Cyber Risk News
Efforts to take down multiple domains that offered distributed denial-of-service (DDoS) attacks for hire were successful and resulted in another announcement from the Justice Department (DOJ), which yesterday declared that it had seized 15 internet domains and filed criminal charges against three defendants who facilitated the computer attack platforms.
According to a DOJ news release, the sites were selling what are commonly known as “booter” or “stresser” services. When purchased, these services let users launch DDoS attacks, which overwhelm victim computers with a flood of traffic that prevents them from successfully accessing the internet.
These types of booter services are alleged to enable wide-scale attacks on an array of victims around the globe. Often the targets include financial institutions, universities, internet service providers, government systems and various gaming platforms, according to the DOJ.
“The attack-for-hire websites targeted in this investigation offered customers the ability to disrupt computer networks on a massive scale, undermining the internet infrastructure on which we all rely,” said US Attorney Nick Hanna. “While this week’s crackdown will have a significant impact on this burgeoning criminal industry, there are other sites offering these services – and we will continue our efforts to rid the internet of these websites. We are committed to seeing the internet remain a forum for the free and unfettered exchange of information.”
The director of security research at Flashpoint, Allison Nixon, said that the company provided threat intelligence derived from extensive visibility into deep and dark web actors and communities. “It’s this expertise that was tapped to provide actionable intelligence about cybercrime tools, techniques and operators. Our input was combined with a wealth of intelligence from a range of fantastic industry partners. This combined threat intelligence and attribution is strong enough to stand up in a court of law.”
As Hanna noted, DDoS is a complex issue without a quick fix, but Nixon pointed out that something significant happened with these seizures. “The US government just made the argument that running a booter service itself is inherently illegal. The FBI, in executing these actions, has stated clearly and unequivocally that the act of running a service that attacks any website in exchange for anonymous money is not just reckless but patently illegal – and will be prosecuted.”
December is a time of year when the cybersecurity industry sees a surge in DDoS attacks, particularly targeting the gaming world, largely because of the Christmas holiday, but this year the criminals might not be so merry.
“Many cyber-criminals have convinced themselves they have found a legal ‘loophole’ to hurt people,” said Hanna. “The development that we all hope for is that cyber-criminals see this, realize they will never legally profit from attacking websites without clear consent and change behavior toward more productive – and legal – applications of their talents. They have been sufficiently warned. Merry Christmas.”
The agency at the helm of Singapore’s digital services, the Government Technology Agency of Singapore (GovTech Singapore), announced that Singapore will be working with security researchers over the course of three weeks on a bug bounty program intended to further protect Singapore citizens and help secure public-facing government systems.
Singapore has established multiple cyber initiatives as part of its Smart Nation Singapore strategy. According to its website, the Strategic National Project aims “to drive pervasive adoption of digital and smart technologies throughout Singapore, we have identified key Strategic National Projects, which are key enablers in our Smart Nation drive.”
Among the goals of those key projects are enabling a lean, agile and future-ready government by implementing e-payment capabilities and delivering government services across different agencies to the citizens of Singapore. All of which hold the promise of convenience and efficiency but also present risks, which the government is proactively seeking to mitigate.
According to HackerOne, the crowdsourced platform with which GovTech Singapore has partnered, this is the country's second bug bounty program, which follows the successful endeavor of a bug bounty program with the Singapore Ministry of Defence (MINDEF) that ran earlier this year.
GovTech Singapore and the Cyber Security Agency of Singapore (CSA) aim to build a secure and resilient Smart Nation by leveraging access to local and overseas hackers through this collaboration with the hacker community as Singapore continues to undergo its digital transformation.
During the three-week challenge that will extend from December 2018 into January 2019, a select group of bug bounty hackers will receive financial payments, commonly called bounties, as a reward for identifying and reporting valid vulnerabilities to GovTech. The goal is for researchers to find security flaws in five public-facing government systems and websites so that GovTech may fix them before they are exploited by malicious actors.
