Cyber Risk News
Researchers found that in 2010, only 1.57% of Americans were using Virtual Private Networks (VPNs) compared to 6.26% in 2019.
From 2010 through 2017, the usage of VPNs remained fairly consistent, hovering at around 1.6%. However, the networks have become increasingly popular in the last couple of years. VPN usage in the US grew from 2.40% in 2017 to 3.77% in 2018 before surging to 6.25% in 2019.
Virtual Private Networks were initially created as a way for employees to work remotely. PC Matic Researchers said that today VPNs are being used in a different way.
Researchers wrote: "VPNs were first developed to allow work-from-home employees to access company applications and files. However, over time individuals began using VPNs for personal use, to increase their security while using public networks. Since a VPN replaces a device’s IP address with one within the VPN service and also encrypts transmitted data, it adds an additional layer of security and privacy for online communications."
The use of personal VPNs has increased significantly. In 2010, only 0.13% of endpoints had a personal VPN installed, but by the end of the decade, personal VPN use had increased 3,477% to 4.65%.
Researchers linked the growth in VPN usage to an increased desire for privacy and security, especially while using public WiFi.
"Individuals need to ensure what they’re doing online is secure, specifically while they are using public WiFi connections like those found in airports, restaurants, coffee shops, and other public facilities. The use of a VPN while on public networks leaves the integrity of the data transmitted uncompromised by encrypting all transmitted data; meaning it cannot be read by others on the public network," wrote researchers.
Back in 2010, the most widely used commercial Virtual Private Network was CiscoVPN. In 2019, OpenVPN had the lion's share of the commercial VPN market, followed by Cisco, Sophos, Pure, and WatchGuard.
While Cyberghost was the biggest personal VPN provider in 2010, in 2019 that title went to NordVPN.
A company that provides secure cloud storage services has exposed over a quarter of a million private files uploaded by its customers.
Data Deposit Box left a database containing over 270,000 customer files on an unsecured Amazon S3 bucket. As a result of the breach, data including personally identifiable information (PII) belonging to Data Deposit Box customers was exposed.
The open bucket was discovered on Christmas Day, 2019, by a Vpnmentor research team led by cybersecurity analysts Noam Rotem and Ran Locar.
Inside the unsecured cloud storage device, researchers discovered a database packed with thousands of files dating from 2016 to December 25, 2019. Researchers were able to view private user data, including admin usernames and unencrypted passwords in plain text.
Researchers were also able to access IP addresses, email addresses, and GUIDs (globally unique identifiers for resources).
In a report on the breach published March 25, Vpnmentor researchers wrote: "In this case, we identified Data Deposit Box as the owner of the database. Before publishing this report, we reached out to the company to share our findings and provide guidance on how to resolve the issue."
Data Deposit Box was contacted regarding the breach on December 20, 2019. By January 6, the database on the open bucket had been secured.
Researchers warned that the breach could have dire consequences.
"The unencrypted usernames and passwords exposed in this breach may allow malicious parties to access Data Deposit Box’s customers’ accounts," wrote researchers.
"We didn’t log into any users’ accounts for ethical reasons, but we could’ve easily done so. The bad news is that if we’re able to do this, hackers could do it too."
Data Deposit Box is a public company based in Canada that claims to offer a "top rated secure cloud backup storage service for small businesses" that is "100% secure." The company's business model allows customers to continuously back up an unlimited number of devices to their accounts through the company’s app and web portal.
Data Deposit Box has over 350,000 users and 200 partners spread across 53 countries. On February 6, the company entered into an agreement to be acquired by HostPapa Inc.
New research has uncovered a vulnerability affecting all 4G and some 5G telecommunications networks.
A study of the security of Diameter networks completed by Positive Technologies found that weaknesses in the Diameter signaling protocol meant that 100% of 4G networks are susceptible to denial of service (DoS) attacks.
The Diameter signaling protocol is used to authenticate and authorize messages and information distribution in 4G networks. It is a crucial component in LTE, facilitating translation and communication between IP network elements.
Researchers found that every attack attempt they made against 28 telecommunications operators across South America, Asia, Europe, and Africa between 2018 and 2019 was successful.
The findings aren't just bad news for 4G; the vulnerabilities in the protocol are a problem for any 5G networks built on top of the previous generation of networks, using the same LTE network core. Networks linked in this way could be susceptible to the same threats, such as tracking user location and obtaining sensitive information.
Researchers warned that users of 5G networks that are riddled with weaknesses inherited from their 4G predecessors could see their service downgraded to insecure 3G networks.
Dmitry Kurbatov, CTO at Positive Technologies, said: "A lot of the major mobile operators are already starting to roll out their 5G networks and so the industry needs to avoid repeating the mistakes of the past by having security front and centre of any network design. If left unchecked, their 5G networks will not be immune from the same vulnerabilities of previous generation networks."
Other vulnerabilities detected in the Diameter protocol allow external actors to track subscriber location and obtain a subscriber's sensitive information. This information could later be used to intercept voice calls, bypassing restrictions on mobile services.
"Gartner predicts 25 billion IoT devices to be connected by 2021. Therefore, a denial of service attack becomes so much bigger than simply a slow internet connection stopping you from posting a picture on Instagram," said Kurbatov.
"It can cripple cities which are beginning to use IoT devices in various ways from national infrastructure to industry."
Phishing emails have spiked by over 600% since the end of February as cyber-criminals look to capitalize on the fear and uncertainty generated by the COVID-19 pandemic, according to Barracuda Networks.
The security vendor observed just 137 incidents in January, rising to 1188 in February and 9116 so far in March. Around 2% of the 468,000 global email attacks detected by the firm were classified as COVID-19-themed.
As is usually the case, the attacks used widespread awareness of the subject to trick users into handing over their log-ins and financial information, and/or unwittingly downloading malware to their computers.
Of the COVID-19 phishing attacks, 54% were classified as scams, 34% as brand impersonation attacks, 11% blackmail and 1% as business email compromise (BEC).
As well as the usual lures to click through for more information on the pandemic, some scammers are claiming to sell cures and/or face-masks, while others try to elicit investment in companies producing vaccines, or donations to fight the virus and provide support to victims.
“This is a new low for cyber-criminals, who are acting like piranha fish, cowardly attacking people en masse when they are at their most vulnerable,” argued MP Dean Russell, member of the Health and Social Care Select Committee. “It’s vital that the public remain vigilant against scam emails during this challenging time.”
Unfortunately, computer users are as exposed as ever to phishing scams like these, according to new research.
Security awareness training company KnowBe4 claimed that 38% of untrained end users are susceptible to phishing, i.e. they will fail realistic phishing scenarios. This is up by over 8% from 2019 figures.
The good news is that this average dropped 60% after 90 days of phishing training with real-world simulation exercises, the vendor claimed.
Household brand Tupperware has had several websites compromised by digital skimming code, potentially exposing a million monthly visitors, according to Malwarebytes.
The security vendor discovered a targeted attack aimed at the company’s main dot com site and several localized versions last week.
To harvest Tupperware customers’ card details, the hackers inserted a fake iframe into the site’s checkout page to mimic a real payment form. On further investigation, it was found to be loading content from deskofhelp[.]com, a domain registered just days earlier, on March 9, by a .ru email address.
The same domain is also hosted on a server alongside multiple phishing domains, explained director of threat intelligence, Jérôme Segura.
“The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out,” he added.
“This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.”
The fraudulent payment form itself was activated by malicious code hidden inside a PNG file, a technique known as steganography. It’s unclear exactly how Tupperware was first hacked to insert the malicious image, but Segura claimed it may have been running an outdated version of the Magento e-commerce platform.
However, the group behind the attack isn’t as polished as many others carrying out Magecart-like attacks. For one, they forgot to localize the iframe, so that on foreign language versions of the site, the fake payment page still appeared in English.
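The rogue-iframe pattern Segura describes can be caught on the site owner's side by allowlisting the origins a checkout page is permitted to embed and re-checking whenever the DOM changes. The following is an added example, not Malwarebytes' or Tupperware's code; the shop origin, the payment-provider origin and the sample frames are constructed for illustration.

```javascript
// Added example (not Malwarebytes' or Tupperware's code): allowlist check for the
// iframes a checkout page embeds, the control that would catch a rogue payment
// iframe loaded from an attacker-registered domain as described above.
// The shop origin, PSP origin and sample frames below are constructed for illustration.

// Third-party origins a checkout page is expected to embed (constructed sample).
const ALLOWED_IFRAME_ORIGINS = new Set([
  'https://payments.example-psp.com',
]);

// Resolve an iframe src against the page URL and return its origin, or null if unparseable.
function originOf(src, pageUrl) {
  try {
    return new URL(src, pageUrl).origin;
  } catch (e) {
    return null;
  }
}

// iframes: array of { id, src } as harvested from the DOM.
// Returns the frames whose origin is neither the page's own origin nor allowlisted.
// Frames with no http(s) source (empty, about:blank, javascript:, data:) are flagged too,
// because a skimmer can create a blank frame and write the fake form into it at runtime.
function findRogueIframes(iframes, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const rogue = [];
  for (const frame of iframes) {
    const src = (frame.src || '').trim();
    if (src === '' || /^(about|javascript|data):/i.test(src)) {
      rogue.push({ ...frame, reason: 'no http(s) source' });
      continue;
    }
    const origin = originOf(src, pageUrl);
    if (origin === null) {
      rogue.push({ ...frame, reason: 'unparseable src' });
    } else if (origin !== pageOrigin && !ALLOWED_IFRAME_ORIGINS.has(origin)) {
      rogue.push({ ...frame, reason: `origin ${origin} is not allowlisted` });
    }
  }
  return rogue;
}

// Browser side: harvest the live frames and re-check whenever the DOM changes, since the
// skimmer described above injects its frame after load and later swaps in the real form.
function harvestIframes(doc) {
  return Array.from(doc.querySelectorAll('iframe')).map((el) => ({
    id: el.id || '',
    src: el.getAttribute('src') || '',
  }));
}

function monitorCheckoutPage(report) {
  if (typeof document === 'undefined') return null; // not running in a browser
  const check = () => {
    const rogue = findRogueIframes(harvestIframes(document), location.href);
    if (rogue.length > 0) report(rogue);
  };
  check();
  const observer = new MutationObserver(check);
  observer.observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ['src'],
  });
  return observer;
}

// Constructed sample: one legitimate PSP frame, one same-origin frame, one frame from an
// attacker-registered domain mimicking the payment form, and one blank frame.
const SAMPLE_PAGE_URL = 'https://www.shop.example/checkout';
const SAMPLE_IFRAMES = [
  { id: 'psp-card-form', src: 'https://payments.example-psp.com/card-form' },
  { id: 'promo', src: '/checkout/promo-frame' },
  { id: 'payment-form', src: 'https://checkout-help.invalid/form.html' },
  { id: 'hidden', src: '' },
];

function runSample() {
  return findRogueIframes(SAMPLE_IFRAMES, SAMPLE_PAGE_URL);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runSample()) console.log(`rogue iframe #${f.id}: ${f.reason}`);
}
```

In a browser, call `monitorCheckoutPage(rogue => navigator.sendBeacon('/csp-report', JSON.stringify(rogue)))` (or any reporting hook of your choosing) from a script that loads before the payment form; outside a browser only the pure check runs.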
Segura claimed that digital skimming attacks are likely to be ramping up now as online orders come flooding in from shoppers kept at home by COVID-19.
Nearly half (46%) of UK firms reported suffering a security breach or cyber-attack over the past year, an increase on previous years, but they are getting better at recovering from and deflecting such blows, according to the government.
The annual Cyber Security Breaches Survey revealed an increase in the overall volume of businesses reporting incidents, up from 32%. The number of medium (68%) and large (75%) businesses reporting breaches or attacks also jumped, from 60% and 61% respectively.
This puts the 2020 report’s findings in line with the first government analysis in 2017, it claimed.
Of those businesses that reported incidents, more are experiencing these at least three times a week than in 2017 (32% versus 22%).
The government also claimed that organizations are experiencing more phishing attacks (from 72% to 86%) whilst fewer are seeing malware (from 33% to 16%) than three years ago.
However, the rise in incidents has been offset by stronger response and resilience, according to the report. Since 2017, the proportion of businesses listing any outcome from an incident has fallen by 19% and the proportion being negatively impacted has fallen by 18%.
Cybersecurity is also becoming more of a board-level issue: 80% of respondents said it’s a high priority for their senior management and 37% said they have board members with a security brief.
However, elsewhere there’s still some way to go: just 32% reported having cyber insurance, half (50%) have conducted audits in the past year, 15% have reviewed supply chain risk and only a quarter (27%) said they’d reported breaches to anyone beyond their IT/security providers.
The latter is particularly concerning given the strict reporting requirements of the GDPR.
Redscan CTO, Mark Nicholls, questioned whether malware is really on the wane, given new variants of fileless threats that are harder to detect, and pointed out another discrepancy in the report’s findings.
“The most concerning thing for me is the significant number of organizations that have been targeted and aren’t aware of it. While a significant percentage of businesses identify multiple attacks each week, more than half say they haven’t had a single one in 12 months,” he argued.
“Being able to swiftly detect attacks is key to minimizing damage, but many organizations still lack the appropriate controls and a deep awareness of what activity to look for.”
RSA Security UK & Ireland regional director, Chris Miller, argued that supply chain risk assessments should be carried out through the lens of potential impact on business operations.
“First, you must identify the most important parts of your business and then focus on protecting them. Ask yourself: which data flows in and out of the business? Which suppliers have access to what corporate data? Where is my most critical data and who can access it?” he said.
“By taking this approach, you can align your security protocols so you know how much access to grant to, and how much trust to place, in your suppliers.”
IT professionals in Canada are joining forces to protect their country's vital services and critical infrastructure from cyber-threats.
The mission of the all-volunteer cyber-defense team will be to defend Canada's health-care providers, municipalities, and critical infrastructure from cyber-attacks launched amid the COVID-19 health crisis.
A volunteer recruitment effort led by the SecDev Group is calling on IT pros to lend a hand by providing preventative measures to thwart attackers. The group is also asking for assistance from volunteers who can offer remedial services that help organizations recover from cyber-attacks.
Rafal Rohozinski, principal and CEO of the SecDev Group, said that not only are cyber-criminals preying on vital organizations made vulnerable by the current coronavirus crisis, but they are also weaponizing public fear over COVID-19.
"Hackers are targeting hospitals and health care providers, preying on their distraction, fear and anxiety and their hope for a cure," said Rohozinski.
"Posing as public health officials from the World Health Organization, [the] Centers for Disease Control and UNICEF, cyber criminals are flooding hospitals, medical laboratories, vaccine testing facilities, municipalities and critical service providers with phishing emails, forcing some to shut down."
So far, twelve companies and associations have volunteered their services. Construction has begun on a secure online exchange service that can match volunteering tech professionals with agencies and institutions in need of cybersecurity help.
Volunteers will offer services such as cybersecurity training and advice to organizations free of charge.
Rohozinski described the group's formation as "both a patriotic and public service reflex" designed to support a deeply interconnected society.
"If the internet goes down, and in particular if critical institutions that we count on—like hospitals, like cities, like utilities—start to be ransomed or start to go down because of cyber malfeasance, we're all in a lot of trouble," said Rohozinski.
No cyber-attacks on Canadian hospitals or institutions have been reported since the COVID-19 health crisis began, but hospitals in Paris and the Czech Republic and a medical research company in Britain that is working on a COVID-19 vaccine have been targeted.
Rohozinski said the launch of the exchange website is expected to take place in the next few days.
The alleged leader of a sexual abuse ring run over the messaging app Telegram has been identified by South Korean officials.
Authorities took the unusual step of naming the man accused after a record five million South Koreans signed multiple petitions on the presidential office website asking for his identity to be made public.
Under the nickname "baksa," which means "doctor" in Korean, Cho Ju-bin allegedly ran an online network that blackmailed 58 women and 16 girls into sharing degrading and sometimes violent sexual digital images of themselves.
Users of the ring paid up to $1,200 in cryptocurrency to view the abusive images, which were allegedly uploaded by the 25-year-old.
The images were posted and viewed in sites known as Nth rooms. According to the news agency Yonhap, police said similar sites are used by more than 260,000 people.
The Korean National Police Agency has arrested 124 suspects in connection with the sexual abuse ring. Cho is one of 18 alleged operators of the ring who have been held in detention since September 2019.
Cho Ju-bin has been charged with violating the child protection act, the privacy act, and the sexual abuse act. He is further accused of abusive and threatening behavior and of coercion.
It is alleged that Cho trapped victims by initially approaching them with offers of part-time work, then paying them for nude photographs. Cho would then allegedly use the threat of exposing a victim's identity to blackmail her into performing sexual acts on video, including some involving violence.
Some victims were allegedly forced to carve the word "slave" into their bodies as proof that they were owned by Cho.
Speaking from outside a police station in the nation's capital Seoul on Wednesday, Cho Ju-bin did not confess to any crimes but told reporters that he had been driven to hurt people by forces outside of his control.
“I apologize to those who were hurt by me,” said Cho. “Thank you for ending the life of a demon that I couldn’t stop.”
Min Gap-ryong, the commissioner general of the Korean National Police Agency, said: "Through strict investigation, the police will entirely transform the social apathy to digital sex crime and strongly root out such crime from our society."
A Cincinnati freight brokerage company is facing a $5m lawsuit over a data breach that occurred last month.
Computer systems at Total Quality Logistics (TQL) were compromised in a cyber-attack that took place on February 23. Customer and carrier information was exposed after threat actors breached the company's online web portal.
Carrier data compromised in the attack included tax ID numbers, bank account numbers, and in some cases Social Security numbers. Breached customer data included email addresses, phone numbers, first and last names, and TQL customer ID numbers.
Now TQL is being sued by an unnamed trucking company owned by Charles Newman of Milwaukee County, Wisconsin. A complaint filed in the US District Court for the Southern District of Ohio alleges that TQL failed to "implement and maintain reasonable security measures over personally identifiable information."
The plaintiff accuses TQL of negligence and claims that the consequences of the data breach were dire and far-reaching.
"Had TQL taken the well-known risk of cyber-intrusion seriously and adequately tested, audited and invested in its IT systems, and adequately trained its staff," the lawsuit states, "the data breach would never have occurred."
The complaint alleges that as a result of the breach, hackers have accessed, "and in a growing number of cases" have used, compromised data to conduct fraudulent transactions. According to the lawsuit, "the full scope of the harm has yet to be realized."
Newman, who is represented by The Kerger Law Firm in Toledo, Ohio, is seeking to have the complaint certified as a class action, which would allow other motor carriers to join the lawsuit.
TQL is one of America's largest privately owned freight brokerage firms, moving over 1.8 million loads of freight across the US and Canada each year. The company has 57 sales offices and a vast network of over 85,000 carriers.
Four days after the breach occurred, TQL president Kerry Byrne sent a breach notification email out to carriers, including Newman.
According to Byrne's email, the attackers may have gained access to TQL's data via an "information/data phishing attempt."
TQL advised carriers to check whether their bank accounts had been compromised and recommended that each carrier take extra security measures, including setting up a fraud alert on their credit files.
Security researchers have described what they claim to be one of the most widespread threat campaigns from a Chinese APT group in recent years, exploiting Citrix and Zoho endpoints at scores of customer organizations.
FireEye explained in a new report that the state-sponsored APT41 group worked between January 20 and March 11 to target 75 customers with attacks on Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central products.
Although the group appeared to be working from a pre-selected group of targets, victim organizations spanned a huge sweep of verticals, including telecommunications, manufacturing, healthcare, government, oil & gas, higher education, defense, industrial, pharmaceutical, finance, high-tech, petrochemical, transportation, construction, utilities, media, non-profit, legal, real estate, and travel.
Victims were located all over the globe, in the US, Canada, Switzerland, Philippines, Australia, UK, UAE, Finland, France, Malaysia, Denmark, Mexico, Qatar, Saudi Arabia, Sweden, Japan and Poland.
Their first target was Citrix ADC and Gateway devices exposed by the CVE-2019-19781 vulnerability. Although the CVE was only published on December 17, 2019, it took the group less than a month to start exploiting it.
FireEye noted a lull in activity around the Chinese New Year holidays, and another drop-off between February 2 and 19, which coincided with strict new Covid-19 quarantine measures in the country.
The group then went on to exploit a Cisco RV320 router at a telecoms firm on February 21, possibly using a Metasploit module combining CVE-2019-1653 and CVE-2019-1652.
APT41 was even quicker to exploit a new vulnerability (CVE-2020-10189) in the Zoho ManageEngine Desktop Central product. A PoC was published on March 5 and the group began attempting to exploit the CVE just three days later at over a dozen FireEye customers, resulting in the compromise of at least five of them.
The raids highlight the resourcefulness and agility of this particular APT group, said the vendor.
“While APT41 has previously conducted activity with an extensive initial entry, such as the trojanizing of Netsarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41,” it concluded.
“It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents, APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.”
However, a FireEye spokesperson told Infosecurity that the motives for the campaign are still a mystery. APT41 is unusual in that previously it has been observed carrying out attacks for both traditional state-sponsored cyber-espionage and personal financial gain.
Security researchers are warning of a new Android banking Trojan that tricks users into handing over their card details in return for information on who’s infected with Covid-19 in their local area.
The Ginp Trojan is not entirely new; Kaspersky has observed campaigns before using the malware to trick users mainly in Spain into handing over their financial details. However, the naming convention of the new version hints that it’s now ready to go global.
This latest iteration opens a web page on the victim’s Android device after receiving a special command. This ‘Coronavirus Finder’ purports to show a map view detailing the number of people in the local area that have contracted the Covid-19 virus.
Using tried-and-tested social engineering techniques, it states how many people there are infected near the user and requests a small charge, just €0.75, to view the map.
“As you may remember, Ginp is a very capable banking Trojan that relies on a lot of different lures to make users input their credit card data into forms, so that it can steal it. If you guessed this web-page is just another form aimed at stealing data — you’ve guessed it right,” explained Kaspersky malware analyst, Alexander Eremin.
“Once you fill in your credit card data, it goes directly to the criminals … and nothing else happens. They don’t even charge you this small sum (and why would they, now that they have all the funds from the card at their command?). And of course, they don’t show you any information about people infected with Coronavirus near you, because they don’t have any.”
To keep the Trojan at bay, Eremin urged Android users to only download apps from the official Google Play marketplace, to use AV on their handsets and to not grant the accessibility permission to any apps that request it, other than AV apps.
General Electric (GE) has reported a breach of employee data which occurred via a third-party service provider.
The US corporate giant claimed in a filing with the Californian Office of the Attorney General (OAG) that it was notified about the incident on February 28 by Canon Business Process Services.
“Canon had determined that, between approximately February 3 - 14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems,” it said.
“Canon has indicated that the affected documents, which contained certain personal information, were uploaded by or for GE employees, former employees and beneficiaries entitled to benefits in connection with Canon’s workflow routing service.”
Documents including direct deposit forms, driver’s licenses, passports, birth, marriage and death certificates, and benefits application forms were exposed, potentially compromising names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and more.
GE was at pains to point out that its own systems were not affected and said it’s both trying to work out how the unauthorized party gained access to the personal data, and is taking steps to ensure the same thing doesn’t happen again.
Canon is offering a free two-year membership of Experian IdentityWorks Credit 3B product to help those affected detect misuse of their personal information, which they must enrol in by the end of June.
This isn’t the first time GE has suffered a cybersecurity incident, albeit via its supply chain. A year ago the Department of Justice unsealed a complaint against a former GE engineer, Xiaoqing Zheng, whom it accused of conspiring with Chinese government-funded companies to steal IP related to the firm’s gas and steam turbine technology.
The US Department of Defense has confirmed that a massive cloud-computing contract potentially worth $10bn will be awarded to a single contractor.
Rumors had circulated that the lucrative Joint Enterprise Defense Infrastructure (JEDI) contract might be jointly awarded to Microsoft Azure and Amazon Web Services. However, a Pentagon spokesman said this morning that the award would not be split.
In an email to news site Breaking Defense, public affairs officer Lt. Col. Robert Carver wrote: "DoD will not ‘split the award,’ as the requirement remains for a single award and the solicitation calls for a single award.”
Under the JEDI contract, the DoD would consolidate most of its more than 500 cloud contracts into a single general-purpose pathfinder contract. The planned change would allow the department to implement high-speed, AI-assisted Multi-Domain Operations and take advantage of emerging technologies.
The JEDI mega-contract was awarded to Microsoft on October 25, 2019. However, in February 2020, a federal judge in Washington ordered the company to halt all work on the project after rival contractor Amazon put forward a legal challenge over how the contract was awarded.
In the challenge, Amazon has suggested that a feud between the company's chief executive, Jeff Bezos, and American president Donald Trump resulted in Microsoft's winning the contract. Amazon had been considered a front-runner to receive the contract after building cloud services for the Central Intelligence Agency.
In a sealed opinion, Judge Patricia E. Campbell-Smith of the Court of Federal Claims ordered all work on the Joint Enterprise Defense Infrastructure project to cease until Amazon’s legal challenge was resolved.
Legal challenges have not been issued by other rival companies IBM, Oracle, and Google, which similarly lost out to Microsoft on this occasion. Google dropped out of the running for the contract in 2018, while Oracle and IBM were deemed not up to the challenge in early 2019.
Speaking after the JEDI contract was awarded to Microsoft, the Department of Defense said: “The acquisition process was conducted in accordance with applicable laws and regulations. All offerors were treated fairly and evaluated consistently with the solicitation’s stated evaluation criteria.”
An elite band of hackers is thought to be behind a digital break-in attempt at the World Health Organization.
WHO Chief Information Security Officer Flavio Aggio said that the attempted attack occurred earlier this month and had made use of a malicious domain. The assailants behind the bungled break-in are yet to be identified.
The hack was just one of a huge number of attempts made against the organization and its partners in recent weeks, according to Reuters. A senior agency official told the news site that since the outbreak of COVID-19, the number of cyber-attacks on the WHO has doubled as criminals attempt to take advantage of the crisis.
The WHO issued a warning last month that hackers had been mimicking the agency in an attempt to steal personal information and money from the public.
This latest unsuccessful break-in was discovered by cybersecurity expert and attorney for Blackstone Law Group Alexander Urbelis, who reported it to Reuters. Blackstone Law Group tracks the registration of suspicious domains from its office in New York.
Urbelis said: “I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic."
Urbelis detected a dodgy site which the WHO's Aggio confirmed had been used in an attempt to steal passwords from multiple staff members at the organization.
According to two anonymous sources approached by Reuters, responsibility for the attempted hack could lie with an advanced hacking group called DarkHotel. The threat group has been carrying out cyber-espionage for at least 13 years.
Digital forensic evidence collected by cybersecurity firms including Bitdefender and Kaspersky suggests that DarkHotel has operations based in East Asia. Organizations targeted by the threat group in the past have included government employees and business executives in China, North Korea, Japan, and the United States.
Other malicious sites detected by Urbelis include thousands of websites that seek to con victims out of their money and/or data by exploiting the current coronavirus outbreak.
Describing how many such coronavirus-inspired sites he encounters during the course of his working day, Urbelis said: “It’s still around 2,000 a day. I have never seen anything like this.”
Researchers at Malwarebytes have unearthed a website advertising fake anti-virus software it claims can protect people from contracting the real human virus COVID-19.
In what comes across as a bizarrely comic case of miscommunication, the site (antivirus-covid19[.]site) offers users the chance to "Download our AI Corona Antivirus for the best possible protection against the Corona COVID-19 virus."
The site's operators carefully chose an academic big hitter to endorse it. According to the website, the Corona Anti-virus was developed by "scientists from Harvard University" who "have been working on a special AI development to combat the virus using a Windows app."
To further authenticate their product's claims, the site's creators have included a meaningless graphic of three people standing around a circular raised platform while staring at some connecting balls suspended in mid-air. One of the figures points at a ball as though symbolically indicating the presence of a cure.
The Corona Anti-virus claimed: "your PC actively protects you against the Coronaviruses (Cov) while the app is running."
It's hard to imagine this ill-conceived ruse netting any victims whatsoever, but those who are persuaded to install the fake Corona Anti-virus will inadvertently infect their computer with malware.
Researchers found that criminals are using the malicious fake anti-virus software to distribute a BlackNet remote administration tool. Users who try to download Corona Anti-virus [antivirus-covid19[.]site/update.exe] will turn their PC into a bot that is ready to receive commands from a threat actor.
"The full source code for this toolkit was published on GitHub a month ago," said researchers. "Some of its features include deploying DDoS attacks, taking screenshots, stealing Firefox cookies, stealing saved passwords, implementing a key logger, executing scripts and stealing Bitcoin wallets."
Researchers reported the site to American web-infrastructure and website-security company CloudFlare.
"We informed CloudFlare, since the threat actors were abusing their service, and they took immediate action to flag this website as a phish," said researchers.
Attack tools designed to target industrial control systems (ICS) are becoming more widespread, raising risk levels for CISOs in affected sectors, according to FireEye.
The security vendor warned that while attacks on OT systems usually require a “high level of skill and expertise” on the part of the hackers, various publicly available tools and exploit modules, often released by white hat researchers, are “making it easier to bridge the knowledge gap.”
The majority of the tools analyzed by FireEye were network discovery (28%) and software exploitation (24%) tools, with most designed to be vendor agnostic, or developed to target products from the largest ICS OEMs like Siemens, which accounted for 60% of vendor-specific ICS tools.
Software exploit modules are particularly attractive to budding ICS attackers who may have lower skill levels, the firm claimed.
Developed to automate exploits for specific vulnerabilities, they’re added to legitimate exploit frameworks like Metasploit and Core Impact, or ICS-specific ones like Autosploit, Industrial Exploitation Framework (ICSSPLOIT), and the Industrial Security Exploitation Framework.
The freely available Metasploit framework, used by pen testers, was highlighted by FireEye as particularly useful for cyber-criminals.
Organizations should ensure they understand the scale of the threat to ICS platforms presented by abuse of such frameworks by hackers, FireEye concluded. That's because equipment vulnerable to exploits which use these known tools is “low-hanging fruit” for a range of attackers.
“Awareness about the proliferation of ICS cyber-operation tools should serve as an important risk indicator of the evolving threat landscape. These tools provide defenders with an opportunity to perform risk assessments in test environments and to leverage aggregated data to communicate and obtain support from company executives,” it said.
“Organizations that do not pay attention to available ICS cyber operation tools risk becoming low-hanging fruit for both sophisticated and inexperienced threat actors exploring new capabilities.”
Microsoft is warning that targeted attackers are exploiting two Windows zero-day vulnerabilities in the wild.
Issued on Monday, the security advisory flags two previously undisclosed remote code execution (RCE) bugs. The flaws exist in Microsoft Windows when “the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.”
The vulnerabilities are rated critical and are present in Windows 7-10 and Server 2008 to 2019.
“There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially-crafted document or viewing it in the Windows Preview pane,” Microsoft explained.
“Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.”
Until a patch is available, Microsoft is recommending customers disable the Preview Pane and Details Pane in Windows Explorer, which will mean OTF fonts are no longer automatically displayed.
Another workaround suggested in the security advisory is to disable the WebClient service, which will block what Microsoft described as the “most likely remote attack vector”: the Web Distributed Authoring and Versioning (WebDAV) client service.
However, doing so will mean WebDAV requests aren’t transmitted and any services depending on WebClient won’t start.
A third workaround is to rename ATMFD.DLL, although this doesn’t apply to Windows 10, which doesn’t run the DLL. If organizations decide to go down this path they should be aware that applications that rely on embedded font technology will not display properly.
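The three interim workarounds above are manual steps; the script below is an added example (not from the article and not Microsoft's own advisory text) that audits a Windows host for all three and, with `-Apply`, sets the two that are easily reversible. It assumes the Preview/Details pane workaround is implemented by setting the `ShowPreviewHandlers` and `ShowInfoTip` DWORD values under the Explorer `Advanced` key to 0, and that the WebClient service can be queried with `Get-CimInstance` (PowerShell 3 or later); verify both against the advisory before relying on it. Run from an elevated session.

```powershell
<#
  Added example (not from the article or Microsoft's advisory): audits a host for
  the three interim workarounds (Preview/Details pane, WebClient service, ATMFD.DLL)
  and optionally applies the first two. Run elevated; without -Apply it only reports.
#>
[CmdletBinding()]
param(
    [switch]$Apply   # apply the reversible workarounds instead of only reporting
)

# Assumption: these are the Explorer values the pane workaround sets to 0.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$paneValues  = @('ShowPreviewHandlers', 'ShowInfoTip')

function Get-PaneState {
    foreach ($name in $paneValues) {
        $current = (Get-ItemProperty -Path $explorerKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Check   = "Explorer $name"
            Current = $(if ($null -eq $current) { '(not set, default on)' } else { $current })
            Safe    = ($current -eq 0)
        }
    }
}

function Get-WebClientState {
    # Status comes from Get-Service; the configured start mode from CIM so that
    # the check also works on PowerShell versions without Get-Service -StartType.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Check = 'WebClient service'; Current = 'not installed'; Safe = $true }
    }
    $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
    [pscustomobject]@{
        Check   = 'WebClient service'
        Current = "$($svc.Status) / StartMode=$mode"
        Safe    = ($mode -eq 'Disabled' -and $svc.Status -ne 'Running')
    }
}

function Get-AtmfdState {
    # ATMFD.DLL is present on Windows 7/8.1 and Server 2008-2012 R2; Windows 10 does not run it.
    $paths = @("$env:SystemRoot\System32\atmfd.dll", "$env:SystemRoot\SysWOW64\atmfd.dll")
    foreach ($p in $paths) {
        $present = Test-Path -Path $p
        [pscustomobject]@{
            Check   = "atmfd.dll at $p"
            Current = $(if ($present) { 'present (rename per advisory if fonts can be sacrificed)' } else { 'absent' })
            Safe    = -not $present
        }
    }
}

$report = @(Get-PaneState) + @(Get-WebClientState) + @(Get-AtmfdState)
$report | Format-Table -AutoSize

if ($Apply) {
    foreach ($name in $paneValues) {
        New-ItemProperty -Path $explorerKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
    # Renaming ATMFD.DLL requires takeown/icacls and breaks embedded-font rendering,
    # so it is reported above but deliberately left as a manual step.
    Write-Host 'Pane and WebClient workarounds applied; re-run without -Apply to verify.'
}
```

The report marks each check `Safe` only when the workaround is fully in place (for WebClient, both stopped and disabled), so a fleet-wide run can be filtered on `Safe -eq $false` to find hosts still exposed to the WebDAV vector until the patch ships. The ATMFD.DLL rename is intentionally not automated because, as the advisory notes, it breaks applications that rely on embedded fonts and needs ownership changes on a system file.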
Interpol has announced a global crackdown on counterfeit medical and pharmaceutical supplies following a surge in demand for items as the COVID-19 pandemic worsens.
The law enforcement organization claimed in an update over the weekend that the latest push in its long-running Operation Pangea strategy had already borne fruit.
It announced the seizure of 34,000 counterfeit surgical masks, as well as “corona spray,” “coronavirus packages” and “coronavirus medicine,” and the shutdown of more than 2500 web pages advertising the sale of such items.
The week of action, running from March 3-10, saw an 18% increase in seizures of unauthorized anti-viral medicine compared to Interpol's 2018 action week, and a 100% increase in seizures of unauthorized anti-malarial medicine chloroquine. Interpol said the increases were likely due to COVID-19 demand.
“Once again, Operation Pangea shows that criminals will stop at nothing to make a profit,” argued Interpol secretary general, Jürgen Stock. “The illicit trade in such counterfeit medical items during a public health crisis shows their total disregard for people’s wellbeing, or their lives.”
In total, global customs and regulatory authorities inspected 326,000 packages and seized 48,000. Alongside the COVID-19-related items, there were discoveries of large volumes of vitamins, erectile dysfunction pills, anti-cancer medication, hypnotic and sedative agents, anabolic steroids and more.
Interpol warned that often unauthorized versions of these either contain the wrong amount of active ingredient, or are genuine items but have been stolen and then improperly stored or have expired.
Europol, which took part in the operation, claimed 37 organized crime groups had been dismantled as part of the raids, €13m ($14m) in potentially dangerous pharmaceuticals seized, 121 arrests made, and a total of 4.4 million units seized.
The operation highlights the continued agility of criminal gangs in using current events to help increase illegal profits.
A third of UK businesses do not currently have the tech infrastructure to handle long-term remote working, according to new data commissioned by Leonne International and conducted by independent survey company Censuswide.
The concerning research comes at a time when large numbers of businesses have closed their offices and implemented mass working from home efforts as part of social distancing attempts to help slow the spread of the highly-infectious coronavirus (COVID-19).
The survey quizzed 200 senior business decision makers from large and medium-sized companies on the business impact of the COVID-19 crisis, discovering that 41% plan to increase their IT and tech investment in the coming weeks to cope with the new remote working structure.
Worryingly, 28% of respondents said they were actively planning to make redundancies to survive the crisis.
Tech expert Sridhar Iyengar, MD of Zoho Europe, said: “The COVID-19 crisis poses an existential threat to many businesses, with a significant number of companies completely unprepared for the sudden shift towards 100% remote working.
“With many businesses scrambling to introduce virtual meetings, manage projects online and provide essential daily briefings for employees, the tech industry has a moral obligation to step in and offer resources to help companies to adapt to this new way of working.”
Jonathan Young, CIO, FDM Group, a FTSE 250 company, added that whilst the sudden shift to complete remote working will be a shock for many companies, it’s vital to recognize that organizations can find ways to operate without a formal office space.
“Despite millions of workers remaining isolated at home for the foreseeable future and juggling family commitments, workers still want to get online and do their jobs as efficiently as possible. It’s critical that business leaders take action to address these demands, bringing together digital talent from across the business to ensure every member of staff has access to online support and systems to continue operating as normal.”
The fallout from the COVID-19 pandemic has seen numerous tech companies offer free products, services and advice to organizations to support them as they turn to long-term remote working strategies.
The US Department of Justice on Saturday filed its first court action against a website operator accused of committing fraud to profit from the global COVID-19 pandemic.
A temporary restraining order was filed in a federal court in Austin against the operator of coronavirusmedicalkit.com, who allegedly offered fake coronavirus vaccines for sale in a shameless attempt to cash in on a health crisis that has killed 15,430 people.
The website claimed to offer consumers access to COVID-19 vaccine kits approved by the World Health Organization in exchange for a shipping fee of $4.95. To gain access to the fake vaccine, users were required to enter their credit card information on the website.
The scam emerged as scientists around the world race to develop a vaccine for COVID-19.
An investigation of the website and its operators is now underway. Meanwhile, the federal court used a statute that permits federal courts to issue injunctions to prevent harm to potential victims of fraudulent schemes to shut the site down.
In response to a request from the Department of Justice, US District Judge Robert Pitman issued a temporary restraining order requiring that the registrar of the fraudulent website immediately take action to block public access to it.
The enforcement action follows US Attorney General William Barr's recent instructions for the department to prioritize the detection, investigation, and prosecution of illegal conduct related to the coronavirus health crisis.
“The Department of Justice will not tolerate criminal exploitation of this national emergency for personal gain,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division.
“We will use every resource at the government’s disposal to act quickly to shut down these most despicable of scammers, whether they are defrauding consumers, committing identity theft, or delivering malware.”
Christopher Combs, special agent in charge of the FBI’s San Antonio Field Office, said scammers posed a dual threat to Americans who are "understandably desperate to find solutions to keep their families safe and healthy."
"Fraudsters who seek to profit from their fear and uncertainty, by selling bogus vaccines or cures, not only steal limited resources from our communities, they pose an even greater danger by spreading misinformation and creating confusion," said Combs.