Cyber Risk News
Android users have been warned that the source code of another version of the Exobot banking malware (v2.5, first detected in May 2018 and dubbed "Trump Edition") has been leaked online. The leak is expected to result in a surge of malicious Android apps now that the source is circulating on dark web hacking forums, according to Tripwire.
"The Trojan gets the package name of the foreground app without requiring any additional permissions. This is a bit buggy, still, but works in most cases. The interesting part here is that no Android permissions are required. All other Android banking Trojan families are using the Accessibility or Usage Stats permissions to achieve the same goal and therefore require user interaction with the victim," ThreatFabric security researcher Cengiz Han Sahin told Bleeping Computer.
It’s no secret that bank websites and banking apps are under constant attack and that using Android Trojans to target banking apps is fairly commonplace. With this new Trump Edition, though, there are two primary concerns for security experts: First, whenever an infected Android device visits a financial institution's website, the overlay attack steals user credentials. Second, once mobile banking malware is released, it quickly spreads across devices.
An increase in these types of attacks could have long-term implications that would likely impact more than financial institutions. “The data this malware is targeting will impact not only banks and their customers but also ecommerce companies and other industries,” said Ryan Wilk, VP of customer success, NuData Security, a Mastercard company.
“Personally identifiable information extracted from Exobot-infected devices will quickly find its way to the dark web, where it can be used against the account holder’s account, as well as other online accounts.”
This source code leak could trigger a spike in overlay attacks, according to Frederik Mennes, senior manager market and security strategy, security competence center at OneSpan. “Malware on the user’s mobile device shows a window on top of the genuine mobile banking app that looks very similar to the genuine app. In this way the malware aims to trick the user into entering his credentials into the overlay window.”
A flaw in the website design for LifeLock, a company charged with protecting the identity of its online customers, resulted in millions of customer accounts being exposed, according to KrebsonSecurity. The vulnerability, which reportedly allowed access without any authentication, has been fixed, but the exposure highlights the larger concerns inherent in web application security.
Of particular concern is the fact that web apps have become the cornerstone of operations for today’s digital enterprises. They are accessible at all times, from any location or device, but they can also contain sensitive customer data. Securing the data must be a priority, according to Setu Kulkarni, vice president of product and corporate strategy, WhiteHat Security.
“WhiteHat Security's research has shown that web applications are consistently the most exploited means of entry into the enterprise by hackers. Despite this, companies are still failing to implement proper application security protections, making them an easy and vulnerable target.”
“We often see enterprises inheriting risk from third parties. In many cases, web pages are developed by non-IT teams without much governance. Data-flow architecture gets ignored, which can jeopardize personally identifiable information (PII). Largely by necessity, web applications are built and deployed by a wide range of coders, architects and administrators, who sometimes make mistakes.”
The LifeLock exposure serves as another reminder of the security issues in web applications, which often are not designed with security in mind. “Too many website applications are built with little thought on how to prevent being hacked,” said Chris Olson, CEO of The Media Trust.
“LifeLock's web app vulnerability appears to have resulted from developers' oversight and mirrors many other incidents in the past year alone, where security features and procedures to reinforce them receive little attention. Developers should make security a priority throughout a product's life-cycle stages, from concept to manufacturing to retirement. Website operators should police all their website third parties to ensure all their activities fall within policies and scan their sites to identify and obstruct unauthorized code.”
The breach echoes the reality that an unknown vulnerability can pose a major threat to data security and brand reputation, according to Rich Campagna, CMO, Bitglass. “Enterprises need to have visibility across their networks, cloud services and devices in order to prevent and monitor for these kinds of risks.
“This data leak could have been avoided by using data-centric security tools that can ensure appropriate configurations, deny unauthorized accesses and encrypt sensitive data at rest. Because LifeLock failed to utilize such a solution, millions of customers have had their data exposed, become more vulnerable to highly targeted spear phishing campaigns and lost trust in a company dedicated to keeping their data safe.”
In an effort to deliver more robust application and data security solutions that protect enterprises against attacks from cyber-criminals, California-based Imperva Inc. announced that it will acquire the Los Angeles-based application security company Prevoty. The deal, which is expected to close in Q3 2018, has an estimated value of $140m. The Prevoty office will become an Imperva location.
Five years into its journey to deliver application protection to enterprises, Prevoty drew Imperva's attention with its Autonomous Application Protection (AAP) product, which Imperva states will extend its ability to deliver end-to-end application services from the network edge all the way down to within the applications themselves, protecting not only the applications but also the various databases where data is stored.
"The acquisition is expected to advance our hybrid security strategy and further our mission to deliver best-in-class cybersecurity solutions," said Chris Hylen, president and CEO of Imperva, in the press release. With the additional functionality of AAP, Imperva said it will deliver increased visibility into how applications are accessed to see what is happening within the application, thereby enhancing application services both on-premise and in the cloud.
In an email delivered to Prevoty’s employees, CEO Julien Bellanger wrote, “When we first started, Kunal and I believed in the mission of revolutionizing application security by adding protection and visibility to every piece of production software. We are well on our way there from a product perspective and market traction but not yet at the scale we were dreaming about. Becoming part of Imperva will help us reach our goals at a different scale and pace.”
Bellanger called the acquisition a milestone in his vision for Prevoty, which he co-founded in 2013, adding that the board and the executive team are excited about the opportunity to join Imperva, which has offered continued employment to Prevoty employees.
"Our team is excited to join Imperva, a company with a long track record of cybersecurity leadership and innovation,” Bellanger said in the press release. "We believe that the combination of our solutions with Imperva's portfolio of products will allow us to jointly create the gold standard in technology for application and data protection for organizations everywhere."
IT leaders could be dangerously underestimating the security risks posed by IoT, according to new research from Trend Micro.
The security vendor polled 1150 IT and security decision-makers in the UK, Germany, the US, Japan and France.
Despite businesses spending an average of over $2.5m each year on IoT projects, they don’t appear to be investing in cybersecurity.
Even though 63% of respondents agreed that IoT-linked attacks have increased over the past year, just over half (53%) think they’re a threat to their organization.
This might explain why over two-fifths (43%) regard IoT security as an afterthought, and just 38% get security teams involved in the implementation process for new projects. This drops even further for smart factory (32%), smart utility (31%) and wearable (30%) projects.
Responding organizations suffered an average of three attacks on connected devices over the past year, according to Trend Micro.
“The embedded operating systems of IoT devices aren’t designed for easy patching, which creates a universal cyber risk problem,” said the firm’s COO, Kevin Simzer. “The investment in security measures should mirror the investment in system upgrades to best mitigate the risk of a breach that would have a major impact on both the bottom line and customer trust.”
While loss of customer trust (52%) and monetary loss (49%) were thought to be the biggest consequences of a related breach, loss of personally identifiable information (32%) and regulatory fines (31%) came some way behind. That’s despite the new GDPR, which could impose severe financial penalties on firms found not to have taken customer data protection seriously in the event of a breach.
“The significant investment in this technology across the globe is testament to the fact that IoT solutions can bring many advantages to businesses,” Simzer concluded. “But if security is not baked into the design of IoT solutions, and SDMs [security device managers] aren’t involved in the IoT implementation process, businesses could face damages far greater than the benefits this connected tech delivers.”
The volume of common web-based vulnerabilities found by a leading cybersecurity firm over the past nine years has refused to come down, highlighting a need for greater investment in secure coding practices and awareness.
Global information assurance firm NCC Group uncovered over 1100 vulnerabilities from more than 350 vendors of operating systems, hardware and networking services, and cloud and web services over a near decade-long period.
However, while some classes of vulnerability had virtually disappeared over the past nine years — including format string flaws, memory-related flaws and some vulnerabilities in XML applications and services — others stubbornly persisted, it claimed.
King among these is the cross-site scripting (XSS) flaw, which was the most common type overall, comprising 18% of all those found.
“Although there could be a lot of factors influencing the discovery of bugs over the past nine years — such as shifts in industry focus with regard to certain classes of bugs, and even the time that our consultants have available — there is still an ongoing prevalence of the most common vulnerabilities,” explained NCC Group research director, Matt Lewis.
“While some historically common vulnerabilities have disappeared over the last nine years, cross-site scripting has been around for almost 20 years. We should have seen a significant fall in these types of vulnerabilities, but this hasn’t been the case, which highlights the need for better education around security within the software development life cycle.”
Over the years, Lewis and his team have uncovered vulnerabilities in 53 categories and have also spotted an increase in the number targeting complex applications and hardware — including deserialization flaws and exploitation of multiple chained flaws across complex web apps.
“This highlights the need for more investment into security skills, as well as a wider understanding of how important the mitigation of these vulnerabilities is for the overall security of businesses,” said Lewis.
Security researchers have found a flaw in a home security camera model which could allow individuals to view users’ video feeds.
The bug was found in the SWWHD-Intcam, also known as the Swann Smart Security Camera, which has been on sale in several high street retailers including Currys and Walmart for the past eight months.
The problem relates to the Safe by Swann cloud system which allows users to view their feeds remotely via smartphone, according to the BBC.
Those remote-viewing requests contain a serial number unique to each camera, which can be manually altered to gain access to other users' devices, the report claimed.
They apparently also identified a way to work out which serial numbers Swann cameras were using, allowing them to theoretically view any account with ease.
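The two findings above (a client-supplied serial number that the cloud trusts, plus serials that can be worked out) are the classic insecure direct object reference. The following is an added example, not Swann's, OzVision's or the researchers' code: a toy model of a camera-cloud "get feed" endpoint in which the vulnerable version authenticates the caller but returns whatever serial is requested, while the hardened version binds the serial to the authenticated account. The serials, accounts, tokens, feeds and the `pairing_token` design are all constructed for illustration.

```python
"""Added example; not Swann's, OzVision's or Pen Test Partners' code. A toy
model of a camera-cloud "get feed" endpoint: the vulnerable version trusts the
client-supplied serial number, the hardened one binds the serial to the
authenticated account. All serials, accounts, tokens and feeds are constructed."""
import secrets


class Forbidden(Exception):
    pass


# Constructed data. Serials are sequential, i.e. guessable.
FEEDS = {"SW-000101": b"alice-living-room", "SW-000102": b"bob-front-door"}
OWNERS = {"SW-000101": "alice", "SW-000102": "bob"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> account


def vulnerable_get_feed(session_token, serial):
    """Authenticates the caller, then returns whatever serial was asked for."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    # IDOR: no check that the camera belongs to this account.
    return FEEDS[serial]


def hardened_get_feed(session_token, serial):
    """Authenticate, then authorise against the ownership record."""
    account = SESSIONS.get(session_token)
    if account is None:
        raise Forbidden("not logged in")
    if OWNERS.get(serial) != account:
        # Same response for "not yours" and "does not exist", so the endpoint
        # cannot be used to enumerate which serials are live.
        raise Forbidden("no such camera for this account")
    return FEEDS[serial]


def guess_serials(prefix="SW-", start=100, stop=110):
    """Sequential serials let an attacker walk the space. Range is constructed."""
    return [f"{prefix}{n:06d}" for n in range(start, stop)]


def harvest(get_feed, attacker_token="tok-bob"):
    """Log in as one legitimate user and try every guessed serial."""
    stolen = {}
    for serial in guess_serials():
        try:
            stolen[serial] = get_feed(attacker_token, serial)
        except (Forbidden, KeyError):
            continue
    return stolen


def pairing_token():
    """Defence in depth (assumed design, not Swann's): an unguessable per-device
    secret issued at pairing time that the client must present alongside the
    serial. 128 random bits cannot be walked the way sequential serials can."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("vulnerable:", harvest(vulnerable_get_feed))
    print("hardened:  ", harvest(hardened_get_feed))
```

Run as a script, the vulnerable endpoint hands Bob both feeds; the hardened one returns only his own. The ownership check, not the secrecy of the serial, is what closes the hole; the pairing token only raises the cost of guessing if the ownership check is ever bypassed.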
"Swann was able to detect the subsystem Ken Munro and his team were attempting to hack and promptly addressed the vulnerability", a spokeswoman for the company told the BBC.
"This vulnerability did not apply to any other Swann products. We have not detected any other such attempts."
However, there are concerns that other camera brands supported by Israel-headquartered supplier OzVision may be vulnerable to attack. A problem was discovered in Flir cameras back in October last year, with a patch apparently imminent.
Some 40% of UK consumers are concerned that devices can listen in to their private conversations, according to McAfee research.
“People need to feel empowered and protected so they can embrace new technologies that aim to deliver peace of mind. Businesses manufacturing these devices must do their bit and ensure that security is built-in from the get-go,” said chief scientist, Raj Samani.
“There are also simple measures consumers can take when introducing new connected gadgets to their home environments. For example, people need to ensure they have protected Wi-Fi in place with multi-factor authentication and complex passwords. This will help prevent cyber-criminals from accessing devices and getting their hands on personal information.”
More than three-quarters of DevOps professionals do not practice “DevSecOps”, or are still in the process of implementation.
According to the DevOps Pulse 2018 survey by Logz.io, its survey of 1044 DevOps engineers, sys admins, developers and other IT professionals found that 54% said that their department handles security incidents in their organization, while only 41% have dedicated security operations personnel.
Against that backdrop, 76% of those surveyed either do not practice DevSecOps or are still implementing it, while 71% do not feel their team has adequate knowledge of DevSecOps best practices and 56% do not feel there are adequate tools available to help with DevSecOps.
Eoin Keary, founder of edgescan, told Infosecurity that he felt that 54% handling security incidents was a good thing, as this shows that cybersecurity is integrating with DevOps professionals earlier and continuously.
“Handling incidents is also positive assuming the know-how is there: most incident response teams have staff from different departments within a company,” he said. “At edgescan, we see a large uptick for SaaS and managed services given the ability for a client to leverage dedicated experts and knowledge in particular fields they may not have internally in the organization.”
Keary also acknowledged that DevSecOps is still an emerging movement, and the cultural change required to implement a DevSecOps methodology can take time to foster.
Kai Roer, CEO of CLTRe, told Infosecurity that he felt that the 76% figure was natural, as even if half of all organizations did manage incidents within the DevOps team, “this transformation of culture is work in progress.”
He said: “DevSecOps is a huge cultural shift, merging different teams, with different focuses, interests and competences, into one team. This shift has seen some very interesting successes, for example by speeding up patch deployments, as well as improving security by making changes available much faster.
“DevOps has matured a lot over the past few years, and adding security to form DevSecOps has been idealized for some time now. Just as merging operations and development made a huge cultural shift to the teams and to their organizations, adding security is likely to do the same. Suddenly, security goes from being a specialist team who sits on the side-lines, into a function that is tightly incorporated within development and operations.”
Roer said that this change is “bound to improve the security competence in those organizations”, and thereby directly influencing the security culture in those organizations.
Chinese shipping giant COSCO is said to have suffered a major ransomware-related outage affecting its Americas operations, although so far seems to be trying to minimize the potential news fall-out.
Reports from the trade press citing internal emails suggest the firm has been hit by ransomware in the US and is asking staff not to open suspicious emails.
However, an official statement from the state-owned firm yesterday doesn’t mention malware as the cause.
“Due to local network breakdown within our America regions, local email and network telephone cannot work properly at the moment. For safety precautions, we have shut down the connections with other regions for further investigations,” it states.
“So far, all the vessels of our company are operating as normal, and our main business operation systems are performing stably. We are glad to inform you that we have taken effective measures. Except for above regions affected by the network problem, the business operation within all other regions will be recovered very soon.”
The ‘network breakdown’ also appears to have taken COSCO’s US website offline at the time of writing.
One report suggested that the firm had been forced to rely on the telephone to communicate with customers, slowing operations but not putting them completely out of action.
If the reports are true, they call to mind the NotPetya-related outage at Danish shipper Maersk, which resulted in an estimated $300m loss for the firm.
It’s another reminder of the potential impact ransomware can have, even on large organizations which should have a generous pot of revenue assigned to cybersecurity.
However, in general, reports of ransomware to the FBI have decreased over the past year. The Bureau received only 1783 ransomware complaints in 2017, linked to losses of just $2.3m. That’s a sizeable drop from the 2673 reports it processed in 2016 and the 2453 from 2015.
With a 50 year history, COSCO is said to be the fourth largest shipper in the world.
US Senator Ron Wyden has written to three key government agencies responsible for federal cybersecurity, urging them to begin the transition away from Adobe Flash.
"As the three agencies that provide the majority of cybersecurity guidance to government agencies, the National Security Agency, the National Institute of Standards and Technology and the Department of Homeland Security must take every opportunity to ensure that federal workers are protected from cyber-threats and that the government is not intentionally supporting risky online behavior,” he wrote.
“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming — the government must act to prevent the security risk posed by Flash from reaching catastrophic levels.”
Wyden demanded three actions be taken: that no new Flash content is deployed on any federal website, starting from within the next 60 days, that all agencies remove Flash content by August 1 2019 and that they remove Flash from employee desktop computers by the same deadline.
He claimed these efforts could be accelerated by an expansion of DHS cyber hygiene scans of agencies to include Flash content. The department could then provide a list to each agency of all the locations of Flash content on their sites along with guidance on how to transition away from it.
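The inventory Wyden describes, a list of every location of Flash content on an agency's sites, is straightforward to produce from page markup. The following is an added example, not DHS, NIST or NSA tooling: a small scanner that records every element that embeds Flash, whether by MIME type, by the legacy ActiveX `classid`, by a `<param name="movie">` or by a plain `.swf` reference. The sample page is constructed.

```python
"""Added example, not DHS's or NIST's tooling: a small scanner that lists where
a page embeds Flash content, the kind of inventory the article says a cyber
hygiene scan could hand back to each agency. The sample page is constructed."""
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
# CLSID of the Flash Player ActiveX control used in legacy <object> markup.
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"


def _is_swf(ref):
    """True if the reference points at a .swf file, ignoring any query string."""
    return ref.split("?", 1)[0].lower().endswith(".swf")


class FlashFinder(HTMLParser):
    """Collects (tag, reference, line) for every Flash-bearing element."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        ref = None
        if tag in ("object", "embed") and a.get("type", "").lower() == FLASH_MIME:
            ref = a.get("data") or a.get("src") or "(inline, no source)"
        elif tag == "object" and a.get("classid", "").lower() == FLASH_CLSID:
            ref = a.get("data") or "(object classid)"
        elif tag == "param" and a.get("name", "").lower() == "movie":
            ref = a.get("value")
        elif tag in ("object", "embed") and _is_swf(a.get("src") or a.get("data") or ""):
            ref = a.get("src") or a.get("data")
        if ref is not None:
            self.findings.append((tag, ref, self.getpos()[0]))


def find_flash(html):
    """Return [(tag, reference, line_number), ...] for one page's markup."""
    parser = FlashFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legacy intro movie, an HTML5 video, and a stray SWF.
SAMPLE_PAGE = """<html><body>
<h1>Agency portal</h1>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400">
  <param name="movie" value="/media/intro.swf">
  <embed src="/media/intro.swf" type="application/x-shockwave-flash">
</object>
<video src="/media/intro.mp4" controls></video>
<embed src="/legacy/chart.swf?v=2">
</body></html>"""


if __name__ == "__main__":
    for tag, ref, line in find_flash(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {ref}")
```

The scanner only sees what is in the served HTML; Flash loaded by script at runtime (for example a player library that writes the `<object>` element itself) needs a crawl with a headless browser, which is out of scope here.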
Known vulnerabilities are arguably a bigger preventable risk than eye-grabbing zero days: just 14 of the 19,954 vulnerabilities reported by Flexera in 2017 were zero-days, a 40% decrease from 2016.
Adobe Flash has long been a magnet for hackers and continues to get regular updates each Patch Tuesday, although system administrators often struggle to prioritize and keep up-to-date with the barrage of fixes issued by vendors, most with different update mechanisms.
Wyden is known for his tech literacy, having introduced the first net neutrality bill back in 2006, and is a regular champion of cybersecurity and internet freedom on the Hill.
The US Department of Homeland Security (DHS) has flagged a new report highlighting an increase in attacks on critical ERP apps by state-sponsored hackers, cyber-criminals and hacktivists.
The joint research by Digital Shadows and Onapsis revealed that hackers are increasingly targeting ERP systems to steal highly sensitive data or disrupt business processes, exploiting known vulnerabilities, supply chain gaps and misconfigurations.
It claimed that there are now around 9000 known vulnerabilities in SAP and Oracle apps, which have seen a 100% increase in the number of publicly-available exploits over the past three years.
The report also calculated a 160% increase in activity related to ERP-specific vulnerabilities from 2016 to 2017.
It’s not just traditional state-sponsored actors targeting these apps for espionage or disruption, or cyber-criminals looking to make money — the report claimed hacktivist group Anonymous has carried out nine operations since 2013.
Some of the attacks observed include use of popular malware like banking trojan Dridex to grab user credentials.
In some cases, the supply chain is making the job of the attackers even easier: the researchers found 545 SAP configuration files publicly exposed on misconfigured FTP and SMB servers, offering valuable information on the location of sensitive files in targeted organizations.
Companies are also guilty of basic security mistakes which could play into the hands of attackers: the report claimed to have found over 17,000 SAP and Oracle ERP apps exposed on the internet — many not up-to-date with patches.
The dark web provides threat actors with a wealth of information on where the key weaknesses to exploit lie, according to Digital Shadows.
“Threat actors are continually evolving their tactics and targets to profit at the expense of organizations. On the one hand, with the type of data that ERP platforms hold, this isn’t shocking. However, we were surprised to find just how real and severe the problem is,” said Digital Shadows CISO, Rick Holland.
The perils of phishing emails and cyber-insurance were laid bare this week after news emerged of an American bank that fell victim to hackers twice within eight months and is suing its provider for failing to cover the losses.
The Virginian National Bank of Blacksburg was hit in late May 2016 and again in January 2017 thanks to phishing emails which eventually resulted in the combined theft of $2.4m.
The first attack enabled attackers to install malware on a victim’s PC, allowing them to access the STAR interbank network and disable controls including PINs, daily withdrawal limits and anti-fraud measures, according to journalist Brian Krebs.
The attackers were then able to dispense over half a million dollars from customer accounts via ATMs around the country.
The second attack apparently used a booby-trapped Microsoft Word document to access the bank’s Navigator software, which the attackers used to artificially credit various accounts with $2m before withdrawing funds from ATMs in the same way and deleting the evidence.
Chandu Ketkar, principal consultant at Synopsys, argued that the breaches came from failures of security awareness training, monitoring controls, emergency response, and policy around Office macros.
Ryan Wilk, vice president at NuData Security, added that phishing risk can be mitigated by migrating away from static username/password combinations.
“This is a clear example of why merchants and financial institutions are moving past the user’s personally identifiable information (PII) as a way to authenticate them and incorporating multi-layered solutions with passive biometrics and behavioral analytics,” he added. “These technologies thwart the reuse of data by fraudsters and, instead, verify users based on their behavioral information.”
In a further twist, the bank is now suing its provider, Everest National Insurance Company, for failing to pay out.
The problem lies with the policy details: the bank had two types of coverage — one “computer and electronic crime” rider with a liability of $8m and another covering lost, stolen or altered debit cards with just a $50,000 liability.
The insurer apparently claims both breaches fall under the latter.
It’s another example of the challenges facing the burgeoning cyber-insurance industry. In July it emerged that security vendor Trustwave is being sued by two insurers that claim its PCI audits failed to pick up issues which led to a massive breach at their client: Heartland Payment Systems.
Twitter has announced new developer requirements designed to combat spam, privacy invasion and attempts to “manipulate conversations” on the social media platform.
The firm claimed to have kicked 143,000 apps which violated its policies off the site between April and June this year but wants to go further to improve visibility and control over developers’ use of user data.
All new API requests will now need to go through a new developer account application process in a bid to reduce “spammy and low-quality apps,” the firm said. This will eventually be expanded to all developers with existing API access, although Twitter couldn’t specify when.
The firm said it’s also limiting the number of apps registered by a single developer account to 10.
In a further bid to reduce spam, Twitter is looking to introduce tighter controls on apps that create tweets, retweets, likes, follows and direct messages.
These rate limits represent “a significant decrease in the existing rate of POST activity allowed from a single app by default,” the firm claimed. For example, from September 10, apps will only be allowed to post 300 combined tweets and retweets per three hours and 15,000 direct messages per 24 hours.
“Going forward, as apps approach these rate limits, we’ll continue to proactively review and contact developers with instructions about how to request elevated access,” the firm said. “These ongoing reviews will help avoid disruption for compliant developers, as well as help developers more quickly identify and address any behaviors that are non-compliant with our policies.”
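To make the new defaults concrete, here is an added example (not Twitter's code) that models them as a per-app sliding-window limiter: tweets and retweets are charged against one 300-per-three-hours bucket, direct messages against a separate 15,000-per-24-hours bucket, as the article states. Twitter does not say how it accounts requests (fixed or sliding window), so the sliding window, the action-to-bucket mapping and the `FakeClock` used to run the demo offline are assumptions.

```python
"""Added example, not Twitter's code. Models the default per-app POST limits
quoted in the article as a sliding-window limiter. Twitter does not say how it
accounts (fixed or sliding window); the sliding window, the action-to-bucket
mapping and the FakeClock are assumptions for illustration."""
from collections import deque
import time

# Default per-app limits from the article: 300 combined tweets+retweets per
# 3 hours, 15,000 direct messages per 24 hours.
LIMITS = {
    "tweet_or_retweet": (300, 3 * 3600),
    "direct_message": (15_000, 24 * 3600),
}

# Assumed mapping from API action to the shared bucket it is charged against.
ACTION_BUCKET = {
    "tweet": "tweet_or_retweet",
    "retweet": "tweet_or_retweet",
    "dm": "direct_message",
}


class FakeClock:
    """Deterministic clock so the example runs offline with no sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AppRateLimiter:
    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        # (app_id, bucket) -> timestamps of accepted requests inside the window
        self._hits = {}

    def allow(self, app_id, action):
        """Return True and record the request, or False if the bucket is full."""
        bucket = ACTION_BUCKET[action]
        cap, window = self.limits[bucket]
        now = self.clock()
        q = self._hits.setdefault((app_id, bucket), deque())
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= cap:
            return False  # caller answers HTTP 429 and flags the app for review
        q.append(now)
        return True

    def remaining(self, app_id, action):
        """Requests the app may still make in the current window."""
        bucket = ACTION_BUCKET[action]
        cap, window = self.limits[bucket]
        now = self.clock()
        q = self._hits.get((app_id, bucket), deque())
        live = sum(1 for t in q if now - t < window)
        return cap - live


def demo():
    clock = FakeClock()
    rl = AppRateLimiter(clock=clock)
    # 150 tweets and 151 retweets share one 300-request bucket.
    results = [rl.allow("app-1", "tweet") for _ in range(150)]
    results += [rl.allow("app-1", "retweet") for _ in range(151)]
    out = {
        "allowed_in_window": results.count(True),
        "post_301_denied": results[-1] is False,
        "dm_still_allowed": rl.allow("app-1", "dm"),
        "other_app_unaffected": rl.allow("app-2", "tweet"),
    }
    clock.advance(3 * 3600)  # the three-hour window expires
    out["allowed_after_window"] = rl.allow("app-1", "tweet")
    return out


if __name__ == "__main__":
    print(demo())
```

A per-app bucket of this kind is what lets a platform spot the behaviour it is trying to curb: an app that keeps hitting the ceiling is either automating at scale or spamming, and either way is the one to pull in for the elevated-access review the quote describes.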
The final new initiative is a “report a bad app” function in the Help Center designed to help users feedback when they spot abuses of Twitter’s policy.
The moves can be seen as something of a response to criticism of the social media platform following long-running Russian attempts to manipulate popular discourse on the site — most notably ahead of the 2016 presidential election.
However, it remains to be seen whether the measures go far enough, and will be enough to root out malicious activity on the platform.
Trend Micro’s Zero Day Initiative (ZDI) has expanded its bug bounty program to include a new $1.5m pot for researchers able to discover new vulnerabilities in server-side open source products like Drupal, Apache and WordPress.
The new addition to ZDI’s Targeted Incentive Program (TIP) will aim to ramp up the number of critical exploits found in some of these popular tools, with special rewards on offer for the first few months.
From August 1 to the end of September this year, ZDI will be offering $25,000 for vulnerabilities in Joomla and Drupal running on Ubuntu Server 18.04 x86. WordPress flaws will get $35,000 until the end of September, while NGINX and Apache HTTP Server bugs receive a massive $200,000 until the end of November and December respectively.
Vulnerabilities in Microsoft IIS running on Windows Server 2016 x64 also get $200,000, until January next year.
Only fully functioning exploits demonstrating remote code execution earn the full bounty amount; that means proof-of-concepts won’t cut it. These need to be true zero-days affecting the core code, not add-on components or plug-ins, said the ZDI.
Researchers must be able to find exploits that work despite the software running on fully patched versions of the relevant OS and which circumvent mitigations such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and application sandboxing.
Trend Micro director of vulnerability research, Brian Gorenc, revealed that the ZDI has published 600 advisories already this year thanks to schemes like this.
“One advantage of purchasing this many bug reports is that we can guide researchers towards specific areas that either interest us or enhance protections for our customers,” he added. “For example, we added a virtualization category to our Pwn2Own event to see what sort of exploits could escape a guest OS, and the results were fascinating. That’s one of the main drivers behind the newest addition to our existing bug bounty.”
The expansion of the bug bounty scheme is well-timed, given the continued problems facing users of popular open source products.
However, security is a two-way street and users will only be protected if they make a concerted effort to update to the latest software version. Last year hackers managed to deface over one million WordPress sites that weren’t patched, while the Ukrainian energy ministry was hit by ransomware targeting an unpatched Drupal installation earlier this year.