“Singapore is again setting an example for the rest of the world to follow by taking decisive steps towards securing their vital digital assets,” said Marten Mickos, CEO of HackerOne. “Only governments that take cybersecurity seriously can reduce their risk of breach and interruption of digital systems. Singapore’s continued commitment to collaboration in cybersecurity is something that will help propel the industry’s progress just as much as it will contribute to protecting Singapore citizen and resident data.”
US chain Caribou Coffee announced a payment card data breach on Thursday, listing 265 outlets across 11 states that had been affected.
It claimed to have identified unusual network activity on November 28, enlisting the help of Mandiant, which subsequently found evidence of unauthorized access to point-of-sale (POS) systems two days later.
The firm claimed it is confident that this access was stopped immediately and the breach contained. However, it is warning that an unspecified number of customers may have had their payment card details taken.
“If you visited any of our company-owned Caribou locations between August 28, 2018 and December 3, 2018, there is a possibility that your name and credit card information, including card number, expiration date and card security code may have been accessed as a result of this unauthorized activity,” it stated.
“Payments made through your Caribou Coffee Perks account or other loyalty account were not affected. Any catering orders placed online with Bruegger’s Bagels, Einstein Bros. Bagels, Manhattan Bagel and Noah’s NY Bagels were also not affected by this breach.”
The firm urged customers to check the list of outlets affected and monitor their credit/debit card transactions carefully.
It does not appear to be offering any free credit monitoring or credit freeze services.
The incident shows that POS malware remains a threat for businesses handling card data. The advent of EMV was meant to deter attackers, because it includes additional security measures that make it difficult to clone cards following a card-present breach.
However, many merchants are making the hackers’ job easier by continuing to use EMV cards’ fallback magstripe functionality, according to recent research.
Gemini Advisory claimed in November that of the 60 million US payment cards compromised in the previous 12 months, 75% were stolen at POS and 90% of these were EMV-enabled.
“As 2018 comes to a close, besides refuelling stations, there are numerous merchant locations that are still asking their customers to swipe rather than use the chip insert method, thus completely neglecting the EMV security features,” it warned.
“This often happens because the merchant does not have an upgraded EMV enabled POS or the merchant has the EMV enabled POS system but is not using its full capabilities. In some cases, retailers are opposing migration to newer EMV technology because of the inherent high cost of the equipment.”
Microsoft has been forced to release an emergency patch for a critical remote code execution vulnerability in Internet Explorer (IE) being actively exploited in the wild.
Clement Lecigne of Google’s Threat Analysis Group is credited with the discovery of the flaw (CVE-2018-8653), which apparently affects the way that the scripting engine handles objects in memory in IE.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft explained.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Redmond claimed that in a web-based attack, a hacker could host a malicious website designed to exploit the bug through IE and then trick the user into visiting it, e.g. via a phishing email.
The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory, it added.
“While details are not currently available, in most cases, attackers exploit similar vulnerabilities by sending convincing emails to their intended targets with a link to a specially crafted website containing the exploit code,” said Satnam Narang, senior research engineer at Tenable.
“The vulnerability affects Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019. Internet Explorer 9 is affected on Windows Server 2008, while Internet Explorer 10 is affected on Windows Server 2012. As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise.”
Researchers have attributed a new wave of Shamoon disk wiper attacks to Iranian hacking group APT33.
The attacks targeted several energy, telecoms and government organizations in the Middle East, often via suppliers in Europe. They include version 3 of Shamoon, a malware family first used in the infamous destructive attack on Saudi Aramco in 2012 which wiped over 30,000 machines.
Unlike that attack, and the subsequent raids on Saudi targets in 2016/17 that used Shamoon v2 and the Stonedrill wiper, this wave of attacks used a new modular approach and a new wiper.
A .Net toolkit reads a list of targeted computers, extracts OS information and spreads the file eraser to each machine, and remotely executes the wiper via PsExec; it is paired with a new wiper, Filerase.
“The attackers have essentially packaged an old version (v2) of Shamoon with an unsophisticated toolkit coded in .Net. This suggests that multiple developers have been involved in preparing the malware for this latest wave of attacks,” McAfee security researcher, Thomas Roccia, explained.
