Cyber Risk News
Norway's state-owned investment fund Norfund has halted all payments after losing $10m in an "advanced data breach."
Norfund is a private equity company established by the Norwegian Storting in 1997 and owned by the Norwegian Ministry of Foreign Affairs. The fund receives its investment capital from the state budget and is the largest sovereign wealth fund in the world.
On May 13, Norfund announced that it was "cooperating closely with the police and other relevant authorities" after "a series of events" allowed fraudsters to make off with $10m.
The fund said that a data breach allowed defrauders to access information concerning a loan of US$10m from Norfund to a microfinance institution in Cambodia.
Using a mixture of manipulated data and falsified information, the fraudsters managed to impersonate the borrowing institution and divert funds away from the genuine recipient and into their own pockets.
"The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified," said a Norfund spokesperson.
Funds were diverted to an account in Mexico under the same name as the Cambodian microfinance institution. The theft took place on March 16 but went undetected until April 30, when the scammers attempted to fraudulently obtain more money.
“This is a very unfortunate situation,” said Olaug Svara, chair of the board of directors. “We now have to get a full overview of the chain of events in order to get to the bottom of this.”
Norfund's board has engaged PwC to undertake a full review of the company's security systems and routines.
Norfund CEO Tellef Thorleifsson said: “The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this.”
Commenting on how the fraud might have been committed, Chris Hazelton, director of security solutions at Lookout, said: “There is no specific information on how this attack took place, nevertheless, how the threat actors were able to ‘manipulate the communication between Norfund and the intended recipient’ points to either BEC or phishing as a likely entry point for attackers.”
Cyber-attacks against API endpoints have increased since lockdown measures were introduced to slow the spread of COVID-19.
Describing the number of threats leveled at just one of their customers, Cequence researchers saw malicious traffic increase by 40% to 28 million events over the week commencing April 17. As time marched forward, the volume of attacks rose.
"Week of April 23rd saw a massive spike of 279% to 78M with one attack campaign peaking at 100,000 requests per minute," noted researchers. "Week of May 1st showed yet another increase in malicious traffic to 139M requests or an 85% week over week increase."
Attackers were found to be directing the lion's share of traffic at one login API endpoint for the Android application.
Asked why this particular API received a battering, CQ Threat Research team member and hacker in residence Jason Kent told Infosecurity Magazine: "Usually this is because an attack worked once against that endpoint. Often the focus API endpoint is old, learned either several months ago, or the attacker assumes the older endpoints are forgotten (often the case) and not monitored.
"Additionally, it is much easier to decompose the API calls an application makes from Android because there are several tools to help with this, versus iOS, which is a bit more difficult."
According to Kent, the biggest trend observed in attacks instigated since "stay safe" became a standard email sign-off has been a growth in overall volume. He added that the tactics around volume, source IPs, and User-Agents (device type) have increased significantly.
"Attackers are obviously focused on account takeover and are clearly trying to get past mitigation efforts: traffic is being distributed across approximately 1 million residential IP addresses from 15,000 different organizations owned by Bulletproof Proxy vendors, and they are rotating 3 million user agents," said Kent.
"The heavy use of residential IP addresses, combined with Covid-19 driven stay-at-home orders, makes separating out malicious traffic from legitimate traffic even more important. The attackers know if they can use residential IP addresses from Bulletproof Proxy Networks, they’ll be that much harder to catch and defend against."
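An added example (not from the Cequence research or this article) of one way a defender could spot the pattern Kent describes in API access logs: a login endpoint whose failure rate spikes while source IPs and User-Agents rotate almost once per request, which a legitimate traffic surge does not do. The JSON-lines log format, the endpoint path and the thresholds are assumptions, and the sample log is constructed.

```python
import json
from collections import defaultdict

# Constructed sample log (not real Cequence data) for an Android app's login
# API. Minute 0 is normal traffic; minute 1 is a distributed credential-
# stuffing burst in which every request comes from a different
# residential-looking IP with its own User-Agent string and fails.
LEGIT_UAS = [
    "okhttp/4.2.1 (Android 10; Pixel 3)",
    "okhttp/4.2.1 (Android 9; SM-G960F)",
    "okhttp/3.14.0 (Android 8.1; Moto G6)",
]


def build_sample_log():
    lines = []
    for i in range(20):  # normal users: few IPs, few UA strings, mostly success
        lines.append(json.dumps({
            "minute": 0, "path": "/api/v2/login",
            "src_ip": f"203.0.113.{i % 5}", "ua": LEGIT_UAS[i % 3],
            "status": 401 if i % 4 == 0 else 200,
        }))
    for i in range(400):  # attack burst: rotating IPs and UAs, all failures
        ip = f"198.51.100.{i}" if i < 256 else f"192.0.2.{i - 256}"
        lines.append(json.dumps({
            "minute": 1, "path": "/api/v2/login",
            "src_ip": ip,
            "ua": f"okhttp/4.{i % 9}.{i % 7} (Android {7 + i % 4}; Device-{i})",
            "status": 401,
        }))
    return lines


def analyze(lines, min_requests=200, min_fail_ratio=0.5, min_diversity=0.8):
    """Aggregate requests per (minute, path) and flag windows that combine a
    high volume, a high failure ratio and near one-to-one IP and UA diversity.

    The thresholds are assumptions chosen for the constructed sample; tune
    them against a baseline of the endpoint's own normal traffic.
    """
    windows = defaultdict(lambda: {"requests": 0, "failures": 0,
                                   "ips": set(), "uas": set()})
    for line in lines:
        ev = json.loads(line)
        w = windows[(ev["minute"], ev["path"])]
        w["requests"] += 1
        if ev["status"] in (401, 403):
            w["failures"] += 1
        w["ips"].add(ev["src_ip"])
        w["uas"].add(ev["ua"])

    alerts = []
    for (minute, path), w in sorted(windows.items()):
        n = w["requests"]
        fail_ratio = w["failures"] / n
        ip_div = len(w["ips"]) / n  # ~1.0 when every request uses a fresh proxy IP
        ua_div = len(w["uas"]) / n  # ~1.0 when the UA is rotated per request; a
        #                             legitimate spike repeats a few UA strings
        if (n >= min_requests and fail_ratio >= min_fail_ratio
                and ip_div >= min_diversity and ua_div >= min_diversity):
            alerts.append({"minute": minute, "path": path, "requests": n,
                           "fail_ratio": round(fail_ratio, 2),
                           "ip_diversity": round(ip_div, 2),
                           "ua_diversity": round(ua_div, 2)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print("ALERT", alert)
```

Because the attacker's source IPs are residential, blocking by IP or ASN alone is weak here; the per-window diversity ratios are what separate the burst from a genuine surge of logins.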
Advanced artificial intelligence (AI) and machine learning tools are becoming increasingly critical in detecting and combating cyber threats. This is according to Stefaan Hinderyckx, Senior Vice President, Security - Europe at NTT Ltd., speaking at the virtual NTT European Digital Press Roundtable 2020 on May 13 2020.
According to Hinderyckx, with organizations now handling so much data, coupled with a current shortage of cybersecurity experts, identifying security threats efficiently and quickly is only possible using these technologies.
He said the global technology services company gets around 280 billion logs per month across all its clients; these can be reduced to 1000 possible threats through its automated AI and machine learning tools, which utilize complex mathematical techniques such as pattern matching and advanced correlation. NTT’s analysts can then focus on investigating these potential threats closely.
“We have this massive haystack and we put that into a manageable number of incidents that analysts can still look at,” commented Hinderyckx. “You still need humans; machine learning and AI cannot completely replace our analysts, but you can simply do it much more efficiently and the need for speed of course is there because you can’t wait for five hours from the logs coming in and flagging the alert, it has to be near real-time.”
Hinderyckx also said that these technologies are able to pick up new threats that conventional security analysis techniques, such as security information and event management (SIEM), find difficult to identify. He gave the example of the emerging threat of zero-day exploits. “By using AI we’re effectively addressing the white space,” he added.
Attacks on financial institutions spiked by a massive 238% from the beginning of February to the end of April, as cyber-criminals took advantage of peaks in the COVID-19 news cycle, according to VMware Carbon Black.
The company’s third annual Modern Bank Heists report revealed that over a quarter (27%) of attacks so far this year have targeted either the healthcare or financial sectors.
Interestingly, rises in attack volumes seem to have coincided with major news events during the crisis, such as the first confirmed US case, the country’s first death, and the WHO declaring a pandemic. This could be because such events provide a useful lure for phishing emails.
Ransomware attacks against the financial sector increased nine-fold from the beginning of February to the end of April 2020.
Elsewhere, Emotet and Kryptik malware variants were among the most prolific, the latter used in the notorious 2015 attack on the Ukrainian power grid. Aside from ransomware, the end goal is to transfer funds or exfiltrate sensitive data.
In fact, 82% of respondents claimed that attacks had become more sophisticated over the past year. Attackers have “dramatically increased” their understanding of internal policies and procedures and are aware of blind spots in incident response, the report claimed.
A third (33%) of respondents said they’d been hit by island hopping attacks via smaller supply chain partners, and a fifth (20%) had experienced a watering hole attack.
Of even greater concern is that a quarter (25%) said they’d been targeted by destructive attacks designed to cause maximum damage rather than to elicit a ransom payment.
“Over the years, bank heists have escalated to virtual hostage situations where cybercrime groups and nation-states have attempted to commandeer digital transformation efforts,” argued VMware’s head of security strategy, Tom Kellermann. “Now, as we address COVID-19’s impact on a global scale, it’s clear attackers are putting financial institutions directly in their crosshairs, according to our data.”
According to Accenture, the cost to address and contain cyber-attacks is higher for financial services than any other sector.
Legal experts have warned of more potential delays to the official GDPR fines set to be handed down to British Airways and Marriott International, potentially undermining the authority of the UK regulator.
The Information Commissioner’s Office (ICO), Europe’s largest data protection regulator by budget and employees, originally handed down a notice of intent to fine BA a massive £183.4 million after a Magecart-related breach on its site. A £99 million fine was slated for the hotel group soon after for its breach of 339 million customer records.
Although these were first published in July 2019, they’ve been subject to delays as the companies involved made detailed representations to the regulator.
The initial six-month period from notice of intent to fine was extended to May 2020, according to BA’s recent annual report.
However, experts at Cordery Compliance now believe the deadline will be pushed back again due to COVID-19, to around August-September time.
“Our understanding is that whilst still emphasizing the seriousness of the breaches, the ICO will apply a lenient approach to the amount of the fines due to the financial impact of COVID-19,” the compliance firm added in an alert.
This is likely to raise questions about the ability and resolve of the ICO to bring large cases against well-funded corporations.
“Although the impact of COVID-19 may explain some of the current continued delay, quite why what may end up being over a year to resolve these matters since the ICO announced its intentions to fine may leave some wondering whether GDPR enforcement is going as quickly as it should,” said Cordery.
“In addition, what was also expected to be a showcase for the first significant fines under GDPR in the UK may now be a let-down.”
That said, the two companies are still facing the prospect of potentially costly litigation from disgruntled customers, it added.
A report out last month argued that Europe’s GDPR regulators are woefully under-resourced financially and lacking in the in-house technical expertise needed to take on the major technology firms.
A UK power grid company has suffered a possible ransomware attack, although electricity supply to homes has not been affected.
Elexon administers a crucial part of the power supply chain, known as the Balancing and Settlement Code (BSC), with customers including the country’s suppliers, generators, distributors, traders, and energy importers and exporters.
The firm takes over one million meter readings every day to compare what generators and suppliers say they will produce or consume with actual volumes, before calculating a price for the difference and transferring funds accordingly.
At nearly midday local time yesterday the firm posted an alert claiming its internal IT systems had been impacted by a cyber-attack.
“BSC Central Systems and EMR are currently unaffected and working as normal. The attack is to our internal IT systems and ELEXON’s laptops only. We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails,” the notice read.
A further message nearly four hours later revealed that the firm had “identified the root cause and we are taking steps to restore our internal IT systems.”
The National Grid took to Twitter to reassure customers about electricity supply.
“We’re aware of a cyber-attack on Elexon’s internal IT systems,” it noted. “We’re investigating any potential impact on our own IT networks. Electricity supply is not affected. We have robust cybersecurity measures across our IT and operational infrastructure to protect against cyber-threats.”
Although yet to be confirmed, the downtime to internal systems would seem to suggest a ransomware attack, although there are other possibilities.
The power grid, like other parts of critical national infrastructure (CNI), has come under increasing scrutiny from nation state actors in recent years, especially Kremlin-backed hackers.
Back in 2017, NCSC boss Ciaran Martin warned of Russian attacks on UK media, telecoms and energy sectors as part of its bid to “undermine the international system.”
Earlier this month Donald Trump declared a national emergency over the threat of foreign adversaries launching crippling cyber-attacks against the US power grid.
The Ohio House of Representatives has voted through new legislation that will criminalize all malicious hacking attempts, whether they succeed or not.
Backers of House Bill 368 say changes are necessary as currently only malicious computer hacks that succeed are punishable under Ohio law.
House Bill 368 was passed yesterday with a vote of 93–1, with the lone "nay" cast by state Representative Tavia Galonski.
If approved by the Senate, the new law will prohibit a person from gaining access to, attempting to gain access to, or causing access to be gained to a computer, computer system, or computer network when certain conditions apply.
Ethical hackers, such as those hired to test a company's cybersecurity, would not be punishable under the new law, even if they were to accidentally access data that they were not supposed to.
The legislation also proposes making penalties for offenders convicted of computer trespass harsher if they are found to have acted recklessly or if they have deliberately targeted elderly or disabled users.
Under the new bill, victims of cybercrime would be permitted to file a civil lawsuit pursuing compensation from offenders convicted of cyber-offenses.
Currently, Ohio only has two categories of offense covering computer crimes: criminal mischief and unauthorized use of a computer. The new legislation would update and expand these offenses with several new felony-level offenses.
Electronic data tampering and electronic data manipulation, electronic data theft, unauthorized data disclosure, electronic computer service interference, and computer trespass are among the new felony-level offenses.
The bill was sponsored by state Representative Brian Baldridge. Speaking in support of the bill on the House floor yesterday, state Representative David Leland said: “It really corrects some glaring holes in our criminal statute related to cybersecurity."
Leland added that the newly proposed offenses would penalize crimes such as a recent attempt by an unknown malicious hacker to partially take down Ohio’s unemployment benefits website.
The website is used by employers to report workers who have quit or refused to work during the COVID-19 pandemic, putting them at risk of losing their unemployment benefits.
Critical flaws have been discovered in a cybersecurity company's next-generation firewall and VPN technology.
Researchers at vpnMentor detected two vulnerabilities in cybersecurity devices developed by Cyberoam Technologies. Founded in 1999, Ahmedabad-based company Cyberoam was bought by British security software and hardware company Sophos Group plc in 2014.
Cyberoam employs 550 people globally and serves 65,000 users in over 120 countries, offering security solutions to “global corporations in the manufacturing, healthcare, finance, retail, IT sectors, and more, in addition to educational institutions, public sector and large government organizations.”
The first vulnerability was found in the FirewallOS of Cyberoam SSL VPNs in the last quarter of 2019, while the second was shared with vpnMentor by an anonymous ethical hacker at the beginning of 2020 and verified at vpnMentor's Research Lab.
"After confirming their findings, our team discovered a third flaw, which had also gone unnoticed," wrote researchers.
"These vulnerabilities, both independently and when put together, could have been potentially exploited by sending a malicious request, which would enable an unauthenticated, remote attacker to execute arbitrary commands."
Cyberoam software works by forming a gateway that blocks unauthorized access to a network. Researchers revealed that the main flaw in Cyberoam’s security involved two separate weaknesses in how an email is "released from quarantine" on a Cyberoam device.
"Both unrelated issues could have been used to give hackers access to Cyberoam’s devices, and, as an end result, make it easier to exploit any device which their firewalls were guarding," wrote researchers.
Hotfixes have been published by Sophos to resolve the vulnerabilities, which are not the first flaws to be discovered in Cyberoam's security products.
"For many years, people have been identifying significant weaknesses in their software products and devices," wrote researchers, before citing three specific weaknesses.
The first of these dates back to July 2012, when it was revealed that Cyberoam was using the same SSL certificate across many of its devices, making it possible for hackers to access any affected device on the company's network and intercept its data traffic.
In 2018, massive portions of Cyberoam databases were discovered for sale on the dark web after being swiped by a hacker, according to Indian media reports.
New research published today by the Identity Defined Security Alliance (IDSA) has revealed that 79% of organizations have experienced an identity-related security breach in the last two years.
The worrisome finding emerged from a study titled “Identity Security: A Work in Progress,” which is based on an online survey of 502 IT security and identity decision makers conducted in April. The study was carried out to identify trends in identity-related security and to deduce how forward-thinking companies are trying to reduce the risk of a breach.
Researchers found that identity-related breaches are as common as mud, with 94% of organizations experiencing this particular calamity at some point and 79% saying that a breach had occurred within the past two years.
Of those surveyed, 99% believe that the breach they experienced was preventable, but fewer than half have fully implemented key identity-related security outcomes.
Asked for their views on how identity-related breaches typically occur, 66% of respondents identified phishing as the most common cause. The results suggested that cybersecurity training could reduce the risk of a breach.
"Phishing presents a significant challenge for security leaders—of companies breached, 71% surveyed said the attack could have been prevented through better security awareness training," wrote researchers.
The study revealed a link between an organization's attitude to cybersecurity and how recently it had experienced a breach. Only 34% of companies with a "forward-thinking" security culture have had an identity-related breach in the past year compared with 59% of companies that foster a "reactive" security culture.
Another key difference between reactive and proactive companies was the impact of a breach. Forward-thinking companies experienced similar phishing-related breaches, but fewer stolen credentials (34% vs 42%), compromised privileged credentials (27% vs 32%), inadequately managed privileges (35% vs 40%), and socially engineered passwords (32% vs 41%).
Researchers concluded that organizations could do more to prevent future breaches. They said: "There is no doubt that with explosive growth in identities in the last five years and what is still to come, organizations are shifting strategies to protect their most vulnerable attack vector with some success. But there is more work to be done."
DWF has appointed Mark Hendry as its director of data protection and cybersecurity, joining from Deloitte where he was responsible for data protection and cybersecurity risk and remediation projects for clients.
At DWF, Hendry will work alongside the global head of data protection and cybersecurity, Stewart Room, and the wider leadership team, to develop and grow the global legal business’ cybersecurity consultancy services. He will help clients from different sectors to address their cybersecurity issues and requirements, particularly in the areas of multi-disciplinary incident response services, strategic improvement and risk remediation.
Hendry’s appointment follows a lengthy career in data protection and cybersecurity. Prior to his role at Deloitte, he worked at PwC for nine years where he held a variety of positions, including group leader for the 100+ headcount London cybersecurity and business resilience business, technology audit lead for the FTSE100 practice and leadership team member of the multi-disciplinary data protection group.
Before then, he worked for Research Machines Plc and British Telecom in client facing technical project and program management roles.
Commenting on the appointment, Room stated: “We are delighted to be welcoming Mark to DWF. He is an extremely experienced data protection and cybersecurity professional who provides DWF with an added edge in the market. Mark will be critical in advising clients across a range of sectors to address their cybersecurity issues, with a focus on incident response services, strategic improvement and risk remediation."
Hendry is the latest high profile appointment for DWF already this year, following the recruitment of James Drury-Smith as its new UK national leader of privacy and cyber security last month and Room as partner and global head of data protection and cybersecurity in February.
Hendry commented: “I am delighted to have joined DWF which is a business in prime position to serve our clients and grow with them. The combination of DWF's legal expertise and associated legal and non-legal services globally provides an incredibly powerful and united platform from which to serve our clients and markets.”
More than four out of five people think up their own passwords, while 54% don’t know how to check if any of their credentials have been leaked. This is according to Kaspersky’s Defending digital privacy: taking personal protection to the next level report, which highlighted the growing need for better password storage, with people using an increasing number of online accounts.
Numerous studies have demonstrated the importance of having complex passwords that are changed regularly and differ across multiple accounts in order to prevent data breaches. Yet in this new report, 55% of users said they are able to remember all their passwords, suggesting that they do not make them sufficiently complex and unique.
The study also showed that of those who do keep a record of their passwords, many store them in places which make them vulnerable to being stolen. Of the 15,002 consumers surveyed across 23 countries, 19% stated that they store their passwords in a written file or on a computer, while 18% keep them saved in browsers on their computers, smartphones, or tablets.
Kaspersky added that users should be made more aware of services such as ‘Have I Been Pwned?’ to enable them to check whether their passwords have been included in public leaks or data breaches without having to visit the dark web.
Marina Titova, head of consumer product marketing at Kaspersky, said: “Consumers can monitor the spread of personal data, including which passwords might have been leaked. And this is not only for the sake of ‘just being aware’; it also allows individuals to take the right action to minimize any invasion of privacy – along with any wider consequences. That’s why we at Kaspersky put a big focus on protecting consumers’ privacy.”
In order to minimize the risk of passwords being stolen, Kaspersky recommends that people never leave them in places where others may find them, whether written on paper or on a device.
Last week was World Password Day 2020, which promotes better password practice. This is an issue that takes on extra importance this year due to the unprecedented rise in people working from home as a result of COVID-19.
The number of employees working from home is increasing, but the security technology to support them is not being deployed.
According to a survey of 694 IT security administrators and practitioners, most companies fail to authenticate remote workers properly or fail to adequately inspect their network traffic for threats.
The research, conducted by Cato Networks, found 68% of respondents said their organizations fail to deploy enough prevention or authentication technologies for remote users. In particular, 37% do not use multi-factor authentication (MFA) for remote users, 55% of respondents fail to employ intrusion prevention software or anti-malware technology, and 11% fail to inspect traffic altogether.
“A lack of security enforcement on remote access users should be of serious concern for IT managers: enterprises cannot enable widespread remote access at the expense of security protections,” said Yishay Yovel, CMO of Cato Networks. “Enterprises should be able to provide remote access for all users anywhere, in minutes, with the security protections and network optimizations they have in the office.”
Brian Honan, CEO of BH Consulting, told Infosecurity that the numbers did not surprise him, as many companies were already struggling to roll out better authentication technologies for remote users before the global pandemic hit.
He said: “With the rush to support remote working for many more users, companies rapidly expanded their remote access solutions or migrated systems to the cloud; this rush was to ensure the business could survive and support staff to continue working.
“However, now that those immediate goals have been met and our response to the pandemic may be more long term than initially planned, companies need to review the security and resilience of their remote access solutions.”
The news follows research from earlier this week, when a Tripwire survey found 94% of cybersecurity professionals were more concerned about security in the wake of COVID-19. Its survey of 345 IT security professionals found that 89% said remote working had made the job more difficult. Additional findings included:
- 49% said they cannot effectively secure employees’ home office environments
- 41% said it is more challenging to manage what devices are connecting to their corporate networks
- 38% said it is hard to gain visibility into remote assets and systems
The survey also found that 53% of respondents were increasing security investment with 28% investing in new tools.
“The massive shift to working remotely represents a huge change for organizations’ attack surfaces,” said Tim Erlin, vice-president of product management and strategy at Tripwire. “It’s no surprise that security professionals are finding it challenging to monitor and minimize the new attack surfaces.”
The US government has released new technical guidance highlighting the 10 most commonly exploited vulnerabilities of recent years, in a bid to improve awareness and patching among organizations.
It warned that “foreign cyber-actors” often choose to focus on known and often dated vulnerabilities as they require fewer resources to exploit than researching zero-days. Although the top 10 list is for flaws exploited in 2016-19, two of the featured CVEs date back even before this period, to 2012 and 2015.
“The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date,” the notice urged.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”
Microsoft’s Object Linking and Embedding (OLE) technology was most commonly targeted between 2016 and 2019, featured in the top two most exploited CVEs: CVE-2017-11882 and CVE-2017-0199. Along with OLE-related CVE-2012-0158 they comprise the three bugs most frequently used by state-sponsored attackers from China, Iran, North Korea and Russia.
Chinese attackers were also still using CVE-2012-0158 in December 2019, highlighting that organizations have yet to patch, despite the vulnerability being flagged in 2015 as a common target for Beijing-backed hackers.
As for vulnerabilities exploited so far in 2020, the report warned of attacks targeting VPN systems made by Citrix and Pulse Secure, particularly in light of the rapid shift to home working due to COVID-19.
The same vulnerabilities are also thought to have been exploited by cyber-criminals in sophisticated APT-style ransomware attacks, according to Microsoft.
“The DHS report appears to align with what we are seeing in the wild,” said Edgescan CEO, Eoin Keary. “Ultimately, attackers don’t care where the vulnerability is, which is why a full-stack vulnerability management approach is advised in such a fast-changing threat landscape.”
The US authorities have formally blamed Chinese-affiliated hackers for attempting to steal vital COVID-19 research from domestic companies working on vaccines.
An announcement from the FBI and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned research organizations to “maintain dedicated cybersecurity and insider threat practices” in light of the attacks.
“The FBI is investigating the targeting and compromise of US organizations conducting COVID-19-related research by PRC-affiliated cyber-actors and non-traditional collectors,” it said.
“These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research. The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”
The notice urged organizations working on COVID-19 research to assume they would be targeted and ensure all internet-connected software and systems are promptly patched.
They should also switch on multi-factor authentication (MFA), block suspicious user activity and scan web applications for unauthorized access, modification or anomalous activities, it added.
The news comes days after suspected Iranian hackers are thought to have targeted employees at US drug-maker Gilead Sciences.
Both CISA and the UK’s National Cyber Security Centre (NCSC) issued an alert earlier this month warning that APT groups are targeting healthcare and research organizations in both countries.
Reports also emerged at around the same time that UK universities working on a vaccine, including Oxford University, had been probed by state-sponsored attackers.
“The practice of stealing IP in this way has been going on for a very long time, and the fabric of the internet allows these hackers to hide their identity and even to mislead researchers as to their true country of origin,” argued Matt Aldridge, principal solutions architect at Webroot.
“Accurate attribution of the source state of these types of attack can be extremely difficult for this reason. It is likely that attackers from many nations are targeting US research institutions right now, either with a motivation of profit through the sale of stolen research, through ransom demands via crypto malware or through illicit government payouts to feed into secret research programs.”
Two construction firms that helped to build emergency hospitals to cope with the COVID-19 pandemic have been hit by separate cyber-attacks, it has emerged.
Bam Construct, which worked on the Yorkshire and Humber hospital, appears to have fallen victim to a ransomware attack, whilst Interserve, which worked on Birmingham's NHS Nightingale, may have suffered a major data breach.
A Bam spokesman is reported to have said the business “stood up well” after the incident last week, despite being forced to take services offline to mitigate the attack.
“Our own precautions have had more of an effect on our normal working procedures than the virus itself, but it is important for us to be absolutely confident that restoring all systems – at a time when we are working from home in unprecedented numbers – is done carefully,” he said.
Meanwhile, a statement on Interserve’s website posted yesterday said the firm was a target of an attack earlier this month.
“Interserve is working closely with the National Cyber Security Centre (NCSC) and Strategic Incident Response teams to investigate, contain and remedy the situation. This will take some time and some operational services may be affected. Interserve has informed the Information Commissioner’s Office (ICO) of the incident. We will provide further updates when appropriate,” it noted.
“Interserve’s employees, former employees, clients and suppliers are requested to exercise heightened vigilance during this time.”
Some reports have suggested as many as 100,000 employees may have been affected by the attack on an HR database.
“A wider variety of hacking tools that would typically be used by sophisticated groups are trickling down to smaller groups or individuals,” warned Sam Curry, chief security officer at Cybereason.
“Ultimately, this creates a bigger challenge for security analysts to stay ahead of threats. Identification, remediation, 24x7 threat hunting and activating an incident response team is critical to prevent malicious and material damage from occurring in the supply chain.”
French construction giant Bouygues revealed back in February that it had been the victim of a “ransomware-type virus.”
Financial trading and spread betting service provider City Index has informed users of a breach of their personal data, including names, dates of birth, gender and bank details.
In a notification sent to users on May 8, City Index said that its network “was accessed by an unauthorized third party and client personal data may have been viewed.” Upon discovering the incident, it said it “shut down access to the server concerned and launched a full forensic investigation.” The incident took place on April 14.
In an immediate response to the incident, City Index sent an advisory to affected clients suggesting that they reset their City Index passwords and, if the same password was reused for other accounts elsewhere, reset those as well.
“We sincerely apologize for this incident and wish to assure you of our continued commitment to your data security,” it said in the statement.
City Index’s parent company Gain Capital declined to comment on how many people had been affected by the breach, or how long attackers had been inside the network for.
In an email to Infosecurity, a spokesperson for the Information Commissioner’s Office, said: “We have received a report from Gain Capital of an incident and are assessing the information provided.” The Financial Conduct Authority told Infosecurity that it was unable to comment on individual firms.
A new cyber-espionage framework has been unearthed by researchers at cybersecurity company ESET.
Dubbed "Ramsay," the framework appears to be tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems.
ESET believes the framework is still under active development, since its research to date has found only a small number of victims. Malicious documents uncovered during the research and uploaded to public sandbox engines with titles such as "access_test.docx" or "Test.docx" seem to support this theory.
Researchers came across the previously unreported cyber-espionage framework while studying a suspicious data sample. Korean-language metadata were discovered within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates.
Alexis Dorais-Joncas, head of ESET’s Montreal-based research team, said: “We initially found an instance of Ramsay in a VirusTotal sample uploaded from Japan that led us to the discovery of further components and other versions of the framework along with substantial evidence to conclude that the framework is still in a developmental stage, with delivery vectors subject to fine testing."
Although a relatively fresh arrival on the digital spy scene, Ramsay has already undergone several re-jigs. Researchers noted that the various discovered versions of Ramsay differ in complexity and sophistication, with the latest third version being the most advanced, especially with regard to evasion and persistence.
"Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojanized applications potentially being delivered via spear-phishing," wrote researchers.
The architecture of the framework provides a series of capabilities that include file collection and covert storage, command execution, and highly aggressive file spreading.
In the more mature versions of Ramsay, researchers observed a technique sometimes referred to as “Phantom DLL Hijacking,” which exploits Windows applications that still try to load outdated, no-longer-present dependencies, so that a malicious DLL carrying the expected name is loaded in their place.
Ramsay's primary goal is to collect all existing Microsoft Word documents within the victim’s file system. Depending on the Ramsay version in play, file collection is either restricted to the local system drive or involves a search of additional drives such as network or removable drives.
Privileged access management specialist CyberArk today announced the acquisition of Identity-as-a-Service company IDaptive Holdings Inc.
Commonly known as Idaptive, the California company was formed in the fall of 2018 as an offshoot of the IDaaS service offered by Centrify. From its headquarters in Santa Clara, Idaptive serves a client list of around 500 well-known organizations that includes Swarovski, Butterball, Rémy Cointreau, and Appen.
The company describes its Next-Gen Access Cloud Platform as "like a chameleon that adapts almost instantly to its environment and has amazing 360-degree vision." The platform combines leading capabilities to seamlessly integrate single sign-on, multi-factor authentication, enterprise mobility management, and user behavior analytics to offer maximum cybersecurity.
The total purchase price for the acquisition of Idaptive was $70m in cash consideration.
Through the acquisition, CyberArk and Idaptive said that they aim to deliver a "comprehensive Artificial Intelligence (AI)–based, security-first approach to managing identities that is adaptive and context-aware and architected on the principles of Zero Trust and least privilege access, to dramatically reduce risk."
The deal will allow CyberArk to up its game when it comes to managing and protecting identities with various levels of privileges across hybrid and multi-cloud environments. The company said customers will benefit from the acquisition by attaining a better overall security posture with a more efficient and seamless user experience that complies with the ever-increasing number of complex regulatory requirements.
“With cyber-attacks on the rise, organizations need modern, comprehensive solutions to make better, continuous access and authorization decisions for the broadest range of users,” said Udi Mokady, founder, chairman, and CEO of CyberArk.
"With Idaptive, CyberArk will offer customers a SaaS-delivered, security-first approach to managing identities—with Privileged Access Management at its core—that reduces risk, simplifies operations and improves business agility. We are thrilled to welcome the Idaptive team to CyberArk.”
Mokady went on to praise the team at Idaptive for the spirit with which they approach their work.
He said: "Idaptive brings with it an amazing and passionate team. I am eager to bring their energy and commitment to define the future of Identity Security."
A major US healthcare provider has suffered a ransomware attack after falling for a phishing email that appeared to be sent by a client.
Magellan Healthcare received what they believed to be a genuine email from a client on April 6. Five days later, attackers compromised the systems of the Fortune 500 company, exfiltrating records containing personal information before launching ransomware to encrypt files.
In a cyber incident notification letter dated May 12 that was sent to those whose information had been compromised, Magellan Healthcare said that the exfiltrated records "include personal information such as name, address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number and, in limited circumstances, may also include usernames and passwords."
An information-hungry thief or thieves exfiltrated a subset of data taken from a single Magellan corporate server, but they didn't stop there. According to a Magellan spokesperson: "In limited instances, and only with respect to certain current employees, the unauthorized actor also used a piece of malware designed to steal login credentials and passwords."
Upon discovering the ransomware attack, Magellan hired cybersecurity forensics firm Mandiant to help conduct a thorough investigation of the incident. It was Mandiant that discovered that prior to the launch of the ransomware, data had been exfiltrated.
The company also reported the cyber-attack to the FBI and relevant law enforcement agencies and filed a notice with the California attorney general's office on Monday.
Commenting on the incident, Erich Kron, security awareness advocate at KnowBe4, said: “The bigger story here was not the encryption of data and subsequent downtime, but the actual exfiltration of the data, which is becoming the norm in ransomware attacks.”
Magellan said that, since the incident occurred, the company has implemented additional security protocols "designed to protect our network, email environment, systems, and personal information."
Writing to those whose data was exposed in the attack, Magellan said: “At this point, we are not aware of any fraud or misuse of any of your personal information as a result of this incident."
Identity theft protection is being provided by the company to people whose information was stolen.
"Unfortunately, these sorts of attacks are increasingly common," a Magellan spokesperson told FOX Business. "We are aggressively investigating this matter and will continue to provide updates to those impacted as the investigation continues."
Microsoft has fixed 111 vulnerabilities in its latest update round, the third month in a row that the number of addressed CVEs has exceeded a century.
Although there are no zero-day bugs to fix this month, 13 of the flaws were rated as critical, with many of them exploitable simply by visiting a web page or server, according to Recorded Future senior solutions architect, Allan Liska.
He said organizations should prioritize CVE-2020-1117, a remote code execution (RCE) vulnerability in the Microsoft Color Management Module (ICM32.dll), which could be exploited if an attacker persuades a victim to visit a website under their control, or via malvertising.
Another RCE bug, CVE-2020-1153, exists in the Microsoft Graphics Component and affects end-of-life systems including Windows 7 and Server 2008.
There are also four critical flaws to patch in Microsoft SharePoint, versions 2013 to 2019: CVE-2020-1023, CVE-2020-1024, CVE-2020-1069 and CVE-2020-1102.
“SharePoint is increasingly targeted by attackers and similar vulnerabilities have been exploited in the wild,” explained Liska. “With more people working from home during the pandemic, it is likely these vulnerabilities will be targeted once proof-of-concept code is developed.”
Meanwhile, Todd Schell, senior product manager at Ivanti, argued that sysadmins should take care when prioritizing which bugs to fix first.
“What is interesting, and often overlooked, is that seven of the 10 CVEs at higher risk of exploit are only rated as important. It is not uncommon to look at the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are actually the ones rated as important,” he explained.
“If your prioritization stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics. Look to other risk metrics such as publicly disclosed, exploited (obviously) and exploitability assessment (Microsoft specific) to expand your prioritization process.”
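The prioritization point made above, that vendor severity or a CVSS cut-off alone can bury the bugs most likely to be exploited, is easy to see once the two orderings are placed side by side. The following is an added example, not code from the article or from any vendor quoted in it: it ranks a constructed set of placeholder CVE records (`CVE-EXAMPLE-*`, with made-up attributes) first by vendor severity and CVSS only, then by a risk score that also weighs the public-disclosure, exploited and Exploitability Index fields the quote refers to. The weights in `risk_score` are assumptions chosen for illustration, not a published formula.

```python
from dataclasses import dataclass
from typing import Dict, List

# Microsoft's Exploitability Index labels, ranked from most to least urgent.
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 3,
    "Exploitation More Likely": 2,
    "Exploitation Less Likely": 1,
    "Exploitation Unlikely": 0,
}

# Vendor severity labels, ranked.
SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


@dataclass(frozen=True)
class Vuln:
    cve: str
    vendor_severity: str      # "Critical", "Important", ...
    cvss: float               # base score
    publicly_disclosed: bool  # details public before the patch shipped?
    exploited: bool           # exploitation seen in the wild?
    exploitability: str       # Exploitability Index label


def severity_only_order(vulns: List[Vuln]) -> List[Vuln]:
    """The naive ordering: vendor severity first, then CVSS, nothing else."""
    return sorted(
        vulns,
        key=lambda v: (SEVERITY_RANK.get(v.vendor_severity, 0), v.cvss),
        reverse=True,
    )


def risk_score(v: Vuln) -> float:
    """Risk score that treats real-world exploitation signals as dominant.

    Weights are illustrative assumptions: known exploitation outranks
    everything, public disclosure and the Exploitability Index come next,
    and vendor severity / CVSS only break ties between otherwise similar bugs.
    """
    score = 0.0
    if v.exploited:
        score += 100
    if v.publicly_disclosed:
        score += 40
    score += 20 * EXPLOITABILITY_RANK.get(v.exploitability, 0)
    score += 5 * SEVERITY_RANK.get(v.vendor_severity, 0)
    score += v.cvss
    return score


def risk_order(vulns: List[Vuln]) -> List[Vuln]:
    """Ordering by the richer risk score, highest first."""
    return sorted(vulns, key=risk_score, reverse=True)


def rank_shift(vulns: List[Vuln]) -> Dict[str, int]:
    """How many places each CVE moves up (positive) or down (negative)
    when switching from severity-only to risk-based ordering."""
    sev_pos = {v.cve: i for i, v in enumerate(severity_only_order(vulns))}
    risk_pos = {v.cve: i for i, v in enumerate(risk_order(vulns))}
    return {cve: sev_pos[cve] - risk_pos[cve] for cve in sev_pos}


# Constructed sample data (placeholder identifiers, made-up attributes).
SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", "Critical", 8.8, False, False, "Exploitation Less Likely"),
    Vuln("CVE-EXAMPLE-0002", "Important", 7.8, False, False, "Exploitation More Likely"),
    Vuln("CVE-EXAMPLE-0003", "Important", 7.0, True, False, "Exploitation More Likely"),
    Vuln("CVE-EXAMPLE-0004", "Critical", 9.8, False, False, "Exploitation Less Likely"),
    Vuln("CVE-EXAMPLE-0005", "Important", 6.5, False, True, "Exploitation Detected"),
]

if __name__ == "__main__":
    print("Severity-only:", [v.cve for v in severity_only_order(SAMPLE)])
    print("Risk-based:   ", [v.cve for v in risk_order(SAMPLE)])
    for v in risk_order(SAMPLE):
        print(f"{v.cve}: {v.vendor_severity:9} CVSS {v.cvss:4} risk {risk_score(v):6.1f}")
```

On the sample data, the two "Critical" entries lead the severity-only list, while the risk-based list puts the "Important" bug already being exploited first and the publicly disclosed one second, which is exactly the inversion the quote warns about. Replace the constructed records with the fields from a vendor's monthly release notes to reproduce the check against real data.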