Cyber Risk News

Ericom Appoints First Ever Chief Strategy Officer

Info Security - Tue, 01/05/2021 - 14:21

Cybersecurity firm Ericom Software has announced the appointment of Dr Chase Cunningham as its first chief strategy officer. Joining from market research company Forrester, Cunningham will be responsible for shaping Ericom’s strategic vision, roadmap and key partnerships.

Cunningham has over 19 years of experience in the cybersecurity sector, with particular expertise in the area of zero-trust. At Forrester, he helped develop its zero-trust certification program and was the principal driving force behind its Zero Trust eXtended (ZTX) framework.

Before working at Forrester, he held the position of director of cyber-threat intelligence at Armor, where he was responsible for designing and managing the cloud security and intelligence engine for enterprise customers. Prior to this, he worked for a number of US government agencies, including the NSA, CIA and FBI, in the areas of cyber-forensic and cyber-analytic operations. There, he worked with clients to enhance their security architecture, for example by optimizing security operations command systems and centers and installing encryption and analytic systems. Cunningham is also a retired US Navy chief.

Ericom hopes the appointment will enable it to expand its zero-trust secure web and application access solution portfolio.

Commenting on the announcement, David Canellos, CEO of Ericom, said: “Chase’s zero-trust vision and drive have had a major impact on the global cybersecurity market, and his passion, real-world expertise and candor are valued and appreciated by industry executives as well as government leaders. We believe that his insights and hands-on security expertise will enable the digital transformation that is crucial for our customers’ secure growth and success.

“His guidance and direction of our strategic programs and technology innovation will help us rapidly deliver more impactful cloud cybersecurity solutions for our customers and partners.”

Cunningham commented: “Ericom has a strong history of helping its customers establish secure connectivity and network access, and it has evolved into a nimble and highly innovative zero-trust security player.

“I look forward to helping the company ramp up that evolution and build out its security portfolio, providing an unmatched set of capabilities to help secure businesses as they digitally transform in the future.”

Categories: Cyber Risk News

Ransomware Surge Drives 45% Increase in Healthcare Cyber-Attacks

Info Security - Tue, 01/05/2021 - 12:15

Cyber-attacks on global healthcare organizations (HCOs) increased at more than double the rate of those targeting other sectors over the past two months, according to Check Point.

The security vendor’s latest data covers the period from the beginning of November to the end of 2020, and compares it with the previous two months (September-October), a spokesperson confirmed to Infosecurity.

It revealed a 45% increase in attacks on the healthcare sector, versus less than half this figure (22%) for all other verticals. November was particularly bad, with HCOs suffering 626 weekly attacks on average per organization, compared with 430 in the previous two months.

Although the attacks span a variety of categories — including ransomware, botnets, remote code execution and DDoS — perhaps unsurprisingly, it is ransomware that displayed the largest increase overall and poses the biggest threat to HCOs, according to Check Point.

Ryuk and Sodinokibi (REvil) were highlighted as the main culprits.

In fact, financially motivated cyber-criminals have been going after the healthcare sector since the start of the COVID-19 crisis, well aware that hospitals and clinics are distracted with the huge surge in cases coming through their doors.

Microsoft revealed in April how these groups are increasingly using APT-style tactics to gain a foothold in networks, perform lateral movement and credential theft, and exfiltrate data before deploying their ransomware payload.

Central Europe experienced the biggest rise in cyber-attacks on its HCOs during the period (145%), followed by East Asia (137%) and Latin America (112%).

Europe recorded a 67% increase, although Spain saw attacks double and Germany recorded a 220% surge. Although North America (37%) saw the smallest rise regionally, Canada experienced the biggest increase of any country, at 250%.

“This past year, a number of hospital networks across the globe were successfully hit with ransomware attacks, making cyber criminals hungry for more,” explained Check Point manager of data intelligence, Omer Dembinsky.

“Furthermore, the usage of Ryuk ransomware emphasizes the trend of having more targeted and tailored ransomware attacks rather than using a massive spam campaign. This allows the attackers to make sure they hit the most critical parts of the organization and have a higher chance of getting their ransom paid.”

Check Point urged organizations to look for the presence of Trickbot, Emotet, Dridex and Cobalt Strike, as these often presage ransomware, and to be on their guard on weekends, when attackers often strike.

Virtual patching, employee education and anti-ransomware solutions are also crucial tools in the CISO’s armory, it added.

Chinese APT Group Linked to Ransomware Attacks

Info Security - Tue, 01/05/2021 - 11:15

A well-known Chinese state-backed APT group is believed to have been responsible for multiple ransomware attacks against firms last year, according to new research.

A report from Security Joes and Pro reveals how the vendors uncovered the links after investigating an incident in which ransomware encrypted “several core servers” at an unidentified victim organization.

They found samples of malware linked to the DRBControl campaign, which targeted major gaming companies and is associated with two well-known Chinese-backed groups, APT27 (aka Emissary Panda) and Winnti.

Specifically, they claimed to have detected an older version of the Clambling backdoor used in that campaign, an ASPXSpy webshell previously used by APT27, and the PlugX RAT which is often used in Chinese attacks.

Although Winnti is known for financially motivated attacks, APT27 is generally more focused on data theft. However, the latter has previously been linked to one ransomware attack, featuring the Polar variant.

“There are extremely strong links to APT27 in terms of code similarities and TTPs,” the report noted. “This incident occurred at a time when COVID-19 was rampant across China with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising.”

The attack itself does not seem to have been particularly sophisticated.

The initial vector was a third-party service provider that had itself been infected by a third party, and the attackers used Windows’ own BitLocker encryption tool to lock down targeted servers.

ASPXSpy was deployed for lateral movement and PlugX and Clambling were loaded into memory using a Google Updater executable vulnerable to DLL side-loading. Popular open source tool Mimikatz was also used in the attack and a publicly available exploit for CVE-2017-0213 was used to escalate privileges.

Gaming firms are an increasingly popular target among financially motivated attackers, according to new research released yesterday by Kela. The threat intelligence firm claimed to have discovered one million compromised internal accounts from gaming companies on the dark web, and 500,000 breached credentials belonging to employees.

HelpSystems Acquires FileCatalyst to Boost Data Transfer Portfolio

Info Security - Tue, 01/05/2021 - 10:22

Software firm HelpSystems has announced the acquisition of FileCatalyst to boost the speed and security of its file transfer offerings.

FileCatalyst specializes in helping organizations transfer extremely large files hundreds of times faster than the File Transfer Protocol (FTP) allows. These include video and other media-rich files, big data and extensive databases, which are particularly important for industries such as broadcast media and live sports.

This enables businesses to work more efficiently while avoiding latency and packet loss when moving around large amounts of data across global networks. 

This type of service has become increasingly important as a result of the shift to home working brought about by the COVID-19 pandemic, with file sharing often taking place across insecure channels, networks and devices. For instance, last year a study found that nearly half of SME businesses regularly share confidential files via email, including financial and employee data in spreadsheets.

Kate Bolseth, CEO of HelpSystems, commented: “Our customers and partners have expressed a growing need to move significant volumes of data more quickly than ever before, and FileCatalyst addresses this problem effectively for many well-known organizations.

“FileCatalyst is an excellent addition to our managed file transfer and robotic process automation offerings, and we are pleased to bring the FileCatalyst team and their strong file acceleration knowledge into the global HelpSystems family.”

Chris Bailey, CEO and co-founder of FileCatalyst, said: “We are thrilled to become part of a company with deep roots and expertise in both cybersecurity and automation. Our customers will find value in pairing our file transfer acceleration solutions with HelpSystems’ extensive solution suites.”

This announcement follows a number of other recent acquisitions by HelpSystems, including cloud-based data protection provider Vera last month and data classification companies Titus and Boldon James in June 2020.

NYSE U-Turn Means Chinese Telcos Escape Delisting

Info Security - Tue, 01/05/2021 - 09:30

The world’s largest stock exchange has reversed its decision to ban three Chinese telecoms companies after a Presidential order was issued late last year.

The New York Stock Exchange (NYSE) had issued its original decision to delist the firms on December 31 following President Trump’s executive order the month previously.

In it, Trump claimed that ostensibly civilian businesses in China are actually part of a giant military-industrial complex, and that by listing on US exchanges they are effectively raising funds from unwitting investors in order to modernize China’s military.

“Through the national strategy of military-civil fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” it said. 

“Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence and security apparatuses and aid in their development and modernization.”

However, in a brief statement on Monday, the NYSE said it had reconsidered its decision regarding China Telecom, China Mobile and China Unicom.

“In light of further consultation with relevant regulatory authorities in connection with Office of Foreign Assets Control FAQ 857 … the New York Stock Exchange LLC announced today that NYSE Regulation no longer intends to move forward with the delisting action in relation to the three issuers enumerated below which was announced on December 31 2020,” it stated.

A link in the statement takes readers to a US Treasury FAQ page.

The move follows a tersely worded statement from the China Securities Regulatory Commission over the weekend, which claimed that the US continues to “groundlessly suppress foreign companies listed on the US markets.”

Last month, a new law passed Congress which will force Chinese firms to comply with the Public Company Accounting Oversight Board’s (PCAOB) audits or be delisted. Companies from many other nations already do this in line with SEC rules to provide maximum transparency to investors, although China has resisted for over a decade.

The NYSE ended its brief statement by admitting that it will continue to assess the applicability of the executive order to the Chinese telcos and their listing status.

Cyber-Attack on US Laboratory

Info Security - Mon, 01/04/2021 - 17:54

An American laboratory specializing in home phlebotomy has disclosed a cyber-attack that occurred five months ago after data stolen in the attack turned up online.

Apex Laboratory opened in 1997 and is based in Farmingdale, New York. The company has provided medical testing services to hundreds of home health agencies and thousands of physicians in New York and South Florida.

On July 25, 2020, Apex learned that it had become the victim of a cyber-attack that rendered certain files and systems inaccessible. Network access was restored along with the impacted data, and the company resumed normal operations on July 27. 

A third-party cyber forensic analyst was hired by Apex to investigate the attack. The investigation found no evidence of unauthorized access or acquisition of patient information, and Apex did not disclose the incident. 

However, Apex discovered last month that the cyber-criminals behind the attack had stolen "personal and health information for some patients" and posted it online on their blog. Information believed to have been taken includes patient names, dates of birth, test results, and, for some individuals, Social Security numbers and phone numbers.

Apex is yet to reveal how many patients were impacted by the incident, but the laboratory did say that the information stolen by the threat actors could have been pinched over a four-day period. 

"It is believed that this information may have been acquired from Apex’s systems between July 21, 2020 and July 25, 2020," stated Apex. 

From a notice of data event posted by Apex on December 31, the attack sounds like it might have involved ransomware.  

The notice states: "On July 25, 2020, Apex Laboratory of Farmingdale, NY ('Apex') discovered that it was the victim of a cyber-attack and that certain systems in its environment were encrypted and inaccessible."

Apex didn't say that it paid a ransom to the cyber-attackers; however, the speedy restoration of the impacted data and the removal of the stolen data from the hacker's blog might suggest some communication between the criminals and their victim has occurred. 

The company said that it is "unaware of any actual or attempted misuse of any information other than the extracting of this data as part of the cyber-attack."

Netwrix and Stealthbits Announce Merger

Info Security - Mon, 01/04/2021 - 17:07

American cybersecurity companies Netwrix and Stealthbits Technologies, Inc. announced today that they will be merging. 

The combined entity will operate as Netwrix, with Steve Dickson continuing to serve as its chief executive officer and on the company’s Board of Directors. Steve Cochran, founder and chairman of Stealthbits, will be an investor in Netwrix and will also serve on the new entity's Board.

Terms of the transaction were not disclosed.

Netwrix has scooped up over 150 industry awards since it was founded in 2006. The new incarnation of the company will employ over 500 people and serve customers in more than 50 countries. 

“We couldn’t be more thrilled to be merging with the people and products of Stealthbits," said Dickson.

"Our combined organization can now offer data security solutions for any organization anywhere in the world."

The combined entity will continue to offer Netwrix's complete portfolio of over half a dozen security solutions aimed at identifying and detecting data security risk as well as protecting against, responding to, and recovering from cybersecurity attacks.

Cochran said that the merger will give Stealthbits' customers access to a one-stop shop for all their data protection and cybersecurity needs.

“Stealthbits has always been driven to work with our customers to solve their most challenging credential and data security requirements," said Cochran. 

"Combining our breadth of products and depth of expertise with that of Netwrix means our customers can quickly strengthen their security posture and address multiple projects and requirements through a single provider."

A press release announcing the merger said that it would speak to the problem of fragmented solutions in the data security market preventing organizations from building comprehensive security strategies to protect sensitive and regulated data.

"To address this challenge, Netwrix and Stealthbits are joining forces to leverage each other’s expertise to broaden product capabilities and improve user experience," stated the release.

Stealthbits was founded by Cochran in 2001. The cybersecurity software company's focus is on protecting an organization’s sensitive data and the credentials attackers use to steal that data. 

Last year the company won the Best Cybersecurity Company and Best Privileged Access Management Product categories in the Cybersecurity Excellence Gold Awards.

UK Rejects Assange Extradition Request

Info Security - Mon, 01/04/2021 - 16:34

A British court has ruled that WikiLeaks founder Julian Paul Assange should not be extradited to the United States to stand trial over the publication of thousands of classified diplomatic and military documents.

The US Department of Justice initially indicted Assange in April 2019 for conspiring with former US Army intelligence analyst Chelsea Manning to crack a password to a classified US government computer network, the Secret Internet Protocol Network (SIPRNet).

However, that charge was superseded in May 2019 by a new 18-count indictment alleging that beginning in late 2009, 49-year-old Assange and WikiLeaks actively solicited United States classified information, publishing a list of “Most Wanted Leaks” that sought classified documents. 

"Manning responded to Assange’s solicitations by using access granted to her as an intelligence analyst to search for United States classified documents, and provided to Assange and WikiLeaks databases containing approximately 90,000 Afghanistan war-related significant activity reports, 400,000 Iraq war-related significant activities reports, 800 Guantanamo Bay detainee assessment briefs, and 250,000 US Department of State cables," said the DOJ. 

The security incident, in which many documents classified at the Secret level were exposed, was described by the DOJ as one of the largest compromises of classified information in the history of the United States.   

In Westminster Magistrates' Court today, District Judge Vanessa Baraitser rejected, on mental health grounds, the Trump administration's request to extradite Assange to the United States.

“That extradition should be refused because it would be unjust and oppressive by reason of Mr. Assange’s mental condition and the high risk of suicide pursuant to section 91 of the EA 2003,” Baraitser said.

Referring to the opinion of Professor Michael Kopelman, medical expert and emeritus professor of neuropsychiatry at King's College London, Baraitser said, “Taking account of all of the information available to him, he considered Mr Assange’s risk of suicide to be very high should extradition become imminent. This was a well-informed opinion carefully supported by evidence and explained over two detailed reports.”

Commenting on Baraitser's decision, the Freedom of the Press Foundation said: "This is a huge relief to anyone who cares about the rights of journalists.

"The extradition request was not decided on press freedom grounds; rather, the judge essentially ruled the US prison system was too repressive to extradite. However, the result will protect journalists everywhere."

Microsoft: SolarWinds Attackers Viewed Our Source Code

Info Security - Mon, 01/04/2021 - 12:00

Microsoft has revealed that the nation state group behind a recent global cyber-espionage campaign managed to view some of the firm’s source code.

The tech giant has provided several updates in the wake of the discovery of the campaign, which appears to have targeted mainly US government agencies and tech firms and has been linked to Russia.

In the spirit of cross-industry collaboration, its latest notice goes into more detail about the attack on its own systems, which was discovered when the firm found evidence of the malicious SolarWinds binaries used to target others.

“Our investigation has revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment,” it explained.

“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”

Microsoft claimed that its use of open source development practices and culture internally means that it does “not rely on the secrecy of source code for the security of products.

“So viewing source code isn’t tied to elevation of risk,” it added.

“As with many companies, we plan our security with an ‘assume breach’ philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.”

New victims of the campaign are emerging all the time.

In late December, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a new alert warning that the same threat actor is using the same vector (SolarWinds Orion) to target not just federal but also state and local governments, as well as critical infrastructure and private sector organizations.

One Million Compromised Accounts Found at Top Gaming Firms

Info Security - Mon, 01/04/2021 - 10:34

Security researchers have warned gaming companies to improve their cybersecurity posture after discovering 500,000 breached employee credentials and a million compromised internal accounts on the dark web.

Tel Aviv-based threat intelligence firm Kela decided to investigate the top 25 publicly listed companies in the sector based on revenue.

After scouring dark web marketplaces, it discovered a thriving market in network access on both the supply and demand side.

This included nearly one million compromised accounts related to employee- and customer-facing resources, half of which were listed for sale last year.

Compromised accounts linked to internal resources like admin panels, VPNs, Jira instances, FTPs, SSOs, developer-related environments and more were found in virtually all of the top 25 gaming companies studied.

This could put these firms at risk of customer data theft, corporate espionage, ransomware and more. Kela said it had tracked ransomware attacks on four gaming companies in recent months.

“Credentials to internal resources of recently attacked companies – such as VPN, website management portals, admin, Jira and more – were put up for sale and hence were available for any potential attacker prior to the cyber-attacks that occurred,” it added.

“We also detected an infected computer (bot) which had credential logs to plenty of sensitive accounts that could be accessed by attackers upon purchase: SSO, Kibana, Jira, adminconnect, ServiceNow, Slack, VPN, password-manager and poweradmin of the company – all on a single bot. This strongly suggests that it’s used by an employee of the company with administrator rights. This highly valuable bot was available for sale for less than $10.”

Elsewhere, the researchers found half-a-million gaming employee credentials exposed on the dark web after breaches at third-party firms, many of which were available for free.

These could also provide attackers with a useful foothold in victim networks, they warned.

Kela urged gaming companies to invest in ongoing monitoring of their digital assets across the dark web, as well as enhanced staff training on things like password management, and deployment of multi-factor authentication (MFA).

NYSE to Delist Chinese Telcos on National Security Grounds

Info Security - Mon, 01/04/2021 - 09:30

The New York Stock Exchange (NYSE) has begun delisting three Chinese telecoms giants because of their alleged ties to the country’s military.

The exchange released a brief statement on December 31 outlining the process, which came in response to an executive order signed by outgoing President Donald Trump in November last year.

The three affected companies are China Telecom, one of the world’s largest telcos, China Mobile and China Unicom Hong Kong. All are based in the People’s Republic (PRC) and make the vast majority of their revenue outside the US.

“The order prohibits, beginning 9:30 a.m. eastern standard time on January 11, 2021, any transaction in publicly traded securities, or any securities that are derivative of, or are designed to provide investment exposure to such securities, of any Communist Chinese military company, by any United States person,” the note explained.

Trump’s November executive order claimed that Beijing is increasingly “exploiting United States capital” to modernize its military. Even Chinese companies which appear to be private in fact are conscripted into supporting these strategic goals, it said.

“Through the national strategy of military-civil fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” it alleged. 

“Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence and security apparatuses and aid in their development and modernization.”

As a result, these and other Chinese firms listed on US exchanges constitute an “unusual and extraordinary threat” to US national security and foreign policy and the country’s economy.

Other Chinese firms set for the same treatment include Huawei and surveillance giant Hikvision.

Last month a new bill was passed by the House of Representatives which will require all foreign firms to comply with US auditing rules or delist from the country’s exchanges. This could lead to a number of Chinese firms pulling out, as Beijing has been refusing such scrutiny on national security grounds for over a decade.

Hacker Earns $2m in Bug Bounties

Info Security - Thu, 12/24/2020 - 18:22

An ethical hacker from Romania has become the first person to earn $2m in bug bounties through the bounty hunting platform HackerOne.

Talented hacker Cosmin Lordache, also known by his HackerOne handle @inhibitor181, reached his first major earning milestone almost a year ago, when he became the seventh person to pass the million-dollar mark by reporting 468 flaws through the bug bounty hunting platform.

Today, HackerOne announced on the social media platform Twitter that Lordache’s all-time earnings had reached the $2m mark.

The company said: "334 days ago we announced Lordache as the 7th hacker to reach $1 million dollars in earnings. Today we celebrate his achievement to be the FIRST to reach $2 million! Please join us in congratulating @inhibitor181!"

Lordache, who is 30 and now lives in Germany with his wife and two dogs, started hunting for bug bounties just three years ago while working as a full-stack developer. Since taking up bug bounty hunting, he has been crowned The Assassin at both the h1-65 live hacking event in Singapore and last year's h1-4420 live hacking event in London. 

Santiago Lopez, whose hacker handle is @try_to_hack, was just 19 when he became the first bug bounty millionaire. Today, his name is joined by eight others on the bug bounty millionaire list. 

Australian Nathaniel Wakelam, known to the hacking community as @nnwakelam, is the second-highest bug bounty earner behind Lordache. To date, Wakelam has earned $1.8m, making him just $200k shy of his next major money milestone.

Demonstrating excellent sportsmanship, Wakelam shared Twitter's post regarding Lordache's achievement along with the comment "Beat me by $200k. Congratulations to @inhibitor181!"

The Aussie even encouraged his bug bounty hunting rival to keep up the good work, adding: "See you at 3M."

In 2019, HackerOne reportedly paid out approximately $40m in bug bounties, with most hackers earning under $20k per year from detecting and reporting bugs. So far, the platform has paid ethical hackers in over 170 different countries a total of $82m.

The platform currently has more than six million bug bounty hunters—a figure that has nearly doubled over the past 12 months—and hosts bug bounty hunting programs for more than 1,700 government agencies and companies. 

White Ops Acquired by Goldman Sachs

Info Security - Thu, 12/24/2020 - 17:07

American cybersecurity company White Ops announced today that it has been acquired by Goldman Sachs' Merchant Banking Division in partnership with ClearSky Security and NightDragon.

Terms of the transaction, which follows Goldman Sachs’ and ClearSky’s initial investment in White Ops earlier this year, were not disclosed.

The business was acquired from previous investors Paladin Capital Group, Grotech Ventures, and other shareholders.

White Ops was founded in 2012 and is based in New York City. The company's core focus is protecting enterprises from fraud and sophisticated bot attacks, including account takeover, automated account creation, and web scraping, by verifying interactions. 

In a year that has seen many businesses struggle and fail, White Ops has grown the number of customers it serves by 40%. To deal with the extra workload, the company increased the number of people it employs by 25% to 170.

According to statements made on its website, White Ops currently verifies over 10 trillion interactions per week.

CEO and co-founder of White Ops Tamer Hassan said that the acquisition will help White Ops to accelerate its expansion into new markets. 

“Goldman Sachs, ClearSky, and NightDragon are ideal partners to support the next phase of the Company’s evolution and growth across multiple markets, use cases and geographies,” said Hassan.

“Their continued support of our mission to disrupt the economics of cybercrime, global network of relationships, and market expertise provides a very strong foundation to execute on our vision to enable collective protection for the internet.”

Jay Leek, managing partner at ClearSky, said that the strength and quality of White Ops' platform was impressive. 

"As fraud and abuse become increasingly prevalent across the digital ecosystem, enterprises and internet platforms require sophisticated threat protection now more than ever," said Leek. 

"White Ops has proven that it can stop fraud and abuse at tremendous scale."

Leek, along with representatives from Goldman Sachs, will join the Board of Directors representing ClearSky. Founder and managing director of NightDragon Dave DeWalt will join the Board of Directors representing NightDragon and serve as White Ops' vice chairman.

Categories: Cyber Risk News

SolarWinds Hackers "Impacting" State and Local Governments

Info Security - Thu, 12/24/2020 - 16:39

America's Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning over the widespread impact of a recent hacking attack that compromised the SolarWinds Orion software supply chain.

The assault on SolarWinds hit the headlines earlier this month after it was discovered and disclosed by researchers at FireEye. The advanced persistent threat (APT) group behind the attack was able to compromise government agencies, critical infrastructure, and private-sector organizations.

Recognizing the serious nature of the attack, CISA put out an emergency directive on December 13 calling “on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

On Wednesday, the agency described the pervasive campaign as a "significant cyber incident" and said that it is affecting US government at all levels. 

In a statement posted to its website, the agency said that it "is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations."

CISA stated that the APT actor responsible for compromising the SolarWinds Orion software supply chain has also carried out widespread abuse of commonly used authentication mechanisms and is well resourced. 

The agency then went on to warn organizations to focus on handling the threat posed by this particular campaign before tackling any other cybersecurity issues.   

"This threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked," warned the agency. 

"CISA urges organizations to prioritize measures to identify and address this threat."

The agency has teamed up with the Federal Bureau of Investigation (FBI) and the Office of the Director of National Intelligence (ODNI) to form a Cyber Unified Coordination Group (UCG) that will coordinate a whole-of-government response to the SolarWinds attack.

CISA said that it remains available to help organizations victimized by the incident.

The agency said that it "remains in regular contact with public and private sector stakeholders and international partners, providing technical assistance upon request, and making information and resources available to help those affected to recover quickly from incidents related to this campaign."


HelpSystems Acquires Vera to Expand Data Security Offerings

Info Security - Thu, 12/24/2020 - 12:30

HelpSystems has announced the acquisition of cloud-based data protection provider Vera.

The IT software firm said the deal will enable it to expand its data security portfolio and help meet a growing demand for solutions that can protect information throughout the full data lifecycle. This includes data classification, file transfer, data loss prevention and encryption.

The need for improved data security has been driven by the shift to remote working in many organizations as a result of the COVID-19 pandemic this year. With sensitive data now being managed across multiple networks and devices rather than within the secure perimeter walls of corporate buildings, organizations have become more vulnerable to breaches. Increasingly, businesses are using cloud technology to store sensitive IP, and keeping this secure is crucial.

Vera helps address this issue by enabling organizations to secure, track, audit and revoke data access at any time by attaching military-grade encryption, access controls, security and policy directly to data.

Kate Bolseth, CEO of HelpSystems, commented: “The market for data security is evolving fast to require a comprehensive approach to discovery, detection, classification and dynamic encryption. Vera seamlessly integrates and expands HelpSystems data security solution offerings and we welcome the Vera employees and their expertise to the global HelpSystems family.”

Shri Dodani, Vera president and CEO, said: “I’m pleased Vera is joining a global company with a comprehensive set of solutions empowering customers to strengthen their approach to data security.

“Vera solutions extend HelpSystems’ existing data security portfolio meeting the needs of our combined customers and partners.  We have been working together at some of our largest customers and have proven the joint value proposition and look forward to expanding our go-to-market leveraging HelpSystems global footprint and resources.” 

It is the latest move by HelpSystems to expand its information security options following the acquisition of two data classification companies in June.


Government Security Experts Issue Farmers with New Advice

Info Security - Thu, 12/24/2020 - 11:30

The UK’s National Cyber Security Centre (NCSC) has issued its first ever guidance for farmers, in a sign of the growing cyber-threat facing rural businesses.

Published on Tuesday, Cybersecurity for Farmers is a comprehensive guide to best practices covering everything from spotting suspicious emails and phone calls to password management, device security and the importance of backing up.

The UK’s farms are increasingly run with the aid of technologies such as automated machinery, smart security cameras and back-office management and productivity software, the NCSC claimed.

National Farmers’ Union (NFU) deputy president, Stuart Roberts, warned that this makes the sector attractive to cyber-criminals.

“Cyber-attacks can be devastating for businesses and the individuals who are victims to fraudulent activity. It can affect agricultural businesses in a number of ways, including leaking of confidential data or financial losses,” he argued.

“As farms rely more on technologies such as GPS, remote sensing and unmanned vehicles, the risks increase. Cyber-criminals are becoming increasingly sophisticated and savvy, finding new ways to exploit us or find vulnerabilities in our technological security to steal passwords, money or data.”

The guide urges farmers to: regularly patch any software, replace or update operating systems and devices when they reach end-of-life, switch on password protection and use encryption tools to protect devices, and ensure firewalls and anti-malware are on and up-to-date.

There was also advice for creating strong passwords and supplementing this with two-factor authentication, as well as anti-phishing, smishing and vishing tips.

“Technology plays a huge role in modern farming and offers many benefits that will help the industry to thrive in the 21st century,” said NCSC deputy director for economy and society, Sarah Lyons.

“We are teaming up with the NFU to share best online practice to the sector, as an increased use of technology also sees an increased risk of being targeted by cyber-criminals.”


Misconfigured AWS Bucket Exposes Hundreds of Social Influencers

Info Security - Thu, 12/24/2020 - 10:30

A misconfigured cloud storage bucket has exposed the personal details of hundreds of social media influencers, potentially putting them at risk of fraud and harassment, according to researchers.

A team at vpnMentor discovered the AWS S3 bucket wide open with no encryption or password protection, back in early November. Action has apparently yet to be taken by the company responsible, Barcelona-based “social commerce” company 21 Buttons.
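The exposure described above is the classic S3 misconfiguration: a bucket ACL or bucket policy that grants read access to everyone, with no account-level public access block to override it. The following is an added example (not code from vpnMentor, 21 Buttons or AWS) of how a defender audits those three settings offline. The inputs are constructed JSON in the shape returned by the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs; the bucket name, owner ID and finding wording are this example's own assumptions.

```python
"""Flag S3 bucket settings that open a bucket to anonymous readers.

Added example: the sample ACL, policy and PublicAccessBlock below are
constructed to mirror the API response shapes; they are not real data.
"""
import json

# Group URIs AWS uses for "everyone" and "any authenticated AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Return (group_label, permission) pairs that expose the bucket via its ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((PUBLIC_GRANTEE_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return (sid, has_condition) for Allow statements with a wildcard principal.

    A wildcard principal guarded by a Condition (e.g. a source-VPC check) may
    still be restricted, so the flag lets a reviewer triage rather than auto-fail.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            findings.append((stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return findings


def public_access_block_gaps(config):
    """Return the PublicAccessBlock settings that are not switched on."""
    return [k for k in PAB_SETTINGS if not config.get(k, False)]


def load_policy(text):
    """GetBucketPolicy returns the policy document as a JSON string."""
    return json.loads(text)


def audit_bucket(acl, policy, pab):
    """Combine the three checks into human-readable findings (empty list = clean)."""
    findings = []
    for group, perm in acl_public_grants(acl):
        findings.append(f"ACL grants {perm} to {group}")
    for sid, conditioned in policy_public_statements(policy):
        note = "with a Condition (review it)" if conditioned else "with no Condition"
        findings.append(f"policy statement {sid} allows a wildcard principal {note}")
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append("PublicAccessBlock not enabled: " + ", ".join(gaps))
    return findings


# Constructed sample: a world-readable bucket like the one in the report.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},  # placeholder canonical user ID
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY_TEXT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-media-bucket/*",  # hypothetical bucket
    }],
})
SAMPLE_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}

# The hardened state: owner-only ACL, no policy, all four blocks on.
HARDENED_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": SAMPLE_ACL["Grants"][:1]}
HARDENED_PAB = {k: True for k in PAB_SETTINGS}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_ACL, load_policy(SAMPLE_POLICY_TEXT), SAMPLE_PAB):
        print("FINDING:", line)
    print("hardened bucket findings:", audit_bucket(HARDENED_ACL, {}, HARDENED_PAB))
```

In a real account the three dictionaries come from the corresponding S3 API calls per bucket; running the audit on a schedule and alerting on any non-empty result catches the "wide open" state long before a third party finds it, and enabling the four PublicAccessBlock settings at the account level prevents an individual bucket ACL or policy from reopening it.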

For a commission, influencers upload their photos to the firm’s app and link to the e-commerce stores where users can buy the clothes they’re wearing.

According to vpnMentor, the firm has around two million monthly active users and partnerships with many of the biggest brands in Europe.

Of the 50 million files exposed in the snafu, which were mainly influencer photos and videos, the research team discovered hundreds of invoices said to relate to payments made to these social media stars.

Among the personally identifiable information (PII) exposed were full names, postal codes, bank details, national ID numbers, PayPal email addresses and the value of sales commissions.

Those caught in the data leak included Carlota Weber Mazuecos, Freddy Cousin Brown, Marion Caravano, Irsa Saleem and Danielle Metz – influencers that between them have millions of followers on the site.

The vpnMentor team warned that if cyber-criminals get hold of the PII, the victims could be exposed to follow-on phishing scams designed to obtain more bank and card details, identity fraud and stalking.

“If somebody shared the invoices publicly, bad actors would have plenty of material to identify any private accounts held by influencers, as well as their homes and workplaces,” it claimed.

“This doesn’t just make the people affected vulnerable to phishing and fraud. They’re also at risk from an invasion of privacy, doxing, stalking and harassment – both online and offline.”


New Lawsuit Takes Aim at Ring After Smart Doorbell Hijacking

Info Security - Thu, 12/24/2020 - 09:30

Dozens of customers of a popular smart doorbell are suing the Amazon-owned manufacturer after their devices were hijacked, according to a new class action lawsuit.

The new legal case joins together complaints filed by over 30 users in 15 families who say that their devices were hacked and used to harass them.

They allege that the company has failed to update its security measures in the aftermath of these incidents and that it “blamed the victims, and offered inadequate responses and spurious explanations,” according to The Guardian.

A notable case last year involved a Ring camera which was installed in an eight-year-old girl’s room by her parents. It was subsequently hijacked by a man claiming to be Santa Claus who played unsettling music through its speaker, taunted the child and asked her if they could be friends.

Other incidents cited in the case involved users being threatened with sexual assault, murder, racial slurs and blackmail, according to the report.

Although Ring’s position has been to blame users for not setting up strong enough passwords on their devices, thereby allowing attackers to brute force or guess them, the suit alleges that the company itself should have required strong passwords and two-factor authentication (2FA) out-of-the-box.

It also claims that Ring may be to blame for a 2019 incident in which compromised usernames, camera names and passwords for over 3600 users were found online.

The firm has denied that it was breached, claiming the list could have been compiled from compromises elsewhere. However, the addition of Ring camera names to the trove would seem to rule out standard credential stuffing.

Another key contention of the lawsuit is that Ring “has not sufficiently improved its security practices or responded adequately to the ongoing threats its products pose to its customers.”

The smart device market is increasingly in need of regulation to mandate baseline security for users. The UK is taking a lead on this, by forcing all consumer devices to require unique passwords which are not resettable to factory defaults, alongside other measures.

However, there’s no mention of how strong these passwords need to be, and 2FA seems to have been left out of the law.

The US lawsuit apparently covers the tens of thousands of customers who bought a Ring doorbell between 2015 and 2019, even if they were not hacked. Lead attorney on the case, Hassan Zavareei, has claimed that there may be many more users affected who don’t yet know they were hacked.


US Teen Accused of Deadly Cyber-stalking Campaign

Info Security - Wed, 12/23/2020 - 18:58

A man from New York City has been charged with waging a grim cyber-stalking campaign against a female college student. 

Desmond Babloo Singh allegedly created over 100 accounts on social media platforms and email services and used them to harass a former classmate of his sister for whom he claimed to have developed romantic feelings. 

Nineteen-year-old Singh professed his love to the unnamed victim via an Instagram story in February 2020. When she didn't return his affections, Singh allegedly accessed several of the victim's electronic accounts without authorization, changing her passwords to lock her out of the accounts.

Singh then allegedly posted offensive images and statements to the victim's accounts without authorization. Among the sentiments allegedly shared by Singh were racial slurs and express and implied threats of sexual violence, bodily injury, and death. 

The New Yorker is further accused of stealing images stored privately in the victim's Snapchat account then posting them on social media and sending them to the victim and her family members via text message.

According to the affidavit filed in support of the criminal complaint against Singh, the teen then solicited others to rape, murder, and decapitate the victim in exchange for Bitcoin. He is further accused of causing the police to show up at the victim's residence in Baltimore County, Maryland, by emailing a hoax bomb threat in a "swatting" attack. 

Singh's alleged cyber-stalking campaign went on from around April 18, 2020, to November 24. According to the affidavit, Singh also "doxed" the victim, publicly posting her personal information on several occasions, and encouraged others to harass her. 

The victim's family and an ex-boyfriend whom the Department of Justice believes Singh viewed as a romantic rival were allegedly also targeted. The affidavit states that Singh doxed the victim's family members and sent her ex harassing messages, and also posted messages attacking him online.

The complaint against Singh was filed on December 14 and unsealed yesterday. Singh is accused of the federal charges of cyber-stalking, causing intentional damage to a protected computer, aggravated identity theft, e-mailing a hoax bomb threat, and murder for hire. 

If convicted on all counts, Singh could be sentenced to a maximum of 32 years in prison.


Lazarus Attacks Vaccine Research

Info Security - Wed, 12/23/2020 - 18:14

The infamous advanced persistent threat (APT) group Lazarus is behind two recent cyber-attacks that targeted two separate entities related to COVID-19 research.

In one attack, a Ministry of Health body was hit with malware. The other incident involved the use of a different kind of malware against a pharmaceutical company that is developing a vaccine for the novel coronavirus. The company is authorized to produce and distribute the vaccine.

The attacks, which both occurred in the fall of 2020, were identified by researchers at Kaspersky. Despite the use of different tactics, techniques, and procedures (TTPs) in each assault, the researchers have now assessed "with high confidence" that both malicious activities can be attributed to the Lazarus group.

"Both attacks leveraged different malware clusters that do not overlap much," wrote researchers. "However, we can confirm that both of them are connected to the Lazarus group, and we also found overlaps in the post-exploitation process."

Researchers found that on October 27, two Windows servers belonging to the Ministry of Health entity were compromised with sophisticated malware known to Kaspersky as "wAgent." Closer analysis found that the malware used against the public health office had the same infection scheme as Lazarus’ previous attacks on cryptocurrency businesses.

The attack on the pharmaceutical company took place on September 25. Researchers found that the threat actor deployed Bookcode malware in a supply-chain attack through a South Korean software company. This particular type of malware has been previously reported by security vendor ESET to be connected to Lazarus.

Bookcode and wAgent malware have similar functionalities, with both boasting a full-featured backdoor. After deploying the final payload, the malware operator can take control of the victim’s machine.

“These two incidents reveal Lazarus group’s interest in intelligence related to COVID-19,” said Seongsu Park, security expert at Kaspersky. “While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well." 

Park went on to issue a grave warning to all organizations striving to put an end to the long-running global health pandemic. 

"We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyber-attacks,” said Park.