“In our last post, we observed that Shamoon is a modular wiper that can be used by other groups. With these recent attacks, this supposition seems to be confirmed. We have learned that the adversaries prepared months in advance for this attack, with the wiper execution as the goal.”
Unlike the Shamoon v3 code, Neterase and the toolkit are not obfuscated. The researchers were therefore able to find ASCII art inside the .Net wiper, with a message from the Quran.
Victims were infected via phishing websites featuring job ads, which allowed the attackers to grab their credentials and from there deploy the toolkit.
Both wipers, Shamoon v3 and Filerase, are then spread to the victim machine: the former overwriting files and disk sectors and the latter erasing files and folders.
The US Justice Department (DOJ) has charged two Chinese intelligence officers believed to be part of advanced persistent threat group APT10 with allegedly engaging in cyber-espionage and conducting ongoing campaigns targeting the intellectual property of technology-service providers in the US and around the globe, according to The Hill.
Deputy attorney general Rod Rosenstein, accompanied by other US officials at the DOJ, reportedly charged the two men, Zhu Hua and Zhang Shilong, with conspiracy to commit computer intrusions, conspiracy to commit wire fraud and aggravated identity theft in alleged cyber-attacks targeted at dozens of private companies and government agencies in the US.
"We want China to cease its illegal cyber activities and honor its commitment to the international community," Rosenstein reportedly said in remarks this morning.
In a news conference on Thursday, FBI director Chris Wray said, “China’s goal, simply put, is to replace the US as the world’s leading superpower and they’re using illegal methods to get there,” according to Reuters.
As was anticipated, several allied countries, including the UK, Japan and Australia, have begun issuing statements in support of the actions taken by the US government.
The Evening Standard has reported that the Foreign Office has accused a group affiliated with the Chinese Ministry of State of launching a “‘widespread and significant’ campaign of ‘cyber intrusion’ against the UK and its allies in the US and Asia with the intention of stealing intellectual property and other sensitive business data.”
Taking a firm stance against China for its alleged cyber-attacks on American companies, the Trump Administration has also formally accused China of engaging in state-sponsored hacking, a violation of a bilateral agreement signed by both countries in 2015.
"In reality, China isn’t the only country using cyber as their weapon of choice. That's why cybersecurity is so critical; there needs to be an awareness that in addition to monetary gain, somebody might be stealing your data for political gain too. Protecting that data is just as critical, regardless of who's taking it," said Terry Ray, chief technology officer at Imperva.
“What’s more, the trickle-down effect of nation-state hacking is particularly concerning, as sophisticated methods used by various governments eventually find their way into the hands of resourceful cyber-criminals, typically interested in attacking businesses and individuals."
The US Air Force's third bug bounty program has concluded after a month-long hacking period, which ran from October 19 to November 22, 2018. As a result of their research findings, hackers were awarded more than $130,000 in bounties.
According to the official results of Hack the Air Force 3.0 (HTAF 3.0), released by the U.S. Department of Defense (DoD) and HackerOne, the Air Force fixed over 120 valid security vulnerabilities, bringing the combined total of the three bug bounty challenges to more than 430 unique security vulnerabilities discovered and fixed. In total, researchers have earned more than $350,000 through the HTAF programs.
“It’s critical to allow these researchers to uncover vulnerabilities in Air Force websites and systems, which ultimately strengthens our cybersecurity posture and decreases our vulnerability surface area,” said Capt. James “JT” Thomas, Air Force digital services.
“By opening up these types of challenges to more countries and individuals, we get a wider range of talent and experience we would normally not have access to in order to harden our networks.”
HackerOne CEO Marten Mickos applauded the continued efforts of the US Air Force, noting in a press release that it is “the only military organization in the world to leverage the crowdsourced security model three times. Their relentless dedication to uncovering vulnerabilities before their adversaries through innovative measures remains unmatched. We’re honored to do our part in protecting government systems, employees and U.S. citizens.”
