Cyber Risk News
Experts are urging Thomas Cook customers not to respond to unsolicited messages in the wake of the UK travel company’s bankruptcy, as scammers are trying to harvest their bank details.
The 178-year-old firm collapsed on Monday, leaving a £3bn black hole in its balance sheet and 150,000 holidaymakers stranded abroad.
However, like any high-profile incident, scammers have been jumping on the news to try and part consumers with their cash.
Reports soon emerged of customers being cold-called by individuals claiming to work for a company acting as a ‘refund agent’, who asked for their bank or card details in order to reimburse them.
Adding to the confusion, UK banks have been sending unsolicited text messages about the bankruptcy to customers, some of which contain links and a phone number.
According to tweets cited by consumer rights group Which? some of the messages were sent to individuals who hadn’t even booked holidays with Thomas Cook, adding to the sense that they may be a scam.
“We’ve heard worrying stories of criminals trying to scam people affected by the collapse of Thomas Cook, so while the messages being sent by some banks might be well-meaning, this flawed approach will only be adding to the confusion customers are facing,” said Which? consumer rights expert, Adam French.
“Our advice is to ignore unsolicited calls and texts, and avoid sharing your card or bank details. Anyone looking to claim back the cost of their flight through their debit or credit card provider should contact their bank directly themselves.”
In the wake of the travel agent’s collapse, Action Fraud urged consumers to be vigilant about potential scams and to not click on links in unexpected messages.
“Legitimate organizations will never contact you out of the blue and ask for your PIN, card details, or full banking passwords. If you get a call or message asking for these, it’s a scam,” the UK’s national fraud reporting center added.
“Remember, your bank or the police will never ask you to transfer money out of your account, or ask you to hand over cash for safe-keeping.”
US food delivery service DoorDash is in the process of notifying its customers after discovering a data breach affecting millions of consumers.
The firm claimed in a notice published yesterday that an unauthorized party managed to access data on 4.9 million customers.
“Earlier this month, we became aware of unusual activity involving a third-party service provider,” it said. “We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.”
Users who registered with the platform on or before April 5 2018 are said to be affected. Email addresses, delivery addresses, order history, phone numbers and salted and hashed passwords were stolen, as well as the last four digits of some users’ payment cards.
The last four digits of bank account numbers belonging to some of the firm’s restaurant clients and delivery drivers were also taken, along with the driver’s license numbers of 100,000 delivery staff.
Despite salting and hashing passwords, the firm is advising users to reset their credentials for the site.
Experts were quick to criticize the firm: despite its efforts to encrypt passwords, the stolen data could be used in follow-on attacks, argued Lucy Security CEO, Colin Bastable.
“In the race to grab market share, businesses like DoorDash place security too far down the list,” he argued. “Outsourcing data in-sources cyber-insecurity, and consumers pay the price of a carelessly clicked email phishing link or a targeted spear-phishing attack.”
DoorDash is no stranger to security incidents. Back in September 2018 it claimed that reports from multiple users of their accounts being hacked were down to credential stuffing.
In response to that incident, it blocked the suspect IP address trying to take over accounts, integrated with the HaveIBeenPwned breach notification site, and rolled out two-factor authentication.
The daily war waged between cyber-criminals and security experts will be played out in miniature in Abu Dhabi next month using an accurate model of a real city.
As part of the week-long HITB + Cyber Week security conference taking place at the Emirates Palace October 12–17, The Standoff challenge will pit competing teams against each other in a cyber-fight to gain control over a miniature city's digital infrastructure.
The simulated cyber-battle will take place in a live-fire environment, allowing players to develop valuable insight into vulnerabilities that could be exploited in a real-life cyber-attack.
The model city has been created to feature technology in use in the critical infrastructure of an actual modern-day metropolis and has its own power plants, freight and passenger trains, banks, and petrochemical facilities.
Red teams representing attackers will attempt to hack into the city's industrial control systems (ICS) and supervisory control and data acquisition equipment and take control of its traffic systems, electrical plants, and transportation services, while blue teams push back to defend the city's companies.
Under the competition's rules, the blue team will not be allowed any time to study the infrastructure, find weak points, pick attack detection tools, or apply fixes. Instead, they will jump straight into protecting vulnerable services that are about to be targeted by red teams.
Web-application firewall (WAF) rules, next-generation firewall (NGFW) policies, basic account management, and the ability to delete malicious payloads are the only tactics allowed in the blue team's defensive repertoire. Attackers are under no such constraints and can do what they like, provided they don't disturb the infrastructure needed to run the contest.
Dhillon Kannabhiran, founder and CEO of Hack In The Box (HITB), said: "The Standoff is one of the most challenging attack and defense contests in the world, where teams are competing to find vulnerabilities and attack vectors in real-world critical infrastructure."
The Standoff's hackable city was designed by Positive Technologies as a fun way for cyber-professionals to hone the protection and monitoring skills they use when dealing with real-world cybersecurity problems.
Head of cyber-battle business development at Positive Technologies, Gregory Galkin, said: "We've been working on The Standoff for almost 10 years now. We started with specialized trainings for information security experts and CTF players, but then understood that bringing our expertise even closer to the realities of life is a must in order to maximize the cyber-battle's practical value."
America's Healthcare and Public Health Sector Coordinating Council (HSCC) has launched an information-sharing resource aimed at improving the cybersecurity of the healthcare sector.
The new Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) helps users stay on top of the latest security threats by providing them with a convenient list of cybersecurity information-sharing organizations across the United States.
Featured in the new matrix are details of more than 25 cybersecurity information-sharing organizations and their services, including nine resources geared specifically toward the healthcare industry and the security of medical devices.
Each listing includes a description of the organization and its mission together with details about any areas of cybersecurity specialization and how much, if anything, they charge for the information they share.
Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center (H-ISAC) and co-chair of the HSCC Information Sharing Task Group that created the HIC-MISO toolkit, said: "Many health organizations are beginning to understand the importance of cybersecurity information sharing but don't know where to start.
"With cyber-attacks against health organizations increasing in number and severity, one of the most important things an enterprise can do is build awareness and preparedness through community engagement. The HIC-MISO points them in the right direction."
The launch of HIC-MISO follows a recommendation in a 2017 report by a Department of Health and Human Services advisory group, the Healthcare Industry Cybersecurity Task Force, to improve cybersecurity information sharing in the healthcare sector.
A key objective of the matrix is to make it easy for smaller healthcare organizations, which may lack the resources to implement a first-rate cybersecurity system, to engage with the cybersecurity information and defensive tips that are being shared.
More help is on its way, according to Bill Hagestad, co-lead of the task group behind the new matrix.
Hagestad said: "The Task Group recognized the broad range of budgets and capabilities across the sector, and accordingly we will begin work to supplement the HIC-MISO with a guide for how organizations can establish an information sharing management structure appropriate to their enterprise size, resources, and risk profile."
Preparations are underway in Texas to introduce mandatory annual cybersecurity training for nearly all government employees.
The Lone Star State passed a House bill to introduce the cyber-safety training into law on June 14 of this year. As if to reinforce the need for Texas to protect itself from cyber-criminals, 23 local government entities in the state were targeted in a single coordinated ransomware attack just two months later.
On Monday, the Texas Department of Information Resources (DIR) announced that it was accepting applications to certify cybersecurity training programs. Under the new legislation, DIR, in consultation with the Texas Cybersecurity Council, must certify at least five cybersecurity training programs.
To be certified, a cybersecurity awareness training program must focus on forming habits and procedures that will help government employees protect information resources. The program must also teach best practices for detecting, assessing, reporting, and addressing information security threats.
A spokesperson for DIR said: "DIR has worked with statewide stakeholders and the Texas Cybersecurity Council to develop detailed certification criteria and a systematic process for certifying cybersecurity programs. Once DIR certifies a minimum of five training programs, the list of programs will be published on the DIR website."
To be considered for inclusion on the very first list of certified training programs, applicants must submit their security-awareness training programs by Friday, October 4.
The initial year of the mandatory training will be a rolling certification period, in which additional programs will be certified on a continuing basis. In subsequent years, companies that want to put forward their programs for certification will have to submit them within a designated time frame. To remain on the approved list, training programs will have to be resubmitted for certification annually.
Once the certified programs have been chosen, all mandated state and local government employees will have until June 14, 2020, to complete their cybersecurity training.
In state agencies, the training will only be mandatory for elected or appointed officials and for employees who use a computer to complete at least 25 percent of their required duties. At local government entities, all elected officials and employees who have access to a local government computer system or database must complete the training.
Local governments can get around the obligatory training if they employ a dedicated information resources cybersecurity officer and have a cybersecurity training program in place already that satisfies the requirement.
Very few companies are securing the majority of their cloud-native apps with DevSecOps practices, according to new research.
However, 68% of companies are expected to be securing 75% (or more) of their cloud-native applications with DevSecOps practices within two years. The research analyzed 371 responses, and according to Doug Cahill, senior analyst and group practice director of cybersecurity for ESG, while organizations have started, there is more work to be done when it comes to securing their cloud-native apps with the benefits DevSecOps offers.
He said: “Organizations should consider newer approaches to securing their cloud-native apps, particularly solutions that address API-related vulnerabilities, which tops respondents’ minds when identifying their top threat concern.”
Doug Dooley, Data Theorem COO, said that as production workloads are shifting to public cloud platforms, and organizations are quickly adopting serverless functions, they need to understand the associated risks and new threat model they are facing, and the means of addressing cloud native and API risks.
Asked by Infosecurity if they are seeing more companies adopt DevSecOps practices at the moment, or planning to adopt that strategy, Dooley said that security automation is gaining momentum for apps that are run by DevOps teams.
“We are still a few years away before it’s completely mainstream,” he said. “The culture of enterprise security has been a bit reluctant to embrace automation, but it’s the only way the best security teams are keeping up with the pace of DevOps.”
In an email to Infosecurity, Jeff Williams, co-founder and CTO of Contrast Security, said that most organizations only secure a small percentage of their application portfolio (cloud native or not): they typically apply application security tools, techniques and practices to only 10-20% of their apps and APIs, namely those deemed “critical,” “external,” public-facing, or privacy-related.
“To help remedy this gap, DevSecOps practices and tools are rapidly being adopted,” Williams said. “However, there is also a disturbing trend to shove the same old AppSec tools onto development teams that don’t have the skills to use them effectively under the guise of ‘shifting left’. Real DevSecOps requires a fundamental change to the way application security work is performed.”
Regarding the increase from 8% to 68% of cloud native app teams practicing DevSecOps, Williams said it is possible, as cloud native apps are close to the ideal scenario for DevSecOps. “However, it won’t happen without hard work to transform the people, process and pipeline in these teams.”
Security researchers have spotted a new tactic being trialed by Magecart hackers: targeting commercial grade routers to skim large volumes of card details.
These routers are typically used in venues such as airports, casinos and hotels to serve large numbers of users — theoretically giving the attackers a major haul of card details if they succeed.
“We believe that MG5 aims to find and infect web resources loaded by L7 routers with its malicious code, and possibly also inject malicious ads that captive users have to click on to eventually connect to the internet,” IBM said in its report.
“The compromise can therefore be two-fold: 1. Guest payment data can be stolen when they browse through a compromised router; 2. malicious content can be injected into web pages viewed by all connecting guest devices, including those who pay to use the internet and those connecting to hotels’ free Wi-Fi hot spots.”
IBM also claimed to have found evidence that MG5 had injected malicious digital skimming code into a popular open source mobile module which provides sliding features on devices. This kind of supply chain attack could result in spreading the code to all apps which unwittingly incorporate that module, in order to steal data en masse from users.
This is in keeping with MG5’s usual MO, which is to target larger numbers of victims by infecting third-party platforms, improving the ROI of attacks versus those such as the raids on BA and Newegg which targeted the website/e-commerce provider directly.
Another unprotected Elasticsearch database has been found online, leaking the personal data of tens of thousands of dating app users.
Researcher Avishai Efrat of VPN comparison firm WizCase was able to access a database of around 77,000 users of Heyyo, a Turkey-based online dating service.
The 600MB of data contains a trove of sensitive personal information which could be used in follow-on phishing or identity fraud attacks, including: name, email address, country, date of birth, dating history, phone number, occupation, and even a link to social media profiles.
Given the sensitive nature of the dating app, there are also exposed details which could be used to blackmail individuals, such as sexual orientation and preferences. If hackers found users of the app who are already married or in long-term relationships, that could also provide an opportunity to extort money from them.
Most of the affected users are from Turkey, where there’s a less forgiving climate for the LGBT community than in many western countries.
There were also a significant number of Heyyo users from the US and Brazil exposed in the leak, according to WizCase.
“Heyyo used an Elasticsearch engine, which is installed on a Digital Ocean cloud hosted server. The Elasticsearch default setting requires no authentication or password to gain entry,” explained the firm’s web security expert, Chase Williams.
“Servers should never be exposed like this to the open world. Password authentication, IP whitelisting, and additional monitoring would have greatly reduced the chances of such a data breach. Unfortunately, companies using default or misconfigured security settings for their databases is an all too common scenario these days.”
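The exposure pattern described above, a node bound to a non-loopback address with no authentication layer, can be caught before deployment by auditing elasticsearch.yml. The following is an added example, not Heyyo's configuration or a WizCase tool; the sample configs are constructed, and the audit assumes the 2019-era Elasticsearch defaults (loopback bind, security disabled unless enabled).

```python
"""Audit an elasticsearch.yml for the unauthenticated-exposure pattern:
a node listening on a non-loopback interface while xpack security is off,
so anyone who can reach port 9200 can read and write indices with no credentials."""
import ipaddress

# Constructed sample configs (hypothetical, not any real deployment).
WEAK_CONFIG = """
cluster.name: dating-prod
network.host: 0.0.0.0          # reachable from every interface
http.port: 9200
xpack.security.enabled: false  # default-style: no authentication at all
"""

HARDENED_CONFIG = """
cluster.name: dating-prod
network.host: 10.0.3.12
http.port: 9200
xpack.security.enabled: true           # password authentication required
xpack.security.http.ssl.enabled: true  # credentials no longer travel in clear text
"""


def parse_yaml_flat(text):
    """Minimal parser for the flat 'dotted.key: value' lines elasticsearch.yml uses.
    Handles trailing comments and quoted values; nested YAML is out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_loopback_only(host):
    """True when the bind address keeps the node reachable only from the same machine."""
    if host in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname or special value such as _site_/_global_: treat as exposed


def _flag(settings, key):
    return settings.get(key, "false").lower() == "true"


def audit(settings):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    # Elasticsearch (pre-8.0) binds to loopback unless network.host is set,
    # and leaves security disabled unless xpack.security.enabled is true.
    host = settings.get("network.host", "_local_")
    exposed = not is_loopback_only(host)
    security = _flag(settings, "xpack.security.enabled")
    if exposed and not security:
        findings.append(
            "UNAUTHENTICATED_EXPOSURE: node binds to %s with xpack.security.enabled=false; "
            "enable security and restrict reachable IPs at the firewall" % host)
    if exposed and security and not _flag(settings, "xpack.security.http.ssl.enabled"):
        findings.append(
            "PLAINTEXT_CREDENTIALS: security is on but HTTP TLS is off, so passwords "
            "cross the network in clear text; enable xpack.security.http.ssl")
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config string and audit it."""
    return audit(parse_yaml_flat(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(cfg) or ["OK"])
```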
Automated cloud security tools can be used to detect, alert and remediate misconfigurations like the one affecting Heyyo, according to DivvyCloud CTO, Chris DeRamus.
“Database misconfigurations have proven time and time again to be the Achilles’ heel of many organizations that have suffered data breaches this year, yet there are very simple and highly effective solutions available to prevent this,” he argued.
A UK teenager convicted of hacking ISP TalkTalk in a notorious 2015 data breach has been indicted in the US for stealing funds from customers of a cryptocurrency exchange.
Elliott Gunton, 19, of Old Catton, near Norwich, is accused alongside US citizen Anthony Nashatka of targeting the EtherDelta exchange.
Back in 2017, they are alleged to have gained control of an admin account belonging to CEO Zachary Coburn, using it to manipulate the site’s DNS records in order to redirect customers to a domain under their control.
Harvesting customer credentials in this way, they were allegedly able to subsequently log in as these victims and steal cryptocurrency from their accounts.
The total sum stolen isn’t known, although one victim lost $800,000 in the operation, according to reports.
The charges, filed in San Francisco, could apparently lead to prison sentences of up to 20 years.
Gunton was only 16 when he hacked TalkTalk. Back in August, the teen was sentenced to 20 months behind bars for offering hacking services online. At that time he was ordered to pay back £400,000 in cryptocurrency he is said to have made from these endeavors.
After his arrest, police were able to trace at least £275,000 of these funds, although it’s unclear whether any of them were linked to the EtherDelta attack.
Edgard Capdevielle, CEO of Nozomi Networks, warned that law enforcers are slowly turning up the heat on budding cyber-criminals.
“While there can be no denying hacking tools are increasing in sophistication, the tools law enforcement use to track cyber-criminals are also improving,” he argued. “We are likely to continue to see more and more perpetrators charged for cybercrimes, making hackers think twice before launching attacks, as traces will always be left.”
American military veterans on the hunt for a new job are the latest group to be targeted by bold new threat group Tortoiseshell.
The group, which was discovered earlier this month by researchers at Symantec, has been active since July 2018, primarily targeting IT providers in Saudi Arabia with a mix of customized and "common or garden" malware.
New intelligence published yesterday by Cisco Talos reveals that Tortoiseshell has refocused its criminal campaign to strike at targets in the United States. Talos discovered that team Tortoiseshell was behind a malicious website that has been cleverly crafted to resemble a legitimate recruitment site for US military veterans.
Users of the site hxxp://hiremilitaryheroes[.]com were prompted to download an app that in reality was a malware downloader that deployed malware and spyware.
Warren Mercer, technical leader at Cisco Talos, told Infosecurity Magazine that the nature of the attack indicated that Tortoiseshell was hoping to ensnare active military personnel in addition to former servicemen.
"As it seems they were targeting HR/recruitment efforts, it's possible they hoped to attack current military servicemen as well as current veterans."
Talos would not confirm or deny whether reports that Tortoiseshell is based in Iran are correct. However, what is clear is that should Tortoiseshell get its claws into active members of the military, the outcome could be devastating.
Mercer told Infosecurity Magazine: "Depending on the victim they are successful compromising, the level of detail/information they [Tortoiseshell] can obtain is very varied.
"If Tortoiseshell successfully targeted a currently enlisted military professional with access to potentially confidential information, this could become very damaging to the parties involved."
Close attention had been paid to every detail of the malicious website to ensure that it closely mimicked a genuine site in its choice of name, imagery, and the style of language used. However, Mercer said that what might appear to be sophisticated actions by the group were more probably evidence of their dogged resolve.
Commenting on the site's seemingly genuine appearance, Mercer told Infosecurity Magazine: "This isn’t suggestive of a sophisticated actor; it’s more indicative of a determined actor. They want to ensure that they remain as aligned as possible to their fake website, and the text, images, and domain name help with that."
In carrying out this latest attack, Tortoiseshell used the same backdoor method employed against its targets in the Middle East. Perhaps this reliance on the same tactics, techniques, and procedures (TTPs) will be the group's downfall.
The online survey questioned 400 people, of whom 70% were IT professionals, about what happened in their company when new staff were onboarded and when current employees switched roles or were deprovisioned.
Asked whether unnecessary access rights are removed when employees change roles, 45% of the respondents said "no." This statistic swells in importance when paired with the knowledge that more survey respondents worked for the government (14.5%) than for any other industry.
When it came to the access rights of employees leaving for new pastures, 13% of those surveyed said that they were not confident that the last person to exit their organization no longer had access to the company's critical systems and information. Only 48% said they were "somewhat confident" that access had been blocked.
Given what respondents thought their former coworkers might get up to, it's surprising that closer tabs weren't being kept on their access rights. When asked what security risks were a concern in relation to improperly deprovisioned employees, 38% said a leak of sensitive data, 26% feared a cybersecurity hack through an unmanaged account, and 24% were concerned about malicious data detection/theft.
Perhaps the survey's most worrying finding was that 52% of respondents admitted that either they or somebody they knew still had access to a former employer’s applications and data.
Most of the respondents (84%) were based in the US, but the online survey was also completed by people in the Netherlands, the UK, and Canada.
Senior director of information technology at Ivanti, Adam Jones, told Infosecurity Magazine: "If you don’t know where you are vulnerable, it creates big issues and problems, especially when people can access privileges they shouldn’t. It creates an opportunity for exploitation by cyber-criminals or disgruntled employees (malicious insiders)."
It isn't clear from the survey whether access rights are being mismanaged due to the absence of proper assignment and management processes or because the trouble isn't being taken to regularly monitor permissions and update them as necessary.
"Essentially, manually monitoring these processes is a productivity vampire," said Jones. "People often fail to complete their manual checklists, and we’ve even heard of instances where HR terminates an employee and forgets to tell their IT team.
"Make sure you have the tools to automate manual tasks, so that you can monitor just the exceptions for when something doesn’t go right."
A new study has found that hackers are exploiting a popular remote working tool to attack almost all the companies that use it.
The Remote Desktop Protocol (RDP) has become a virtually indispensable part of modern business operations, as it allows users to control systems from afar without losing any functionality.
Research published today by Californian tech firm Vectra has revealed suspicious RDP behaviors in 90% of companies using RDP, with organizations in the manufacturing, finance and insurance, retail, government, and healthcare industries identified as being most at risk of attack.
Researchers used Vectra's Cognito platform to monitor metadata collected from network traffic between more than four million workloads and devices in customer cloud, data centers, and enterprise environments between January and June 2019.
During the six-month period, the platform detected 26,800 suspicious RDP behaviors. However, more could have occurred, since Cognito was configured to spot only two specific behaviors. The first is repeated failed attempts to establish an RDP connection to a workload or host, and the second is a successful connection with unusual characteristics; for example, a connection normally established via an English-character keyboard being made instead with a French keyboard.
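The two detections described above, repeated connection failures and a successful connection with an unexpected keyboard layout, can be expressed as simple rules over RDP connection metadata. The following is an added example, not Vectra's Cognito logic; the record format and the sample connection events are constructed, and it assumes a collector that records the keyboard layout the client advertises when it connects.

```python
"""Toy RDP anomaly rules over per-connection metadata records.
Each record (constructed format) is a dict:
  ts  - seconds since epoch
  src - client address, dst - RDP server address
  ok  - True if the session was established, False if the attempt failed
  kbd - keyboard layout advertised by the client, e.g. "en-US"
"""
from collections import Counter, defaultdict

# Constructed sample events: four normal admin sessions to 10.2.0.10, one session
# from a French-layout client, a burst of failures against 10.2.0.20, and two
# widely spaced failures against 10.2.0.30 that should stay below the threshold.
SAMPLE_EVENTS = [
    {"ts": 10, "src": "10.1.1.5", "dst": "10.2.0.10", "ok": True, "kbd": "en-US"},
    {"ts": 20, "src": "10.1.1.6", "dst": "10.2.0.10", "ok": True, "kbd": "en-US"},
    {"ts": 30, "src": "10.1.1.5", "dst": "10.2.0.10", "ok": True, "kbd": "en-GB"},
    {"ts": 40, "src": "10.1.1.5", "dst": "10.2.0.10", "ok": True, "kbd": "en-US"},
    {"ts": 50, "src": "10.1.1.9", "dst": "10.2.0.10", "ok": True, "kbd": "fr-FR"},
] + [
    {"ts": 100 + i, "src": "10.1.1.77", "dst": "10.2.0.20", "ok": False, "kbd": "en-US"}
    for i in range(6)
] + [
    {"ts": 200, "src": "10.1.1.8", "dst": "10.2.0.30", "ok": False, "kbd": "en-US"},
    {"ts": 400, "src": "10.1.1.8", "dst": "10.2.0.30", "ok": False, "kbd": "en-US"},
    {"ts": 410, "src": "10.1.1.8", "dst": "10.2.0.30", "ok": True, "kbd": "en-US"},
]


def detect_repeated_failures(events, threshold=5, window=60):
    """Rule 1: alert on a (src, dst) pair with >= threshold failed attempts
    inside any sliding window of `window` seconds. Reports the peak count."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[(e["src"], e["dst"])].append(e["ts"])
    alerts = []
    for (src, dst), times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"type": "rdp_repeated_failures", "src": src,
                           "dst": dst, "count": peak})
    return alerts


def detect_unusual_keyboard(events, min_baseline=3):
    """Rule 2: once a destination has a baseline of `min_baseline` successful
    sessions, alert on a successful session whose layout was never seen before.
    Anomalous layouts are not learned, so a second French session still alerts."""
    baseline = defaultdict(Counter)  # dst -> Counter of layouts on successful sessions
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            continue
        seen = baseline[e["dst"]]
        if sum(seen.values()) >= min_baseline and e["kbd"] not in seen:
            alerts.append({"type": "rdp_unusual_keyboard", "src": e["src"],
                           "dst": e["dst"], "kbd": e["kbd"],
                           "expected": sorted(seen)})
            continue
        seen[e["kbd"]] += 1
    return alerts


def run_detections(events):
    """Apply both rules and return all alerts."""
    return detect_repeated_failures(events) + detect_unusual_keyboard(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```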
Manufacturing organizations had the highest rate of dodgy RDP detections, with mid-sized operations showing a detection rate twice as high as the industry's average, which was 10 detections per 10,000 workloads and devices.
Together, the finance and insurance, manufacturing, and retail industries accounted for 49.8% of all suspect RDP detections.
Alarming as the findings are, they come as no surprise to Vectra's head of security, Chris Morales, who told Infosecurity Magazine: "RDP is so widely used in different organizations that a high rate of misuse is inevitable. It's used in multiple forms of attacks as attackers look to hide from detection.
"The rate of detection in the six-month period is consistent with what Vectra has monitored over an extended period of time. RDP is a regular occurrence in attacks and a staple tool of the attackers' toolkit."
Despite the cybersecurity risk posed by RDP, Morales foresees no sunset on the tool's use. He told Infosecurity Magazine: "The business value delivered by RDP will ensure its continued use, and it will therefore continue to represent significant risk as an exposed attack surface."
Asked if we should all ditch the internet and go back to using fax machines, Morales said: "I do not think so. We just need to be more diligent in how we use services and thoughtful in their implementation."
The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the launch of its global open call for its fourth cohort of cyber-scaleups.
LORCA, launched in June 2018 and hosted at Plexal, an innovation center located in the Here East campus in London’s Queen Elizabeth Olympic Park, aims to bolster the UK’s cybersecurity sector and make the internet safer for everyone by supporting the most promising later-stage companies.
LORCA offers 12-month programs from which companies can benefit from a collaborative ecosystem of academia, innovators, government, investors and industry.
It has already welcomed three cohorts of companies into its previous programs, which have gone on to raise over £58m in investment and won 514 contracts.
LORCA is now inviting new applications based on three innovation themes, after consulting with industry leaders from various sectors about their most pressing cyber-challenges and the types of solutions they need from the market in the future.
The three themes are: connected economy, connected everything and connected everyone.
The latest cohort will receive bespoke support with scaling in the UK and abroad, as well as access to commercial and engineering experts through delivery partners Deloitte and the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.
Saj Huq, program director, LORCA, said: “As technology increasingly impacts all aspects of business and society, it’s clear that a cybersecurity paradigm shift is needed. Now more than ever, we need to support the development of cutting-edge innovations across the board to help us lead safer digital lives, keep our infrastructure secure and protect our digital economy from complex and evolving cyber threats. Given its increasing significance within a world that is more connected by the day, cybersecurity has to be everywhere – and serve everyone.”
The deadline for applying is Monday November 4 2019.
Google’s victory in a landmark right to be forgotten case asks more questions than it answers, according to legal and technology experts.
The European Court of Justice (ECJ) ruled yesterday that the search giant only needs to remove links from its services inside the EU in order to comply with legitimate right to be forgotten/right to erasure requests.
French privacy regulator CNIL had demanded that Google remove links globally to pages containing false or damaging info on a person, in a case dating back to 2015.
Part of Google’s argument for not removing info outside the EU was that the law could be exploited by oppressive governments to cover up abuses and control the flow of information, much as China does with its Great Firewall censorship apparatus.
“Since 2014, we've worked hard to implement the right to be forgotten in Europe, and to strike a sensible balance between people's rights of access to information and privacy,” the search giant said of the result. "It's good to see that the court agreed with our arguments."
However, some argued that the ruling undermines the right to be forgotten by failing to institute the law globally.
“Google is normally able to detect visitors from Europe to its global search engines and block them from seeing certain web pages containing sensitive information about individuals from queries made using their names,” explained Simon Migliano, head of research at Top10VPN.
“However, anyone connected to a VPN server located outside Europe will evade such detection and be able to view those results regardless of any 'right to be forgotten' decision in place. This loophole highlights the significant limitations of geo-restricting contentious web content in this day and age.”
Mishcon de Reya data protection adviser, Jon Baines, added that there are still question marks over what happens to the UK if it leaves the EU without a deal.
“Will UK search engine domains retain links to information removed from EU search engine domains? Or might the UK decide ultimately to give effect to delinking decisions made in the EU? Private individuals, as well as businesses, will want urgent clarification on this from government,” he argued.
EU citizens have been able to request information on them be removed from the web since 2014. However, since then, the GDPR has made it easier for EU citizens to request that such information be expunged from the web, with its right to erasure clause. Providers have a month to respond to a verbal or written request.
Ron Moscona, a partner at international law firm Dorsey & Whitney, explained that the ruling has failed to add clarity on how and when the GDPR should be limited in scope to within the EU.
“The provisions of Article 3 of GDPR that define its territorial effect clearly extend the legal rights and obligations of GDPR, in many circumstances, to the processing of personal data outside the EU including by entities operating outside the EU,” he said.
“Today’s decision of the EU court does not address these broader territorial issues.”
An APT campaign targeting US utilities firms with a remote access trojan (RAT) has now hit at least 17 firms, according to a new report from Proofpoint.
The security vendor first spotted phishing emails sent to three utilities providers in late July, although the campaign now appears much wider in scope after the discovery of more in August.
It begins with reconnaissance scanning for SMB over port 445, perhaps to identify targets with vulnerabilities in the protocol that could be exploited later on to help attackers spread laterally.
Then comes the delivery of the phishing email itself, using as a lure an invitation to take an exam run by licensing body Global Energy Certification (GEC), administered by the Energy Research and Intelligence Institution.
Emails include the subject line “Take the exam now” and a malicious Microsoft Word attachment named “take the exam now.doc” alongside a legitimate PDF for exam preparation hosted on the real GEC site. This helps to add legitimacy to the spoofed message.
“The attachments titled ‘take the exam now.doc’ contained VBA macros to install LookBack. The macros were mostly the same as those first observed in July and were similarly obfuscated with concatenation commands that made the macros difficult to detect with static signatures,” explained Proofpoint.
“When a user opens the malicious attachment and enables macros, the VBA macro within the Microsoft Word attachment installs several privacy-enhanced mail (PEM) files on the host. When decoded, we found these to be both malware modules and macro variables.”
The ultimate aim of the macro execution is to download LookBack, a modular RAT designed to find, read and delete files, start and delete services, take screenshots, and even move or click the victim’s mouse.
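The two stages described above, the SMB sweep and the concatenation-obfuscated macro, both leave traces a defender can check for. The following is an added example written for this page, not code from Proofpoint or from the report: it flags a source that touches many hosts on TCP/445 in constructed firewall log lines, and it collapses `"Sh" & "e" & "ll"`-style VBA string concatenation so that keywords and PEM headers hidden from a naive substring signature become visible. The log format, the macro fragment and the keyword list are all constructed for illustration and are not the actual LookBack artefacts.

```python
"""Defensive triage helpers for the phishing chain described above.

(1) spot one source sweeping many hosts on TCP/445 in firewall log lines;
(2) collapse VBA string-concatenation obfuscation so keyword signatures
    and embedded PEM block headers can be matched again.
"""
import re
from collections import defaultdict

# Constructed sample firewall log lines (assumed format, not from the report).
SAMPLE_FW_LOG = """\
2019-08-01T10:00:01Z ALLOW TCP 198.51.100.7:51001 -> 10.0.0.5:445
2019-08-01T10:00:01Z ALLOW TCP 198.51.100.7:51002 -> 10.0.0.6:445
2019-08-01T10:00:02Z DENY  TCP 198.51.100.7:51003 -> 10.0.0.7:445
2019-08-01T10:00:02Z ALLOW TCP 198.51.100.7:51004 -> 10.0.0.8:445
2019-08-01T10:00:03Z ALLOW TCP 10.0.0.9:49222 -> 10.0.0.5:445
2019-08-01T10:00:04Z ALLOW TCP 198.51.100.7:51005 -> 10.0.0.9:445
2019-08-01T10:00:05Z ALLOW TCP 10.0.0.9:49223 -> 10.0.0.10:443
"""

FW_RE = re.compile(
    r"^\S+ (ALLOW|DENY)\s+TCP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def smb_scanners(log_text, threshold=4):
    """Return {src_ip: distinct_destinations} for every source that contacted
    at least `threshold` distinct hosts on TCP/445. Denied packets count too:
    a sweep is a sweep whether or not the connection succeeded."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.match(line.strip())
        if m and m.group("dport") == "445":
            targets[m.group("src")].add(m.group("dst"))
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


# Constructed macro fragment in the style the report describes (string pieces
# joined with '&'); illustrative only, not the real LookBack macro.
SAMPLE_MACRO = '''\
Sub AutoOpen()
    Dim p As String
    p = "Sh" & "e" & "ll"
    Dim f As String
    f = "-----BEGIN " & "CERTIFICATE-----"
    Call Run(p, f)
End Sub
'''

# Two adjacent VBA string literals joined by '&' (VBA escapes a quote as "").
CONCAT_RE = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')
# Header line of a PEM block, e.g. -----BEGIN CERTIFICATE-----
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----")
# Assumed, illustrative keyword list; a real one would be much longer.
SUSPICIOUS = ("Shell", "WScript", "CreateObject", "Powershell", "URLDownloadToFile")


def collapse_concat(vba):
    """Merge adjacent quoted literals joined with '&' until nothing changes,
    so "Sh" & "e" & "ll" becomes "Shell"."""
    prev = None
    while prev != vba:
        prev = vba
        vba = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', vba)
    return vba


def triage_macro(vba):
    """Collapse concatenation, then report keywords and PEM headers that the
    obfuscated text hid from a plain substring match."""
    plain = collapse_concat(vba)
    hits = sorted(k for k in SUSPICIOUS if k.lower() in plain.lower())
    return {"keywords": hits, "pem_headers": PEM_RE.findall(plain), "deobfuscated": plain}


if __name__ == "__main__":
    print("TCP/445 sweepers:", smb_scanners(SAMPLE_FW_LOG))
    print("macro triage:", triage_macro(SAMPLE_MACRO))
```

The concatenation collapse is deliberately iterative rather than a single regex pass, because `a & b & c` needs two merges, and the keyword check runs on the collapsed text only; on the raw macro neither "Shell" nor a PEM header is visible as a substring, which is exactly the gap the report attributes to static signatures.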
“The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset,” warned Proofpoint.
Andrea Carcano, co-founder of Nozomi Networks, argued that cyber-criminals will often look to exploit human weaknesses to reach targeted systems.
“Therefore, utility providers need to take the time to teach staff to recognize phishing emails and not to click on links or open attachments from unknown sources,” he said.
“In addition, the implementation of advanced cybersecurity technologies, such as machine learning and artificial intelligence, is a critical step towards safe and reliable critical infrastructure. These technologies provide utilities with the ability to jump start their visibility, situational awareness, and their capacity to detect and mitigate cyber-attacks.”
Microsoft has issued an emergency out-of-band patch for a critical remote code execution vulnerability in Internet Explorer.
CVE-2019-1367 is a bug in the browser’s scripting engine which affects how it handles objects in memory. Specifically, it could corrupt memory so as to allow an attacker to execute arbitrary code, according to a security update.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explained.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”
Redmond’s patch modifies how the scripting engine handles objects in memory, in order to fix the issue.
The vulnerability affects Internet Explorer versions 9-11.
The critical bug represents another good reason why IE users should migrate to a modern browser. Yet although Microsoft has been trying to push them towards its Edge offering, the latest stats show it trailing Internet Explorer, with less than half of the legacy browser’s 5.87% market share.
Ed Williams, EMEA director of Trustwave’s SpiderLabs, said the emergency update underlines the importance of good patch management.
“It also highlights the importance of regular asset identification and vulnerability scanning of environments, for example, knowing what to patch once a vulnerability has been identified. We know that attackers are flexible and dynamic and will be looking to further leverage this vulnerability to suit their needs, be it financial or otherwise,” he added.
“While Internet Explorer isn’t as popular as it once was, it is still a rich target for attackers, and with the release of this patch, further emphasizes why it is a business risk when compared to other browsers.”
An alderman in the Tennessee city of Germantown has been censured for not completing a 45-minute cybersecurity training course.
Dean Massey received the official rebuke from his fellow aldermen at a heated two-hour meeting of the administration, which took place last night. The censure, which was passed on a 3-2 vote, stipulates that Massey must complete the cybersecurity training by September 27, 2019.
Authored by Alderman Rocky Janda, the censure states: "Alderman Dean Massey willfully and intentionally placed and continues to place the City of Germantown at risk of a cybersecurity breach by refusing to take reasonable training measures to prevent online security attacks."
Massey and another alderman had their city email accounts restricted earlier this month after missing the deadline to complete the cybersecurity course, which Massey told Infosecurity Magazine was not designated as mandatory.
Instead of completing the training to regain access to his email account, Massey elected to create an alternative Gmail account through which to carry out official city business.
Describing what happened next, Massey told Infosecurity Magazine: "I never opposed or refused to take cyber-training. I requested that the IT director schedule time to publicly discuss cybersecurity and training with the Board of Mayor and Aldermen, but rather than simply honoring my request and acting in the public's interest, the administration went into cover-up mode and replaced my request for public discussion about cybersecurity policies with another alderman's request to censure me."
Official censures are typically reserved for conflicts of interest, misuse of public funds, and cases of sexual harassment.
Massey said that last night's meeting "should have been a meeting about the mayor's lack of a cyber policy" and described the censure as "completely self-serving and a total waste and abuse of taxpayer resources."
He said: "The administration has never implemented a cybersecurity policy and has failed to discuss the threats with aldermen for decades."
Since news of the restriction placed on Massey's city email account got out, the alderman has received what he describes as "harassing email and comments on social media."
One such comment, which Massey shared on the Facebook page Massey for Germantown, read "F**k you, you entitled pr*ck. Take the training. Oooh, you don't trust the IT department? You're an ignorant a**hole."
Massey feels that the actions of Germantown officials have put the lives of his family at risk.
He wrote on Facebook: "By ginning up unwarranted hatred for me through the government-sanctioned smear campaign, members of the administration made my family a target and put the lives of my wife and young son in danger."
In an email sent to Massey on September 20 and shown to Infosecurity Magazine, Vice Mayor Mary Anne Gibson wrote, "As a parent, I often reminded my children that actions have consequences," before describing the media attention Massey has received as "a circus of your own creation."
An American transport authority has responded to a malware attack by permanently closing its online store.
The Southeastern Pennsylvania Transport Authority (SEPTA) shuttered the site Shop.SEPTA.org within an hour of discovering that the personal data of 761 customers had been stolen in a data-skimming Magecart attack.
Hackers were able to steal shoppers' credit card numbers, names, and addresses during an online crime spree thought to have begun on June 21 and ended on July 16. The store, which sold online travel tickets along with SEPTA-branded mugs and clothing, was hosted by Amazon Web Services.
SEPTA was alerted to the attack on July 16 by a user who received a malware warning while browsing the online store. However, the transport authority waited until September 5 to inform customers affected by the attack by letter that a breach had taken place.
Asked what had caused the two-month time lag, SEPTA spokesperson Andrew Busch told Infosecurity Magazine: "Customers were notified as soon as SEPTA was confident that it had gathered accurate information regarding the individuals who were affected. SEPTA followed proper reporting protocols as soon as the breach was discovered by notifying the FBI and the Pennsylvania Department of Transportation."
The revelation that the online store had been permanently closed in an effort to prevent any future malware attacks only came to light on September 19 when it was reported by The Philadelphia Inquirer.
Explaining SEPTA's arguably extreme approach to cybersecurity, Busch told Infosecurity Magazine: "The primary reason for shutting it down was to eliminate the potential for any additional customer information to be compromised.
"In addition, the site was mostly used for purchases of fare products that have or are being phased out with SEPTA’s modernized fare system, the SEPTA Key, and in general it was not widely used. The SEPTA Key has a separate e-commerce site, and that site was not breached."
Busch confirmed that SEPTA has not suffered any further attacks since closing its online store, whose quiet death failed to arouse much notice.
Describing the impact of SEPTA's decision to axe the store, Busch said: "There has not been a significant amount of customer feedback."
Countries around the world have joined forces to declare that they are fed up with the lawless state of cyberspace.
As the newest frontier to be riddled with humanity, it's perhaps no surprise that while cyberspace has brought with it some positives like the promotion of free expression, it has also given rise to behavior that goes way beyond bad.
In a joint statement published yesterday at the United Nations, 27 countries pledged their support to clean up an arena that has become the digital equivalent of the old Wild West.
The statement, which was affirmed by Australia, Belgium, Canada, Colombia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, the Netherlands, New Zealand, Norway, Poland, the Republic of Korea, Romania, Slovakia, Spain, Sweden, the United Kingdom, and the United States, declared: "State and non-state actors are using cyberspace increasingly as a platform for irresponsible behavior from which to target critical infrastructure and our citizens, undermine democracies and international institutions and organizations, and undercut fair competition in our global economy by stealing ideas when they cannot create them."
Signatories called for nations to act online in accordance with international laws reflecting the voluntary norms of responsible state behavior in peacetime, before stating that "there must be consequences for bad behavior in cyberspace."
The countries said that they would work together to hold states accountable for their digital misdeeds. No specific countries were named and shamed in the statement; however, the digs about undermining democracies could be construed as a reference to Russia, which has been accused of meddling in elections in the US, the Ukraine, and France.
"The recently issued statement still does not clarify how and when attribution can be effectively used in cyberspace," Isidoros Monogioudis, senior security architect at Digital Shadows, commented to Infosecurity Magazine. "Furthermore, some topics are still in the negotiation phase, so the concept of 'responsible state behavior' is still not fully defined. This might ultimately create challenges."
Noting which countries had not signed the statement, Chris Morales, head of security analytics at Vectra, told Infosecurity Magazine: "This is a document that doesn’t include the most cyber-capable countries, such as Russia, China, and Iran, who are constantly engaged in cyber-warfare. Frankly, I’m not sure what impact, if any, this will have."
Ransomware attacks have disrupted operations at 49 US school districts and educational institutions, making the sector the second most popular for attackers after local government municipalities, according to Armor.
The cloud security vendor analyzed publicly reported attacks since January 2019 to better understand the scale of the threat facing the education industry.
It claimed that attacks may have compromised as many as 500 K-12 schools in the first nine months of 2019, versus just 11 last year.
In a little over a week in mid-September, nine new school districts and one college were hit, affecting around 100 K-12 schools, the firm said.
Crowder College, which reported an attack on September 11, claimed the ransom was a massive $1.6m, the first $1m+ demand since Monroe College in New York was hit with a $2m ransom note in July.
According to the school, there’s evidence that hackers had been inside the Crowder College IT systems since November last year. This would make sense if it was one of the five targets hit by Ryuk ransomware this year, as these infections are typically preceded by Emotet or Trickbot trojans, which often lay the groundwork for the ransomware.
Connecticut has the dubious honor of being the state with the highest number of compromised school districts, with seven hit, covering 104 schools.
It’s unclear whether the rash of attacks over recent weeks was designed to cause maximum disruption during the busy back-to-school period.
“Educational institutions, municipalities and other organizations whose infrastructure is critical to their communities host a variety of data, most of which is sensitive,” said Chris Hinkley, head of threat resistance at Armor.
“Cyber-criminals know these organizations can’t afford to shut down, they are often using out-of-date hardware and software, and they have few security measures in place. This is a deadly combination in the case of a ransomware attack, which provides for a high sense of urgency and a high probability of large payments.”