Cyber Risk News

Cybersecurity Company Sues Private Equity Firm for Backing Out of Buyout

Info Security - Thu, 05/21/2020 - 15:54

Cybersecurity firm Forescout Technologies Inc. yesterday sued a private equity firm for backing out of a $1.9bn buyout.

Advent International Corporation agreed to buy Forescout back in February 2020, but four days before the takeover was due to be completed, the firm announced it would no longer be closing the deal. 

According to California company Forescout, Advent said it was reneging on the deal because of the impact of the global outbreak of COVID-19. 

The takeover had been scheduled to go ahead on Monday, May 18. On May 20, Forescout filed a lawsuit in the Delaware Court of Chancery requesting that Advent be ordered to complete the buyout.

In a statement released yesterday, Forescout accused Advent of violating the terms of their merger agreement.

A spokesperson for the aggrieved cybersecurity company said: "Advent’s purported excuse for its wrongful conduct is that a closing condition to the transaction has not been satisfied because a 'material adverse effect' has occurred at Forescout.

"Forescout believes that no material adverse effect has occurred, that all closing conditions are satisfied, and that Advent is obligated to close the transaction."

The cybersecurity company said that the effects of COVID-19 had been factored into negotiations and that Advent "has relied on meritless excuses" to wriggle out of the deal.

"The merger agreement explicitly allocated the risk of any impacts from COVID-19 to Advent," said Forescout.

Theresia Gouw, chair of the Forescout board, described Advent's withdrawal from the planned buyout as highly disappointing.

“The only change since the merger agreement was jointly executed in February is the deepening of the COVID-19 pandemic, which has significantly impacted global macro-economic conditions," said Gouw. 

"All companies have been challenged by this pandemic, and it is highly disappointing that Advent would attempt to exploit market volatility to renege on its contractual obligations, particularly when the merger agreement explicitly excludes the effects of a pandemic as a material adverse event."

The surprising turn of events sent Forescout's shares tumbling to an all-time low yesterday. Shares were at just $18.33 when trading opened. Advent International agreed on February 6 to pay $33 a share to take Forescout private.

Categories: Cyber Risk News

Winnti Group Targets Video Game Developers with New Backdoor Malware

Info Security - Thu, 05/21/2020 - 12:00

Researchers from ESET have discovered a new modular backdoor used by the Winnti Group to target several video game companies that develop MMO (massively multiplayer online) games.

As explained in a blog post, the malware, dubbed ‘PipeMon’ by ESET, targeted companies in South Korea and Taiwan. The video games developed by these companies are distributed all around the world, are available on popular gaming platforms and have thousands of simultaneous players.

According to researchers, the new modular backdoor is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor.

In at least one case, the attackers compromised a company’s build orchestration server, allowing them to take control of the victim’s automated build systems. This could have allowed the attackers to Trojanize video game executables, although there’s no current evidence that has occurred. In another case, attackers compromised a company’s game servers. With this attack, it would be possible to manipulate in-game currencies for financial gain, ESET explained.

“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns,” said Mathieu Tartare, malware researcher at ESET. “Furthermore, in 2019, other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020.”


Flight Risk Employees Account for Most Insider Threats

Info Security - Thu, 05/21/2020 - 11:00

Employees or contractors identified as a “flight risk” are linked to 60% of insider threat cases, increasing the likelihood that such incidents will involve theft of sensitive corporate data, according to Securonix.

The vendor’s 2020 Securonix Insider Threat Report was distilled from over 300 real-life insider incidents across multiple sectors.

It revealed that over 80% of staff members deemed likely to terminate their employment will take data with them, anywhere between two weeks and two months before they leave. Flight risk can be determined from web browsing and email behavior, Securonix said.

Unsurprisingly, therefore, data exfiltration is the number one insider threat, with email the most popular vector for data loss, followed by web uploads and cloud storage sites.

Account sharing and shadow IT, especially the prevalence of cloud collaboration tools, are compounding the problem for IT security operations teams, the report claimed.

“Data aggregation and snooping of sensitive data is still prominent in most organizations, however tools to detect such behavior still lag behind. This is primarily due to organizations struggling to classify data that is deemed sensitive, combined with data being vastly distributed across networks and systems,” it explained.

“The circumvention of IT controls is prevalent across all organizations. IT security operations teams, especially ones from large enterprises, are finding it difficult to draw conclusions about such incidents mostly due to lack of, or differences between, policies and procedures for each line of business.”

Pharmaceutical firms accounted for the largest number of data exfiltration incidents analyzed by Securonix, which is understandable considering the highly sensitive IP handled by these organizations.

Behavioral analytics were used most often to detect abnormal user behavior and flag violations.

However, data theft is only one of many risks posed by employees. Many of these stem from negligence rather than deliberate malice. Human error, including misconfiguration of cloud systems and misdelivery of emails, accounted for 22% of breaches analyzed by Verizon in its latest report.


IT Asset Management Forum Launches to Enhance Sector

Info Security - Thu, 05/21/2020 - 10:15

A not-for-profit body for the asset management sector has been established to advance the overall reputation and recognition of the IT Asset Management (ITAM) industry while providing a collaborative space for ITAM leaders to come together.

The ITAM Forum launches with a board of 15 trustees from across the ITAM industry – representing IT end users, resellers, tool providers and independent consultants, with two objectives:

  • To educate and evangelize – to encourage more companies to practice ITAM and to attract new professionals into the industry
  • To promote best practice – provide a collaborative, global forum for ITAM leaders to come together and share ideas for the advancement of the ITAM industry (eventually establishing a globally-recognized Organizational certification for ITAM)

Founder Martin Thompson said that with more focus on asset management, due to the COVID-19 pandemic driving more employees to work remotely, “IT Asset Managers have a huge role to play in documenting and unpicking this rapid and unplanned investment. 

“The smart management of assets is a shrewd business practice which delivers benefits far beyond IT. ITAM therefore has a rightful place outside of the niche IT/ITSM domain from where it started, and as a boardroom priority in its own right. The ITAM Forum is here to help it achieve this goal, by raising the profile of the ITAM discipline as much more than a compliance exercise and demonstrating its value to every organization looking to better manage its assets.”

In an email to Infosecurity, Lenny Zeltser, CISO of asset management vendor Axonius, said it was encouraging to see the increasing importance that cybersecurity professionals have been assigning to IT asset management in recent years.

“Security teams recognize that ITAM is a foundational aspect of a security program,” Zeltser said. “We need to know what devices, systems, users and applications we have, so we can implement the appropriate safeguards for them. Industry frameworks such as ISO 27001, CIS Critical Controls and NIST Cybersecurity Frameworks have included the need for ITAM for years. In recent years I've seen security professionals pay much closer attention to this requirement.”

Zeltser also noted that more and more enterprises are recognizing that they don't need yet another source of asset data, and instead look for ways to gather information about IT assets from the various IT data silos, such as the CMDB, network scanners, cloud instrumentation tools, Active Directory and so on. “Each of these sources of data has partial visibility into the organization's assets. By combining this data, organizations are able to get a comprehensive view into their ITAM posture.” 

The ITAM Forum also announced a longer term objective to create a new certification program for ITAM, based on the global ISO standard for the ITAM industry – ISO19770 – which was first published in 2006. 

“By certifying organizations against the ISO standard, the ITAM Forum will look to provide the highest measure of quality to demonstrate the competence of an ITAM department in the face of increasing board level scrutiny,” Thompson said.

“By benchmarking an ITAM department output against recognized ISO standards, stakeholders in the ITAM lifecycle (in particular those not fully versed in the complexity of IT assets) will be assured of quality. While our current priority is to establish the ITAM Forum as the credible voice of the ITAM industry, we look forward to eventually establishing the ITAM Forum certification as the globally-recognized ‘Kitemark’ for ITAM quality.”


Home Chef Breach May Affect Millions of Customers

Info Security - Thu, 05/21/2020 - 09:30

Home Chef has confirmed a major breach of customers’ personal information, potentially affecting millions of users.

The Chicago-headquartered meal delivery service revealed in a notice on its website that email addresses, encrypted passwords, last four digits of credit card numbers and “other account information such as frequency of deliveries and mailing address” were among the compromised details.

“We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future,” it said.

Although passwords were scrambled, the firm urged customers to reset their credentials anyway. Its encryption of passwords and only partial storage of credit card details will limit the risk exposure to customers, but other personal details could be used to craft convincing phishing attacks spoofing the brand.

“You should also remain vigilant against phishing attacks and monitor your accounts for any suspicious activity,” said Home Chef. “Remember that we will never ask you to send sensitive information over email, and you can make any necessary changes to your accounts by logging into your account directly on our website.”

Although the firm claimed that only “select customer information” was taken, a dark web trader claims to have as many as eight million records up for sale.

Boris Cipot, senior security engineer at Synopsys, argued that even Home Chef’s efforts to minimize risk exposure may be undone.

"Passwords — even encrypted passwords — can be cracked. If a hacker succeeds in accessing password data, it could be a key element in carrying out additional attacks. When we add email addresses to those cracked passwords, attackers may now be able to enter other services such as bank accounts, e-commerce sites, among many others,” he argued.

“With regards to the last four digits of your credit card number, if you believe this is useless data without the full number, think again. Some services require you to only enter the last four numbers to confirm your identity. As such this data can be of use to attackers with the knowledge of how to make the most of such information."


Microsoft Warns of “Massive” #COVID19 RAT

Info Security - Thu, 05/21/2020 - 08:48

Microsoft is warning of a major new COVID-19 phishing campaign using malicious Excel macros to achieve remote access of victims’ machines via a legitimate support tool.

Microsoft Security Intelligence revealed the news in a series of tweets, claiming the campaign began on May 12.

“The emails purport to come from Johns Hopkins Center bearing ‘WHO COVID-19 SITUATION REPORT.’ The Excel files open w/ security warning & show a graph of supposed coronavirus cases in the US. If allowed to run, the malicious Excel 4.0 macro downloads & runs NetSupport Manager RAT,” it explained.

“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.”

In this respect, the campaign is similar to many others that have been launched over recent weeks and months, with cyber-criminals effectively rebranding existing content with COVID-19 themes to increase success rates.

Google claimed it has been blocking over 240 million COVID-themed spam messages each day, and 18 million malware and phishing emails.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines,” Microsoft said of the latest RAT campaign.

“The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands.”

In the UK, these kinds of emails should be reported to the National Cyber Security Centre’s Suspicious Email Reporting Service, but this first requires employees to have the presence of mind to do so.

“The advice for organizations and employees is to remain vigilant to this new kind of threat, and to deploy training as regularly as possible to make sure individuals remain aware,” advised DomainTools malware researcher, Tarik Saleh. “Phishing is at its core an attack on people, and people remain the best defense against it, in addition to ensuring proper processes remain in place.”


Michigan Launches Cybercrime Hotline

Info Security - Wed, 05/20/2020 - 19:11

Michigan victims of cybercrime now have a dedicated phone line to call for free round-the-clock support and advice. 

The Cybercrime Victim Support Initiative is available free of charge to residents in 13 northern Michigan counties, including Antrim, Benzie, Grand Traverse, Kalkaska, and Leelanau. 

Residents who have been targeted by cyber-criminals can call or text 211 from any phone to report the crime and receive tips on how to recover their personal information and funds. 

Calls will be handled by a center in Grand Rapids staffed by trained advisors from United Way, an organization that brings donors, volunteers, and community organizations together to solve critical problems.

In addition to offering practical guidance on what to do after a crime has taken place, the advisors will offer tips on how to avoid being caught in the cyber-criminal's net.

Data collected by the advisors will be stored in a central database and used to warn Michigan residents of all the latest scams doing the rounds. 

Seth Johnson, president of the United Way of Northwest Michigan, said that while most people are aware of old scams like the phishing email that appears to be sent by a Nigerian prince, some of the newer nefarious schemes, including ruses to con Americans out of their COVID-19 stimulus checks, are not common knowledge. 

"More and more of us are online and so more and more of us are vulnerable," Johnson said. 

As cybercrime grows ever more sophisticated, the hotline has been established as a place to which residents can turn for clear and reliable guidance. 

Johnson said: "This is meant to be a 24/7 resource where they can get the information they need." 

The initiative was launched by the Cybercrime Support Network and Heart of West Michigan United Way in partnership with the Heart of Florida United Way. Funding for the hotline was provided via a Department of Justice Office for Victims of Crime Vision 21 Grant. 

Leelanau County Sheriff Mike Borkovich said the hotline is a valuable resource for victims of cybercrime. 

Borkovich, who has seen an increase in the number of reported cybercrime incidents since the outbreak of COVID-19, said: "People have no scruples when it comes to things like that. They'll take advantage of senior citizens and try to rip them off."


Boston Cybersecurity Firm to Create 65 Jobs in Belfast

Info Security - Wed, 05/20/2020 - 18:08

Boston cybersecurity firm Cygilant has announced plans to create 65 jobs at its new European security operations center (SOC) in Northern Ireland's capital city, Belfast. 

Cygilant, which employs 80 people globally, established the SOC in February 2020 with the support of Invest NI, the economic development agency for Northern Ireland. 

Already, 25 employees have been recruited to work at the new center, which is based in the Centrepoint Building next to the BBC on Ormeau Avenue. Now the company has pledged to create a further 40 jobs at the center over the next couple of years, with wages averaging around £43,000.

While lockdown measures introduced to slow the spread of COVID-19 in Northern Ireland remain in place, the SOC is being operated on a remote basis. 

But despite the difficulties created by the outbreak of the novel coronavirus, Cygilant's chief executive Rob Scott said that around ten new staff had been recruited for the center since lockdown measures were imposed. 

Invest NI has offered Cygilant a generous £455,000 in funding toward the creation of new jobs in Northern Ireland. 

Former Formula 1 race-car driver Scott said the investment played a key part in the company's decision to site their European operations in the Emerald Isle. 

The Mancunian and lifelong Manchester United Football Club fan explained: “Opening this SOC is our first foray into the European market and thanks to the support of Invest NI, we made the decision to invest here in Belfast.”

Scott also cited Belfast's local talent as a determining factor. He said: “There are between 18 and 20 cybersecurity companies, so it’s becoming a major hub for that technology. It’s because there’s already a pool of people and on top of that, there are the universities, which have great cyber-security programs.”

Economy Minister Diane Dodds said that the 65 jobs created by the US company will eventually contribute £2.8m in annual salaries.

“In these challenging times it is welcome news to be able to announce new cybersecurity jobs for Northern Ireland," Dodds told The Irish News.

“This is an important endorsement of Northern Ireland’s growing reputation for excellence in cybersecurity.”


Stanford University Tops List of US Cybersecurity Degree Providers

Info Security - Wed, 05/20/2020 - 17:32

The cybersecurity degree offered by Stanford University has been ranked the best in the United States by independent educational organization Cyber Degrees Edu.

Private California university Stanford topped a list of America's 55 best cybersecurity degree providers published by Cyber Degrees Edu on May 18. In second and third place respectively were Carnegie Mellon University in Pennsylvania and the University of California, Davis.

Of the three top degree providers, Stanford has the lowest student-to-faculty ratio with 5 students to every 1 faculty member. At Carnegie Mellon, the ratio doubles to 10 to 1, while at the University of California, Davis, the ratio is an even higher 20 to 1. 

A proprietary ratings system was used to rank the various colleges and universities offering cybersecurity bachelor’s and master’s degree programs. 

The criteria used to determine the rankings included the school’s rates of acceptance and graduation. Researchers also compared educational establishments by their retention rate, which is the number of first-time students who return to the university the following year.

Stanford boasts the highest graduation rate with 94% of students leaving the university with a degree. At Carnegie Mellon, the rate is slightly lower at 89%, while at University of California, Davis, 86% of students graduate. 

Researchers also looked at the costs of studying, the grants and scholarships available, and which colleges specialized in cybersecurity with a variety of degree programs.

"All schools on the list are either high quality or very affordable and are located across the country," said a spokesperson for Cyber Degrees Edu. "While the list provides some of the best schools for cybersecurity, Cyber Degrees EDU also recognizes that it is important for students to find the best school for their particular needs and so these rankings aim to provide the information needed for students to make the best possible choice for them."

When weighing up which degree provider was best, researchers looked beyond the school's overall reputation to its alumni.

Cyber Degrees Edu said: "What matters most is the reputation of the individual cybersecurity program. That is why knowing which schools were attended by the best cybersecurity professionals is so vital."


NHS Contact Tracing App Security Issues Detailed

Info Security - Wed, 05/20/2020 - 12:38

New security issues have been discovered in the UK Government’s NHS contact tracing app, as well as a potential data breach.

The app is currently being trialed on the Isle of Wight and privacy issues have been raised, which the National Cyber Security Centre (NCSC) told BBC News it was already aware of and is in the process of addressing. Raised by researchers Dr Chris Culnane and Vanessa Teague, the main issues include:

  • In the presence of an untrusted TLS server, the registration process does not properly guarantee either the integrity of the authority public key or the privacy of the shared secrets established at registration. The result completely undermines core security goals of the protocol, including its privacy and its resistance to spoofing and manipulation
  • In the presence of an untrusted TLS server, the storing and transmitting of unencrypted interaction logs facilitates the recovery of InstallationIDs without requiring access to the Authority Private Key
  • Long lived BroadcastValues undermine BLE specified privacy protections and could reveal additional lifestyle attributes about a user who submits their data
  • The monitoring of interactions at eight second intervals could create unique interaction signatures that could be used to pairwise match device interactions, and when combined with unencrypted submission, allow the recovery of InstallationID from BroadcastValue without access to the Authority Private Key
  • The use of a deterministic counter to trigger KeepAlive updates risks creating an identifier that could be used to link BroadcastValues over multiple days

The researchers praised the “cryptographic protocol of the UK’s app [that] includes a much better effort at mitigation of most external attacks” and said there are admirable aspects of the implementation and the open availability of the source code.

“However, the messaging around the app, and in particular suggestions of broadening the data collected, combined with insufficient legislative protections, a lack of siloing of the data and no sunsetting of the data retention or usage, risk undermining the trust that has been earned,” they added.

The risks varied in severity, Culnane told BBC News. In terms of the registration issues, he explained, “it's fairly low risk because it would require an attack against a well protected server, which we don't think is particularly likely.” However, he warned that the risk surrounding the unencrypted data is higher, “because if someone was to get access to your phone, then they might be able to learn some additional information because of what is stored on that.”

David Grout, CTO for EMEA at FireEye, said: “The mounting security concerns and doubts attached to the trialed NHS app are stemming from registration issues and the use of unencrypted data within the app which can be exploited by cyber-criminals. One of the biggest concerns is attached to the fact it’s based on a ‘centralized’ model.

“Just yesterday, France defended its own centralized model where contact-matching happens via a computer service, as opposed to the decentralized model which uses the people’s phone to make the match. The UK Government will need to address these safeguarding issues ahead of the full nation roll-out, so citizens are fully confident that their data is not compromised but stored securely.”

The research came as Serco apologized after an employee accidentally shared the email addresses of almost 300 contact tracers when they were cc’d (rather than bcc’d) in an email to inform new trainees about training details.

Also, a group of civil society organizations, privacy advocates and academic researchers have written an open letter to Health Secretary Matt Hancock, asking questions about the contact tracing data store.

Signed by the likes of the Open Rights Group, Big Brother Watch, Privacy International and Liberty, they urged Hancock to “provide the public with more information and take appropriate measures to reduce the risk of data sharing and keep the aggregated data under democratic control.”


Online Retailers Brace for #COVID19 Fraud Surge

Info Security - Wed, 05/20/2020 - 09:50

Most UK retailers are expecting a surge in online fraud due to the current COVID-19 pandemic, with many customers having already experienced account takeover (ATO) attacks, according to Riskified.

The fraud-screening firm polled 1000 consumers and over 120 e-commerce professionals to better understand their challenges during the current crisis.

It found that a fifth (20%) of customers have suffered an account takeover attack over the past year. This is often done via phishing or credential stuffing, where reused logins are tried over numerous accounts and sites simultaneously by fraudsters.

Once inside, they could steal personal information and card details stored in the account, use it to fraudulently pay for goods, or sell access to the account on the dark web.

Despite the significant numbers of customers already affected, and the fact that 52% of retailers think fraud will increase during the pandemic, over a quarter (26%) admitted to having no measures in place to tackle ATO.

This is a concern, not just because of the extra fraud losses it could incur but also in terms of the long-term customer relationships. More than half (51%) of respondents said they’d stop shopping with a retailer if they suffered ATO and a similar number claimed they’d delete their account. Over a third (37%) would go to a competitor.

Part of the problem is that detecting ATO is difficult because the attacker effectively looks like a legitimate customer. This might account for the fact that just 4% of consumers that suffered ATO learned their accounts were compromised from the retailer.

Riskified warned that mandating two-factor authentication or long-and-strong passwords for improved account security would cause extra friction that may put shoppers off.

Instead, retailers need systems that can check for things like device and network details, proxy usage and previous logins as well as subsequent purchasing behavior, it said.
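One way to implement the kind of risk-based check described above, as an added example that is not part of the Riskified report or the original article: each session is scored on the signals the article lists (device, network, proxy use, what previous logins looked like, and the purchase attempted), and friction such as a one-time code is applied only above a threshold, so an ordinary returning customer sees none. The data classes, signal weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AccountProfile:
    """What the retailer already knows about a customer from previous sessions."""
    known_devices: set
    known_networks: set          # e.g. ASNs seen on prior successful logins
    usual_countries: set
    avg_order_value: float
    shipping_addresses: set


@dataclass
class SessionEvent:
    """One login plus, optionally, the purchase attempted in that session."""
    device_id: str
    network: str
    country: str
    via_proxy: bool
    order_value: Optional[float] = None
    shipping_address: Optional[str] = None


# Weights are illustrative assumptions, not figures from the Riskified report.
WEIGHTS = {
    "new device": 30,
    "new network": 20,
    "unusual country": 25,
    "proxy or VPN": 25,
    "order far above average": 20,
    "new shipping address": 20,
}


def score_session(profile: AccountProfile, event: SessionEvent) -> Tuple[int, List[str]]:
    """Return a risk score and the list of signals that contributed to it."""
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("new device")
    if event.network not in profile.known_networks:
        reasons.append("new network")
    if event.country not in profile.usual_countries:
        reasons.append("unusual country")
    if event.via_proxy:
        reasons.append("proxy or VPN")
    if event.order_value is not None:
        # Purchase behaviour: a jump well above the customer's average, or a
        # shipping address never used before, is the classic post-takeover pattern.
        if profile.avg_order_value > 0 and event.order_value > 3 * profile.avg_order_value:
            reasons.append("order far above average")
        if event.shipping_address and event.shipping_address not in profile.shipping_addresses:
            reasons.append("new shipping address")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Only risky sessions get friction: a step-up challenge (e.g. a one-time
    code) in the middle band, a block at the top, nothing extra below that."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step-up"
    return "block"


# Constructed profile and sessions for illustration (not real customer data).
CUSTOMER = AccountProfile(
    known_devices={"dev-A"},
    known_networks={"AS64500"},          # documentation-range ASN
    usual_countries={"GB"},
    avg_order_value=45.0,
    shipping_addresses={"1 High St, London"},
)
RETURNING = SessionEvent("dev-A", "AS64500", "GB", False, 52.0, "1 High St, London")
NEW_PHONE = SessionEvent("dev-B", "AS64500", "GB", False)
TAKEOVER = SessionEvent("dev-Z", "AS64496", "US", True, 420.0, "PO Box 77, Miami")

if __name__ == "__main__":
    for name, event in [("returning", RETURNING), ("new phone", NEW_PHONE), ("takeover", TAKEOVER)]:
        score, reasons = score_session(CUSTOMER, event)
        print(f"{name:10s} score={score:3d} decision={decide(score):8s} reasons={reasons}")
```

The point of the middle band is the one the article makes: a customer logging in from a new phone but from their usual network and country gets a single step-up challenge rather than mandatory two-factor on every login, while a session that is new on every axis and immediately ships a large order elsewhere is stopped outright.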

UK e-commerce fraud losses on cards are said to have topped £359 million last year, but fraud often rises during recessions.


African Fraud Gang Files for Millions in #COVID19 Payments

Info Security - Wed, 05/20/2020 - 09:11

A notorious West African BEC gang may have made millions defrauding the US government out of COVID-19 business compensation payments, according to Agari.

The security company said it had been tracking the Scattered Canary group for over a year and has now briefed the Secret Service of its findings.

The group — which has been involved in BEC, social security fraud and student aid fraud schemes in the past — has targeted at least eight states so far: Hawaii, Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming.

In Washington state, it has filed at least 174 fraudulent claims for unemployment benefit since April 29. Agari calculated that these claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks. Plus, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week up to July 31.

This amounts to a potential windfall for the cybercrime gang of $4.9 million in this one state alone, assuming all claims are approved.

Between April 15 and April 29, Scattered Canary filed at least 82 fraudulent claims for CARES Act Economic Impact Payments, 30 of which were accepted by the IRS, explained Agari founder Patrick Peterson.

The scammers are using a tactic first revealed by Agari last year to scale their operations. Namely, they take advantage of a little-known feature in Gmail which means that a single user controls all “dotted versions” of their email address.

Thus, they can register multiple addresses for separate claims payments which are effectively the same address with dots in different places. They will then all redirect to a single inbox.

“As a result of our analysis, we have identified 259 different variations of a single email address used by Scattered Canary to create accounts on state and federal websites to carry out these fraudulent activities,” explained Peterson.
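The defensive counterpart of the dotted-address trick, as an added example that is not taken from Agari's research or the article: before a claim is accepted, each submitted address is canonicalised to the inbox that actually receives mail for it, so that the many "dotted versions" of one Gmail address collapse to a single key and repeat registrations become visible. Gmail's dot-insensitivity is what the article describes; folding googlemail.com into gmail.com and dropping "+tag" suffixes are further Gmail behaviours assumed here, and the function names and sample addresses are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Domains assumed (for this example) to ignore dots in the local part and to
# deliver "+tag" variants to the same inbox; googlemail.com is Gmail's alias.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize_email(address: str) -> str:
    """Map an address to the inbox that actually receives it.

    For dot-insensitive providers the dots are removed and any "+tag" suffix is
    dropped. For every other domain the local part is kept as written apart
    from lowercasing, which is the safer choice for duplicate detection even
    though the RFCs allow case-sensitive local parts.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def find_shared_inboxes(registrations: Iterable[str], min_variants: int = 2) -> Dict[str, List[str]]:
    """Group submitted addresses by canonical inbox and return the inboxes that
    were registered under at least `min_variants` distinct spellings."""
    clusters = defaultdict(set)
    for submitted in registrations:
        clusters[canonicalize_email(submitted)].add(submitted.strip().lower())
    return {inbox: sorted(variants) for inbox, variants in clusters.items()
            if len(variants) >= min_variants}


# Constructed sample registrations (not data from the Agari report).
SAMPLE_REGISTRATIONS = [
    "jane.doe@gmail.com",
    "j.a.n.e.doe@gmail.com",
    "janedoe+claim3@gmail.com",
    "Jane.Doe@googlemail.com",
    "jane.doe@example.org",      # dots are significant here: a different mailbox
    "j.doe@example.org",
    "bob@gmail.com",
]

if __name__ == "__main__":
    for inbox, variants in find_shared_inboxes(SAMPLE_REGISTRATIONS).items():
        print(f"{inbox} registered {len(variants)} times: {variants}")
```

Run against the claim database, the grouping turns the 259 spellings the article mentions into one record to review; the same canonical key is also the right thing to rate-limit and to check against existing accounts at registration time, rather than the raw string the claimant typed.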

The group is also taking advantage of Green Dot prepaid cards to cash out its fraudulently obtained government payments. These cards are able to receive direct payments and government benefits up to four days before they’re due to be officially paid, meaning they have obvious benefits for fraudsters.

“It shouldn’t be a surprise that scammers are trying to get a piece of the billions of dollars that has flooded the system to try and provide relief to millions of people who have been impacted by the pandemic,” concluded Peterson.

“Based on what we’ve seen from Scattered Canary’s 10-year history of scamming, they will continue to expand their portfolio of cybercrime to try and find new ways to con individuals, businesses, and governments out of as much money as they can.”


Ukrainian Police Arrest Suspected Combo List Mastermind

Info Security - Wed, 05/20/2020 - 08:40
Ukrainian Police Arrest Suspected Combo List Mastermind

Ukrainian intelligence officers have arrested a man they believe to be Sanix, a notorious cyber-criminal responsible for selling billions of log-ins online.

In concert with cyber police, agents from the Secret Service of Ukraine (SBU) swooped on the individual, who lived in the Ivano-Frankivsk region.

They seized 2TB of stolen user information, mobile phones “with evidence of illegal activities” and cash from illegal transactions amounting to around 190,000 hryvnias ($7100) and more than $3000.

Officers also took from the arrested man’s apartment PINs for bank cards, cryptocurrency wallets, PayPal account details, and “information about computers hacked for further use in botnets and for organizing DDoS attacks.”

Sanix is widely believed to have been responsible for selling the “Collection” combo lists of email usernames and passwords that first emerged in January 2019.

The first data dump, dubbed “Collection #1,” contained 772 million unique email addresses, the largest single trove to be fed into the HaveIBeenPwned breach notification site, and more than 21 million unique passwords.

It subsequently emerged that this collection contained data that was two or three years old, gathered from multiple sources. However, the person trying to sell them, dubbed “Sanixer” on Telegram, told Brian Krebs at the time that the other packages up for sale were more current.

Together, he claimed they amounted to around 4TB of data, or many billions of records.

Such lists are typically bought and used in credential stuffing attacks, where they’re fed into an automated program and tried simultaneously on multiple sites and accounts in a bid to crack them open.

The reason cyber-criminals have success with this tactic is that computer users continue to reuse their passwords across multiple services.

The SBU said it found evidence of Collection #1 on Sanix’s machine along with “at least seven similar databases” of stolen and cracked/decrypted passwords.

Categories: Cyber Risk News

REvil to Auction Stolen Madonna Data

Info Security - Tue, 05/19/2020 - 17:58
REvil to Auction Stolen Madonna Data

A threat group that claims to have stolen nearly a terabyte of data from a prominent entertainment law firm has said it will put sensitive information relating to Madonna up for auction.

REvil allegedly made off with 756GB of data from New York lawyers Grubman Shire Meiselas & Sack in a ransomware attack earlier this month. The law firm, whose celebrity client list includes LeBron James and Mariah Carey, confirmed last week that it had fallen victim to a ransomware attack. 

After their initial ransom demand for $21m in Bitcoin was not met, REvil doubled it and released 2GB of data that appeared to be taken from contracts involving Lady Gaga. But so far, the law firm has not paid the criminals a dime.

In a statement to Page Six, Grubman Shire Meiselas & Sack said: “We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law.”

However, paying to retrieve the encrypted files may not have been ruled out entirely by the law firm, which told Bleeping Computer: “Unless the FBI determines the ransomware was deployed by a designated terrorist organization or nation state, the FBI treats ransomware investigations as criminal matters.”

Now the threat group, intent on monetizing their crime, has said it will auction off stolen data relating to the singer Madonna on May 25. Bidding is set to start at $1m. 

The criminals claim that the auction will take place confidentially and that they will delete their copy of the data after the sale has been completed. 

Earlier this week, REvil claimed to have data about Donald Trump for sale. The group said that the data was not stolen from Grubman Shire Meiselas & Sack but was "accumulated over the entire time of our activity."

Without producing any evidence to back up its claim, REvil is now conveniently saying that the data on Trump has been sold. On its Tor site, the group stated: "Interested people contacted us and agreed to buy all the data about the US president." 

Commenting on the alleged sale of the Trump data, Emsisoft's Brett Callow said: "Whether they had the presidency-destroying information that they claimed to have is something we may never know. But I still think it was probably a bluff!"

Categories: Cyber Risk News

Minnesota Sees Surge in Sex Crimes Against Minors Online

Info Security - Tue, 05/19/2020 - 17:08
Minnesota Sees Surge in Sex Crimes Against Minors Online

Minnesota law enforcement agencies have reported a surge in reports of sexual crimes against children online since lockdown measures were introduced to impede the spread of the novel coronavirus. 

Authorities believe the jump in crime is linked to children's and predators' spending more time online as schools and businesses remain closed.

The Minnesota Bureau of Criminal Apprehension recorded more than 1,000 complaints involving child pornography or other forms of cyber exploitation of minors in March and April 2020. The disturbing statistic represents a 30% increase in complaints received over the same period last year. 

Drew Evans, superintendent of the Bureau of Criminal Apprehension that operates the Internet Crimes Against Children investigative unit, said it was "very unusual to see such a large jump" year on year.

Sadly, the spike in reports of online child exploitation while the United States is under lockdown isn't unique to Minnesota. The National Center of Missing and Exploited Children recorded more than 6 million tips concerning online child exploitation in March and April 2020. This figure is three times higher than the number recorded over the same time period in 2019.

“That’s probably the largest number of reports in a two-month period that we’ve ever received,” said John Shehan, vice president of the center’s Exploited Children Division. 

According to Shehan, child predators have openly stated on the dark web that they are taking advantage of stay-at-home orders to indulge their illegal predilections. 

Shehan said that the majority of tips received by the center are reports of child pornography, but many concern sextortion incidents in which children are enticed into sharing lewd photos online, usually on social media.

Under social distancing restrictions, Minnesota has suspended the use of grand juries since March 23. Without them, federal prosecutors are struggling to indict crimes involving the sexual exploitation of children online. 

“We’re not indicting cases, but they’re still coming in and we’re still working them,” said Minnesota US Attorney Erica MacDonald. 

She said her office was working with county prosecutors and law enforcement to ensure “we don’t leave people in the community who are posing an imminent threat” to minors.

MacDonald anticipates a boom in indictments once the temporary suspension is lifted.

Categories: Cyber Risk News

New Program Trains Dallas Veterans for Cybersecurity Careers

Info Security - Tue, 05/19/2020 - 15:52
New Program Trains Dallas Veterans for Cybersecurity Careers

A new program to train veterans and their families for careers in cybersecurity was announced today by NPower and AT&T.

NPower is a national nonprofit organization that specializes in delivering cutting-edge information technology training to veterans and their families from underserved communities. The new training program, which starts in late June, will support veterans living in Dallas, Texas, as they embark on a second career in the cybersecurity field.  

AT&T has worked with NPower to augment the curriculum of the new program. The telecommunications company has also supported the program with a cash injection of $200,000. 

AT&T’s contribution to NPower will support 25 veterans and military spouses as they learn the skills necessary to succeed in a new cybersecurity role.  

According to the US Department of Labor (DOL), while some industries are struggling with the effects of lockdown measures introduced to slow the spread of COVID-19, the employment prospects for information security analysts are bright. 

The DOL states that employment of information security analysts is projected to grow 32% from 2018 to 2028, much faster than the average for all occupations.

“As more people use digital communications to stay connected during the COVID-19 crisis, our country needs more cybersecurity professionals who are ready to help lead the fight against cybercrime,” said Roger Thornton, VP, Products and Technology, AT&T Cybersecurity. 

Thornton said that the training veterans receive from the military gives them transferable skills for a new career in digital defense.

“Military veterans are perfect candidates for these positions because they already have many of the technical skills required for a career in information technology," said Thornton. 

"At AT&T, we are proud to employ a large number of military veterans, and we are pleased to be working with NPower to prepare even more veterans for a rewarding career that will allow them to help protect our critical digital infrastructure.” 

NPower’s curriculum exposes students to security and cloud architecture and teaches them how to diagnose networks, manage operating systems, and utilize security tools to address vulnerabilities and threats. Students have an opportunity to earn both CompTIA Security+ and Linux+ certifications.

Categories: Cyber Risk News

NTT Report Demonstrates Changing Approaches of Cyber-Criminals

Info Security - Tue, 05/19/2020 - 15:16
NTT Report Demonstrates Changing Approaches of Cyber-Criminals

There was a marked increase in the volume of cyber-attacks across all industries in 2019 compared with 2018, according to NTT’s 2020 Global Threat Intelligence Report (GTIR) published today. The study also revealed the extent to which cyber-criminals are innovating their methods, which is causing major challenges to all organizations.

According to the global technology service company, the most common methods used by malicious actors last year were remote code execution (15%) and injection (14%) attacks. Such attacks were found to be effective due to organizations’ poor practices related to network, operating system and application configuration, testing, security controls and overall security hygiene.

Additionally, the growing use of artificial intelligence (AI) and machine learning to automate attacks by cyber-criminals was highlighted, with 21% of malware detected found to be in the form of a vulnerability scanner.

NTT also said it had seen a re-emergence of Internet of Things (IoT) weaponization in 2019, with a resurgence of Mirai and derivatives underpinning these attacks.

In the wide-ranging report, it was revealed that technology was the sector most targeted by cyber-criminals last year, involved in 25% of all attacks compared with 17% in the previous year. More than half of attacks aimed at this industry were application-specific (31%) and DoS/DDoS (25%). This was followed by government, at 16% of all attacks, and finance at 15%.

Around 20% of attacks targeted content management systems such as WordPress, Joomla!, Drupal and noneCMS, which criminals see as a means of stealing data from businesses and launching further attacks.

Mark Thomas, global head of threat intelligence at NTT, commented: “The technology sector experienced a 70% increase in overall attack volume. Weaponization of IoT attacks also contributed to this rise and, while no single botnet dominated activity, we saw significant volumes of both Mirai and IoTroop activity. Attacks on government organizations nearly doubled, including big jumps in both reconnaissance activity and application-specific attacks, driven by threat actors taking advantage of the increase in online local and regional services delivered to citizens.”

The report also made some observations regarding the activities of cyber-criminals so far in 2020, particularly in light of the COVID-19 pandemic.

Matthew Gyde, president and CEO of the security division, NTT, said: “The current global crisis has shown us that cyber-criminals will always take advantage of any situation and organizations must be ready for anything. We are already seeing an increased number of ransomware attacks on healthcare organizations and we expect this to get worse before it gets better. Now more than ever, it’s critical to pay attention to the security that enables your business, making sure you are cyber-resilient and maximizing the effectiveness of secure-by-design initiatives.”

Categories: Cyber Risk News

easyJet Says Details of Nine Million Customers Accessed in Data Breach

Info Security - Tue, 05/19/2020 - 13:08
easyJet Says Details of Nine Million Customers Accessed in Data Breach

easyJet has revealed that the personal data of approximately nine million of its customers has been accessed following a “highly sophisticated” cyber-attack on its system. This includes credit card details of a small subset of these customers (2208), with the airline confirming it has already taken action to contact and offer support to those individuals.

For the rest of the customers affected, email addresses and travel details were accessed. easyJet said these customers will be contacted in the next few days, and the company will “advise them of protective steps to minimize any risk of potential phishing.”

The company took immediate steps to manage the incident once it was aware of the attack and closed off the unauthorized access. It also stated that it has notified the National Cyber Security Centre and the Information Commissioner's Office (ICO) of the breach. The firm has not given any details on the nature of the breach.

There is currently no evidence that the information accessed has been misused; however, the airline is urging its customers to stay alert to any unsolicited communications and to be “cautious of any communications purporting to come from easyJet or easyJet Holidays.”

Johan Lundgren, easyJet chief executive officer, said: “We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber-attackers get ever more sophisticated.

“Since we became aware of the incident, it has become clear that owing to COVID-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

The incident has come at a particularly bad time for easyJet, which faces the possibility of a large fine under General Data Protection Regulation (GDPR) rules.

Commenting on the breach, Felix Rosbach, product manager at data security specialists comforte AG, said: “The aviation industry is struggling at present given the current pandemic so seeing another major airline succumb to a data breach is not pleasant. On first glance, easyJet has followed the correct procedures and informed all affected customers who have had their sensitive data compromised. However, this situation could have been avoided.”

Last year, British Airways (BA) was hit by a record £183m GDPR fine (issued as a notice of intention to fine) after failing to prevent a digital skimming attack in 2018.

Categories: Cyber Risk News

Trust in Data and Metrics Processes Cause Security Headaches for Financial Services

Info Security - Tue, 05/19/2020 - 11:20
Trust in Data and Metrics Processes Cause Security Headaches for Financial Services

Security leaders are being challenged to create business metrics, but without having total trust in the data they work with.

According to research by Panaseer of over 400 security leaders in financial services organizations, 96% of companies use metrics to measure their cyber-posture, but 36% said their biggest challenge in creating metrics to measure and report on risk is trust in the data.

Other issues included the resources required to produce metrics (21%), the frequency of requests (14%) and confusion over knowing what metric to use (15%). Fewer than half of respondents (47%) could claim to be very confident that they are using the right security metrics to measure cyber-risk.

Nik Whitfield, CEO, Panaseer, said not knowing the accuracy, timeliness or even limitations of a security metric can render it useless – which is simply unacceptable against a backdrop of tightening regulation and an increasing attack surface.

“We must move on from the era of out-of-date inaccurate metrics to one where they are automated and measured on a continuous basis,” he said. “Financial service organizations, in particular, need trusted and timely metrics into an organization’s technology risk, segmented where possible to critical operations. With this information, the board can then have a better understanding of what risks are and aren't acceptable to keep customer data safe.”

The research determined the primary use for security metrics to be risk management (41%), demonstrating the success of security initiatives (28%), supporting security investment business cases (19%) and board and executive reporting (10%).

The research also found that teams are wasting an inordinate amount of time processing metrics, as it can take an average of five days to produce them. Auditors demand data most frequently at every 10.4 days per month, while boards have a need for updated metrics almost twice a month or more.

Commenting, Bob Sibik, vice-president of Fusion Risk Management, said that most CEOs “are starved for metrics and want solid metrics as they use them to prepare for how secure they are.” Talking to Infosecurity, Sibik said CEOs like “internal metrics” to show trends and to be able to compare themselves to their peers.

“We rely heavily [on metrics] and metrics are huge for us, and they come in handy and are crucial for day-to-day operations and to define a future strategy,” said Fusion director of cybersecurity, Safi Raza.

Manual processes were also cited as fueling data mistrust. Over half (59%) of security leaders said that they are still relying on spreadsheets to produce metrics and 52% are using custom scripts. Nearly one in five (18%) admitted to relying exclusively on manual processes to develop their security metrics for risk.

Categories: Cyber Risk News

FBI Unlocks Pensacola Shooter’s iPhones as Barr Slams Apple

Info Security - Tue, 05/19/2020 - 10:41
FBI Unlocks Pensacola Shooter’s iPhones as Barr Slams Apple

The US attorney general has again attacked Apple for its stance on device encryption even as he revealed that FBI investigators had managed to access a deceased terrorist’s iPhones.

At a press conference to announce updates to the investigation into fatal shootings at Pensacola Naval Air Station, William Barr claimed the “relentless efforts and ingenuity of FBI technicians” had helped reveal more about Mohammed Saeed Alshamrani’s ties to Al Qaeda.

However, he couldn’t resist doubling down on long-standing government criticism of Silicon Valley over encryption.

“Apple made a business and marketing decision to design its phones in such a way that only the user can unlock the contents no matter the circumstances,” Barr argued.

“In cases like this, where the user is a terrorist, or in other cases, where the user is a violent criminal, human trafficker, or child predator, Apple’s decision has dangerous consequences for public safety and national security and is, in my judgment, unacceptable.”

Barr again repeated the belief, roundly debunked by the world’s leading encryption experts, that “there is no reason why companies like Apple cannot design their consumer products and apps to allow for court-authorized access by law enforcement while maintaining very high standards of data security.”

In fact, it is widely believed in security circles that if Apple or any tech firm engineered de facto backdoors into their products, the information would eventually end up on the cybercrime underground, undermining security for hundreds of millions of legitimate users.

The Cupertino giant hit back at Barr’s suggestion it had not been any help in the investigation, claiming that it provided iCloud backups, account info and other information on Alshamrani to the FBI.

“The false claims made about our company are an excuse to weaken encryption and other security measures that protect millions of users and our national security,” it continued in a statement.

“It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor — one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers.”

Categories: Cyber Risk News