In related news, the UK government has announced that it will also be leveraging the crowdsourced security model available through HackerOne. The National Cyber Security Centre (NCSC), part of GCHQ, announced that it will launch a vulnerability disclosure program.
The NCSC vulnerability coordination pilot has been a project in the making for the past two years, during which time the NCSC has come to understand that “having a mature and coordinated vulnerability disclosure process helps decrease the risk of an incident occurring.”
In the aftermath of an extensive New York Times investigation into Facebook’s data privacy regulations and whether the company violated the privacy and public policy regulations of the Federal Trade Commission, Sen. Amy Klobuchar (Minn.) said that it is time for her colleagues to step up.
During an NPR interview, Sen. Klobuchar talked about commonsense legislation that she and Sen. John Kennedy (La.) had introduced in April. Since then, however, "Congress has been paralyzed. Nothing has been happening. Whether it's because of lobbying, whether it's because of the complexity of this, we just have to put all that aside and move," she said.
Three key parts of the legislation included using plain language so that it is clear a user is making a decision to share personal data; granting individuals greater control over their data by allowing them to opt out of any sharing arrangements; and mandating that users be notified of any privacy breach.
Yet the legislation never made it out of committee. “I think a lot of that has to do with the lobbying that goes on from the tech industry,” Klobuchar said. “And I believe that our colleagues in both the Commerce Committee, Judiciary and the Republican majority are going to have to step up.”
While some continue to debate whether Facebook violated the FTC agreement about not sharing personal data, Klobuchar said, “I don't quite understand how it couldn't have been violated.”
Facebook’s defense is that the partners with whom it shared information, including Spotify, Netflix, Amazon, Microsoft and Yahoo, were extensions of the company, in which case Facebook was not required to obtain user consent in order to share information.
Not everyone agrees with that argument. “The only common theme is that they are partnerships that would benefit the company in terms of development or growth into an area that they otherwise could not get access to,” Ashkan Soltani, former chief technologist at the FTC, told the New York Times.
Gaining access to user data via Facebook benefited more than 150 companies. Included among its largest partners were Amazon, Microsoft and Yahoo, which reportedly said that they used the data appropriately.
Collecting and sharing data among these tech giants has created what Klobuchar called a "monster." While there are benefits to technological innovations, they also come with a cost. Said Klobuchar, "It has created vulnerabilities for our democracy, vulnerabilities for cyber-attacks, vulnerabilities for stealing data and intruding on people's privacy."
The UK government is under pressure to act after two drones were spotted flying over London's Gatwick Airport, forcing all flights to be cancelled since Wednesday evening.
Tens of thousands of Christmas passengers have been stranded since yesterday evening, and that number is likely to rise sharply today, with over 700 flights potentially affected if police can’t catch the drone operators.
Officers told the Evening Standard they believe this to be “a deliberate act to disrupt the airport,” but said “there are absolutely no indications to suggest this is terror related.”
The drones apparently flew intermittently between 9pm on Wednesday and 3am on Thursday morning, at which point the runways were reopened, but they reappeared a few hours later.
At the time of writing both runways remain closed and 20 police units from two forces are reported to be searching for the operators of the unmanned aerial vehicles. It’s said they can’t shoot down the drones for fear of stray bullets harming members of the public.
Shadow transport secretary, Andy McDonald, has claimed the government has been too slow at addressing the potential security risks posed by drones flying near airports.
“The government should fast-track the introduction of a regulatory framework to protect against the misuse of drones and ensure the safety of UK airspace,” he said. “This should include a drone exclusion zone around airports.”
This isn’t the first time London Gatwick has been affected by a drone. One flying near the airport in July 2017 forced the authorities to close the runway twice, diverting flights as far away as Bournemouth.
The UK Airprox Board, which monitors such incidents, claims that there were 70 near misses involving drones in 2016, versus just 29 in 2015.
Security experts have long warned about the risks of drones being hacked to cause mayhem: insurer Allianz released a report in 2016 raising these concerns.
