Cyber Risk News
More than four out of five people think up their own passwords, while 54% don’t know how to check if any of their credentials have been leaked. This is according to Kaspersky’s Defending digital privacy: taking personal protection to the next level report, which highlighted the growing need for better password storage, with people using an increasing number of online accounts.
Numerous studies have demonstrated the importance of having complex passwords that are changed regularly and differ across multiple accounts in order to prevent data breaches. Yet in this new report, 55% of users said they are able to remember all their passwords, suggesting that they do not make them sufficiently complex and unique.
The study also showed that of those who do keep a record of their passwords, many store them in places which make them vulnerable to being stolen. Of the 15,002 consumers surveyed across 23 countries, 19% stated that they store their passwords in a written file or on a computer, while 18% keep them saved in browsers on their computers, smartphones, or tablets.
Kaspersky added that users should be made more aware of services such as ‘Have I Been Pwned?’ to enable them to check whether their passwords have been included in public leaks or data breaches without having to visit the dark web.
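The k-anonymity range query used by the Pwned Passwords service lets a client check a credential without ever sending the password or its full hash. The following is an added example, not code from Kaspersky or from the article: it computes the SHA-1 prefix that would be sent, and evaluates a constructed range response offline. The range endpoint URL and the `SUFFIX:COUNT` response format are those documented by Have I Been Pwned; the sample response body and its counts are constructed for this example.

```python
"""Password leak check via the Pwned Passwords k-anonymity range query.

Added example, not from the Kaspersky report or the Infosecurity article.
Only the first five hex characters of the SHA-1 hash leave the client; the
remaining 35 are compared locally against the returned range.
"""
import hashlib
from typing import Dict, Tuple

# Real endpoint (documented by Have I Been Pwned); this example never contacts it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    """URL a client would fetch for this password (prefix only, no full hash)."""
    prefix, _ = sha1_prefix_suffix(password)
    return RANGE_URL + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of breach appearances for the password (0 if absent), given the
    range response for the password's own prefix. The caller must fetch the
    body for the matching prefix; this function cannot verify that."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed response body for prefix 5BAA6 (SHA-1("password") starts with it).
# The neighbouring suffix and both counts are invented for this example.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
"""

if __name__ == "__main__":
    print(range_request_url("password"))                      # .../range/5BAA6
    print(breach_count("password", SAMPLE_RANGE_BODY))         # 1234
    print(breach_count("correct horse battery", SAMPLE_RANGE_BODY))  # 0
```

A client that reports "0" only learns that the suffix is absent from the range it fetched; the check is meaningful only when the body really is the response for that password's own prefix.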
Marina Titova, head of consumer product marketing at Kaspersky, said: “Consumers can monitor the spread of personal data, including which passwords might have been leaked. And this is not only for the sake of ‘just being aware’; it also allows individuals to take the right action to minimize any invasion of privacy – along with any wider consequences. That’s why we at Kaspersky put a big focus on protecting consumers’ privacy.”
In order to minimize the risk of passwords being stolen, Kaspersky recommends that people never leave them in places where others may find them, whether written on paper or on a device.
Last week was World Password Day 2020, which promotes better password practice. This is an issue that takes on extra importance this year due to the unprecedented rise in people working from home as a result of COVID-19.
The number of employees working from home is increasing, but the security technology to support them is not being deployed.
According to a survey of 694 IT security administrators and practitioners, most companies fail to authenticate remote workers properly or inadequately inspect their network traffic for threats.
The research, conducted by Cato Networks, found 68% of respondents said their organizations fail to deploy enough prevention or authentication technologies for remote users. In particular, 37% do not use multi-factor authentication (MFA) for remote users, 55% fail to employ intrusion prevention or anti-malware technology, and 11% fail to inspect traffic altogether.
“A lack of security enforcement on remote access users should be of serious concern for IT managers: enterprises cannot enable widespread remote access at the expense of security protections,” said Yishay Yovel, CMO of Cato Networks. “Enterprises should be able to provide remote access for all users anywhere, in minutes, with the security protections and network optimizations they have in the office.”
Brian Honan, CEO of BH Consulting, told Infosecurity that the numbers did not surprise him, as many companies were already struggling to roll out better authentication technologies for remote users before the global pandemic hit.
He said: “With the rush to support remote working for many more users, companies rapidly expanded their remote access solutions or migrated systems to the cloud; this rush was to ensure the business could survive and support staff to continue working.
“However, now that those immediate goals have been met and our response to the pandemic may be more long term than initially planned, companies need to review the security and resilience of their remote access solutions.”
The news follows research from earlier this week, when a Tripwire survey found 94% of cybersecurity professionals were more concerned about security in the wake of COVID-19. Its survey of 345 IT security professionals found that 89% said remote working had made the job more difficult. Additional findings included:
- 49% said they cannot effectively secure employees’ home office environments
- 41% said it is more challenging to manage what devices are connecting to their corporate networks
- 38% said it is hard to gain visibility into remote assets and systems
The survey also found that 53% of respondents were increasing security investment with 28% investing in new tools.
“The massive shift to working remotely represents a huge change for organizations’ attack surfaces,” said Tim Erlin, vice-president of product management and strategy at Tripwire. “It’s no surprise that security professionals are finding it challenging to monitor and minimize the new attack surfaces.”
The US government has released new technical guidance highlighting the 10 most commonly exploited vulnerabilities of recent years, in a bid to improve awareness and patching among organizations.
It warned that “foreign cyber-actors” often choose to focus on known and often dated vulnerabilities as they require fewer resources to exploit than researching zero-days. Although the top 10 list is for flaws exploited in 2016-19, two of the featured CVEs date back even before this period, to 2012 and 2015.
“The public and private sectors could degrade some foreign cyber threats to US interests through an increased effort to patch their systems and implement programs to keep system patching up to date,” the notice urged.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”
Microsoft’s Object Linking and Embedding (OLE) technology was most commonly targeted between 2016 and 2019, featured in the top two most exploited CVEs: CVE-2017-11882 and CVE-2017-0199. Along with OLE-related CVE-2012-0158 they comprise the three bugs most frequently used by state-sponsored attackers from China, Iran, North Korea and Russia.
Chinese attackers were also still using CVE-2012-0158 in December 2019, highlighting that organizations have yet to patch, despite the vulnerability being flagged in 2015 as a common target for Beijing-backed hackers.
As for vulnerabilities exploited so far in 2020, the report warned of attacks targeting VPN systems made by Citrix and Pulse Secure, particularly in light of the rapid shift to home working due to COVID-19.
The same vulnerabilities are also thought to have been exploited by cyber-criminals in sophisticated APT-style ransomware attacks, according to Microsoft.
“The DHS report appears to align with what we are seeing in the wild,” said Edgescan CEO, Eoin Keary. “Ultimately, attackers don’t care where the vulnerability is, which is why a full-stack vulnerability management approach is advised in such a fast-changing threat landscape.”
The US authorities have formally blamed Chinese-affiliated hackers for attempting to steal vital COVID-19 research from domestic companies working on vaccines.
An announcement from the FBI and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned research organizations to “maintain dedicated cybersecurity and insider threat practices” in light of the attacks.
“The FBI is investigating the targeting and compromise of US organizations conducting COVID-19-related research by PRC-affiliated cyber-actors and non-traditional collectors,” it said.
“These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research. The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”
The notice urged organizations working on COVID-19 research to assume they would be targeted and ensure all internet-connected software and systems are promptly patched.
They should also switch on multi-factor authentication (MFA), block suspicious user activity and scan web applications for unauthorized access, modification or anomalous activities, it added.
The news comes days after suspected Iranian hackers are thought to have targeted employees at US drug-maker Gilead Sciences.
Both CISA and the UK’s National Cyber Security Centre (NCSC) issued an alert earlier this month warning that APT groups are targeting healthcare and research organizations in both countries.
Reports also emerged at around the same time that UK universities working on a vaccine, including Oxford University, had been probed by state-sponsored attackers.
“The practice of stealing IP in this way has been going on for a very long time, and the fabric of the internet allows these hackers to hide their identity and even to mislead researchers as to their true country of origin,” argued Matt Aldridge, principal solutions architect at Webroot.
“Accurate attribution of the source state of these types of attack can be extremely difficult for this reason. It is likely that attackers from many nations are targeting US research institutions right now, either with a motivation of profit through the sale of stolen research, through ransom demands via crypto malware or through illicit government payouts to feed into secret research programs.”
Two construction firms that helped to build emergency hospitals to cope with the COVID-19 pandemic have been hit by separate cyber-attacks, it has emerged.
Bam Construct, which worked on the Yorkshire and Humber hospital, appears to have fallen victim to a ransomware attack, whilst Interserve, which worked on Birmingham's NHS Nightingale, may have suffered a major data breach.
A Bam spokesman is reported to have said the business “stood up well” after the incident last week, despite being forced to take services offline to mitigate the attack.
“Our own precautions have had more of an effect on our normal working procedures than the virus itself, but it is important for us to be absolutely confident that restoring all systems – at a time when we are working from home in unprecedented numbers – is done carefully,” he said.
Meanwhile, a statement on Interserve’s website posted yesterday said the firm was a target of an attack earlier this month.
“Interserve is working closely with the National Cyber Security Centre (NCSC) and Strategic Incident Response teams to investigate, contain and remedy the situation. This will take some time and some operational services may be affected. Interserve has informed the Information Commissioner’s Office (ICO) of the incident. We will provide further updates when appropriate,” it noted.
“Interserve’s employees, former employees, clients and suppliers are requested to exercise heightened vigilance during this time.”
Some reports have suggested as many as 100,000 employees may have been affected by the attack on an HR database.
“A wider variety of hacking tools that would typically be used by sophisticated groups are trickling down to smaller groups or individuals,” warned Sam Curry, chief security officer at Cybereason.
“Ultimately, this creates a bigger challenge for security analysts to stay ahead of threats. Identification, remediation, 24x7 threat hunting and activating an incident response team is critical to prevent malicious and material damage from occurring in the supply chain.”
French construction giant Bouygues revealed back in February that it had been the victim of a “ransomware-type virus.”
Financial trading and spread betting service provider City Index has informed users of a breach of their personal data, including names, dates of birth, gender and bank details.
In a notification sent to users on May 8, City Index said that its network “was accessed by an unauthorized third party and client personal data may have been viewed.” Upon discovering the incident, it said it “shut down access to the server concerned and launched a full forensic investigation.” The incident took place on April 14.
In an immediate response to the incident, City Index sent an advisory to affected clients suggesting that they reset their City Index passwords and also reset that password wherever it is reused for other accounts.
“We sincerely apologize for this incident and wish to assure you of our continued commitment to your data security,” it said in the statement.
City Index’s parent company Gain Capital declined to comment on how many people had been affected by the breach, or how long attackers had been inside the network for.
In an email to Infosecurity, a spokesperson for the Information Commissioner’s Office said: “We have received a report from Gain Capital of an incident and are assessing the information provided.” The Financial Conduct Authority told Infosecurity that it was unable to comment on individual firms.
A new cyber-espionage framework has been unearthed by researchers at cybersecurity company ESET.
Dubbed "Ramsay," the framework appears to be tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems.
ESET believes the framework is still under active development, because its research to date has revealed only a small number of victims. Malicious documents uncovered during the research and uploaded to public sandbox engines with titles such as "access_test.docx" or "Test.docx" seem to support this theory.
Researchers came across the previously unreported cyber-espionage framework while studying a suspicious data sample. Korean-language metadata were discovered within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates.
Alexis Dorais-Joncas, head of ESET’s Montreal-based research team, said: “We initially found an instance of Ramsay in a VirusTotal sample uploaded from Japan that led us to the discovery of further components and other versions of the framework along with substantial evidence to conclude that the framework is still in a developmental stage, with delivery vectors subject to fine testing."
Although a relatively fresh arrival on the digital spy scene, Ramsay has already undergone several re-jigs. Researchers noted that the various discovered versions of Ramsay differ in complexity and sophistication, with the latest third version being the most advanced, especially with regard to evasion and persistence.
"Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojanized applications potentially being delivered via spear-phishing," wrote researchers.
The architecture of the framework provides a series of capabilities that include file collection and covert storage, command execution, and highly aggressive file spreading.
In the more mature versions of Ramsay, researchers observed a technique sometimes referred to as “Phantom DLL Hijacking,” which takes advantage of Windows applications' use of outdated dependencies to leverage malicious versions of those dependencies.
Ramsay's primary goal is to collect all existing Microsoft Word documents within the victim’s file system. Depending on the Ramsay version in play, file collection is either restricted to the local system drive or involves a search of additional drives such as network or removable drives.
Privileged access management specialist CyberArk today announced the acquisition of Identity-as-a-Service company IDaptive Holdings Inc.
Commonly known as Idaptive, the California company was formed in the fall of 2018 as an offshoot of the IDaaS service offered by Centrify. From its headquarters in Santa Clara, Idaptive serves a client list of around 500 well-known organizations that includes Swarovski, Butterball, Rémy Cointreau, and Appen.
The company describes its Next-Gen Access Cloud Platform as "like a chameleon that adapts almost instantly to its environment and has amazing 360-degree vision." The platform combines leading capabilities to seamlessly integrate single sign-on, multi-factor authentication, enterprise mobility management, and user behavior analytics to offer maximum cybersecurity.
The total purchase price for the acquisition of Idaptive was $70m in cash consideration.
Through the acquisition, CyberArk and Idaptive said that they aim to deliver a "comprehensive Artificial Intelligence (AI)–based, security-first approach to managing identities that is adaptive and context-aware and architected on the principles of Zero Trust and least privilege access, to dramatically reduce risk."
The deal will allow CyberArk to up its game when it comes to managing and protecting identities with various levels of privileges across hybrid and multi-cloud environments. The company said customers will benefit from the acquisition by attaining a better overall security posture with a more efficient and seamless user experience that complies with the ever-increasing number of complex regulatory requirements.
“With cyber-attacks on the rise, organizations need modern, comprehensive solutions to make better, continuous access and authorization decisions for the broadest range of users,” said Udi Mokady, founder, chairman, and CEO of CyberArk.
"With Idaptive, CyberArk will offer customers a SaaS-delivered, security-first approach to managing identities—with Privileged Access Management at its core—that reduces risk, simplifies operations and improves business agility. We are thrilled to welcome the Idaptive team to CyberArk.”
Mokady went on to praise the team at Idaptive for the spirit with which they approach their work.
He said: "Idaptive brings with it an amazing and passionate team. I am eager to bring their energy and commitment to define the future of Identity Security."
A major US healthcare provider has suffered a ransomware attack after falling for a phishing email that appeared to be sent by a client.
Magellan Healthcare received what they believed to be a genuine email from a client on April 6. Five days later, attackers compromised the systems of the Fortune 500 company, exfiltrating records containing personal information before launching ransomware to encrypt files.
In a cyber incident notification letter dated May 12 that was sent to those whose information had been compromised, Magellan Healthcare said that the exfiltrated records "include personal information such as name, address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number and, in limited circumstances, may also include usernames and passwords."
An information-hungry thief or thieves exfiltrated a subset of data taken from a single Magellan corporate server, but they didn't stop there. According to a Magellan spokesperson: "In limited instances, and only with respect to certain current employees, the unauthorized actor also used a piece of malware designed to steal login credentials and passwords."
Upon discovering the ransomware attack, Magellan hired cybersecurity forensics firm Mandiant to help conduct a thorough investigation of the incident. It was Mandiant that discovered that prior to the launch of the ransomware, data had been exfiltrated.
The company also reported the cyber-attack to the FBI and relevant law enforcement agencies and filed a notice with the California attorney general's office on Monday.
Commenting on the incident, Erich Kron, security awareness advocate at KnowBe4, said: “The bigger story here was not the encryption of data and subsequent downtime, but the actual exfiltration of the data, which is becoming the norm in ransomware attacks.”
Magellan said that, since the incident occurred, the company has implemented additional security protocols "designed to protect our network, email environment, systems, and personal information."
Writing to those whose data was exposed in the attack, Magellan said: “At this point, we are not aware of any fraud or misuse of any of your personal information as a result of this incident."
Identity theft protection is being provided by the company to people whose information was stolen.
"Unfortunately, these sorts of attacks are increasingly common," a Magellan spokesperson told FOX Business. "We are aggressively investigating this matter and will continue to provide updates to those impacted as the investigation continues."
Microsoft has fixed 111 vulnerabilities in its latest update round, the third month in a row that the number of addressed CVEs has exceeded a century.
Although there are no zero-day bugs to fix this month, 13 of the flaws were rated as critical, with many of them exploitable simply by visiting a web page or server, according to Recorded Future senior solutions architect, Allan Liska.
He said organizations should prioritize CVE-2020-1117, a remote code execution (RCE) vulnerability in the Microsoft Color Management Module (ICM32.dll), which could be exploited if an attacker persuades a victim to visit a website under their control, or via malvertising.
Another RCE bug, CVE-2020-1153, exists in the Microsoft Graphics Component and affects end-of-life systems including Windows 7 and Server 2008.
There are also four critical flaws to patch in Microsoft SharePoint, versions 2013 to 2019: CVE-2020-1023, CVE-2020-1024, CVE-2020-1069 and CVE-2020-1102.
“SharePoint is increasingly targeted by attackers and similar vulnerabilities have been exploited in the wild,” explained Liska. “With more people working from home during the pandemic, it is likely these vulnerabilities will be targeted once proof-of-concept code is developed.”
Meanwhile, Todd Schell, senior product manager at Ivanti, argued that sysadmins should take care when prioritizing which bugs to fix first.
“What is interesting, and often overlooked, is that seven of the 10 CVEs at higher risk of exploit are only rated as important. It is not uncommon to look at the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are actually the ones rated as important,” he explained.
“If your prioritization stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics. Look to other risk metrics such as publicly disclosed, exploited (obviously) and exploitability assessment (Microsoft specific) to expand your prioritization process.”
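The point in the quotes above, that an "Important" bug under active exploitation should outrank an unexploited "Critical" one, is easy to express as a ranking rule. The following is an added example, not Ivanti's or Microsoft's scoring and not from the article: it ranks a constructed set of vulnerabilities first by a combined risk score (exploitation observed, public disclosure, Microsoft's Exploitability Index, then vendor severity and CVSS as tie-breakers) and, for comparison, by vendor severity alone. The CVE identifiers and all field values are placeholders constructed for the example; the weights are an assumption, not a published formula.

```python
"""Rank a patch batch by exploitation signals rather than vendor severity alone.

Added example; the entries below are constructed placeholders and do not
describe the real May 2020 bulletins. Weights are an illustrative assumption.
"""
from dataclasses import dataclass
from typing import List

# Microsoft Exploitability Index values (real scale): 0 = exploitation detected,
# 1 = more likely, 2 = less likely, 3 = unlikely.
EXPLOITABILITY_WEIGHT = {0: 6.0, 1: 3.0, 2: 1.0, 3: 0.0}
SEVERITY_WEIGHT = {"critical": 3.0, "important": 2.0, "moderate": 1.0, "low": 0.5}
SEVERITY_ORDER = ["critical", "important", "moderate", "low"]


@dataclass
class Vuln:
    cve: str
    severity: str           # vendor rating
    cvss: float             # CVSS base score, 0-10
    publicly_disclosed: bool
    exploited: bool         # exploitation seen in the wild
    exploitability: int     # Exploitability Index, 0-3


def risk_score(v: Vuln) -> float:
    """Active exploitation dominates, then public disclosure, then the
    exploitability assessment; severity and CVSS only separate the rest."""
    score = SEVERITY_WEIGHT.get(v.severity.lower(), 0.0) + v.cvss / 10.0
    if v.exploited:
        score += 10.0
    if v.publicly_disclosed:
        score += 5.0
    score += EXPLOITABILITY_WEIGHT.get(v.exploitability, 0.0)
    return score


def prioritise(vulns: List[Vuln]) -> List[str]:
    """CVE ids ordered by descending risk score."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]


def severity_only(vulns: List[Vuln]) -> List[str]:
    """CVE ids ordered the naive way: vendor severity, then CVSS."""
    return [v.cve for v in sorted(
        vulns, key=lambda v: (SEVERITY_ORDER.index(v.severity.lower()), -v.cvss))]


# Constructed batch: two Critical bugs nobody is exploiting, one Important bug
# exploited in the wild, one Important bug with a public disclosure.
SAMPLE_BATCH = [
    Vuln("CVE-EXAMPLE-A", "Critical", 9.8, False, False, 2),
    Vuln("CVE-EXAMPLE-B", "Important", 7.8, False, True, 0),
    Vuln("CVE-EXAMPLE-C", "Important", 7.0, True, False, 1),
    Vuln("CVE-EXAMPLE-D", "Critical", 8.8, False, False, 3),
]

if __name__ == "__main__":
    print("severity only:", severity_only(SAMPLE_BATCH))  # A, D, B, C
    print("risk ranked:  ", prioritise(SAMPLE_BATCH))     # B, C, A, D
```

With these inputs the severity-only order patches both Critical bugs before the one already being exploited; the risk-ranked order moves the exploited and publicly disclosed "Important" bugs to the front.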
Organizations that decide to pay their ransomware attackers may end up doubling the overall cost of recovery, according to a new report from Sophos.
The UK-headquartered security firm polled 5000 IT decision makers in organizations across 26 countries to compile its State of Ransomware 2020 report.
It revealed that the average cost of an attack — including business downtime, lost orders, and operational costs, but not the ransom itself — was $730,000. However, this figure rose to $1.4m when the ransom was included.
Over a quarter (27%) of respondents admitted to paying up when hit by an attack.
“Organizations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory,” argued Chester Wisniewski, principal research scientist at Sophos.
“Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair.”
Over half (51%) of organizations said they experienced a significant ransomware attack in the previous 12 months, nearly as many as the peak of 54% in 2017, when WannaCry and NotPetya hit. Data was encrypted in 73% of cases where attackers breached the organization.
Over half (56%) of the IT managers surveyed said they were able to recover data from backups without paying the ransom, but while backing up is now industry best practice, there are other elements to consider, according to Wisniewski.
“Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes. We’ve recently reported on LockBit using this tactic,” he explained.
“Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay. The way to address these malicious maneuvers is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages.”
Email security failings among most of the banks designated to handle COVID-19 business stimulus loans could be putting applicants at risk of phishing, according to Proofpoint.
The security vendor claimed that only 13 out of the 64 accredited financial institutions have implemented the strongest Domain-based Message Authentication, Reporting & Conformance (DMARC) policy.
This means 80% of the banks aren’t proactively blocking fraudulent emails from reaching customers, while 61% have published no DMARC record at all.
DMARC helps to prevent certain types of spam and phishing attacks by verifying that the domain of the sender hasn’t been impersonated. However, it must be set to p=reject in order to prevent suspicious emails being sent to customer inboxes.
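The distinction the paragraph draws, between publishing any DMARC record and publishing one that actually blocks spoofed mail, comes down to a few tags in the `_dmarc` TXT record. The following is an added example, not Proofpoint's tooling and not from the article: it parses a record into its tags and classifies the domain's posture, flagging two weakenings a practitioner checks for beyond `p=`, namely a `pct` below 100 and an `sp=` that leaves subdomains unprotected. The tag names (`v`, `p`, `sp`, `pct`, `rua`) are those defined in RFC 7489; the record strings and the counting function's sample input are constructed for this example.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example, not from the Proofpoint research. Tag names follow RFC 7489;
all record strings below are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, Optional


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict. Returns None when the record
    does not begin with v=DMARC1, which receivers treat as no policy."""
    tags: Dict[str, str] = {}
    for part in record.strip().strip('"').split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def assess(record: Optional[str]) -> Dict[str, object]:
    """Posture is one of: missing, invalid, monitor-only, quarantine,
    partial-reject, reject. Only 'reject' at pct=100 blocks spoofed mail."""
    if record is None:
        return {"posture": "missing", "subdomains_protected": False, "reporting": False}
    tags = parse_dmarc(record)
    if tags is None or "p" not in tags:        # v=DMARC1 and p= are mandatory
        return {"posture": "invalid", "subdomains_protected": False, "reporting": False}

    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                              # receivers default a bad pct to 100
    subdomain_policy = tags.get("sp", policy).lower()

    if policy == "reject":
        posture = "reject" if pct >= 100 else "partial-reject"
    elif policy == "quarantine":
        posture = "quarantine"
    elif policy == "none":
        posture = "monitor-only"
    else:
        posture = "invalid"

    return {
        "posture": posture,
        "subdomains_protected": subdomain_policy in ("reject", "quarantine"),
        "reporting": "rua" in tags,
    }


def summarise(records: Iterable[Optional[str]]) -> Dict[str, int]:
    """Count postures across a set of domains (None = no record published)."""
    return dict(Counter(str(assess(r)["posture"]) for r in records))


# Constructed sample of six domains' records (None means no TXT record).
SAMPLE_RECORDS = [
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-bank.test",
    "v=DMARC1; p=reject; pct=50",
    "v=DMARC1; p=quarantine; sp=none",
    "v=DMARC1; p=none; rua=mailto:dmarc@example-bank.test",
    "v=spf1 include:_spf.example-bank.test -all",   # SPF record, not DMARC
    None,
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec, "->", assess(rec))
    print(summarise(SAMPLE_RECORDS))
```

Only the first of the six constructed records would count as "strongest DMARC policy" in the sense the article uses; the second is `p=reject` yet applies it to half of failing mail, and the third protects the organisational domain while leaving subdomains open to spoofing.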
The need for improved anti-phishing measures is heightened at the present time as cyber-criminals lie ready to defraud victim organizations by impersonating trusted authorities like banks.
The government’s Coronavirus Business Interruption Loan Scheme (CBILS), which offers essential financial support to many companies affected by the pandemic, offers just such an opportunity.
“By not implementing simple, yet effective email authentication best practices, these accredited organizations are putting already vulnerable businesses at even greater risk, whilst COVID-19-related attacks are on the rise,” said Adenike Cosgrove, cybersecurity strategist, international at Proofpoint.
“In times of urgency and uncertainty, individuals are much more susceptible to these kinds of attacks, particularly if a fraudulent email looks like it has come from a genuine domain. Having the recommended level of DMARC protection is essential for any organization accredited for the CBILS.”
The government mandated p=reject DMARC for all departments back in 2016 but progress has been slow. Only around a quarter of gov.uk domains support the best practice security protocol, according to a 2019 report from Egress.
Media and entertainment lawyers Grubman Shire Meiselas & Sacks have confirmed reports that their firm has fallen victim to a ransomware attack.
News of a possible attack surfaced last week when the threat group behind the REvil ransomware (also known as Sodinokibi) published what it claimed was a sample of 756GB of data exfiltrated from the New York City law firm. The data that now appears to have been genuinely stolen from Grubman Shire Meiselas & Sacks includes personal data belonging to a host of celebrities including Bruce Springsteen, Mary J. Blige, and Madonna.
The website for Grubman Shire Meiselas & Sacks is currently down while digital forensic experts work to recover the firm's encrypted files.
In a statement given to Variety, Grubman Shire Meiselas & Sacks said: “We can confirm that we’ve been victimized by a cyberattack. We have notified our clients and our staff."
The law firm gave no indication of how much Bitcoin was demanded in ransom by the threat actors. Nor did it state whether any payment would be made to recover the encrypted data of their star roster.
From the little information that the firm did release, it seems that rather than pay the cyber-thieves, an alternative solution is being sought to recover the data that was encrypted and stolen with REvil ransomware.
"We have hired the world’s experts who specialize in this area, and we are working around the clock to address these matters,” said Grubman Shire Meiselas & Sacks.
The threat group has threatened to publish the stolen data in nine installments. According to the threat group, information compromised in the attack includes contracts, telephone numbers, email addresses, personal correspondence, and non-disclosure agreements.
Jonathan Knudsen, senior security strategist at Synopsys, commented: "Personal information is valuable by itself, but personal information about celebrities is even more valuable. The attackers in this case have, unfortunately, perpetrated a crime with deep impact."
Knudsen said that while ransomware attack victims could pay up to recover their files, they might struggle to recover their peace of mind.
He said: "Even if you regain access to your own information, your attacker might still have a copy of the information and be able to resell it to other interested parties."
Ontario's privacy commission has launched an investigation into a "significant privacy breach" at a long-term care home where 66 residents have died after contracting COVID-19.
Canada's long-term care minister Merilee Fullerton announced on Twitter on Saturday evening that an inquiry will be launched into the unauthorized release of private data belonging to residents of the Orchard Villa retirement community in the city of Pickering.
"I’m learning of disturbing news out of Pickering’s Orchard Villa LTC home," said Fullerton. "There is a possibility of a significant privacy breach regarding individual resident personal health info."
According to Fullerton, the residential care home has informed the Information Privacy Commissioner Office "and other authorities as appropriate" that a data breach has occurred.
The minister went on to say that the situation was being monitored closely by the government, which "takes personal privacy very seriously."
In a statement shared on Monday, Privacy Commissioner Brian Beamish confirmed that his office is investigating a data breach at the 233-bed care home.
Jason Gay, the home’s executive director, confirmed that an internal investigation was conducted, but would not comment further regarding the breach.
“We can confirm there is a possibility of a privacy breach of personal health information,” wrote Gay in an email. “We have informed the privacy commissioner and an internal investigation has been conducted. We will not be commenting further at this time.”
According to the MPP for Pickering-Uxbridge, Peter Bethlenfalvy, Orchard Villa is taking action to notify residents and their families of the unauthorized release of information.
Orchard Villa is one of 36 residential care homes owned by Southbridge Care Homes, based in Cambridge, Ontario. Since the outbreak of the novel coronavirus in March, Orchard Villa has sadly lost 66 residents to the deadly virus and confirmed 200 cases.
Families of Orchard Villa residents have criticized the care home for not sharing sufficient information regarding the outbreak of COVID-19 at the facility. A group led by resident family member June Morrison is now calling for an inquiry to be launched into practices at the care home.
Morrison told Global News that Orchard Villa "should have gone to the ministry early on and asked for help."
WannaCry, notorious as the largest ransomware epidemic in history, reached its peak on May 12, 2017. Recent research by Kaspersky confirms that three years on, WannaCry retains the dubious honor of being among the most prevalent ransomware families causing trouble around the world.
To raise awareness of this ongoing threat, both INTERPOL and Kaspersky have dubbed today Anti-Ransomware Day and urged organizations to back up their data and adopt relevant security protections.
Failing to take all possible steps to secure a business against a ransomware attack can be a very expensive mistake. According to research published by Kaspersky in October 2019, organizations hit with ransomware attacks last year lost on average $1.46m.
The costs associated with a ransomware attack go beyond the ransom amount demanded by the cyber-criminal(s). Companies that fall victim to this crime can incur financial losses for downtime and reputational damage and incur additional costs for data recovery and fines.
Kaspersky researchers found a total of 767,907 users were attacked by encryptors in 2019, with almost a third of them (30%) found in businesses. WannaCry was still the most common of all the encryption families, attacking 164,433 users and accounting for 21% of all detected attacks in 2019.
Other prevalent encryptors used in 2019 include GandCrab, wielded in 11% of attacks, and Stop, deployed in 4%.
"The WannaCry epidemic, which saw companies lose millions in revenue because of downtime or costs related to reputational damage, demonstrated what can happen if ransomware happens on such a large scale,” said Sergey Martsynkyan, head of B2B product marketing at Kaspersky.
“The threat remains relevant today, as there will be users out there who still may not know much about it and can become a victim. The good news is that the right security approach and relevant measures can make ransomware yet another non-critical threat."
By supporting Anti-Ransomware Day, Craig Jones, director, INTERPOL Cybercrime Directorate, said the organization wished to encourage the public "to keep good cyber hygiene and to #WashYourCyberHands.”
The Certified Information Systems Security Professional (CISSP) certification has been officially recognized as equivalent to a master’s degree across Europe. The qualification was designated as comparable to Level 7 of the Regulated Qualifications Framework (RQF) by UK NARIC, the UK’s designated national agency responsible for providing information and expert guidance on qualifications from across the world.
The change will enable cybersecurity professionals to use the CISSP certification towards higher education course credit and also open up new opportunities for roles that require or recognize master’s degrees. The new designation will apply both to the UK and across Europe.
The announcement followed the American Council on Education’s College Credit Recommendation Service’s (ACE CREDIT®) recognition of six (ISC)2 certifications as eligible for college credit.
In making its decision, UK NARIC undertook an in-depth independent benchmarking study of the CISSP certification. This involved a review of the qualification's core components as well as a comparative analysis, against the RQF, of the skills assessed during a candidate's computer adaptive test (CAT) examination. The analysis concluded that the CISSP qualification assesses candidates' knowledge and skills at a level comparable to the RQF Level 7 standard. It noted that the CISSP requires skills such as organizational problem solving and decision making, together with awareness and correct use of industry standards, policy and best practice.
“Recognizing the CISSP as comparable to master’s level qualifications further underlines the robust educational and operational value of the certification within Europe,” said Deshini Newman, managing director EMEA at (ISC)2. “It will support our members in their career progression as they embark on opportunities both within their own organizations and externally when applying for roles with degree entry criteria.”
The RQF was developed by the UK government to help differentiate the levels of demand in various qualifications according to an eight-point scale. It can also help employers understand and compare cybersecurity qualifications throughout Europe, with the European Qualifications Framework (EQF) referencing the eight levels of the RQF.
International security awareness training provider KnowBe4 has announced the promotion of special operations engineer Colin Murphy to the position of chief information officer (CIO).
Murphy is an IT executive with over 13 years of expertise in security and software development in the telecommunications, energy deregulation and financial industries. In his new role, Murphy will be responsible for information technology strategies and computer systems to ensure they support KnowBe4’s goals and high-level business objectives.
Stu Sjouwerman, CEO of KnowBe4, said: “Colin has been an integral part of KnowBe4 for several years now and his previous experience as CIO for several other companies made him a natural fit to take on this opportunity. We believe in promoting from within whenever possible and he was already assuming the role of CIO by leading the IT area before the position was formally offered to him. I have confidence that Colin will surpass all expectations as KnowBe4’s CIO.”
Murphy added: “As an executive and security professional, I have seen the countless ways KnowBe4 has transformed what security awareness means for its customers. My goal for the team is to create a strategic IT vision that drives innovation to accelerate growth and improve our internal efficiencies. We are determined to deliver the best IT solutions and support to the staff at KnowBe4 so they can meet their goals, deliver key results and enhance the organization’s position in the US and global markets.”
Security experts are warning of a 30% spike in COVID-19-themed cyber-attacks over the past two weeks as hackers continue to spoof trusted brands and organizations.
Check Point revealed an average of 192,000 coronavirus-related cyber-attacks per week over the past fortnight — the vast majority of which were phishing emails.
Some, like a WHO-themed phishing email purporting to be an ‘urgent letter’ containing information on the first human vaccine test, contain password-stealing keylogging malware.
Others seen by the vendor are spoofed to appear as if sent by the WHO or UN and are extortion emails demanding Bitcoin payments.
Check Point also observed a surge in domain registrations as part of ongoing coronavirus-related phishing campaigns.
Nearly 37% of Zoom-related domains were registered in the past three weeks, it said. Of the 2,449 detected, 1.5% were malicious and 13% were categorized as suspicious. Similar lures include fake Microsoft Teams and Google Meets links/domains.
In total, Check Point claimed to have detected nearly 20,000 new COVID-19 registrations in the past three weeks, over a fifth (22%) of the total spotted so far since the beginning of the outbreak. Of this most recent batch, 2% are malicious and 15% suspicious.
The vendor urged users to beware of lookalike domains with spelling errors and unfamiliar senders, to not reuse passwords across accounts and to order goods only from authentic sources.
Intelligence from Google, Microsoft and the National Cyber Security Centre (NCSC) has maintained that, although COVID-19 threats are on the rise, the overall level of cybercrime is not.
Instead, it appears that cyber-criminals are repurposing other campaigns with COVID-19 themes in the hope of generating an improved success rate.
Google claimed last month to be blocking over 240 million COVID-19-themed spam messages each day, and 18 million malware and phishing emails.
A major mailing technology firm has been hit by ransomware for the second time in just seven months, after the notorious Maze gang struck.
The group is known for stealing sensitive files from targeted organizations before encrypting systems, in order to force a ransom payment.
This is what it appears to have done with US firm Pitney Bowes, although it claimed that the encryption part was unsuccessful.
“Recently, we detected a security incident related to Maze ransomware. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited,” noted a statement from the firm.
“Working with our third-party security consultants, we immediately took critical steps to thwart the attack before data could be encrypted. At this point, there is no evidence of further unauthorized access to our IT systems. The investigation remains ongoing.”
However, screenshots posted by Maze seem to indicate that information on employees, and sensitive financial and customer data, may be in the hands of the attackers.
The previous attack on Pitney Bowes is believed to have been carried out by the equally prolific Ryuk group.
At the time the firm admitted that it had “encrypted information on some systems and disrupted customer access to our services.” These included SendPro products, postage refill and Your Account access.
According to Microsoft, Maze is one of several groups that have been targeting hospitals during the COVID-19 crisis, with sophisticated attack techniques more akin to APT groups, including credential theft, lateral movement, reconnaissance, persistence and data exfiltration.
In the past it has been known to target virtual desktop endpoints without multi-factor authentication, end-of-life platforms like Windows Server 2003, misconfigured web servers and vulnerabilities in Citrix Application Delivery Controller (ADC) and Pulse Secure VPN systems.
Researchers are urging WordPress administrators to patch two new vulnerabilities discovered in a popular plugin that has been downloaded over a million times.
If an attacker is able to trick an admin into clicking on a phishing link or opening a booby-trapped attachment, they could gain full remote control of the site, warned Wordfence threat analyst, Chloe Chamberland.
The security vendor notified plugin developer Site Origin, whose Page Builder software is affected, on May 4, with the firm releasing a patch a day later.
The plugin itself is designed to simplify page and post editing in WordPress, via features like a live editor.
Both discovered flaws are cross-site request forgery (CSRF) vulnerabilities that lead to reflected cross-site scripting (XSS), each with a CVSS score of 8.8, making them high severity. They affect versions of Page Builder up to and including 2.10.15.
“Both of these flaws allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser,” noted Chamberland. “[They] could be used to redirect a site’s administrator, create a new administrative user account, or, as seen in the recent attack campaign targeting XSS vulnerabilities, be used to inject a backdoor on a site.”
Users are urged to upgrade to version 2.10.16 of Page Builder as soon as possible to mitigate the threat.
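To show what the CSRF-to-reflected-XSS class described above looks like in plugin code, and how it is closed, here is an added, hypothetical WordPress admin AJAX handler in its vulnerable form beside a hardened version. This is illustrative code written for this page, not SiteOrigin's Page Builder code; the action names, the `layout` parameter and the capability chosen are assumptions.

```php
<?php
// Added illustration of the CSRF-to-reflected-XSS pattern; hypothetical plugin
// code, not SiteOrigin's. Action names, parameter and capability are assumed.

// VULNERABLE: any page a logged-in admin visits can cause the browser to send
// this request (CSRF), and the 'layout' value is echoed back into the admin's
// browser without escaping (reflected XSS).
function demo_preview_vulnerable() {
    $layout = isset( $_GET['layout'] ) ? $_GET['layout'] : '';
    echo '<div class="preview">' . $layout . '</div>';   // no nonce check, no escaping
    wp_die();
}
add_action( 'wp_ajax_demo_preview_vulnerable', 'demo_preview_vulnerable' );

// HARDENED: the request must carry a nonce tied to the logged-in user and this
// action (a forged cross-site request cannot know it), the caller must hold a
// suitable capability, and the value is escaped before it reaches the browser.
function demo_preview_hardened() {
    // Ends the request with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'demo_preview', '_wpnonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $layout = isset( $_GET['layout'] )
        ? sanitize_text_field( wp_unslash( $_GET['layout'] ) )
        : '';

    // esc_html() turns <, >, &, " and ' into entities, so a script tag in the
    // parameter is rendered as text rather than executed.
    echo '<div class="preview">' . esc_html( $layout ) . '</div>';
    wp_die();
}
add_action( 'wp_ajax_demo_preview_hardened', 'demo_preview_hardened' );

// The legitimate caller gets the nonce when the plugin renders its own admin
// page, so only requests originating from that page carry a valid one:
function demo_preview_link() {
    return wp_nonce_url(
        admin_url( 'admin-ajax.php?action=demo_preview_hardened' ),
        'demo_preview'
    );
}
```

Either fix alone is insufficient: without the nonce an attacker can still drive the admin's browser to the endpoint, and without escaping a trusted user's own input can still be reflected as markup.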
The news comes just days after Wordfence notified WordPress administrators of a spike in attack traffic targeting cross-site scripting vulnerabilities in various plugins and themes.
The firm detected a 30-fold increase in attack traffic over the previous month, with attacks on more than 900,000 sites, from over 24,000 different IP addresses, all from the same malicious actor.
Designed to achieve remote control of targeted sites, the attacks may change slightly over time as the hacker pivots to using other vulnerabilities, Wordfence warned.