Cyber Risk News
A cloud configuration error at a Chinese startup exposed the personal data of at least 214 million social media users including celebrities, researchers have warned.
The privacy snafu occurred at social media management firm Socialarks, which suffered a similar incident in August last year when 150 million users were exposed, according to Safety Detectives.
This time, a team led by Anurag Sen came across an Elasticsearch database left completely open without any password protection or encryption, during a routine IP scan.
The 408GB trove contained over 318 million records in total, although the exact number of users affected is still not known given the size of the leak. What the researchers do know is that it was illegally scraped from social media profiles on Facebook, Instagram and LinkedIn, contrary to the policy on those sites.
They discovered nearly 12 million Instagram user profiles, including names, phone numbers, usernames, email addresses, profile pictures and locations.
The trove also contained data on 82 million Facebook profiles including full names, email addresses, phone numbers, Messenger IDs, pictures and more.
Finally, the researchers uncovered 66 million LinkedIn user profiles containing full names, email addresses, job profiles and company names, amongst other data points.
Safety Detectives said it was unclear how private information such as phone numbers and email addresses was obtained by Socialarks, given that its scraping tools should have lifted only publicly available information.
“In some cases, scraped data can be weaponized to carry out a specific goal of extracting personal information for criminal purposes. Potential ramifications of exposing personal information include identity theft and financial fraud conducted across other platforms including online banking,” the firm warned.
“Contact information can be harnessed to target people with targeted scams including sending personalized emails containing other personal information about the target, thereby gaining their trust, and setting the stage for a deeper intrusion into their privacy.”
Although Socialarks never replied to the research team, it remediated the leak on December 14, the day it was notified.
A social networking app used by millions is seeking a new home after being suspended by big tech over claims of failure to remove egregious content from its platform.
Parler was launched in 2018 as an antidote to sites like Twitter and Facebook that take action to censor particular content and suspend or block user accounts based on the perceived nature of content posted.
Amazon said it had made the decision to block Parler from using its AWS hosting services over concerns regarding “violent content.”
In an email, Amazon’s AWS Trust and Safety team informed Parler’s chief policy officer Amy Peikoff that the social network “does not have an effective process to comply with the AWS terms of service.”
“AWS provides technology and services to customers across the political spectrum, and we continue to respect Parler’s right to determine for itself what content it will allow on its site,” the letter said.
“However, we cannot provide services to a customer that is unable to effectively identify and remove content that encourages or incites violence against others.”
Google removed Parler from its app store on Friday, and on Saturday Apple followed suit.
Parler’s chief executive John Matze described the concurrent actions of Google, Apple, and Amazon as “a coordinated attack by the tech giants to kill competition in the marketplace.”
Responding to Google’s ban, Matze said: “We won’t cave to politically motivated companies and those authoritarians who hate free speech.”
The move to silence Parler’s approximately 10 million users comes after an executive order on preventing online censorship was issued by President Donald Trump on May 28, 2020.
Early-stage cybersecurity companies in the UK have seen a year-on-year funding decline of 96% since March 2020, a trend which threatens to significantly curtail advancements in the sector. This is according to a new analysis by innovation center Plexal and Beauhurst, a database of fast-growth companies, which found that cybersecurity startups seeking funding for the first time received only £11.9m in investment since the start of the COVID-19 lockdowns. This compares to £265m during the same period in 2019.
This is despite UK cybersecurity startups as a whole securing £651m since the pandemic struck, which represents a year-on-year rise of 52%. While average investment in these companies was larger, with a wider range receiving capital compared to 2019, funding was almost entirely targeted towards businesses with a proven track record. This included a number of very large follow-on investments to companies such as OneTrust (£224m), Snyk (£154m) and Privitar (£70m).
This imbalance has led to fears of a “lost generation” of cyber-startups, which could be damaging to the industry over the long-term.
Saj Huq, director of innovation at Plexal and director of the London Office for Rapid Cybersecurity Advancement (LORCA), commented: “While increased total funding demonstrates the relevance of cybersecurity and shows that the UK’s cyber-industry has not been impacted to the same extent as others, the almost complete absence of backing for early-stage firms puts the sector’s future at risk. It is these companies that we will ultimately rely on to solve the inevitable new cyber-challenges arising from a society that is increasingly digital-first.
“COVID-19 has accelerated digital transformation, increased the demand for digital services and reinforced the relevance of security as a crucial business enabler. More cybersecurity companies are receiving investment as a result, but the caution exercised by investors is preventing the UK’s cyber-sector from becoming the key driver of the economic recovery that it should be. Investors, industry, academic institutions and government must come together to safeguard the future of our brightest, early-stage cyber-startups or they could become a lost generation.”
The analysis of nearly 40,000 startups and fast-growth businesses also showed that cybersecurity startups had fared substantially better than counterparts in other sectors. While the number of deals involving cybersecurity startups went up by 33% since March 2020, deals across all sectors fell by 26% in the same period.
Last year, LORCA revealed that cybersecurity startup and scaleup firms that have progressed through its innovation program have collectively raised over £150m in investment in two years, 280% above its original target.
The firm announced the closing of the transaction today. The financial details of the deal were not disclosed.
Forcepoint, formerly known as Websense, provides behavior-based cybersecurity solutions that protect the critical data and networks of thousands of customers worldwide by adapting to risk in real-time.
Four appointments were made by Forcepoint to coincide with the transaction's closing. Dave Stevens was named senior vice president of strategy and execution, John DiLullo is the company's new chief revenue officer, and Sean Berg has been promoted to president of global governments and critical infrastructure from his previous role as senior VP and general manager for Forcepoint’s business unit.
The company’s board of directors has appointed Manny Rivelo as chief executive officer with immediate effect. Previous executive roles held by Rivelo include chief customer officer at Arista Networks, president and CEO as well as executive vice president, security, service provider and strategic solutions at F5 Networks, president and CEO of AppViewX, and various senior leadership roles at Cisco Systems.
“Cybersecurity has never been more important for businesses and governments around the world,” said Rivelo. "As we continue to see broad-scale global attacks, the cybersecurity industry needs to evolve to deliver security capabilities to match those of today’s sophisticated threat actors."
Rivelo added that all organizations need to evolve their security posture so that cybersecurity is holistically integrated across their business operations and into their culture.
"It can no longer be viewed as ‘just an IT issue’,” said Rivelo.
As CEO, Rivelo intends to focus the company’s strategy on accelerating enterprise and government-agency adoption of emerging Secure Access Service Edge (SASE) architecture.
“I look forward to solidifying Forcepoint’s leadership position as the global cybersecurity partner of choice for enterprises and government agencies,” said Rivelo.
Founded in 1999 and based in San Francisco, Francisco Partners specializes in partnering with technology and technology-enabled businesses. Since its launch, the firm has raised over $24bn in committed capital and invested in more than 300 technology companies.
The largest non-profit association of certified cybersecurity professionals in the world is launching an online exam proctoring pilot program.
As of July 1, 2020, there were 141,607 (ISC)² members holding the CISSP certification worldwide.
Offering certification online is part of the association's efforts to counter the effects of the global outbreak of the novel coronavirus on the lives of security professionals.
“In the wake of COVID-19, (ISC)² has spent considerable time and effort to ensure the integrity of our exam process while taking into consideration that many candidates are facing extraordinary uncertainty and restrictions due to the pandemic,” said Dr. Casey Marks, chief product officer and vice president, (ISC)².
“Our pilot test program will enable us to gather the data we need to weigh the integrity and effectiveness of the exams while making them more easily accessible during these unprecedented times.”
Under the pilot test, a maximum of 2,000 total examinations will be delivered. Candidates can register for the (ISC)² online proctoring pilot test beginning today.
In this pilot program, test deliveries are being limited to candidates who are located within the United States and who have no past (ISC)² disciplinary actions on record. Tests will only be available in the English language.
The pilot program will be exclusively administered through Pearson VUE, which will offer exam appointments on a first-come, first-served basis.
Online examinations for the CAP, CCSP, CSSLP, HCISPP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, and SSCP certifications will be administered February 15, 2021 – February 21, 2021. Online CISSP examinations will be administered February 22, 2021 – February 28, 2021.
The cost for examinations offered online as part of the pilot scheme has been set at the same rate charged for test center–delivered examinations. But, where test center candidates typically receive diagnostic information regarding how they performed in their tests, online candidates will only be given a pass/fail result.
(ISC)², which has a membership of more than 140,000 security professionals, celebrates its 30th anniversary this year.
Bridewell Consulting has announced the appointment of Martin Riley as its director of managed security services.
Riley, who has joined Bridewell’s board from today, is tasked with leading the expansion of the cybersecurity and data privacy consultancy’s managed security service (MSS) portfolio. This includes its 24/7 security operations center (SOC) and managed detection and response (MDR) service.
Riley comes with nearly 20 years of experience in helping scale up organizations’ security infrastructure and digitalization as well as leading enterprise managed services.
Most recently, Riley held the position of chief technology officer at Timico, where he led the strategic direction and digital transformation of the business. He was also previously head of infrastructure at cloud services and integrator company Adapt.
Scott Nicholson, director, Bridewell Consulting, commented: “Martin brings tremendous expertise and experience to our business and will be instrumental in helping us deliver on our ambitious growth strategy. Our 24/7 managed detection and response capability around Azure Sentinel and Defender XDR is already best in class across the industry, but with Martin’s support, we hope to strengthen this further and deliver high-end security automation and operations across critical national infrastructure.”
Speaking on his new position, Riley said: “I have been passionate about the role cybersecurity plays in infrastructure and cloud services for many years and am excited to work for an ambitious and fast growth business like Bridewell. Managed security services continues to be one of the biggest growth areas in IT and I look forward to helping develop opportunities to expand Bridewell’s services, mature our capabilities and strengthen our position in the security market.”
Anthony Young, director, Bridewell Consulting, added: “When first meeting Martin, it was clear to see he had passion for cybersecurity and delivering an excellent service to customers which aligns with our values. That, coupled with his experience across managed services and scaling businesses through technology automation, makes him a brilliant addition to the board and will help us deliver on our growth plans.”
The US government has announced the creation of a new cybersecurity agency to align with the country’s diplomatic efforts.
The Bureau of Cyberspace Security and Emerging Technologies (CSET) was finally approved by outgoing secretary of state, Mike Pompeo — over a year-and-a-half after Congress was first notified of the plans.
A brief statement from the department explained that the need to “reorganize and resource” the government’s cybersecurity and diplomacy has become even more critical in the intervening months. China, Russia, Iran, North Korea and “emerging technology competitors and adversaries” were name-checked in the note.
“The CSET bureau will lead US government diplomatic efforts on a wide range of international cyberspace security and emerging technology policy issues that affect US foreign policy and national security, including securing cyberspace and critical technologies, reducing the likelihood of cyber-conflict, and prevailing in strategic cyber-competition,” it continued.
“The secretary’s decision to establish CSET will permit the department to posture itself appropriately and engage as effectively as possible with partners and allies on these pressing national security concerns.”
However, the reason for that 18-month delay to the creation of CSET was former House Foreign Affairs Committee chairman Eliot Engel, who argued at the time that its focus was too narrow.
A 2018 bipartisan bill, the Cyber Diplomacy Act, sets out to establish not a bureau but an Office of International Cyberspace Policy at the State Department.
“While Congress has pursued comprehensive, bipartisan legislation, the State Department has plowed ahead in its plan to create a bureau with a much narrower mission focused only on cybersecurity,” Engel was reported as saying at the time.
“This move flies in the face of repeated warnings from Congress and outside experts that our approach to cyber-issues needs to elevate engagement on economic interests and internet freedoms together with security.”
A former State Department cybersecurity diplomat under Obama and Trump also dismissed the move.
“Laughable that this is done @ the 11th hr when this was not adequately resourced or prioritized for four yrs,” tweeted Chris Painter. “Also, this formulation only preserves stovepipes rather than coordination.”
Security researchers revealed today that it took them just hours to access over 100,000 personal records and credentials belonging to United Nations employees.
A team from Sakura Samurai had decided to look for bugs to report to the UN under its vulnerability disclosure program, first probing multiple endpoints that were in scope.
It initially found an exposed subdomain for UN body the International Labour Organization (ILO), according to Sakura Samurai founder John Jackson. This gave them access to Git credentials, which they used to take over a legacy MySQL database and a survey management platform. Exfiltration of these credentials was done with the git-dumper tool.
Although these assets contained “hardly anything of use,” the researchers then discovered an exposed subdomain related to the United Nations Environment Programme (UNEP), which was a much bigger privacy risk. The domain was also leaking Git credentials.
“Ultimately, once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects and within the projects we found multiple sets of database and application credentials for the UNEP production environment,” Jackson explained.
“In total, we found seven additional credential pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via database backups that were in the private projects.”
In total, the team discovered over 100,000 employee records including names, ID numbers, gender, pay grade, records of travel details, work sub-areas and departments, evaluation reports and funding source records.
The UN is a frequent target for nation state attackers and its cybersecurity has often been found wanting in the past.
A year ago it emerged that hundreds of gigabytes of internal data, potentially including highly sensitive information on human rights activists, had been stolen in 2019 by attackers.
Controversially, the organization itself appeared to use its diplomatic immunity to keep the incident a secret.
Fortunately, this time around the UN is believed to have quickly patched the vulnerabilities in question and secured the exposed data.
Privacy experts are celebrating after the High Court ruled against the intelligence agencies’ use of bulk hacking for domestic targets.
In 2014, Edward Snowden first revealed the use of hacking techniques to target large numbers of users simultaneously. The government relied on the issuing of “general warrants” under section 5 of the Intelligence Services Act 1994 to do so.
Non-profit Privacy International challenged the practice in the Investigatory Powers Tribunal (IPT), a secretive court set up to handle cases involving the intelligence agencies. However, the IPT ruled in the agencies’ favor back in 2016.
Although the government then tried to block a High Court challenge to the ruling, by claiming the tribunal’s decisions can’t be subject to judicial review, it lost, and the case went ahead.
On Friday, the High Court agreed with Privacy International, quashing the IPT decision.
It cited 250 years of common law precedent whereby individuals have a right not to have their property searched without lawful authority, even in cases of national security. As general warrants don’t apply to individuals, the authorities are wrong to take this approach, it found.
“The aversion to general warrants is one of the basic principles on which the law of the United Kingdom is founded,” the court noted. “As such, it may not be overridden by statute unless the wording of the statute makes clear that parliament intended to do so.”
Privacy International legal director, Caroline Wilson Palow, argued the ruling brought legal precedent into the modern age, where searching “property” could mean remotely spying on users’ digital lives.
“General warrants are no more permissible today than they were in the 18th century. The government had been getting away with using them for too long. We welcome the High Court's affirmation of these fundamental constitutional principles,” she said.
However, some government hacking powers are now governed by a newer law, the controversial Snooper’s Charter, or Investigatory Powers Act.
There are also various legal challenges underway to this legislation. In October last year, campaigners received a boost when the Court of Justice of the European Union (CJEU) ruled that bulk collection and retention of citizens’ data must be brought into line with EU privacy law, even in cases of national security.
The UK has a vested interest in rowing back from its position on bulk surveillance, as it seeks an “adequacy decision” from the EU on data handling that is vital to seamless cross-border data flows in the new post-Brexit era.
A Russian hacker who was instrumental in one of the largest thefts in history of US customer data from a single financial institution has been sentenced to prison.
Moscow resident Andrei Tyurin, also known as Andrei Tiurin, was part of an international hacking campaign that compromised the computer systems of major financial institutions, brokerage firms, news agencies, and other companies to steal data.
Tyurin's illegal activities were committed with the help of partner Gery Shalon, along with Joshua Samuel Aaron, Ziv Orenstein, and other co-conspirators in furtherance of securities market manipulation, illegal online gambling, and payment processing fraud schemes.
According to the allegations contained in the indictments to which Tyurin pled guilty, the 37-year-old Muscovite hacked into companies between 2012 and mid-2015 and stole the personal information of over 100 million customers.
Among the companies targeted were E*Trade, Scottrade, the Wall Street Journal, and JPMorgan Chase and Co., from which Tyurin stole personal data belonging to more than 80 million of the bank's customers.
On top of the hacks, from around 2007 to mid-2015, Tyurin carried out cyber-attacks against numerous American and foreign companies for the benefit of various criminal enterprises operated by Shalon and his co-conspirators, including unlawful internet gambling businesses and international payment processors.
Through these various criminal schemes, Tyurin, Shalon, and their co-conspirators obtained hundreds of millions of dollars in illicit proceeds, with Tyurin personally amassing $19m in profits from his hacking activity alone.
In one scheme, Tyurin, Shalon, and their co-conspirators misleadingly marketed certain stocks, publicly traded in the US, to customers of the victim companies whose contact information Tyurin had stolen, in an attempt to artificially inflate the stocks' prices.
To carry out his nefarious activities, Tyurin used computer infrastructure located across five continents, which he controlled from his home.
Tyurin was extradited to the United States from the country of Georgia in September 2018. On January 7, in Manhattan Federal Court, US District Judge Laura Taylor Swain sentenced Tyurin to 144 months in prison for computer intrusion, wire fraud, bank fraud, and illegal online gambling offenses in connection with his involvement in the hacking campaign.
In addition to the prison term, Judge Swain ordered Tyurin to pay forfeiture in the amount of $19,214,956.
A cyber-attack on a Vermont healthcare provider has delayed the rollout of an electronic health record (EHR) system and cost millions of dollars in lost revenue.
The University of Vermont Health Network, which is based in Burlington, was hit by ransomware in October 2020, and is yet to make a full recovery. Most computer systems have been brought back online; however, some applications are still down, causing delays in various departments, including radiology.
The network serves much of Vermont and parts of upstate New York. When attackers struck at six of the network's hospitals, Vermont's governor, Phil Scott, deemed the situation serious enough to merit the deployment of the Vermont Army National Guard’s Combined Cyber Response Team 1 to aid in the recovery effort.
In December, UVM Health Network CEO Dr. Stephen Leffler said that the cyber-attack was costing the network about $1.5m a day in lost revenue and recovery costs.
The UVM Health Network completed the first phase of implementation of the Epic EHR system in November 2019, launching additional clinical and administrative capabilities for inpatient and outpatient settings that included clinical care, billing, registration, and scheduling.
Phases two and three were scheduled to take place in March 2021 and November 2021. However, the combined effects of the ransomware attack and the impact of the coronavirus outbreak have now pushed those dates back to November 2021 and April 2022, pending approval from the Green Mountain Care Board.
“In 2020, our Network, like those across the world, experienced tremendous challenges due to the COVID-19 pandemic, only to be further encumbered by a ransomware attack,” John Brumsted, M.D., president and CEO of the UVM Health Network, said in a statement published Tuesday.
“An electronic health record is one of the most significant things we can do to ensure high quality care and create a seamless experience for our patients. That is why it is absolutely critical to our patients, our people, and our communities that we get the implementation of this system right.
"Given the obstacles we faced over the last year, modifying our timeline for installation of the EHR is the right thing to do.”
By bringing StackRox’s Kubernetes-native security capabilities to Red Hat OpenShift, Red Hat said it hopes to take one step closer to creating a single platform that will enable users to "build, deploy and securely run nearly any application across the entirety of the hybrid cloud."
In addition to Red Hat OpenShift, StackRox will carry on supporting multiple Kubernetes platforms, including Microsoft Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE).
StackRox was founded in 2014 with the goal of reinventing enterprise security. The company is headquartered in Mountain View, California, and employs around 60 people.
For StackRox CEO Kamal Shah, the planned acquisition is confirmation of StackRox's originality when it comes to Kubernetes security, which over the past two years has evolved to be the company's focus.
"We're thrilled to join forces with Red Hat, coupling the industry’s first Kubernetes-native security platform with the leading Kubernetes platform for hybrid cloud, multicloud, and edge deployments," said Shah.
"This is a tremendous validation of our innovative approach to container and Kubernetes security. Red Hat is an ideal partner to accelerate our vision of enabling organizations to securely build, deploy and run their cloud-native applications anywhere."
Red Hat revealed plans to open source StackRox’s technology post-acquisition in an action that's consistent with Red Hat's open source heritage. Red Hat has pledged to continue to support the KubeLinter community as well as new communities as the company works to open source StackRox’s tech treasures.
The transaction is scheduled to close in the first quarter of 2021, subject to the usual closing conditions.
"Securing Kubernetes workloads and infrastructure cannot be done in a piecemeal manner; security must be an integrated part of every deployment, not an afterthought," said Red Hat CEO and president Paul Cormier.
"Red Hat adds StackRox's Kubernetes-native capabilities to OpenShift's layered security approach, furthering our mission to bring product-ready open innovation to every organization across the open hybrid cloud across IT footprints."
The notorious Emotet Trojan is back at the top of the malware charts, having had a makeover designed to make it more effective at escaping detection.
Check Point’s newly released Global Threat Index for December 2020 revealed that the malware variant bounced back from fifth place in November.
It now accounts for 7% of malware infections globally after a spam campaign targeted more than 100,000 users per day over the holiday period, the security vendor claimed. Emotet is closely followed by fellow modular Trojan Trickbot and info-stealer Formbook, both on 4%.
“It has now been updated with new malicious payloads and improved detection evasion capabilities: the latest version creates a dialogue box, which helps it evade detection from users,” explained Check Point.
“The new malicious spam campaign uses different delivery techniques to spread Emotet, including embedded links, document attachments, or password-protected Zip files.”
Emotet and Trickbot are often used in combination by ransomware groups to gain an initial foothold into networks. Attackers can then pick and choose which victims to go after with “hands-on-keyboard” multi-staged attacks.
In fact, a new report detailing the activities of the Ryuk variant recommended that one of the best ways for organizations to mitigate the threat is to prevent initial infection by malware like Emotet.
The focus therefore should be on email security with anti-phishing capabilities and enhanced end user awareness training, although defense-in-depth is always preferable, including two-factor authentication and prompt patching to reduce the attack surface further.
“Emotet was originally developed as banking malware which sneaked on to users’ computers to steal private and sensitive information. However, it has evolved over time and is now seen as one of the most costly and destructive malware variants,” said Maya Horowitz, director of threat intelligence & research, products at Check Point.
“It’s imperative that organizations are aware of the threat Emotet poses and that they have robust security systems in place to prevent a significant breach of their data. They should also provide comprehensive training for employees, so they are able to identify the types of malicious emails which spread Emotet.”
Ping Identity has announced the appointment of Hall of Fame CIO Paul Martin to its board of directors.
Martin will help the security firm enhance its leadership strategy and IT innovation. He joins with a strong track record as an IT leader, having received a number of accolades. This includes being named to the CIO Hall of Fame by CIO Magazine in 2017 and being awarded the 2020 Chicago CIO of the Year Leadership ORBIE Award.
His most recent position was as CIO and senior vice-president for healthcare company Baxter International Inc., where he was responsible for its global IT strategy, operations, security and processes. He has also held IT leadership roles at Rexam PLC, CIT Group, BNSF Railway and Frito-Lay Inc.
Commenting on the appointment, Andre Durand, CEO of Ping Identity, said: “Few CIOs can match Paul’s proven track record of innovating IT solutions that generate bottom-line profitability and stakeholder value. His extensive experience in the CIO community will bring greater insight to Ping Technology’s leadership, and further champion our customers throughout all business operations.”
Martin is also a board member for Unisys Corporation and Baxter Credit Union as well as being a trustee at Rush University Medical Center and Ravinia Festival.
The appointment of Martin is the latest step taken by Ping Identity to expand its business during recent months. In October, it appointed Emma Maslen as its vice-president and general manager for EMEA and APAC to grow its international operations, and in November announced the acquisition of dynamic authorization company Symphonic Software.
The infamous operators of the Ryuk ransomware have amassed a fortune of at least $150m, according to researchers who studied the flow of Bitcoin to the group.
A new report from US threat prevention firm AdvIntel and UK-based threat intelligence vendor Hyas is based on analysis of 61 cryptocurrency deposit addresses linked to Ryuk.
Most of the digital currency the group collects is sent to Asia-based exchanges Huobi or Binance, which may help them to escape scrutiny, the report authors argued.
“Huobi and Binance are interesting choices because they claim to comply with international financial laws and are willing to participate in legal requests but are also structured in a way that probably wouldn’t obligate them to comply. In addition, both Huobi and Binance are companies that were founded by Chinese nationals but moved their business to other countries that are more friendly to cryptocurrency exchanges,” the researchers explained.
“Both exchanges require identity documents in order to exchange crypto-currencies for fiat or to make transfers to banks; however, it isn’t clear if the documents they accept are scrutinized in any meaningful way.”
The team was also able to observe “significant flows” of Bitcoin to smaller entities. These are likely to be criminal enterprises set up to help launder funds into local currencies or other types of digital money.
As a further step to obfuscate their true identity, the Ryuk attackers get victims to pay a well-known broker, who in turn makes payments to the group, sometimes in the millions but more likely in the hundreds of thousands of dollars.
Any money not cashed out at the two Asian exchanges is used to pay for goods and services on cybercrime markets, the report claimed.
Two unique Protonmail addresses are prepared for communicating with each victim. Victims are selected according to a scoring system in the precursor malware used by the attackers, which apparently assesses their likelihood of paying.
“With the limited visibility available to analysts, it is painfully clear that the criminals behind Ryuk are very business-like and have zero sympathy for the status, purpose or ability of the victims to pay,” the researchers continued.
“Sometimes the victims will attempt to negotiate with Ryuk and their significant offers are denied with a one-word response. Ryuk did not respond or acknowledge one organization that claimed to be involved in poverty relief and lacked the means to pay.”
The report recommended organizations develop countermeasures to prevent initial infection by precursor malware like Emotet or Zloader. All remote access points should require multi-factor authentication (MFA), and Office macros and remote access tools should be restricted, it added.
The Russian CEO of a software provider has hit back at reports that one of the firm’s products may have been exploited by Russian hackers in the recent SolarWinds campaign.
Czech-headquartered JetBrains provides tools for software developers including TeamCity, a continuous integration and deployment system at the center of the reports.
The New York Times and others claimed that unspecified US intelligence agencies and cybersecurity investigators are looking into whether Russian state attackers managed to compromise the software. They’re unsure whether it may have been used to gain a foothold into the SolarWinds developer environment, or as a direct attack vector into US government systems, it said.
According to the report, JetBrains software is used by 300,000 businesses globally, including 79 of the Fortune 100, and the company has research labs in Russia.
However, in two posts following the reports, St Petersburg-based CEO Maxim Shafirov rejected any suggestion that the firm may have played an unwitting role in the audacious cyber-espionage campaign, and added that no government officials had yet been in contact.
“To date we have no knowledge of TeamCity or JetBrains having been compromised in any way that would lead to such a situation. In addition, we not only run regular scheduled audits of our software, but we are now organizing a further independent security audit of TeamCity,” he explained.
“If we are to find any vulnerability in the product that may have led to this, we will be fully transparent on the matter and inform our customers under our security and privacy policies. It’s also worth mentioning that we ourselves do not use SolarWinds Orion or any of their other software.”
Shafirov essentially argued that if JetBrains is under investigation, it is merely because TeamCity is used by SolarWinds during its build process.
However, in a separate post, he did explain a hypothetical situation in which the product may have been abused.
“It’s important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability,” Shafirov said.
This week, the Department of Justice became the first US government entity to shed some light on the scope of the compromise, claiming attackers managed to access 3% of its Office 365 inboxes, which means more than 3000 users were affected.
Cyber-attackers are disguising malware as a video file depicting a fake sex scandal involving United States President Donald Trump.
The email-based attack was discovered by cybersecurity researchers at Trustwave who were reviewing their spam traps.
Targets are sent an email with the attachment “TRUMP_SEX_SCANDAL_VIDEO.jar”. Those who open the malicious Java Archive (JAR) file unwittingly install the Qnode Remote Access Trojan (RAT) onto their computer.
Unusually, the title of the malicious file bore no resemblance to the subject of the email to which it was attached.
When the researchers opened the email “GOOD LOAN OFFER!!,” they expected to discover nothing more than an investment scam. However, attached to the email was an archive containing the malicious JAR file.
"We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is totally unrelated to the email’s theme," wrote researchers.
An investigation into the attack revealed that the JAR file is a variant of a QRAT downloader the researchers brought to the public's attention in August. Similarities between the new and old variants include the use of Allatori Obfuscator to obfuscate the JAR file and the retrieval of the Node.js installer from the official website nodejs.org.
As is the case with the old variants, researchers found that the new downloader supports Windows platforms only.
Researchers noted that while the Trump sex scandal email campaign used to deliver the malware "was rather amateurish," the new QRAT was more sophisticated than prior variants.
"This threat has been significantly enhanced over the past few months since we first examined it. To achieve the same end goal, which is to infect the system with a QNode RAT, the JAR file downloader characteristics and behavior were improved," wrote researchers.
The attackers ditched the string “qnodejs,” which previously distinguished the files related to this threat. And, to avoid detection, they split the malicious code of the downloader into different buffers inside the JAR.
Researchers advised email administrators to "take a hard line" against inbound JARs and to use their email security gateways to block them.
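The gateway advice above only works if the JAR is recognized by what it is rather than by what it is called: the attachment in this campaign arrived wrapped in another archive, and a JAR renamed to a harmless-looking extension is still a ZIP with a Java manifest inside. The following is an added example (not Trustwave's code and not part of the original story) of a content-based check that opens ZIP containers, descends into nested archives and flags any member whose central directory carries `META-INF/MANIFEST.MF` or `.class` entries. The sample archives are constructed inline with the same names the article reports; they contain no real malware.

```python
import io
import zipfile

MAX_DEPTH = 3                    # how many nested containers to unwrap
MAX_MEMBER = 50 * 1024 * 1024    # skip members larger than 50 MiB (zip-bomb guard)


def is_jar(data: bytes) -> bool:
    """Content-based JAR check: a ZIP whose central directory carries a Java
    manifest or compiled classes. The filename is never consulted, so a JAR
    renamed to .mp4 or hidden inside another archive is still detected."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)


def find_jars(name: str, data: bytes, depth: int = 0) -> list:
    """Return the paths of every JAR found in `data`, descending into ZIP
    containers (a .zip wrapping a .jar, as in the campaign) up to MAX_DEPTH."""
    if is_jar(data):
        return [name]          # no need to look inside the JAR itself
    if depth >= MAX_DEPTH:
        return []
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                try:
                    inner = zf.read(info)
                except RuntimeError:   # password-protected member: cannot inspect
                    continue
                hits.extend(find_jars(f"{name}/{info.filename}", inner, depth + 1))
    except zipfile.BadZipFile:
        pass                   # not a container; nothing to unwrap
    return hits


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {member name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample inputs (not real malware): a minimal JAR-shaped archive,
# an OOXML-style document, and an outer ZIP wrapping the JAR as in the campaign.
SAMPLE_JAR = build_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n",
    "Loader.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,   # class-file magic only
})
SAMPLE_DOCX = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
OUTER_ZIP = build_zip({"TRUMP_SEX_SCANDAL_VIDEO.jar": SAMPLE_JAR})

if __name__ == "__main__":
    samples = [("attachment.zip", OUTER_ZIP), ("clip.mp4", SAMPLE_JAR), ("report.docx", SAMPLE_DOCX)]
    for attachment, blob in samples:
        found = find_jars(attachment, blob)
        print(f"{attachment}: {'BLOCK ' + ', '.join(found) if found else 'allow'}")
```

Two caveats a gateway deployment would need on top of this: a password-protected archive cannot be inspected at all (the member is skipped here) and should be quarantined rather than allowed, and a JAR does not strictly require a manifest, which is why `.class` members are treated as a marker on their own.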
The United States Army has promoted the first Army Reserve cyber officer to the rank of brigadier general.
Colonel Robert Powell Jr. was promoted in a December ceremony held at Signal Theater at Fort Gordon in Georgia. Having pinned the one-star rank to his Army Green Service Uniform, Powell will serve as the deputy commanding general of the 335th Signal Command (Theater).
Powell was born in Tennessee and graduated from Middle Tennessee State University in 1991. He was commissioned through the Reserve Officer Training Corps (ROTC) and started his military career as an armor officer with the 1st Cavalry Division at Fort Hood, Texas.
In 2004, Powell joined the Army Reserve as a military intelligence officer. He commanded the US Army Reserve Cyber Protection Brigade from 2016 to 2019 and recently mobilized to support the Cyber National Mission Force, US Cyber Command at Fort Meade in Maryland.
Powell's promotion ceremony was hosted by Maj. Gen. Stephen J. Hager, deputy commander of operations, Cyber National Mission Force, US Cyber Command, whom Powell met during a deployment in Kuwait. Hager recruited Powell to the Cyber National Mission Force after being tasked with finding talented senior officers for US Army Cyber Command.
"Out of over 200,000 people in the Army Reserve, there are less than 130 general officers," said Hager. "The jump from colonel to flag officer is a very competitive endeavor."
Hager added that with his acceptance of the new role, Powell's allegiance to the Army had entered new territory.
"This is a major event," said Hager. "This appointment and promotion come with a very large commitment. I often tell leaders that when you are a colonel with 25 to 30 years you are 'seriously dating the Army. When you become a general, you are married to the Army.'"
Hager told Powell's wife, daughter, and son, who were present at the ceremony, that they should be proud of Powell's promotion.
"Rob is the first United States Army Reserve General Officer to come from the cyber branch. That is significant since it demonstrates to our younger troops that there is a path to general officership," said Hager.
The United States has imprisoned the leader and several members of a cyber-gang that stole $5m in a skimming attack on gas pumps in the Eastern District of Virginia.
According to court documents, the six conspirators placed skimming devices on gas pumps located in Northampton County. The devices recorded the credit and debit card numbers, along with their PINs, of customers who used their card at the pump to pay for gas.
In April and May 2018, the crew traveled to various branches of the supermarket Harris Teeter, among other destinations, and used the stolen card information to withdraw money from the victims’ bank accounts. The illicitly obtained financial data was also exploited to purchase prepaid gift cards.
The six-man crew, all Cuban nationals residing in Florida, was sentenced on January 5 to a total of more than 28 years in prison. Four of the men were convicted of aggravated ID theft, while all six were convicted of conspiracy to commit bank fraud.
Several other conspirators involved in the attack remain at large and are thought to be living in Mexico.
The Department of Justice said that many of the conspirators "had significant criminal histories involving the same conduct and were known to travel the country perpetrating this scheme." Over the course of several years, the gang caused victims to suffer aggregate losses of over $5m.
Crew leader Yasmani Granja Quijada used his email account to deal in stolen data. The 33-year-old was found to be trading over 9,800 additional stolen credit card numbers.
Quijada received the largest sentence of 120 months in prison. Twenty-nine-year-old Luis Miguel Fernandez Cardente received 64 months; 31-year-old Jorge Bello Fuentes, 60 months; 34-year-old Guillermo Bello Fuentes, 47 months; 40-year-old Pedro Emilio Duran, 30 months; and 29-year-old Yariel Monsibaez Ruiz, 19 months.
The FBI and US Marshals Service seized numerous vehicles and other items that were purchased by the criminals with stolen funds, including a 2006 Triton 2895CC Boat and trailer, a 2017 Ford F250 Super Cab truck, a 2016 Cruise Radiance Travel Trailer RV, a 2017 Ford Escape SUV, a 2017 Maserati Ghibli, and a 2013 Porsche Panamera.
Sensitive data stolen from Hackney Council in the UK has allegedly been published online, three months after the ransomware attack on the local authority that took place last year.
A cyber-criminal group called Pysa/Mespinoza has claimed it has published a range of information resulting from the incident on the dark web. This includes sensitive personal data of staff and residents, such as passport documents.
In October 2020, London’s Hackney Council revealed it had been victim of a serious cyber-attack which affected many of its services and IT systems.
In a new statement on its website, the council said it was working with the NCSC, the National Crime Agency, the Information Commissioner's Office, the Metropolitan Police and other experts to investigate what has been published and the next steps to take.
It noted that experts believe the data has not been published on a widely available public forum and is not visible through internet search engines, adding that “at this stage, it appears that the vast majority of the sensitive or personal information held by the council is unaffected, but the council and its partners are reviewing the data carefully and will support any directly affected people.”
Mayor of Hackney, Philip Glanville, stated: “I fully understand and share the concern of residents and staff about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected.
“While we believe this publication will not directly affect the vast majority of Hackney’s residents and businesses, that can feel like cold comfort, and we are sorry for the worry and upset this will cause them.
“We are already working closely with the police and other partners to assess any immediate actions we need to take, and will share further information about the additional action we will be taking as soon as we can.”
Commenting on the story, Matt Aldridge, principal solutions architect, Carbonite & Webroot, said: “Once a data breach has occurred, and the data has been exfiltrated, no amount of ransom payment can guarantee that all copies of the data will be securely destroyed. For this reason, it is critical that all organizations invest appropriately in their cyber-defenses and, wherever possible, that they have their approach validated by trusted independent third parties.
“Understanding the criticality and sensitivity of all organizational data is key, and different data types, locations and classifications should be protected appropriately, with more investment and protection being put in place to protect the most sensitive data within the organization. Regular reviews need to be made to keep on top of this situation, as data locations, types and flows are constantly changing in any modern organization.”