Cyber Risk News
Two construction firms that helped to build emergency hospitals to cope with the COVID-19 pandemic have been hit by separate cyber-attacks, it has emerged.
Bam Construct, which worked on the Yorkshire and Humber hospital, appears to have fallen victim to a ransomware attack, whilst Interserve, which worked on Birmingham's NHS Nightingale, may have suffered a major data breach.
A Bam spokesman is reported to have said the business “stood up well” after the incident last week, despite being forced to take services offline to mitigate the attack.
“Our own precautions have had more of an effect on our normal working procedures than the virus itself, but it is important for us to be absolutely confident that restoring all systems – at a time when we are working from home in unprecedented numbers – is done carefully,” he said.
Meanwhile, a statement on Interserve’s website posted yesterday said the firm was a target of an attack earlier this month.
“Interserve is working closely with the National Cyber Security Centre (NCSC) and Strategic Incident Response teams to investigate, contain and remedy the situation. This will take some time and some operational services may be affected. Interserve has informed the Information Commissioner’s Office (ICO) of the incident. We will provide further updates when appropriate,” it noted.
“Interserve’s employees, former employees, clients and suppliers are requested to exercise heightened vigilance during this time.”
Some reports have suggested as many as 100,000 employees may have been affected by the attack on an HR database.
“A wider variety of hacking tools that would typically be used by sophisticated groups are trickling down to smaller groups or individuals,” warned Sam Curry, chief security officer at Cybereason.
“Ultimately, this creates a bigger challenge for security analysts to stay ahead of threats. Identification, remediation, 24x7 threat hunting and activating an incident response team is critical to prevent malicious and material damage from occurring in the supply chain.”
French construction giant Bouygues revealed back in February that it had been the victim of a “ransomware-type virus.”
Financial trading and spread betting service provider City Index has informed users of a breach of their personal data, including names, dates of birth, gender and bank details.
In a notification sent to users on May 8, City Index said that its network “was accessed by an unauthorized third party and client personal data may have been viewed.” Upon discovering the incident, it said it “shut down access to the server concerned and launched a full forensic investigation.” The incident took place on April 14.
In an immediate response to the incident, City Index sent an advisory to affected clients suggesting that they reset their City Index passwords and consider also resetting the password if it is used for other accounts the client may have elsewhere.
“We sincerely apologize for this incident and wish to assure you of our continued commitment to your data security,” it said in the statement.
City Index’s parent company Gain Capital declined to comment on how many people had been affected by the breach, or how long attackers had been inside the network for.
In an email to Infosecurity, a spokesperson for the Information Commissioner’s Office, said: “We have received a report from Gain Capital of an incident and are assessing the information provided.” The Financial Conduct Authority told Infosecurity that it was unable to comment on individual firms.
A new cyber-espionage framework has been unearthed by researchers at cybersecurity company ESET.
Dubbed "Ramsay," the framework appears to be tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems.
ESET believes the framework is still under active development, because its research to date has revealed only a small number of victims. Malicious documents uncovered during the research and uploaded to public sandbox engines with titles such as "access_test.docx" or "Test.docx" seem to support this theory.
Researchers came across the previously unreported cyber-espionage framework while studying a suspicious data sample. Korean-language metadata were discovered within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates.
Alexis Dorais-Joncas, head of ESET’s Montreal-based research team, said: “We initially found an instance of Ramsay in a VirusTotal sample uploaded from Japan that led us to the discovery of further components and other versions of the framework along with substantial evidence to conclude that the framework is still in a developmental stage, with delivery vectors subject to fine testing."
Although a relatively fresh arrival on the digital spy scene, Ramsay has already undergone several re-jigs. Researchers noted that the various discovered versions of Ramsay differ in complexity and sophistication, with the latest third version being the most advanced, especially with regard to evasion and persistence.
"Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojanized applications potentially being delivered via spear-phishing," wrote researchers.
The architecture of the framework provides a series of capabilities that include file collection and covert storage, command execution, and highly aggressive file spreading.
In the more mature versions of Ramsay, researchers observed a technique sometimes referred to as “Phantom DLL Hijacking,” which takes advantage of Windows applications' use of outdated dependencies to leverage malicious versions of those dependencies.
Ramsay's primary goal is to collect all existing Microsoft Word documents within the victim’s file system. Depending on the Ramsay version in play, file collection is either restricted to the local system drive or involves a search of additional drives such as network or removable drives.
Privileged access management specialist CyberArk today announced the acquisition of Identity-as-a-Service company IDaptive Holdings Inc.
Commonly known as Idaptive, the California company was formed in the fall of 2018 as an offshoot of the IDaaS service offered by Centrify. From its headquarters in Santa Clara, Idaptive serves a client list of around 500 well-known organizations that includes Swarovski, Butterball, Rémy Cointreau, and Appen.
The company describes its Next-Gen Access Cloud Platform as "like a chameleon that adapts almost instantly to its environment and has amazing 360-degree vision." The platform combines leading capabilities to seamlessly integrate single sign-on, multi-factor authentication, enterprise mobility management, and user behavior analytics to offer maximum cybersecurity.
The total purchase price for the acquisition of Idaptive was $70m in cash consideration.
Through the acquisition, CyberArk and Idaptive said that they aim to deliver a "comprehensive Artificial Intelligence (AI)–based, security-first approach to managing identities that is adaptive and context-aware and architected on the principles of Zero Trust and least privilege access, to dramatically reduce risk."
The deal will allow CyberArk to up its game when it comes to managing and protecting identities with various levels of privileges across hybrid and multi-cloud environments. The company said customers will benefit from the acquisition by attaining a better overall security posture with a more efficient and seamless user experience that complies with the ever-increasing number of complex regulatory requirements.
“With cyber-attacks on the rise, organizations need modern, comprehensive solutions to make better, continuous access and authorization decisions for the broadest range of users,” said Udi Mokady, founder, chairman, and CEO of CyberArk.
"With Idaptive, CyberArk will offer customers a SaaS-delivered, security-first approach to managing identities—with Privileged Access Management at its core—that reduces risk, simplifies operations and improves business agility. We are thrilled to welcome the Idaptive team to CyberArk.”
Mokady went on to praise the team at Idaptive for the spirit with which they approach their work.
He said: "Idaptive brings with it an amazing and passionate team. I am eager to bring their energy and commitment to define the future of Identity Security."
A major US healthcare provider has suffered a ransomware attack after falling for a phishing email that appeared to be sent by a client.
Magellan Healthcare received what they believed to be a genuine email from a client on April 6. Five days later, attackers compromised the systems of the Fortune 500 company, exfiltrating records containing personal information before launching ransomware to encrypt files.
In a cyber incident notification letter dated May 12 that was sent to those whose information had been compromised, Magellan Healthcare said that the exfiltrated records "include personal information such as name, address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number and, in limited circumstances, may also include usernames and passwords."
An information-hungry thief or thieves exfiltrated a subset of data taken from a single Magellan corporate server, but they didn't stop there. According to a Magellan spokesperson: "In limited instances, and only with respect to certain current employees, the unauthorized actor also used a piece of malware designed to steal login credentials and passwords."
Upon discovering the ransomware attack, Magellan hired cybersecurity forensics firm Mandiant to help conduct a thorough investigation of the incident. It was Mandiant that discovered that prior to the launch of the ransomware, data had been exfiltrated.
The company also reported the cyber-attack to the FBI and relevant law enforcement agencies and filed a notice with the California attorney general's office on Monday.
Commenting on the incident, Erich Kron, security awareness advocate at KnowBe4, said: “The bigger story here was not the encryption of data and subsequent downtime, but the actual exfiltration of the data, which is becoming the norm in ransomware attacks.”
Magellan said that, since the incident occurred, the company has implemented additional security protocols "designed to protect our network, email environment, systems, and personal information."
Writing to those whose data was exposed in the attack, Magellan said: “At this point, we are not aware of any fraud or misuse of any of your personal information as a result of this incident."
Identity theft protection is being provided by the company to people whose information was stolen.
"Unfortunately, these sorts of attacks are increasingly common," a Magellan spokesperson told FOX Business. "We are aggressively investigating this matter and will continue to provide updates to those impacted as the investigation continues."
Microsoft has fixed 111 vulnerabilities in its latest update round, the third month in a row that the number of addressed CVEs has exceeded a century.
Although there are no zero-day bugs to fix this month, 13 of the flaws were rated as critical, with many of them exploitable simply by visiting a web page or server, according to Recorded Future senior solutions architect, Allan Liska.
He said organizations should prioritize CVE-2020-1117, a remote code execution (RCE) vulnerability in the Microsoft Color Management Module (ICM32.dll), which could be exploited if an attacker persuades a victim to visit a website under their control, or via malvertising.
Another RCE bug, CVE-2020-1153, exists in the Microsoft Graphics Component and affects end-of-life systems including Windows 7 and Server 2008.
There are also four critical flaws to patch in Microsoft SharePoint, versions 2013 to 2019: CVE-2020-1023, CVE-2020-1024, CVE-2020-1069 and CVE-2020-1102.
“SharePoint is increasingly targeted by attackers and similar vulnerabilities have been exploited in the wild,” explained Liska. “With more people working from home during the pandemic, it is likely these vulnerabilities will be targeted once proof-of-concept code is developed.”
Meanwhile, Todd Schell, senior product manager at Ivanti, argued that sysadmins should take care when prioritizing which bugs to fix first.
“What is interesting, and often overlooked, is that seven of the 10 CVEs at higher risk of exploit are only rated as important. It is not uncommon to look at the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are actually the ones rated as important,” he explained.
“If your prioritization stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics. Look to other risk metrics such as publicly disclosed, exploited (obviously) and exploitability assessment (Microsoft specific) to expand your prioritization process.”
Organizations that decide to pay their ransomware attackers may end up doubling the overall cost of recovery, according to a new report from Sophos.
The UK-headquartered security firm polled 5000 IT decision makers in organizations across 26 countries to compile its State of Ransomware 2020 report.
It revealed that the average cost of an attack — including business downtime, lost orders, and operational costs, but not the ransom itself — was $730,000. However, this figure rose to $1.4m when the ransom was included.
Over a quarter (27%) of respondents admitted to paying up when hit by an attack.
“Organizations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory,” argued Chester Wisniewski, principal research scientist at Sophos.
“Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair.”
Over half (51%) of organizations said they experienced a significant ransomware attack in the previous 12 months, nearly as many as the peak of 54% in 2017, when WannaCry and NotPetya hit. Data was encrypted in 73% of cases where attackers breached the organization.
Over half (56%) of the IT managers surveyed said they were able to recover data from backups without paying the ransom, but while backing up is now industry best practice, there are other elements to consider, according to Wisniewski.
“Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes. We’ve recently reported on LockBit using this tactic,” he explained.
“Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay. The way to address these malicious maneuvers is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages.”
Email security failings among most of the banks designated to handle COVID-19 business stimulus loans could be putting applicants at risk of phishing, according to Proofpoint.
The security vendor claimed that only 13 out of the 64 accredited financial institutions have implemented the strongest Domain-based Message Authentication, Reporting & Conformance (DMARC) policy.
This means 80% of the banks aren’t proactively blocking fraudulent emails from reaching customers, while 61% have published no DMARC record at all.
DMARC helps to prevent certain types of spam and phishing attacks by letting receiving mail servers verify that the sender's domain hasn’t been impersonated. However, the policy must be set to p=reject in order to stop suspicious emails from being delivered to customer inboxes; a record set to p=none only reports on them.
The need for improved anti-phishing measures is heightened at the present time as cyber-criminals lie ready to defraud victim organizations by impersonating trusted authorities like banks.
The government’s Coronavirus Business Interruption Loan Scheme (CBILS), which offers essential financial support to many companies affected by the pandemic, offers just such an opportunity.
“By not implementing simple, yet effective email authentication best practices, these accredited organizations are putting already vulnerable businesses at even greater risk, whilst COVID-19-related attacks are on the rise,” said Adenike Cosgrove, cybersecurity strategist, international at Proofpoint.
“In times of urgency and uncertainty, individuals are much more susceptible to these kinds of attacks, particularly if a fraudulent email looks like it has come from a genuine domain. Having the recommended level of DMARC protection is essential for any organization accredited for the CBILS.”
The government mandated p=reject DMARC for all departments back in 2016 but progress has been slow. Only around a quarter of gov.uk domains support the best practice security protocol, according to a 2019 report from Egress.
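As an added illustration of the three DMARC buckets the survey above distinguishes (no record, a non-enforcing record, and p=reject), the following Python classifies a domain's DMARC posture from the TXT records that would be found at `_dmarc.<domain>`. This is example code written for this page, not from the article or Proofpoint; the domain names and records in it are constructed, and `classify_dmarc`, `blocks_spoofed_mail` and `survey` are this example's own functions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DmarcPosture:
    level: str                       # "missing", "invalid", "monitor", "quarantine" or "reject"
    policy: Optional[str]            # raw p= value, if any
    pct: int                         # share of failing mail the policy is applied to (default 100)
    subdomain_policy: Optional[str]  # effective sp= value (defaults to p=)
    note: str


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k2=v2' DMARC record into a dict. Tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt_records: List[str]) -> DmarcPosture:
    """Classify the TXT records published at _dmarc.<domain>.

    A DMARC record must start with v=DMARC1 and carry a p= tag; anything else
    is ignored by receivers, which is why "invalid" is treated like "missing"
    from a spoofing-protection point of view.
    """
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcPosture("missing", None, 100, None,
                            "no DMARC record; receivers apply no policy to spoofed mail")
    if len(dmarc) > 1:
        return DmarcPosture("invalid", None, 100, None,
                            "more than one DMARC record; receivers ignore all of them")
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower() or None
    if policy not in ("none", "quarantine", "reject"):
        return DmarcPosture("invalid", policy, 100, None,
                            "p= tag missing or unknown; the record is not usable")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return DmarcPosture("invalid", policy, 100, None, "pct= is not an integer")
    if not 0 <= pct <= 100:
        return DmarcPosture("invalid", policy, 100, None, "pct= outside 0..100")
    sub = tags.get("sp", policy).lower()
    level = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}[policy]
    notes = []
    if policy == "none":
        notes.append("monitoring only: spoofed mail still reaches inboxes")
    if pct < 100:
        notes.append(f"policy applied to only {pct}% of failing mail")
    if sub != policy:
        notes.append(f"subdomains use sp={sub}, not p={policy}")
    return DmarcPosture(level, policy, pct, sub, "; ".join(notes) or "enforcing")


def blocks_spoofed_mail(posture: DmarcPosture) -> bool:
    """True only for the strongest setting: p=reject on the domain and its subdomains, 100% of mail."""
    return posture.level == "reject" and posture.pct == 100 and posture.subdomain_policy == "reject"


# Constructed sample of five fictional lender domains (not real banks).
SAMPLE_DOMAINS: Dict[str, List[str]] = {
    "bank-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"],
    "bank-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example"],
    "bank-c.example": [],                                  # no record at all
    "bank-d.example": ["v=DMARC1; p=quarantine; pct=25"],  # partial enforcement
    "bank-e.example": ["v=DMARC1; p=reject; sp=none"],     # subdomains left open
}


def survey(domains: Dict[str, List[str]]) -> Dict[str, int]:
    """Count postures across a set of domains, the way the survey above tallies banks."""
    counts = {"total": 0, "missing": 0, "invalid": 0, "monitor": 0,
              "quarantine": 0, "reject": 0, "fully_enforcing": 0}
    for records in domains.values():
        posture = classify_dmarc(records)
        counts["total"] += 1
        counts[posture.level] += 1
        if blocks_spoofed_mail(posture):
            counts["fully_enforcing"] += 1
    return counts


if __name__ == "__main__":
    for name, records in SAMPLE_DOMAINS.items():
        p = classify_dmarc(records)
        print(f"{name:16} {p.level:10} {p.note}")
    print(survey(SAMPLE_DOMAINS))
```

In a real check the TXT records would come from a DNS lookup of `_dmarc.<domain>`; the classifier itself does not touch the network.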
Media and entertainment lawyers Grubman Shire Meiselas & Sacks have confirmed reports that their firm has fallen victim to a ransomware attack.
News of a possible attack surfaced last week when the threat group behind the REvil ransomware (also known as Sodinokibi) published what it claimed was a sample of the 756GB of data exfiltrated from the New York City law firm. Among the data it now appears was genuinely stolen from Grubman Shire Meiselas & Sacks is personal data belonging to a host of celebrities including Bruce Springsteen, Mary J. Blige, and Madonna.
The website for Grubman Shire Meiselas & Sacks is currently down while digital forensic experts work to recover the firm's encrypted files.
In a statement given to Variety, Grubman Shire Meiselas & Sacks said: “We can confirm that we’ve been victimized by a cyberattack. We have notified our clients and our staff."
The law firm gave no indication of how much Bitcoin was demanded in ransom by the threat actors. Nor did it state whether any payment would be made to recover the encrypted data of their star roster.
From the little information that the firm did release, it seems that rather than pay the cyber-thieves, an alternative solution is being sought to recover the data that was encrypted and stolen with REvil ransomware.
"We have hired the world’s experts who specialize in this area, and we are working around the clock to address these matters,” said Grubman Shire Meiselas & Sacks.
The threat group has threatened to publish the stolen data in nine installments. According to the threat group, information compromised in the attack includes contracts, telephone numbers, email addresses, personal correspondence, and non-disclosure agreements.
Jonathan Knudsen, senior security strategist at Synopsys, commented: "Personal information is valuable by itself, but personal information about celebrities is even more valuable. The attackers in this case have, unfortunately, perpetrated a crime with deep impact."
Knudsen said that while ransomware attack victims could pay up to recover their files, they might struggle to recover their peace of mind.
He said: "Even if you regain access to your own information, your attacker might still have a copy of the information and be able to resell it to other interested parties."
Ontario's privacy commission has launched an investigation into a "significant privacy breach" at a long-term care home where 66 residents have died after contracting COVID-19.
Canada's long-term care minister Merilee Fullerton announced on Twitter on Saturday evening that an inquiry will be launched into the unauthorized release of private data belonging to residents of the Orchard Villa retirement community in the city of Pickering.
"I’m learning of disturbing news out of Pickering’s Orchard Villa LTC home," said Fullerton. "There is a possibility of a significant privacy breach regarding individual resident personal health info."
According to Fullerton, the residential care home has informed the Information Privacy Commissioner Office "and other authorities as appropriate" that a data breach has occurred.
The minister went on to say that the situation was being monitored closely by the government, which "takes personal privacy very seriously."
In a statement shared on Monday, Privacy Commissioner Brian Beamish confirmed that his office is investigating a data breach at the 233-bed care home.
Jason Gay, the home’s executive director, confirmed that an internal investigation was conducted, but would not comment further regarding the breach.
“We can confirm there is a possibility of a privacy breach of personal health information,” wrote Gay in an email. “We have informed the privacy commissioner and an internal investigation has been conducted. We will not be commenting further at this time.”
According to the MPP for Pickering-Uxbridge, Peter Bethlenfalvy, Orchard Villa is taking action to notify residents and their families of the unauthorized release of information.
Orchard Villa is one of 36 residential care homes owned by Southbridge Care Homes, based in Cambridge, Ontario. Since the outbreak of the novel coronavirus in March, Orchard Villa has sadly lost 66 residents to the deadly virus and confirmed 200 cases.
Families of Orchard Villa residents have criticized the care home for not sharing sufficient information regarding the outbreak of COVID-19 at the facility. A group led by resident family member June Morrison is now calling for an inquiry to be launched into practices at the care home.
Morrison told Global News that Orchard Villa "should have gone to the ministry early on and asked for help."
WannaCry, notorious as the largest ransomware epidemic in history, reached its peak on May 12, 2017. Recent research by Kaspersky confirms that three years on, WannaCry retains the dubious honor of being among the most prevalent ransomware families causing trouble around the world.
To raise awareness of this ongoing threat, both INTERPOL and Kaspersky have dubbed today Anti-Ransomware Day and urged organizations to back up their data and adopt relevant security protections.
Failing to take all possible steps to secure a business against a ransomware attack can be a very expensive mistake. According to research published by Kaspersky in October 2019, organizations hit with ransomware attacks last year lost on average $1.46m.
The costs associated with a ransomware attack go beyond the ransom amount demanded by the cyber-criminal(s). Companies that fall victim to this crime can incur financial losses for downtime and reputational damage and incur additional costs for data recovery and fines.
Kaspersky researchers found a total of 767,907 users were attacked by encryptors in 2019, with almost a third of them (30%) found in businesses. WannaCry was still the most common of all the encryption families, attacking 164,433 users and accounting for 21% of all detected attacks in 2019.
Other prevalent encryptors used in 2019 include GandCrab, wielded in 11% of attacks, and Stop, deployed in 4%.
"The WannaCry epidemic, which saw companies lose millions in revenue because of downtime or costs related to reputational damage, demonstrated what can happen if ransomware happens on such a large scale,” said Sergey Martsynkyan, head of B2B product marketing at Kaspersky.
“The threat remains relevant today, as there will be users out there who still may not know much about it and can become a victim. The good news is that the right security approach and relevant measures can make ransomware yet another non-critical threat."
By supporting Anti-Ransomware Day, Craig Jones, director, INTERPOL Cybercrime Directorate, said the organization wished to encourage the public "to keep good cyber hygiene and to #WashYourCyberHands.”
The Certified Information Systems Security Professional (CISSP) certification has been officially recognized as equivalent to a master’s degree across Europe. The qualification was designated as comparable to Level 7 of the Regulated Qualifications Framework (RQF) by UK NARIC, the UK’s designated national agency responsible for providing information and expert guidance on qualifications from across the world.
The change will enable cybersecurity professionals to use the CISSP certification towards higher education course credit and also open up new opportunities for roles that require or recognize master’s degrees. The new designation will apply both to the UK and across Europe.
The announcement followed the American Council on Education’s College Credit Recommendation Service’s (ACE CREDIT®) recognition of six (ISC)2 certifications as eligible for college credit.
In making its decision, UK NARIC undertook an in-depth independent benchmarking study of the CISSP certification. This involved a review of the core qualification components as well as a comparative analysis, against the RQF, of the skills assessed during a candidate’s computer adaptive test (CAT) examination. The analysis concluded that the CISSP assesses candidates’ knowledge and skills at a level comparable to the RQF Level 7 standard. It noted that the CISSP requires skills such as organizational problem solving and decision making, and awareness and correct use of industry standards, policy and best practice.
“Recognizing the CISSP as comparable to master’s level qualifications further underlines the robust educational and operational value of the certification within Europe,” said Deshini Newman, managing director EMEA at (ISC)2. “It will support our members in their career progression as they embark on opportunities both within their own organizations and externally when applying for roles with degree entry criteria.”
The RQF was developed by the UK government to help differentiate the levels of demand in various qualifications according to an eight-point scale. It can also help employers understand and compare cybersecurity qualifications throughout Europe, with the European Qualifications Framework (EQF) referencing the eight levels of the RQF.
International security awareness training provider KnowBe4 has announced the promotion of special operations engineer Colin Murphy to the position of chief information officer (CIO).
Murphy is an IT executive with over 13 years of expertise in security and software development in the telecommunications, energy deregulation and financial industries. In his new role, Murphy will be responsible for information technology strategies and computer systems to ensure they support KnowBe4’s goals and high-level business objectives.
Stu Sjouwerman, CEO of KnowBe4, said: “Colin has been an integral part of KnowBe4 for several years now and his previous experience as CIO for several other companies made him a natural fit to take on this opportunity. We believe in promoting from within whenever possible and he was already assuming the role of CIO by leading the IT area before the position was formally offered to him. I have confidence that Colin will surpass all expectations as KnowBe4’s CIO.”
Chris Murphy added: “As an executive and security professional, I have seen the countless ways KnowBe4 has transformed what security awareness means for its customers. My goal for the team is to create a strategic IT vision that drives innovation to accelerate growth and improve our internal efficiencies. We are determined to deliver the best IT solutions and support to the staff at KnowBe4 so they can meet their goals, deliver key results and enhance the organization’s position in the US and global markets.”
Security experts are warning of a 30% spike in COVID-19-themed cyber-attacks over the past two weeks as hackers continue to spoof trusted brands and organizations.
Check Point revealed an average of 192,000 coronavirus-related cyber-attacks per week over the past fortnight — the vast majority of which were phishing emails.
Some, like a WHO-themed phishing email purporting to be an ‘urgent letter’ containing information on the first human vaccine test, contain password-stealing keylogging malware.
Others seen by the vendor are spoofed to appear as if sent by the WHO or UN and are extortion emails demanding Bitcoin payments.
Check Point also observed a surge in domain registrations as part of ongoing coronavirus-related phishing campaigns.
Nearly 37% of Zoom-related domains were registered in the past three weeks, it said. Of the 2449 detected, 1.5% were malicious and 13% categorized as suspicious. Similar lures include fake Microsoft Teams and Google Meets links/domains.
In total, Check Point claimed to have detected nearly 20,000 new COVID-19 registrations in the past three weeks, over a fifth (22%) of the total spotted so far since the beginning of the outbreak. Of this most recent batch, 2% are malicious and 15% suspicious.
The vendor urged users to beware of lookalike domains with spelling errors and unfamiliar senders, to not reuse passwords across accounts and to order goods only from authentic sources.
Intelligence from Google, Microsoft and the National Cyber Security Centre (NCSC) has maintained that, although COVID-19 threats are on the rise, the overall level of cybercrime is not.
Instead, it appears that cyber-criminals are repurposing other campaigns with COVID-19 themes in the hope of generating an improved success rate.
Google claimed last month to be blocking over 240 million COVID-19-themed spam messages each day, and 18 million malware and phishing emails.
A major mailing technology firm has been hit by ransomware for the second time in just seven months, after the notorious Maze gang struck.
The group is known for stealing sensitive files from targeted organizations before encrypting systems, in order to force a ransom payment.
This is what it appears to have done with US firm Pitney Bowes, although it claimed that the encryption part was unsuccessful.
“Recently, we detected a security incident related to Maze ransomware. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited,” noted a statement from the firm.
“Working with our third-party security consultants, we immediately took critical steps to thwart the attack before data could be encrypted. At this point, there is no evidence of further unauthorized access to our IT systems. The investigation remains ongoing.”
However, screenshots posted by Maze seem to indicate that information on employees, and sensitive financial and customer data, may be in the hands of the attackers.
The previous attack on Pitney Bowes is believed to have been carried out by the equally prolific Ryuk group.
At the time the firm admitted that it had “encrypted information on some systems and disrupted customer access to our services.” These included SendPro products, postage refill and Your Account access.
According to Microsoft, Maze is one of several groups that have been targeting hospitals during the COVID-19 crisis, with sophisticated attack techniques more akin to APT groups, including credential theft, lateral movement, reconnaissance, persistence and data exfiltration.
In the past it has been known to target virtual desktop endpoints without multi-factor authentication, end-of-life platforms like Windows Server 2003, misconfigured web servers and vulnerabilities in Citrix Application Delivery Controller (ADC) and Pulse Secure VPN systems.
Researchers are urging WordPress administrators to patch two new vulnerabilities discovered in a popular plugin that have been downloaded over a million times.
If an attacker is able to trick an admin into clicking on a phishing link or opening a booby-trapped attachment, they could gain full remote control of the site, warned Wordfence threat analyst, Chloe Chamberland.
The security vendor notified plugin developer Site Origin, whose Page Builder software is affected, on May 4, with the firm releasing a patch a day later.
The plugin itself is designed to simplify page and post editing in WordPress, via features like a live editor.
Both discovered flaws are cross-site request forgery to reflected cross-site scripting vulnerabilities with a CVSS score of 8.8, making them high severity. They affect versions of Page Builder up to and including 2.10.15.
“Both of these flaws allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser,” noted Chamberland. “[They] could be used to redirect a site’s administrator, create a new administrative user account, or, as seen in the recent attack campaign targeting XSS vulnerabilities, be used to inject a backdoor on a site.”
Users are urged to upgrade to version 2.10.16 of Page Builder as soon as possible to mitigate the threat.
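As an added illustration, not Page Builder's or SiteOrigin's code, the following hypothetical WordPress admin-ajax handler shows the shape of a CSRF-to-reflected-XSS bug beside a hardened version; the action names, function names and the 'example-editor' script handle are assumptions.

```php
<?php
// Added illustrative example, not SiteOrigin Page Builder's code. A hypothetical
// admin-ajax "preview" handler in the vulnerable shape (no nonce, no escaping)
// beside a hardened version. Function, action and script-handle names are assumed.

// VULNERABLE: any request that reaches this action while an admin is logged in
// is honoured (CSRF), and the parameter is reflected unescaped (reflected XSS).
function example_preview_vulnerable() {
    $title = $_POST['title'];          // attacker-controlled, never validated
    echo '<h2>' . $title . '</h2>';    // reflected straight into the admin's page
    wp_die();
}
add_action( 'wp_ajax_example_preview_vulnerable', 'example_preview_vulnerable' );

// HARDENED: a nonce ties the request to a token only the genuine admin page holds,
// a capability check confirms the caller may edit, and the output is escaped.
function example_preview_hardened() {
    // Rejects forged requests: the nonce is bound to this action and to the user.
    check_ajax_referer( 'example_preview', '_wpnonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    echo '<h2>' . esc_html( $title ) . '</h2>';   // escaped, so markup is inert
    wp_die();
}
add_action( 'wp_ajax_example_preview_hardened', 'example_preview_hardened' );

// The legitimate editor page issues the nonce the hardened handler expects.
// 'example-editor' is an assumed, previously registered script handle.
function example_enqueue_preview_nonce() {
    wp_localize_script( 'example-editor', 'examplePreview', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_preview' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_preview_nonce' );
```

A request forged from another site cannot carry a valid `_wpnonce`, so `check_ajax_referer` stops the CSRF half of the chain, and `esc_html` neutralises the reflected-XSS half even if a check were ever bypassed.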
The news comes just days after Wordfence notified WordPress administrators of a spike in attack traffic targeting cross-site scripting vulnerabilities in various plugins and themes.
The firm detected a 30-fold increase in attack traffic over the previous month, with attacks on more than 900,000 sites, from over 24,000 different IP addresses, all from the same malicious actor.
Designed to achieve remote control of targeted sites, the attacks may change slightly over time as the hacker pivots to using other vulnerabilities, Wordfence warned.
The United States Department of Homeland Security and the Federal Bureau of Investigation are reportedly on the brink of issuing a cybersecurity warning over the alleged theft of COVID-19 vaccine data by state-backed threat actors.
According to the New York Times, the warning will allege that cyber-criminals supported by the People's Republic of China are actively trying to steal American research in a bid to develop vaccines and treatments for the novel coronavirus.
The newspaper claims that a draft of the warning states that China is on the grab for “valuable intellectual property and public health data through illicit means related to vaccines, treatments and testing.”
The warning, which the paper rather vaguely claims "officials" said will be "issued in the days to come," is expected to focus on cyber-theft and malicious action by nontraditional actors. The term “nontraditional actors” refers to students and researchers who steal data from inside academic and private laboratories.
Should the warning materialize, it will follow in the wake of the recent alleged cyber-attack on Gilead Sciences Inc, makers of the FDA-approved coronavirus treatment drug Remdesivir. Reuters reported on May 8 that hackers believed to be from Iran had targeted staff at the company with a phishing attack.
Ohad Zaidenberg, lead intelligence researcher at Israeli cybersecurity firm ClearSky, said attackers impersonated journalists over email in a bid to compromise the email accounts of Gilead staff. Gilead did not confirm whether the attack had been successful or if one had occurred at all.
News of the imminent warning comes as the FBI's Internet Crime Complaint Center (IC3) marks 20 years of tracking cybercrime. The center, which started life as the Internet Fraud Complaint Center but was renamed in 2002, logged its 5 millionth complaint in March of this year.
A spokesperson for IC3 said: "All that data has improved the public’s awareness of online crimes and helped the FBI and other law enforcement agencies better address internet-enabled attacks, fraud, thefts, and scams."
In its first full year of operation, the IC3 logged 49,711 complaints, most of which involved internet auction fraud, non-delivery scams, and a certain fake phishing email from a Nigerian prince.
“People still fall victim to that letter and versions of it,” said IC3 chief Donna Gregory. “We still see scams that involve lotteries or windfalls where the victim just needs to pay what they believe are taxes or some fee to receive the winnings or a share of the fortune.”
Cyber-thieves are impersonating videoconferencing platform Zoom to steal victims' Microsoft credentials.
Describing the conceit, researchers said: "This attacker impersonates Zoom by crafting a convincing email and landing page that mimics meeting notifications from Zoom. The email masquerades as an automated notification stating that the user has recently missed a scheduled meeting and implores the user to visit the link for more details and a recording of the meeting."
When the user clicks on the legitimate-looking Zoom link, they are taken to a fake Microsoft login page with the name of the user’s organization and "Zoom" above the sign-in location.
"This indicates that the attackers are more interested in the user’s Microsoft credentials, which can be used to access a larger trove of sensitive information," concluded researchers.
The attack was observed occurring across several organizations with specific elements such as usernames customized to target each specific recipient.
While the attackers attempted to cover their tracks by making it appear as though the malicious notifications were stemming from multiple sources, researchers picked up on tell-tale signs that indicate they were linked.
"Although the attackers are trying to disguise their location by using many different VPN sources, the messages all look similar, were sent during a short, discrete time period, and use the same VPN services, which leads us to believe that these are coordinated attacks by the same malicious actor," wrote researchers.
Asked how sophisticated this attack was on a scale of one to ten, with ten being the most sophisticated, Abnormal Security's VP of cybersecurity strategy, Ken Liao, rated it a six.
"Our models picked up on the abnormalities of the email, found in the 'Techniques to Detect' image on our blog, which included suspicious features like suspicious IP geolocation as well as unusual sender," Liao told Infosecurity Magazine. "However, the attacker created links with the brand name and customized landing pages for each organization they targeted, so there was some tailoring of the attacks to the specific targets."
Only 19% of employees working from home as a result of COVID-19 lockdown measures have checked if their anti-virus solution is up to date, according to new research shared today by Avast Business.
The company surveyed 2,000 employees of small to medium UK businesses in April 2020 to find out how secure their home working practices are. The results were good news for threat actors on the lookout for easy marks.
Researchers found that nearly a fifth (18%) of those currently working from home are doing so from their own unprotected devices, with not even half, 45%, working on secure devices provided by their employer.
Along with technology provision, security support was found to be an issue for remote workers. With only 26% of workers having access to designated IT support provided by their employer, the research points to the majority of employees being left to navigate security's rocky terrain on their own.
According to the research, most employees went into lockdown with little security training to fall back on. While 24% of those polled said they had received regular security training at work in the past, only 7% of employees had undergone specific online security training when lockdown measures were implemented.
Many employees working from home have turned to videoconferencing platforms like Zoom to help them stay in touch with colleagues and customers, but few have been advised on how to use them safely. Researchers found that only 23% of employees had received any guidance on how to use platforms like Zoom and Microsoft Teams.
“Not all businesses have a designated point of contact for IT security, or the necessary resources. This makes it even more imperative that both business owners and employees take active responsibility," commented Jaya Baloo, chief information security officer for Avast.
While countries around the world have tentatively begun easing lockdown restrictions, Baloo predicts that ensuring workers can securely work remotely will remain crucial.
She said: "Even when the lockdown starts coming to an end, there’s a high chance that increased remote working becomes the new normal for a long time."
Avast researchers said companies whose employees are working remotely should prepare for the worst.
They said: "You must assume everyone is connecting in an Internet cesspool and they are accessing important corporate assets. This means that they need the appropriate protection, security, and tools to get their jobs done."
New research from business ISP specialist Beaming has revealed that the volume of cyber-attacks on UK businesses increased by almost a third in the first three months of 2020.
Beaming analysts identified 394,000 unique IP addresses used to attack UK businesses in the first quarter of 2020, discovering that companies with internet connections experienced 157,000 attacks each, on average – the equivalent of more than one a minute.
This rate of attack was 30% higher than the same period in 2019 when UK businesses received 120,000 internet-borne attempts to breach their systems each.
Beaming cited IoT applications as the most common targets for cyber-criminals in the first quarter, attracting almost 19,000 online attacks per company. Company databases and file-sharing systems were also targeted frequently, with companies experiencing approximately 5,000 attacks for each application, on average.
Sonia Blizzard, managing director of Beaming, said: “The record levels of cyber-attacks on UK businesses experienced during the second half of last year were maintained in the first three months of 2020, with companies being attacked more than once every minute on average.
“Businesses of all sizes need to take the threat seriously and take sensible steps to improve their resilience to attack, particularly now that the risk is magnified with so many people working from home.”