However, it’s unclear at this stage whether the operators are flying their own machines or have hijacked other users' devices.
Security experts are warning of a new HMRC scam using a threatening automated message in a bid to trick taxpayers into paying a ‘fine.’
The scam calls appear designed to cash-in on the busy end-of-year period in the UK where taxpayers look to get their affairs in order before the self-assessment deadline at the end of January.
The automated message reveals the presumably fictitious name of an HMRC officer and extension number, before warning “the issue at hand is extremely time sensitive.”
“If you do not call us back or we do not hear from your solicitors, either, then get ready to face the legal consequences,” it continues.
“Comparitech attempted to call the number back in order to find out more information, but did not receive a response as of time of writing,” explained the vendor’s privacy advocate, Paul Bischoff.
“However, other people who have reported the same message from the same number say they were asked to pay upwards of £3000 in taxes. If they did not pay immediately, the scammer told them, that figure would increase 20-fold by the end of the day.”
Another variation on the scam apparently features a message claiming HMRC agents are watching the victim’s property and only a payment will prevent them from raiding it.
Victims were urged to report any scam phone numbers to Action Fraud, and HMRC-related phishing/vishing attempts to its own dedicated unit.
“Scammers often attempt to instill a sense of urgency in victims to make them slip up. The real HMRC will not make threats over the phone, legal or otherwise, that require immediate action.”
HMRC is one of the UK’s most phished organizations, which is partly why the National Cyber Security Centre’s Active Cyber Defence (ACD) initiative was launched. It aims to take down phishing sites and use the DMARC protocol to block phishing emails from reaching end users.
Chinese military hackers have been blamed for a simple phishing attack which allowed them to access the private diplomatic communications of EU officials for years.
In a new report, US security firm Area 1 explained how it discovered back in 2015 a People’s Liberation Army (PLA) Strategic Support Force campaign targeting a wide range of entities, including the United Nations, ministries of foreign affairs and finance, think tanks and trade unions like the AFL-CIO.
“In late November 2018, Area 1 Security discovered that this campaign, via phishing, successfully gained access into the computer network of the Ministry of Foreign Affairs of Cyprus, a communications network used by the European Union to facilitate cooperation on foreign policy matters,” it explained. “This network, known as COREU, operates between the 28 EU countries, the Council of the European Union, the European External Action Service, and the European Commission. It is a crucial instrument in the EU system of foreign policy making.”
Unfortunately, access was as simple as it gets. The hackers stole credentials from network administrators and senior staff, gaining privileged network access, from where they introduced PlugX malware to create a persistent backdoor and establish a path for C&C communications.
Windows console commands were used to move from machine to machine inside the network, eventually allowing the attackers to find the remote file server that stored the diplomatic cables from the COREU network.
Data was then compressed and exfiltrated.
As explained in the New York Times, the diplomatic cables seen by the Chinese allowed them to understand EU thinking on a range of sensitive topics, from relations between the EU and Beijing to the Trump-Putin meeting, North Korea, and EU officials’ meetings with various world leaders.
The documents are said to have been classified, but only to a fairly low “limited/restricted” level.
The revelations will still be embarrassing to the EU but it’s certainly not alone: 93% of data breaches analyzed by Verizon last year included some form of phishing.
“When the risks are so high, cybersecurity needs to echo this,” argued Jake Moore, cybersecurity expert at ESET UK. “No expense should be spared when the implications can damage a country’s security and reputation.”
This Christmas, Infosecurity has invited some top industry names to each fill the role of guest editor for a day, and we are delighted to introduce James Lyne, who will be taking the reins today.
James is a self-professed 'massive geek' and has technical expertise spanning a variety of the security domains from forensics to offensive security. James has worked with many organizations on security strategy, handled a number of severe incidents and is a frequent industry advisor. He is a certified instructor at the SANS Institute and is often a headline presenter at industry conferences.
James firmly believes that one of the biggest challenges we face is in making security accessible and interesting to those outside the industry. As a result, he takes every opportunity to educate on security threats and best practice, always featuring live demonstrations and scenarios of how cyber-criminals operate in the real world.
