kneeled on his neck for nearly nine minutes despite the handcuffed man's pleas that he could not breathe.

Floyd, who had recently lost his job due to the COVID-19 pandemic, was arrested after allegedly using forged money to pay a bill at a grocery store. 

Following Floyd's tragic death, filmed by bystanders who sadly let the chance to intervene slip through their fingers, Chauvin was fired from his job. The former cop was arrested and charged with third-degree murder and second-degree manslaughter on May 29.

Chauvin's arrest has not put an end to the peaceful protests inspired by the police officer's failure to uphold a sworn promise to protect and serve the public. Nor has it doused the outbreaks of looting and vandalism that have seen American businesses, churches, and educational establishments raided, torched, and destroyed.  

Some of the city of Minneapolis' public websites and systems were hit by a cyber-attack on Thursday morning. A city spokesperson told The Hill that a denial of service (DoS) attack had resulted in the temporary shutdown of some websites and systems. 

Within hours of the incident, 95% of affected systems and sites were back up and running. It is not known whether the attack was specifically linked to the protests over Floyd's death or simply timed to exploit a city in turmoil. 

“Although these types of attacks are not completely unavoidable, they are fairly common, and the City of Minneapolis has proactive measures in place to respond to and mitigate disruptions when they do occur,” the spokesperson said. 

“The City of Minneapolis IT continues to monitor its cyber platforms to ensure further disruption doesn't happen again.”

A DoS attack was also levied at the state level. In a news briefing delivered yesterday, Minnesota governor Tim Walz said Minnesota's computers were assaulted on Saturday night.

"Before our operation kicked off last night, a very sophisticated denial of service attack on all state computers was executed," said Walz.


Payment App Data Breach Exposes Millions of Indians' Data

Info Security - Mon, 06/01/2020 - 16:24

A major data breach at mobile payment app Bharat Interface for Money (BHIM) has exposed the personal and financial data of millions of Indians.

The breach occurred after BHIM failed to securely store vast swathes of data collected from users and businesses during a sign-up campaign.

On April 23, researchers at vpnMentor made the alarming discovery that all the data related to the campaign was publicly accessible after being stored in a misconfigured Amazon Web Services S3 bucket.

"The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals," wrote researchers.  

Data exposed in the breach included scans of Aadhaar cards (India’s national ID cards), caste certificates, professional and educational certificates, photos used as proof of residence, Permanent Account Number (PAN) cards associated with Indian income tax services, and screenshots captured within financial and banking apps as proof of fund transfers—all documents needed to open a BHIM account.

Private personal user data contained within these documents included names, dates of birth, age, gender, home address, Caste status, religion, biometric details, fingerprint scans, ID photos, and ID numbers for government programs and social security services.

Over 7 million records dating from February 2019 were exposed, some of which belonged to people aged under 18 years old.

After investigating the breach, vpnMentor's team found 409 GB of data stored insecurely by BHIM. Researchers traced the bucket back to BHIM because it was labeled “csc-bhim.”

Researchers informed BHIM of their discovery but did not receive a response, so contacted India’s Computer Emergency Response Team (CERT-In). 

"Many weeks later, we contacted CERT-In a second time," wrote researchers. "Shortly thereafter, the breach was closed."
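A check for the exposure class described here, added as an example (not vpnMentor's tooling and not the real bucket's configuration): it evaluates the documents that S3's GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls return and reports a bucket that is world-readable through an AllUsers or AuthenticatedUsers ACL grant, or through an Allow statement for principal "*". The sample documents, bucket name and account id are constructed, and the effective-access model is a deliberate simplification of Block Public Access semantics.

```python
"""Offline evaluation of S3 bucket ACL, bucket policy and Block Public Access documents.
Added example; the sample documents below are constructed, not a real bucket's configuration."""

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",  # any AWS account at all
}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def _principal_ids(principal):
    """Normalise Principal ('*', {'AWS': '*'}, {'AWS': [...]}) to a flat set of strings."""
    if isinstance(principal, str):
        return {principal}
    return {p for v in principal.values() for p in _as_list(v)}

def public_acl_grants(acl):
    """(group, permission) pairs granted to the two public groups."""
    return [(PUBLIC_GRANTEES[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]

def public_policy_statements(policy):
    """Allow statements whose principal is '*'; a Condition block means 'review by hand', not 'safe'."""
    out = []
    for s in policy.get("Statement", []):
        if s.get("Effect") == "Allow" and "*" in _principal_ids(s.get("Principal", {})):
            out.append({"Sid": s.get("Sid"), "Action": _as_list(s.get("Action")),
                        "Conditional": bool(s.get("Condition"))})
    return out

def is_world_readable(acl, policy, public_access_block):
    """Simplified effective-access model: IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises a public bucket policy (Block Public Access semantics)."""
    pab = public_access_block or {}
    acl_open = bool(public_acl_grants(acl)) and not pab.get("IgnorePublicAcls", False)
    policy_open = (any(not s["Conditional"] for s in public_policy_statements(policy))
                   and not pab.get("RestrictPublicBuckets", False))
    return acl_open or policy_open

# Constructed: the shape of a bucket left open for a sign-up campaign.
WEAK_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-signup-bucket/*"}]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Corrected: owner-only ACL, a policy scoped to the uploading role, and Block Public Access on.
HARDENED_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [WEAK_ACL["Grants"][0]]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "UploaderOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/signup-uploader"},
     "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::example-signup-bucket/*"}]}
FULL_BLOCK = {k: True for k in NO_BLOCK}
```

Block Public Access at the account level is the control that would have made the ACL and policy mistakes harmless regardless of how the bucket was created; the per-bucket findings above are what an auditor reads when it is off.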

The Indian mobile payment app was launched in 2016 to facilitate instant e-payments and money transfers between bank accounts via a user's smartphone. By 2020, the popular app had been downloaded 136 million times, according to non-profit business consortium, the National Payments Corporation of India (NPCI).


Aussie Football Site Leaks 70 Million Records

Info Security - Mon, 06/01/2020 - 11:00

An Australian football fan site has been found leaking 70 million records, including users’ personal details and racist private messages, via an unprotected Elasticsearch instance.

The 132GB leak was discovered by SafetyDetectives researchers led by Anurag Sen and is linked to BigFooty, a website and mobile app dedicated to Aussie Rules Football with around 100,000 members.

Although the information found in the leak wasn’t always personally identifiable as users are mainly anonymous, some of the private messages seen by the researchers contained email addresses, mobile phone numbers and usernames and passwords for the site and live streams.

If discovered by cyber-criminals probing for misconfigured databases, the latter may have been useful for credential stuffing attacks on other sites.

Some user messages featured in the leak contained personal threats and racist content, which could be used by hackers to blackmail the individuals, SafetyDetectives argued.

“Private messages are fully exposed in the leak and can be traced back to specific users. This includes some high-profile users such as Australian police officers and government employees,” it said.

“Private information belonging to such individuals, including chat transcripts and email addresses, were found on the database which thereby creates a significant vulnerability in terms of potential blackmail and other reputational damage that could be caused.”

Technical data relating to the site including IP addresses, access logs, server and OS information and GPS data were also leaked, potentially allowing hackers to compromise other parts of the IT infrastructure, the firm added.
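An offline check for the condition behind this kind of leak, added as an example (not SafetyDetectives' tooling): it parses the flat key: value form of elasticsearch.yml and reports a node bound to a routable address while xpack.security.enabled and HTTP TLS are off. Both configurations below are constructed, a weak one and its corrected form; the setting names are Elasticsearch's own, and the defaults assumed (loopback binding, security off) are those of the 6.x/7.x releases current in 2020.

```python
"""Flag an Elasticsearch node that is reachable without authentication or TLS.
Added example; both configs are constructed, not BigFooty's."""

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text):
    """Elasticsearch configs are normally flat 'dotted.key: value' lines; that is all this parses."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line and ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg

def _truthy(value):
    return str(value).strip().lower() in {"true", "yes", "on", "1"}

def exposure_findings(cfg):
    """Reasons the REST API is reachable without protection; an empty list means not exposed."""
    hosts = {h.strip() for h in cfg.get("network.host", "_local_").split(",")}
    if hosts <= LOOPBACK_HOSTS:                       # default binding: loopback only
        return []
    findings = []
    # xpack.security.enabled defaulted to false in the 6.x/7.x releases current in 2020.
    if not _truthy(cfg.get("xpack.security.enabled", "false")):
        findings.append("REST API on %s with xpack.security.enabled=false: no authentication"
                        % ",".join(sorted(hosts)))
    if not _truthy(cfg.get("xpack.security.http.ssl.enabled", "false")):
        findings.append("HTTP TLS disabled: credentials and documents cross the network in clear")
    return findings

def is_unprotected(cfg):
    """True when anyone who can reach the port can read every index, the case described above."""
    return any("no authentication" in f for f in exposure_findings(cfg))

# Constructed weak config: bound to every interface, nothing in front of the API.
WEAK_CONFIG = """
cluster.name: fan-site
network.host: 0.0.0.0        # reachable from every interface, including the public one
http.port: 9200
discovery.type: single-node
"""

# Corrected form: private interface only, native auth on, TLS on the HTTP layer.
HARDENED_CONFIG = """
cluster.name: fan-site
network.host: 10.0.0.5       # private interface; the app talks to it, the internet never does
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""
```

The same check is worth running against a live node's GET /_nodes/settings output, since a file on disk can be overridden by command-line or environment settings; the parser here only covers the on-disk form.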

Although BigFooty didn’t respond to outreach from Sen and his team, the leak was closed shortly after they contacted the government agency the Australian Cyber Security Centre.

Over the past few months, SafetyDetectives has discovered similar accidental leaks at two popular money-saving websites and, perhaps most alarmingly, an adult live streaming site.


Trump Plans to Ban Chinese Students with Military Ties

Info Security - Mon, 06/01/2020 - 09:30

The Trump administration is reportedly accelerating plans to ban Chinese students with military ties from attending university in the US, as Beijing prepares its own national security law for Hong Kong.

American officials with knowledge of the discussions at the top of government told the New York Times that the long-mooted plan would involve cancelling student visas for Chinese students who took their undergraduate courses at military-affiliated institutions back home.

The fear is that many of these individuals may be actively selected by the Chinese government, and required to collect information from the research projects they end up working on. There’s a double threat from those same graduates then landing jobs at high-profile US tech companies and continuing their espionage activities.

It’s unclear how widespread the practice actually is, and students engaged in wrongdoing would certainly try to hide their affiliation.

Back in January, the Department of Justice (DoJ) indicted a People’s Liberation Army lieutenant who lied about her background and secured a position studying at Boston University’s (BU) Department of Physics, Chemistry and Biomedical Engineering from October 2017 to April 2019. There, she allegedly stole info for military research projects and profiled US scientists for her bosses.

Estimates suggest only around 3,000 of a potential 360,000 Chinese students in the US would be affected by the mooted plans, although if they are formally announced it will come at a significant juncture.

Washington is currently mulling how to respond to Beijing’s newly announced plans to force a national security law on Hong Kong, which would allow China’s fearsome secret police to be stationed in the supposedly semi-autonomous region.

Rebecca Bernhard, partner at international law firm Dorsey & Whitney, explained that the US plans only affect those on F and J visas, although more may be caught up in trying to prove themselves innocent.

“Due to the scrutiny to determine which students will be suspended from entry, all students and scholars will face a lot of questions and the burden will likely be on the students and scholars to document that their research program is not subject to the bar – it appears the presumption is that the bar applies and the student or scholar will need to document that it does not,” she argued. 

“Unfortunately, this suggests to me that there will be even more delays at US consulates when they finally re-open for all Chinese graduate students and scholars in engineering."


Amtrak Guest Rewards Breach Affects Personal Info

Info Security - Mon, 06/01/2020 - 08:43

Amtrak has revealed that some customers may have had their personal information and log-ins stolen after it detected unauthorized access of rewards accounts by a third party.

Also known as the National Railroad Passenger Corporation, the state-backed US transportation provider revealed the news in a regulatory filing with the Office of the Vermont Attorney General.

“On the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts,” it noted. “We have determined that compromised usernames and passwords were used to access certain accounts and some personal information may have been viewed. No financial data, credit card information or Social Security numbers were compromised.”

The statement claimed that Amtrak’s IT security team terminated the unauthorized access “within a few hours,” reset passwords for affected accounts and hired outside security experts to contain the incident and put safeguards in place.

The firm is also offering affected customers a free year’s membership for the Experian IdentityWorks fraud monitoring service, although such offerings only flag suspicious account activity after the event and won’t be able to stop the potential follow-on phishing attacks that could target users.

It’s unclear how the attacker got hold of Amtrak Guest Reward usernames and passwords in the first place, although the credentials may have been breached in another incident and were being reused by customers across multiple sites/accounts.

This isn’t the first time the railroad giant has been forced to alert the authorities about a suspected breach. In 2018, it revealed that service provider Orbitz had suffered a security incident exposing customers’ personal information.

A year later, critical vulnerabilities were discovered in the Amtrak mobile application which researchers said could lead to a data breach of at least six million Amtrak Guest Rewards accounts.

It’s unclear how many passengers were affected in the latest data breach incident.


Utah Tech CEO Jailed for Possessing Thousands of Files Depicting Child Sexual Abuse

Info Security - Fri, 05/29/2020 - 18:13

The 40-year-old one-time CEO of a Utah tech company is serving a custodial sentence after downloading over 13,000 images of child sexual abuse, bestiality, and rape. 

Douglas Eugene Saltsman was sentenced yesterday to 210 days in prison and 48 months of probation by Utah 3rd District Judge Douglas Hogan after being convicted on three felony charges of sexual exploitation of a minor. 

Addressing the virtual court, Saltsman said he had sought help from a psychiatrist after recognizing that he had illegal sexual tendencies. 

The former CEO of the now defunct blockchain and cryptocurrency company Saltmine said he was unable to control himself despite being put on medication and enrolled in therapy.

Utah's Internet Crimes Against Children Task Force raided Saltsman's Sandy home on May 7 last year. A search of his laptop, computer, an SD card, and an SSD storage device turned up more than 13,000 files containing images of graphic sexual abuse.

One of the files consisted of a compilation video of girls from the ages of 3 to 8 years old being bound and raped. The files were seized and sent to the National Center for Missing and Exploited Children’s law enforcement clearinghouse in a bid to identify the victims. 

Saltsman initially faced 11 felony counts of sexual exploitation of a minor, but in March 2020 he agreed to plead guilty to three felonies in exchange for the dismissal of the remaining charges.

Under the terms of the deal, Saltsman could only be handed the maximum recommended sentence for a first-time offender set 14 years ago by the Utah Sentencing Commission—210 days in jail and four years on probation.

An online petition to recall Judge Hogan has been signed by 114,000 people who felt Saltsman's sentence was too lenient and were presumably unaware of the agreed-upon deal. 

Saltsman's sentencing comes just weeks after the former director of operations for Salt Lake City Airport, 69-year-old Randall Darwood Berg, was charged with 25 counts of sexual exploitation of a minor. 

Berg, of Draper, is accused of possessing approximately 50,000 images of child sexual abuse. His residence was searched following the submission of eight separate CyberTipline reports to the NCMEC alleging Berg was storing illegal files in a Google Photos account.


Texas University to Create Cybersecurity Innovation Institute

Info Security - Fri, 05/29/2020 - 17:04

The University of Texas at San Antonio (UTSA) is to create and lead a new federal digital research institute that will devise ways to shield America's manufacturers from cyber-threats. 

In addition to assisting US industry in blocking cyber-attacks, the Cybersecurity Manufacturing Innovation Institute (CyManII) will explore how to help manufacturers achieve energy efficiency. 

Other areas of focus will include supporting technical innovation, job creation, and assisting manufacturers to be more competitive. 

The National Security Collaboration Center (NSCC) at UTSA, with more than 25,000 square feet of space, has been dedicated as the home base for CyManII.

Explaining why UTSA was chosen for the institute, James Milliken, chancellor for the UT system said: “We selected UTSA to lead CyManII due to the university’s well-known strengths in cybersecurity and national connectivity in this space.”

In order to bring the project to life, UTSA will receive $70m over a five-year period under a cooperative agreement with the US Department of Energy.

The UT system will inject an additional $10m into the institute, and a further $30m will be contributed by other cost-sharing partners. 

“CyManII leverages the unique research capabilities of the Idaho, Oak Ridge and Sandia National Laboratories as well as critical expertise across our partner cyber manufacturing ecosystem,” said UTSA president Taylor Eighmy. “We look forward to formalizing our partnership with the DOE to advance cybersecurity in energy-efficient manufacturing for the nation.”

Building a national program for education and workforce development, securing automation, and securing the supply-chain network are three high-priority areas on which CyManII will focus its national strategy. 

“As United States manufacturers increasingly deploy automation tools in their daily work, those technologies must be embedded with powerful cybersecurity protections,” said Howard Grimes, CyManII chief executive officer and associate vice president and associate vice provost for institutional initiatives at UTSA. 

“UTSA has assembled a team of best-in-class national laboratories, industry, nonprofit and academic organizations to cyber-secure the US manufacturing enterprise. Together, we will share the mission to protect the nation’s supply chains, preserve its critical infrastructure and boost its economy.”


UK Government Launches Funding Program to Boost Security of IoT Market

Info Security - Fri, 05/29/2020 - 15:15

The UK government has today launched a program to incentivize the creation of schemes that test the security of Internet of Things (IoT) products. Under the initiative, innovators are encouraged to bid for funding from a pot of £400,000 to create more assurance schemes, with the ultimate aim of improving the security of consumer smart products.

Assurance schemes are vital in the IoT product market, as they prove that a device has undergone independent testing or a robust and accredited self-assessment process. Their importance is set to grow, with an estimated 75 billion internet connected devices, such as televisions, cameras and home assistants, to be in homes around the world by the end of 2025.

It is hoped the program will provide manufacturers with a variety of options for testing their consumer smart products against the UK’s Code of Practice for Consumer IoT Security. An increase in these assurance schemes will also help retailers stock secure IoT devices and help customers make security-conscious purchasing decisions.

Digital Minister Matt Warman, from the Department for Digital, Culture, Media and Sport (DCMS) commented: “We are committed to making the UK the safest place to be online and are developing laws to make sure robust security standards for consumer internet-connected products are built in from the start.

“This new funding will allow shoppers to be sure the products they are buying have better cybersecurity and help retailers be confident they are stocking secure smart products.”

Commenting on the announcement, Jake Moore, cybersecurity specialist at ESET, said: “This comes at a time when IoT seems to have been forgotten about, yet funding to support the security of such devices couldn’t be more vital. Many people favor convenience over security so it’s paramount that IoT devices come fitted with security by design, to help protect the devices and customers. This is usually where the manufacturers choose cutting costs over the protection of the end users, which in turn puts the users at risk of a range of potential attacks. Hopefully this will be the beginning of more funding as I’m not sure how far this initial input will go.”

The move comes amid other initiatives being taken by the UK government to combat cybercrime. These include legislation to bring in minimum security requirements for smart devices, and last month the government launched the ‘Cyber Aware’ campaign to advise people on protecting passwords, accounts and devices.

Warman added: “People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber-criminals.”


Alabama Seniors Offered Free Cybersecurity Courses

Info Security - Fri, 05/29/2020 - 14:34

Seniors in Alabama are being given the chance to learn about cybersecurity free of charge thanks to the University of Alabama.

Cybersecurity is just one of a batch of free online adult education courses being offered by the university's Osher Lifelong Learning Institute (OLLI).

Usually, OLLI courses are delivered in a traditional classroom setting; however, all in-person programming has been suspended in an effort to slow the spread of COVID-19. To keep adult education services up and running, courses are now being taught via the video-conferencing app Zoom.

OLLI director Jennifer Anderson said: “OLLI is privileged to be in a position to provide educational and social opportunities online for its members and the community, some of whom are the most vulnerable to coronavirus and may be among the last of our citizens to emerge from their homes, even as social distancing guidelines are lifted in our community."

Anderson said adults aged over 50 were just as much in need of social and intellectual stimulation as any other group in society, especially while lockdown measures remain in place. 

“Our members, like everyone else, can only spend so much time alone, cleaning their homes and reading,” said Anderson. “They need their social network, and interactive online classes provide that along with intellectual aspects.”

OLLI's wide-ranging courses cover everything from shadow wars of tariffs and sanctions with Iran to arthritis exercises and awareness and the love stories that made history.

Courses are developed by OLLI’s curriculum committee and based on newsworthy topics, events that changed history, or useful skills to have in the modern world. Tutors are chosen by the committee from a pool of experts, educators, and professionals.

Anderson said that instead of simply logging on and viewing pre-recorded video content, mature students who take advantage of free OLLI courses are encouraged to actively engage with the learning process. 

“We hope viewers will experience the education, entertainment and social benefits,” Anderson said. 

“OLLI students will not just ‘view’ their classes. They will participate because the classes are synchronous. Participants can speak in class and the instructors can have discussions in addition to the lectures provided.”


Most Organizations Not Prepared to Safely Support Home Working

Info Security - Fri, 05/29/2020 - 14:05

Most organizations are not sufficiently prepared to securely support remote working even though 84% intend to continue this practice beyond COVID-19 lockdowns, according to Bitglass’ 2020 Remote Workforce Report. The survey of IT professionals found that 41% of businesses have not taken any steps to expand secure access for the remote workforce, while 65% are allowing personal devices to access managed applications.

The study was undertaken to better understand how well businesses were prepared, from a cybersecurity perspective, for the sudden surge in remote working as a result of the pandemic.

Of those surveyed, 50% said lack of proper equipment was the biggest barrier to providing secure access for employees working from home. The types of applications that organizations were most concerned about securing were file sharing (68%), web applications (47%) and video conferencing (45%).

Malware was listed as the most concerning threat vector related to remote working by IT professionals (72%), followed by unauthorized user access (59%). Unsurprisingly, anti-malware was the most utilized security tool for remote work, at 77%. However, there was a lack of deployment of tools like single sign-on (45%), data loss prevention (18%) and user and entity behaviour analytics (11%).

“This research indicates that many organizations are not implementing the security measures necessary to protect their data in the current business environment,” commented Anurag Kahol, CTO of Bitglass. “For example, while respondents said that the pandemic has accelerated the migration of user workflows and applications to the cloud, most are not employing cloud security solutions like single sign-on, data loss prevention, zero trust network access or cloud access security brokers.

“On top of that, 84% of organizations reported that they are likely to continue to support remote work capabilities even after stay at home orders are lifted. To do this safely, they must prioritize securing data in any app, any device, anywhere in the world.”

Another worrying aspect of the study was that 63% of respondents believed remote working would impact their compliance with regulatory mandates, with 50% citing GDPR specifically.


NSA: Russian Military Sandworm Group is Hacking Email Servers

Info Security - Fri, 05/29/2020 - 10:40

The US National Security Agency (NSA) has released a new alert warning that Russian state hackers have been exploiting a vulnerability in Exim email servers for over nine months.

Exim is a mail transfer agent (MTA) software package developed by the University of Cambridge and used on Unix-based operating systems. Bundled with many popular Linux distributions, including Red Hat and Debian, it is thought to run on millions of email servers globally.

However, the NSA warned that organizations which have failed to patch CVE-2019-10149, which was fixed in June 2019, may be at risk of attack from the infamous Sandworm group.

“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the ‘MAIL FROM’ field of an SMTP (Simple Mail Transfer Protocol) message,” the advisory stated.

“An unauthenticated remote attacker can send a specially crafted email to execute commands with root privileges allowing the attacker to install programs, modify data, and create new accounts.”

Specifically, when CVE-2019-10149 is exploited by Sandworm, the targeted machine downloads and executes a shell script from a domain under the group’s control. This script will in turn attempt to: add privileged users, disable network security settings, update SSH configuration to enable additional remote access and execute an additional script to enable follow-on exploitation.

The NSA urged organizations to upgrade their Exim installations to 4.93 or newer, and use network-based security appliances to detect and/or block CVE-2019-10149 exploit attempts.
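Two checks a defender can run from the advisory above, as an added example (not NSA or Exim code): compare the installed Exim version against the 4.93 fix, and look for the "added privileged users" indicator in /etc/passwd. It assumes `exim -bV` output and passwd text as input; the sample banner and the `svcadmin` account below are constructed.

```python
"""Triage helpers for the Exim CVE-2019-10149 advisory: version check against the
4.93 fix and a scan for extra UID 0 accounts. Added example, not NSA or Exim code.
Assumes `exim -bV` output and /etc/passwd text; sample inputs are constructed."""
import re

PATCHED_EXIM = (4, 93)   # NSA guidance: upgrade to 4.93 or newer


def parse_exim_version(bv_output: str) -> tuple:
    """Extract the version tuple from the 'Exim version X.Y[.Z]' banner of `exim -bV`."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        raise ValueError("no Exim version banner found in input")
    return tuple(int(g) for g in m.groups() if g is not None)


def exim_needs_upgrade(bv_output: str) -> bool:
    """True when the reported version is older than 4.93.

    Caveat: distributions that backport the fix keep the old version number, so a
    True result means 'check the vendor advisory', not 'definitely vulnerable'."""
    return parse_exim_version(bv_output) < PATCHED_EXIM


def unexpected_root_accounts(passwd_text: str, allowed=("root",)) -> list:
    """Return names of UID 0 accounts that are not in the allowed list."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or line.startswith("#"):
            continue                      # blank, comment or malformed line
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in allowed:
            found.append(name)
    return found


# Constructed samples: a pre-fix Exim banner and a passwd file with a second UID 0 user
SAMPLE_BV = "Exim version 4.92 #3 built 01-Jan-2019 00:00:00\n"
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Debian-exim:x:101:104::/var/spool/exim4:/usr/sbin/nologin
svcadmin:x:0:0::/home/svcadmin:/bin/bash
"""

if __name__ == "__main__":
    print("Exim upgrade needed:", exim_needs_upgrade(SAMPLE_BV))
    print("Unexpected UID 0 accounts:", unexpected_root_accounts(SAMPLE_PASSWD))
```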

Staffed by operatives from the Russian GRU (military intelligence) Main Center for Special Technologies (GTsST), field post number 74455, Sandworm is known to be one of the most sophisticated state hacking outfits around.

It has been widely linked to the BlackEnergy malware used in attacks on Ukrainian power stations in 2015 and 2016, which caused major outages during winter, as well as campaigns against NATO members and European governments in 2019.

Categories: Cyber Risk News

Revealed: Advanced Java-Based Ransomware PonyFinal

Info Security - Fri, 05/29/2020 - 09:15
Revealed: Advanced Java-Based Ransomware PonyFinal

Microsoft has warned of a new type of data stealing Java-based ransomware, dubbed PonyFinal.

PonyFinal is what Microsoft describes as “human-operated ransomware” — to distinguish it from commoditized variants that are distributed in an automated way by hackers.

The tech giant’s Security Intelligence group revealed in a series of tweets this week that the first stage involves access to a targeted organization via brute force attacks against the systems management server.

A VBScript is deployed to run a PowerShell reverse shell which enables data exfiltration to a C&C server over Port 80. The attackers also deploy a remote manipulator system to bypass event logging.

“In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run. However, evidence suggests that attackers use information stolen from the systems management server to target endpoints with JRE already installed,” Microsoft continued.

Thus, if organizations already have JRE on their systems, they may be blind to any attack.

“The PonyFinal ransomware is delivered through an MSI file that contains two batch files and the ransomware payload,” Microsoft continued. “UVNC_Install.bat creates a scheduled task named 'Java Updater' and calls RunTask.bat, which runs the payload, PonyFinal.JAR.”
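A triage routine for the persistence step Microsoft describes, as an added example (not Microsoft's or PonyFinal's code): it reads a scheduled-task export and flags tasks named 'Java Updater' or whose action launches a batch or JAR file. It assumes the input is `schtasks /query /fo CSV /v` output with its `TaskName` and `Task To Run` columns; the rows, paths and account names below are constructed.

```python
"""Flag scheduled tasks matching the PonyFinal persistence pattern (a 'Java Updater'
task that launches a .bat which runs a .JAR). Added example, not Microsoft's code.
Assumes `schtasks /query /fo CSV /v` output; the sample export is constructed."""
import csv
import io

SUSPECT_TASK_NAMES = {"java updater"}     # task name reported by Microsoft
SUSPECT_EXTENSIONS = (".bat", ".jar")     # delivery chain: batch file -> JAR payload


def _runs_suspect_file(command: str) -> bool:
    """True if any token of the task action is a .bat or .jar path."""
    return any(tok.strip('"').lower().endswith(SUSPECT_EXTENSIONS)
               for tok in command.split())


def flag_suspicious_tasks(csv_text: str) -> list:
    """Return (task_name, command, reason) tuples for rows worth analyst review.

    A name match is a strong signal; a .bat/.jar action alone is only a lead,
    since many legitimate tasks also run batch files."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("TaskName") or "").strip().lstrip("\\")
        cmd = (row.get("Task To Run") or "").strip()
        if name.lower() in SUSPECT_TASK_NAMES:
            hits.append((name, cmd, "task name matches PonyFinal persistence"))
        elif _runs_suspect_file(cmd):
            hits.append((name, cmd, "task runs a batch/JAR file; review its contents"))
    return hits


# Constructed export: one benign Microsoft task, the PonyFinal-style task, and two others
SAMPLE_EXPORT = r'''"HostName","TaskName","Task To Run","Author"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Microsoft Corporation"
"WS01","\Java Updater","C:\Users\Public\RunTask.bat","WS01\svc_mgmt"
"WS01","\Backup\Nightly","C:\Scripts\backup.bat nightly","WS01\Administrator"
"WS01","\Reporting\Monthly","C:\Reporting\report.exe /q","WS01\Administrator"
'''

if __name__ == "__main__":
    for name, cmd, reason in flag_suspicious_tasks(SAMPLE_EXPORT):
        print(f"{name!r}: {cmd} [{reason}]")
```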

According to Microsoft, PonyFinal encrypts files at a specific date and time and, like similar “human-operated” ransomware attacks, it is likely that those wielding it will bide their time to wait for the most opportune moment to deploy the payload.

In the case of recent attacks on hospitals, that was in early April when many healthcare organizations were battling a peak of COVID-19 admissions.

Microsoft recommends that organizations reduce their attack surface by ensuring internet-facing assets are up-to-date with patches, especially VPNs and other remote access infrastructure, and conducting regular audits of misconfigurations and vulnerabilities.

For PonyFinal in particular, Microsoft recommends scanning for brute-force activity, since that is how the attackers gain their initial foothold.

Categories: Cyber Risk News

Over 600 NTT Customers Hit in Major Data Breach

Info Security - Fri, 05/29/2020 - 08:20
Over 600 NTT Customers Hit in Major Data Breach

One of the world’s largest telecoms and IT services companies has revealed that attackers may have stolen data from its internal systems, affecting over 600 customers.

NTT Communications provides cloud, network and data center services to some of the world’s biggest companies. Its parent, NTT Group, is ranked in the top 100 of the Fortune Global 500.

The firm claimed in a lengthy statement on Thursday that it detected unauthorized access to its Active Directory (AD) server on May 7, confirming the attack four days later.

Although an English language version of the notice has yet to be published, it appears that hackers first compromised a cloud server (labelled server B by the firm) located in its Singapore data center, before using it as a stepping stone to attack another internal server (server A) and its AD server.

Attackers also jumped from server B to compromise an information management server (server C) used to service NTT's cloud and hosting customers.

It is server C which NTT Communications claimed attackers may have breached to steal data on 621 customers.  

The firm said it is taking steps to mitigate the incident and prevent anything similar happening in the future.

Just last week, NTT warned in its annual Global Threat Intelligence Report that the technology sector was the most attacked worldwide in 2019.

It claimed that hackers are increasingly using “multi-function attack tools” and artificial intelligence/machine learning capabilities, as well as automation techniques, to increase their chances of success. Over a fifth (21%) of attacks globally featured some form of vulnerability scanner, it said.

The type of NTT customer data stolen by hackers in May and the techniques used to compromise servers and move laterally inside its network are unclear at this stage.

Categories: Cyber Risk News

Comedian Arrested for Cybercrime over Face Swap

Info Security - Thu, 05/28/2020 - 17:34
Comedian Arrested for Cybercrime over Face Swap

Tanzanian comedian Idris Sultan has been arrested after posting a face-swap photo on social media involving his president. 

Earlier this month, Sultan shared images of himself and of Tanzanian president John Pombe Magufuli in which the faces of each subject had been swapped over. One of the pictures shows Sultan posing on a presidential chair with the national seal, while the other shows the president's face on the comedian's body.

Sultan's lawyer, Benedict Ishabakaki, said the comedian and radio show host was summoned by police on May 19 and questioned over a possible violation of a law against cyberbullying.

According to news agency the AFP, Sultan was subsequently charged with a lesser offense related to using a SIM card registered in someone else's name.

Sultan, a former show winner of the TV series Big Brother Africa, was released from police custody on May 27 after posting bail of 15 million Tanzanian shillings (more than $6,000).

His hearing was attended by his sister and vocalist Lulu Diva and by the singer Lady Jay Dee. 

The comedian's release comes the day after opposition leaders and activists launched a Twitter campaign to demand that the case against Sultan be dismissed. 

Sultan is no stranger to Tanzania's legal system. In October last year, the comedian was arrested for photoshopping President Magufuli’s face onto a picture of himself and sharing it with his 5 million followers on social media.

The comedian said that he had shared the photo in good faith as a way to celebrate the president's birthday on October 29. 

Sultan said: “I had no ill intentions; I was just wishing the president a happy birthday. If the president did not like my birthday message, I apologize."

Following his foray into photoshopping, Sultan was accused of violating Tanzania's Cybercrimes Act, which forbids the use of a computer to impersonate someone else. After being questioned over his alleged intent to "coerce, intimidate, harass or cause emotional distress," the comedian was eventually released without charge.

Magufuli took office in 2015 as a corruption-fighting "man of the people" but has been criticized for his authoritarian leadership style. According to Human Rights Watch and Amnesty International, there is a "shrinking space for freedom of expression" in Tanzania.

Sultan's latest case is due to be heard in court on June 9.  

Categories: Cyber Risk News

DoD Contractors Team Up with HPE on Ransomware-Stopper

Info Security - Thu, 05/28/2020 - 16:48
DoD Contractors Team Up with HPE on Ransomware-Stopper

Hewlett Packard Enterprise (HPE) has announced the inclusion of RackTop Systems' BrickStor SP in its Complete program. 

BrickStor SP is a data security software platform that boldly claims to eliminate the threat of ransomware attacks and data breaches. The platform was built by Department of Defense intelligence community veterans charged with protecting the United States’ data while meeting the nation's data security compliance regulatory requirements.

HPE plans to resell RackTop BrickStor SP software with its own ProLiant and Apollo Servers to meet the high-security file-storage needs of the federal government.

RackTop Systems CEO Eric Bednash said a prevailing failure to update their cybersecurity tools is making organizations in the United States vulnerable to cyber-attacks.  

“Enterprises and government entities are losing the cyber-war because they are using old tools and 90’s design standards which are largely focused on stopping network infiltration, rather than protecting data," said Bednash.

"Based on our experience, most of the bad guys are already inside the network today."

Explaining how RackTop's platform works to block ransomware attacks, Bednash said: “BrickStor attacks the problem properly by securing unstructured data at its source so that it can’t be seized, maliciously encrypted, or exploited. 

"Together with HPE and their world class secure and versatile hardware, for the first time, customers can achieve end-to-end infrastructure security from a single vendor without gaps or loosely coupled bolt-ons.”

Rapid and unstructured data growth can result in information not being stored securely, making an organization vulnerable to cyber-attackers. Chris Powers, VP, Collaborative Platform Development, HPE Storage and Big Data, said RackTop tackles this issue by embedding its security and compliance software within a scalable data-storage system for unstructured files, protecting it at the source.

“BrickStor SP fills a high data security need in the storage market. We are entering a new era in IT infrastructure where security and compliance are a necessity,” said Powers.

“RackTop’s storage software and security platform is a natural fit with our ProLiant and Apollo Servers which feature silicon-anchored, cradle-to-grave security. Together we bring our Federal Government customers a complete Zero Trust data security solution.”

Categories: Cyber Risk News

IT Leaders Overestimate Staff's Commitment to WFH Security

Info Security - Thu, 05/28/2020 - 16:18
IT Leaders Overestimate Staff's Commitment to WFH Security

IT leaders who trust their employees to follow security best practices while working from home are sadly overoptimistic.  

According to new research published today by email security firm Tessian, while 91% of IT leaders believe their staff are doing their best to work securely from home, 52% of employees believe toiling from home means they can get away with riskier behavior.

Tessian surveyed 2,000 employees across the US and the UK as well as 250 IT decision-makers to examine the state of data loss within organizations. Researchers also set out to learn how data loss is impacted by employees working remotely. 

The survey revealed that 48% of employees cite “not being watched by IT” as the number one reason for not following safe data practices when working from home. The second excuse given for working on the wild side was "being distracted."

While such results might lead one to conclude that tighter controls are needed to maintain security, Tim Sadler, CEO and co-founder of Tessian, said that this tactic would not work on its own.

"Business leaders need to address security cultures and adopt advanced solutions to prevent employees from making the costly mistakes that result in data breaches and non-compliance," said Sadler.

"It’s critical these solutions do not impede employees’ productivity though. We’ve shown that people will find workarounds if security gets in the way of them doing their jobs, so data loss prevention needs to be flexible if it’s going to be effective.” 

Researchers found that IT leaders in the US underestimate how many of their employees' emails are misdirected. While IT leaders in US organizations with over 1,000 employees estimate that 480 emails are sent to the wrong person every year, the real figure recorded by Tessian platform data is 1.6 times higher.

More than half of survey respondents (51%) said security policies were impeding their productivity, while 54% said that they will find workarounds if security policies stop them from doing their jobs.

Compared to the UK, workers in the US were much more likely to act in a way that could jeopardize the security of their company. Employees in the US were twice as likely to send an email to the wrong person and twice as likely to take company documents home with them when they leave a job.

Categories: Cyber Risk News

Intelligence Gateway Launches to Compile Malicious #COVID19 URLs

Info Security - Thu, 05/28/2020 - 16:15
Intelligence Gateway Launches to Compile Malicious #COVID19 URLs

An internet intelligence gateway has been established to analyze and compile malicious URLs related to COVID-19.

With thousands of newly created COVID-19-related malicious websites launching every day, the gateway accepts submissions of suspicious URLs or emails, providing a lookup service that taps into RiskIQ’s infrastructure to analyze and compile malicious URLs related to COVID-19. Submissions are analyzed by RiskIQ’s systems and each malicious URL is added to RiskIQ blacklists through community participation.

Over a two-week period, RiskIQ noted 317,000 new websites related to COVID-19. 

“Our goal with the gateway is to help the security community work together in our response to the influx of criminal activity,” said RiskIQ CEO Lou Manousos. “The COVID-19 Internet Intelligence Gateway will be a powerful resource for keeping organizations safe during this crisis.”

The gateway will also allow security teams to block blacklists of known bad infrastructure to immediately protect their organizations from new campaigns leveraging the COVID-19 crisis.

Also newly launched is a COVID-19 Chrome Extension, which allows users to submit suspect URLs, host names or domains to RiskIQ for “crawling” purposes. Reports will include detailed information from the crawl, including referenced pages, screenshots and classification of content.

In April, it was reported that 18 million malware and phishing Gmail messages related to COVID-19 were detected by Google’s Threat Analysis Group per day, in addition to more than 240 million COVID-related daily spam messages.

It detected examples including fake solicitations from charities and NGOs, messages trying to mimic employer communications and employees working from home, along with websites posing as official government pages and public health agencies.

Categories: Cyber Risk News