James has given multiple TED talks, including at the main TED event. He's also appeared on a long list of national TV programs to educate the public. As a spokesperson for the industry, he is passionate about talent development, regularly participating in initiatives to identify and develop new talent for the industry.
An active email campaign is reportedly targeting banking and financial services employees in the US and UK using popular cloud services to host the malicious payload, according to a blog posted today by Menlo Security.
The campaign targets endpoints, including PCs, and attackers are reportedly using two types of payloads – VBScripts and JAR files – to compromise the endpoints. In looking at the victims who have clicked on malicious links to archive files, researchers found that all files were either ZIP or GZ.
Evidence suggests that the campaign has been active since August, and researchers have confirmed that one of the RAT families used was Houdini.
“Of the JAR files we identified, we believe one file (Swift invoice.jar) belongs to the Houdini/jRAT malware family. We reached this conclusion because it communicated with pm2bitcoin.com. The other JAR files are still being investigated, and we believe they belong to the Qrat malware family,” researchers wrote.
According to the blog, attackers used storage.googleapis.com, the domain of the Google Cloud Storage service, to host the malicious payload, and the primary attack vector is email, where malicious URLs are embedded within emails rather than sent as attachments.
A compromised machine inside an enterprise network has wide-ranging business impact, which could be anywhere between loss of personally identifiable information to potentially much more damaging consequences like exfiltration of intellectual property, according to Vinay Pidathala, director of security research at Menlo Security.
“You can no longer trust ANY website: attackers are increasingly hiding behind well-known, popular hosting services to avoid detection. Credential attacks and remote access Trojan (RAT) malware are trends that will continue in the finance sector. These payloads, often zipped-up and in some cases in two layers, will continue to evolve to maneuver payloads into the environment,” Pidathala said.
“Botnets will decrease, and RAT malware will increase due to the ability RATs give attackers to customize and control every step of the attack. Once they get in, they can live off the fat of the land in the enterprise. We will continue to see an increase in cross-platform malware, similar to the malware we've seen in this specific campaign. By writing cross-platform malware, attackers only need to write one file to attack both platforms. Also, attackers tend to follow the money. With more enterprises using Macs, there is more of a motivation to go after them.”
In August 2017, Click2Gov software, a payment technology widely used by local governments to process utility payments, was the victim of a breach in which Oceanside, California, was the first in a long line of compromised municipalities. Many of the payment cards stolen from the compromised records are now likely being sold in underground marketplaces, according to Gemini Advisory.
During its routine monitoring of dark web marketplaces that sell compromised payment card data, Gemini Advisory noted “an out-of-pattern concentration of victims located in small-to-medium US cities. Further analysis of the card data linked to these locations and collaboration with partner banks have determined that records [have] likely been stolen from local municipal services that license Click2Gov software.”
According to Gemini Advisory’s blog post by Stas Alforov, there have been 46 confirmed compromised locations across the US with an additional location reported in Canada. At the time Gemini Advisory conducted its research, 294,929 payment records had reportedly been stolen. From those, criminals have earned at least $1.7 million. Click2Gov’s parent company, Superion, has made efforts to deploy patches, yet the software remains vulnerable, and three additional municipalities have reportedly been breached since October 2018.
Dozens of municipalities have reported instances of the Click2Gov breach, with at least 111,860 payment cards compromised. Those stolen cards were then uploaded and reportedly sold on the dark web for an average of $10 per card, and “breached payment card data was linked to over 1000 financial institutions, with 65% of stolen records associated with the top 20 affected banks,” Alforov wrote.
“In addition to Click2Gov payment records being sold on the dark web, we can also assume that the associated account login credentials – name and password pairs – were also for sale,” said Franklyn Jones, CMO at Cequence.
“So these nearly 300,000 credentials will likely be acquired for secondary bot attacks designed to gain unauthorized access to accounts on other web applications. And bot attacks, which are becoming more pervasive, are typically successful 10% of the time, which can lead to additional account takeover, financial fraud and business disruption."