Feed aggregator

German Automation Giant Still Down After Ransomware Attack

Info Security - 2 hours 31 min ago

One of the world’s biggest producers of automation tools is still crippled over a week after it was hit by a ransomware attack.

German giant Pilz was forced to notify the prosecutor’s office and Federal Office for Security in Information Technology after suffering a targeted cyber-attack the Sunday before last.

However, despite setting up an incident response team to locate the source of the attack and resolve the disruption, it warned that outages will continue for several more days.

“Since Sunday, October 13, 2019, all server and PC workstations including the communication network of the automation company have been affected worldwide. The website is currently only partially functional,” it noted in a status update.

“As a precaution, the company has removed all computer systems from the network and blocked access to the corporate network.”

The IT disruption appears to have affected delivery of shipments and communications, although email came back online around the world on Friday. The last update from the company yesterday claimed that deliveries had restarted in “certain areas.”

It’s unclear which these are, however: Pilz operates in over 70 countries around the world, across Europe, Asia Pacific and the Americas.

The firm offers a range of products vital to automate industrial environments, including: configurable safety controllers; programmable safety systems; safety sensors; operator and visualization systems; networks; system and application software; drive technology; integrated standard and safety automation systems.

Pilz is the latest in a long line of large enterprises targeted by ransomware authors looking for a big ROI on attacks.

Back in March, Norsk Hydro, the world’s number one aluminium producer, was hit by the LockerGoga variant in an attack which is said to have cost the firm at least $41m. More recently, US mailing technology company Pitney Bowes and French media giant Groupe M6 were both caught out.

Ransomware detections grew 77% from the second half of 2018 to the first six months of this year, according to Trend Micro.

Categories: Cyber Risk News

Ad Targeting Gamers Successfully Cuts Cybercrime

Info Security - Mon, 10/21/2019 - 19:20

An advertising campaign warning that DoS attacks are illegal has proved successful in reducing cybercrime. 

In a new study, researchers from the University of Cambridge and the University of Strathclyde looked at four different cybercrime prevention methods employed by law enforcement agencies in the US and UK. 

The results showed that while high-profile arrests caused only a two-week reduction in the number of cyber-attacks taking place, targeted messaging campaigns and the takedown of infrastructure led to a sharper and longer-term reduction in cybercrime.

Sentencing was found to have no widespread effect on reducing crime, perhaps because attackers in one country weren’t affected by sentences meted out elsewhere.

The research, which was presented today at the ACM Internet Measurement Conference in Amsterdam, focused particularly on denial of service (DoS) attacks. These attacks generate a large amount of traffic that overwhelms end users or web services, taking them offline. 

DoS attacks can be purchased easily from so-called "booter" service websites for just a few dollars. This cheap and accessible form of attack is popular within the gaming community as a way of wreaking revenge on another user. 

"Law enforcement are concerned that DoS attacks purchased from a booter site might be like a ‘gateway drug’ to more serious cybercrime," said Ben Collier from Cambridge’s Department of Computer Science & Technology, the paper’s first author. 

Collier and his colleagues from the Cambridge Cybercrime Centre used two datasets with granular data about the attacks from booter sites, and then modeled how the data correlated with different intervention tactics from the National Crime Agency (NCA) in the UK, the Federal Bureau of Investigation (FBI) in the US, and other international law enforcement agencies.

From late December 2017 to June 2018, the NCA targeted young gamers in the UK with Google adverts explaining that DoS attacks are illegal. The adverts would appear when a user searched for booter services.

"It’s surprising, but it seems to work, like a type of digital guardianship," said Collier. "At the exact moment you get curious about getting involved in cybercrime, you get a little tap on the shoulder.

"It might not work for people who are already involved in this type of cybercrime, but it appeared to dramatically decrease the numbers of new people getting involved."

Categories: Cyber Risk News

Avast Thwarts Cyber-spies in Suspected Second CCleaner Attack

Info Security - Mon, 10/21/2019 - 18:39

Avast has fended off a sophisticated cyber-espionage attack with the help of Czech intelligence.

The global manufacturer of antivirus products announced today that its network had been breached, in what is thought to be an attempt to gain information regarding the company's CCleaner software.

Avast identified suspicious behavior on its network on September 23. Together with the Czech police's cybersecurity division and the Czech intelligence agency Security Information Service (BIS), the company launched what they describe as "an immediate, extensive investigation." 

Evidence gathered by Avast over the ensuing weeks, and verified by an external forensics team, pointed to an MS ATA alert of a malicious replication of directory services from an internal IP that belonged to the company's VPN address range. 

The incident, which took place on October 1, was originally dismissed as a false positive. However, a review found that a threat actor had compromised the credentials of an Avast user who was associated with the internal IP. 
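An added illustration, not Avast's or Microsoft ATA's own code: a triage routine run over constructed alert records modelled on the "malicious replication of directory services" alert described above. It shows why a replication request that does not come from a domain controller, and especially one from a VPN address range, should never be auto-closed as a false positive. The record field names, the domain-controller allowlist and the VPN range are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample records (not real Avast data). Field names are an assumption,
# loosely modelled on an ATA-style directory replication alert.
SAMPLE_ALERTS = [
    {"id": "a1", "type": "DirectoryReplication", "source_ip": "10.10.1.5",
     "account": "dc01$", "target_dc": "dc02"},          # DC-to-DC, expected
    {"id": "a2", "type": "DirectoryReplication", "source_ip": "10.99.7.23",
     "account": "jdoe", "target_dc": "dc01"},           # user account from VPN range
    {"id": "a3", "type": "DirectoryReplication", "source_ip": "10.20.3.8",
     "account": "svc-backup", "target_dc": "dc02"},     # non-DC host on the LAN
    {"id": "a4", "type": "DirectoryReplication", "source_ip": "10.10.1.6",
     "account": "jdoe", "target_dc": "dc01"},           # DC address, but a user account
]

# Assumed environment facts an analyst would maintain: which hosts are
# domain controllers (only they legitimately replicate the directory) and
# which address ranges belong to the corporate VPN concentrator.
DOMAIN_CONTROLLERS = {"10.10.1.5": "dc01", "10.10.1.6": "dc02"}
DC_COMPUTER_ACCOUNTS = {"dc01$", "dc02$"}
VPN_RANGES = [ipaddress.ip_network("10.99.0.0/16")]


@dataclass
class Verdict:
    alert_id: str
    severity: str                      # "expected", "high" or "critical"
    auto_close: bool                   # may the SOC close this without a human look?
    reasons: list = field(default_factory=list)


def in_vpn_range(ip: str) -> bool:
    """True if the address falls inside any configured VPN client range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def triage(alert: dict) -> Verdict:
    """Classify one directory-replication alert.

    Replication is only expected between domain controllers using their own
    computer accounts.  Anything else is a credential or host compromise
    until proven otherwise; a VPN-range source raises it to critical because
    it means remote access with stolen credentials, exactly the pattern the
    article describes.
    """
    if alert["type"] != "DirectoryReplication":
        return Verdict(alert["id"], "high", False, ["unexpected alert type"])

    ip, account = alert["source_ip"], alert["account"]
    src_is_dc = ip in DOMAIN_CONTROLLERS
    acct_is_dc = account in DC_COMPUTER_ACCOUNTS

    if src_is_dc and acct_is_dc:
        return Verdict(alert["id"], "expected", True, ["DC-to-DC replication"])

    reasons = []
    if not src_is_dc:
        reasons.append(f"source {ip} is not a known domain controller")
    if not acct_is_dc:
        reasons.append(f"account {account} is not a DC computer account")

    severity = "high"
    if in_vpn_range(ip):
        reasons.append(f"source {ip} is inside a VPN client range")
        severity = "critical"
    return Verdict(alert["id"], severity, False, reasons)


def triage_all(alerts: list) -> list:
    """Triage a batch, most severe first, so the VPN-range case is never buried."""
    order = {"critical": 0, "high": 1, "expected": 2}
    return sorted((triage(a) for a in alerts), key=lambda v: order[v.severity])


if __name__ == "__main__":
    for v in triage_all(SAMPLE_ALERTS):
        print(v.alert_id, v.severity, "auto_close=%s" % v.auto_close, "; ".join(v.reasons))
```

Note that alert a4 stays "high" even though its source is a domain controller: a user account replicating from a DC is still abnormal, which is why the allowlist checks both source host and account.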

The hacker then managed to complete a successful privilege escalation to obtain domain admin privileges and access the company's internal network, in an attack Avast has dubbed 'Abiss.' 

Avast researchers wrote: "The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider."

Analysis of the external IPs revealed seven attempts to gain access to Avast's network had been made between May 14 and October 4, 2019. 

Avast researchers wrote: "Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions."

To track the actor, Avast left a temporary VPN profile open while they took action to protect their software and their end users, including disabling and resetting all internal user credentials.

"From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure," wrote Avast researchers.

Categories: Cyber Risk News

Most Effective Phishing Tactic Is to Make People Think They've Been Hacked

Info Security - Mon, 10/21/2019 - 17:45

New research into phishing attacks has shown that the most clicked on email subject lines are those that relate to online security concerns.

A report released today by security awareness training company KnowBe4 revealed that emails with titles that trick people into believing that they've already been hacked are the most likely to be opened.

To produce the Q3 2019 Top-Clicked Phishing Tests Report, KnowBe4 researchers sent out thousands of simulated phishing emails with various subject lines, then observed which ones drew clicks. The organization also examined "in-the-wild" email subject lines that include actual emails users received and reported to their IT departments as suspicious. 

The results found that simulated phishing test emails with the subject "Password Check Required Immediately" were the most clicked on, with 43% of users falling for this security-based ruse.

The next most clicked on subject titles, which each lured in 9% of users, were "A Delivery Attempt was made" and "Deactivation of [[email]] in Process."

Interestingly, subject lines promising vast riches or the spiciest of romances were not among the top ten most clicked. Instead, people were hooked by work-based subject lines offering basic information or the promise of relatively modest gains. 

The subject line "New Organizational Changes" hooked 4% of users, and 7% couldn't resist clicking on an email with the subject line "Updated Employee Benefits." While 4% of users gave in to the urge to open a message titled "Staff Review 2018," 6% were intrigued enough by a message called "Revised Vacation & Sick Time Policy" to give it a click. 

A further tactic that proved successful was using the universal lure of food. Researchers found that 8% of users opened a simulated phishing email with the subject line "New food trucks coming to [[company_name]]." 

"As cybersecurity threats persist, more and more end users are becoming security minded," said Stu Sjouwerman, CEO of KnowBe4. 

"They have a vested interest in protecting their online lives, so a message that sounds urgent related to their password can entice someone to click. The bad guys are always looking for clever ways to trick end users, so [users] need to remain vigilant."

Categories: Cyber Risk News

Chartered Institute of Information Security Calls for Better Collaboration on Skills and Pathways

Info Security - Mon, 10/21/2019 - 12:28

Speaking four months after the IISP was renamed as the Chartered Institute of Information Security (CIIS), CEO Amanda Finch said the re-branding was “great for us, as it puts on the map” after three and a half years of application.

Speaking at Plymouth University's Secure South West conference, she said that chartered status was important as it is “recognizing us as a proper profession” and that the CIIS is “the only pure play information security institution to have been granted Royal Charter status and is dedicated to raising the standard of professionalism in information security.”

She said that cybersecurity is still “badly defined” as a term, and work is needed to make it a profession. Admitting that we cannot be “renaissance people who do everything,” she said the profession has grown from a time when you needed to be a generalist to one that takes in multi-disciplinary areas, including physical science, psychology, legal, compliance and other skill sets.

The CIIS determines that professionalism depends on:

  • An agreed body of knowledge and skills that professionals need to have to work effectively in the field
  • Ways to provide those skills through education and training programs
  • Ways to accredit this process (both those identifying the body of knowledge and those teaching it) and attest that the individual has acquired those skills
  • The mastery of certain defined skill sets through these processes
  • Ways to demonstrate that practitioners have acquired those skills and can apply them competently
  • Ways practitioners can refresh that knowledge through continuing education
  • Codes of Ethics to ensure that practitioners act professionally

Finch argued that we need to recognize what we do have, and what we need to be developing to attract the best people. “We’ve been helping organizations to develop capabilities using development methodologies and frameworks,” and also accrediting for competencies, she said.

“So we developed a methodology to look at existing capabilities and skills and developing teams in this environment,” Finch said.

While companies may not always get “people with 100% of skills,” they should look at a person’s potential, “what basic skills you want them to have and upskill them.”

There will still be a need for specialists though, and to bring in expertise where it is needed, she said, concluding that we need to work as a community to bring the best talent in, and find good pathways to “demonstrate we’re a profession and make sure people come to us.”

Categories: Cyber Risk News

Chinese National Gets 40 Months for Exporting US Military Kit

Info Security - Mon, 10/21/2019 - 10:30

A Chinese national will spend over three years behind bars after pleading guilty to conspiring to illegally export US military technology back home.

Tao Li, 39, violated the International Emergency Economic Powers Act and was sentenced to 40 months behind bars last week.

Between December 2016 and January 2018, he’s said to have worked with others back in China to buy radiation-hardened power amplifiers and supervisory circuits — components used for military and space applications due to their ability to withstand extreme heat and high levels of radiation.

These components would ordinarily require a license to export out of the US, and the Commerce Department does not grant such licenses to China.

To try and circumvent the ban, Li used various aliases to contact individuals in US companies, seeking to obtain the parts, agreeing to pay a “risk fee” to the firms if they agreed to export the components to China.

Li wired funds from an account in China to a bank in Arizona to complete a deal, before undercover agents stepped in, lured him to the US and arrested him at Los Angeles International Airport in September 2018. Agents from Homeland Security Investigations (HSI) and the Office of Inspector General’s Defense Criminal Investigative Service (DCIS) led this operation.

“This case is one of many involving illegal attempts to take US technology to China. Li attempted to procure highly sensitive US military technology in violation of our export control laws,” said assistant attorney general John Demers.

“Such laws are in place to protect our national security, and the Department of Justice will continue to vigorously enforce them. We don’t take these crimes lightly and we will continue to pursue them.”

The news comes just days after a new CrowdStrike report revealed the true extent of China’s efforts to gain a technological and military advantage over the US. It detailed a multi-year campaign involving forced technology transfer, joint ventures, physical theft of IP from insiders and cyber-enabled espionage which helped a state-run company build the C919 commercial airliner.

Categories: Cyber Risk News

Trojanized Tor Browser Steals Users’ Digital Currency

Info Security - Mon, 10/21/2019 - 09:15

Researchers have discovered a Trojanized version of the popular Tor Browser, which has already stolen tens of thousands of dollars’ worth of digital currency from users.

Targeted at Russian users, the malicious variant is distributed via spam messages on local forums and in Pastebin posts which have been search-engine optimized to rank high for users searching for terms including drugs, cryptocurrency, censorship bypass, and Russian politicians, according to Eset.

Two domains registered in 2014 are used to spread the malware: tor-browser[.]org and torproect[.]org. In essence, the package is a version of the popular anonymizing tool from 2018 (v 7.5) with some of its default browser settings and extensions altered to disable updates and ensure the malware authors can modify the product.

The hackers also modified the HTTPS Everywhere add-on included with the browser to add a content script (script.js) that will be executed in every webpage.

“The only JavaScript payload we have seen targets three of the largest Russian-speaking darknet markets. This payload attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets,” explained Eset senior malware researcher, Anton Cherepanov.

“Once a victim visits their profile page in order to add funds to the account directly using bitcoin payment, the Trojanized Tor Browser automatically swaps the original address to the address controlled by criminals.”

At the time of writing, Eset had discovered at least 500,000 downloads of the Trojanized Tor browser and three bitcoin wallets under the control of the hackers filled with around 4.8 bitcoin ($40,000). However, they are also likely to have generated a pile of QIWI cash from victims.

The scheme takes advantage of the fact that the Putin regime is increasingly pushing Russia to adopt an online censorship apparatus akin to China’s. Earlier this year, Putin signed a new law that could allow the government to cut access to foreign servers.

Categories: Cyber Risk News

US Lawmakers Call on Apple to Reverse Hong Kong App Ban

Info Security - Mon, 10/21/2019 - 08:45

A group of US lawmakers has criticized Apple’s decision to withdraw an app used by Hong Kong protesters at the behest of Beijing, branding it “deeply concerning.”

The tech giant pulled HKmaplive from the App Store last week, claiming that it was used by the demonstrators to target police officers, and was therefore endangering their physical security.

However, its decision to censor after pressure from the Chinese government has angered senators and representatives in the US, including Ron Wyden, Marco Rubio, Ted Cruz and Alexandria Ocasio-Cortez.

They argued in an open letter that the move contradicts Apple’s purported belief that “our values drive our curation decisions.”

“You have said publicly that you want to work with China’s leaders to effect change rather than sit on the sidelines and yell at them,” it read. “We, too, believe that diplomacy and trade can be democratizing forces. But when a repressive government refuses to evolve or, indeed, when it doubles down, cooperation can become complicity.”

The app is nothing more than a tool for law-abiding protesters “defending their promised autonomy” to avoid clashes with an increasingly aggressive local police force, they said. One teenage protester was shot point blank by an officer earlier this month, despite the latter carrying non-lethal deterrents to repel violent demonstrators.

“We urge you in the strongest terms to reverse course, to demonstrate that Apple puts values above market access, and to stand with the brave men and women fighting for basic rights and dignity in Hong Kong,” the letter concluded.

However, it’s unlikely to sway the Cupertino giant, which has already banned thousands of apps from its China App Store, including various VPNs and titles designed for use by ethnic Tibetan and Uyghur minorities.

The news comes as an emboldened Beijing grows increasingly intolerant of any views seen as critical of its repressive one-party regime.

An NBA team is facing substantial financial losses after a player came out in support of Hong Kongers, while game developer Blizzard said it was banning a player and taking his prize money after he expressed similar views. The group of lawmakers penned a separate letter to the latter company, which is part-owned by Chinese giant Tencent.

Categories: Cyber Risk News

US Girl Scouts Launch First National Cybersecurity Challenge

Info Security - Fri, 10/18/2019 - 17:54

Girls across the United States of America will take part in the country's first ever National Girl Scouts Cyber Challenge tomorrow. 

Over 3,000 girls have signed up to practice their cybersecurity skills by solving a hypothetical ransomware attack on a moon base. Participants will form an incident response team that must find out who hacked the system and how they did it.

The adrenaline-filled simulation will incorporate both “plugged” stations that will require the girls to utilize traditional coding and hacking skills on laptops and tablets, as well as “unplugged” stations where they must solve written codes. 

The exciting event will allow girls to gain first-hand experience of how coding and cybersecurity are applied in the real world. No prior cybersecurity experience is necessary to take part, as organizers hope to inspire girls who haven't ever tried their hand at cybersecurity to give it a go and see if they like it. 

The challenge is being piloted at participating councils in Georgia, Colorado, Maryland, Texas, California, Arizona, Alabama, Ohio, Massachusetts, and Florida. If it proves successful, Girl Scouts of the USA (GSUSA) plans to roll the event out to all 111 of their councils.  

Presenting the challenge is US defense contractor Raytheon, which in November 2018 committed to a multi-year partnership with GSUSA to encourage girls to pursue computer science careers. Last year, with Raytheon's support, GSUSA launched its first ever national computer science program for middle and high school girls.

A spokesperson for Raytheon said: "Our future needs innovators, engineers and cybersecurity experts and we're finding them right here in today's Girl Scouts. They are cracking cyber challenges while fulfilling their potential. 

"Thanks to events like the Girl Scouts Cyber Challenge brought to you by Raytheon, more girls are seeing themselves as tomorrow’s innovators, engineers, cybersecurity experts and tech leaders."

A spokesperson for GSUSA said: "Raytheon is collaborating with Girl Scouts to help close the gender gap in STEM fields by helping prepare girls to pursue careers in fields like cybersecurity, computer science, artificial intelligence, and robotics. 

"Together, Raytheon and Girl Scouts are reaching girls during formative school years, where research shows peer pressure can sometimes deter girls from pursuing their interest in STEM."

Categories: Cyber Risk News

Italians Rocked by Ransomware

Info Security - Fri, 10/18/2019 - 16:55

Italy is experiencing a rash of ransomware attacks that play dark German rock music while encrypting victims' files. 

The musical ransomware, called FTCode, was detected by security analysts at AppRiver in malicious email campaigns directed at Italian Office 365 customers. 

Targeted inboxes have received emails with malicious content posing as resumes, invoices, or document scans. The emails include a Visual Basic script (.vbs) file that downloads and blasts out Rammstein hits while encrypting files on the victim's computer.

"The .vbs file initially launches PowerShell to download and play an mp3 file from archive.org. At first glance, we suspected it was just a renamed file extension for malware, a common practice to help evade some network gateways. However, we were amused to find it launches a Rammstein song mix," wrote AppRiver researchers.

As victims are treated to rousing renditions of "Du Hast" and "Engel," the script reaches out to a different domain to pull down a Jasper malware loader. This .vbs file enables threat actors to load additional malware of their choosing.

Once the files on the user's computer have been encrypted, a note is left on the victim's desktop, directing the user to download, install, and visit an onion site for further instructions. 

In an attempt to establish trust with the user and show that decryption is actually possible, the onion site offers the visitor a chance to test file decryption with one file before they pay the full ransom. 

The cost of the ransom is set at $500 if paid within the first three days, after which it rapidly increases to $25,000. 

David Pickett, security analyst at AppRiver, warned users not to take risks on links sent by strangers and to be particularly wary of any content that asks to be enabled. 

He said: "Users should be vigilant to never click on or open unsolicited links or documents, especially with file types they aren’t familiar with, such as script files (.vbs, .js, .ps1, .bat, etc.).  

"Any Office file that, once opened, urges the user to Enable Content or Enable Editing should be treated with the utmost caution and verified from the sender out of band before doing so. If the file is malicious, enabling content or editing disables Microsoft’s protected view and can allow a malicious payload contained within to execute."  

Categories: Cyber Risk News

Baltimore Doubles Up on Cyber-Insurance Following Ransomware Attack

Info Security - Fri, 10/18/2019 - 15:49

Five months on from a ransomware attack that brought the city to its knees, Baltimore has purchased cyber-insurance for the first time.

On May 7, Baltimore became the second US city to fall victim to a new strain of ransomware called RobbinHood. The attack took all the city's servers offline with the exception of essential services. As a result, real estate transactions were suspended, water billing was disrupted, and city employees were unable to access key documents and email. 

While Baltimore's mayor, Bernard C. "Jack" Young, won praise for not paying hackers the $76,000 ransom they demanded to decrypt the files affected by the attack, the city now faces a massive recovery bill. So far, the attack is estimated to have cost the city $18m in direct costs and lost or delayed revenue, and the figure is expected to rise. 

In a bid to protect itself from future threats, on Wednesday Baltimore approved not one but two cyber-insurance policies, each of which offers $10m in liability coverage and has a $1m deductible. 

After a competitive bidding process involving 17 different carriers, Baltimore opted to purchase a plan from Chubb Insurance costing $500,103 in premiums and a second plan from AXA XL Insurance for $335,000. Each policy will provide the city with coverage against cyber-attacks for a period of one year. 

Lester Davis, a spokesman for Mayor Young, said: "The city is going to reassess every year. They will have to go through this process again when the terms are nearing maturity."

Mayor Young said that having cyber-insurance did not dictate how Baltimore would respond to future cyber-attacks. 

Asked whether the city was more likely to pay hackers now that it had coverage, Young said: "I would talk to my team and decide that way."

Frank Johnson, who was Baltimore's chief information officer at the time of the attack, stepped down permanently from the role earlier this month after being placed on unpaid leave in September. Todd Carter, who was acting as interim CIO for the city, has now taken on the CIO position full time. 

Categories: Cyber Risk News

UK Government Announces Major New Cybersecurity Partnerships

Info Security - Fri, 10/18/2019 - 09:26

The UK government has revealed it is working with chip-maker Arm on a £36m initiative to make more secure processors.

Although details are few and far between at this stage, the government claimed that the project could help to protect more UK businesses from remote cyber-attacks and breaches, while boosting new business opportunities and productivity.

According to the government’s own data, around 60% of mid-sized and 61% of large businesses in the UK have suffered a cyber-attack or breach over the past year.

The Arm tie-up is part of the government’s Digital Security by Design initiative, also backed by Microsoft and Google.

"Achieving truly robust security for a world of a trillion connected devices requires a radical shift in how technology companies approach cyber-threats. Research into new ways of building inherently more cyber-resilient chip platforms is critical,” explained Arm chief architect, Richard Grisenthwaite.

“Our first step is to create prototype hardware, the Morello Board, as a real-world test platform for prototype architecture developed by Arm that uses the University of Cambridge’s CHERI protection model. It will enable industry and academic partners to assess the security benefits of foundational new technologies we’re making significant investments in.”

Alongside this push, the government announced a further £18m through its Strategic Priorities Fund, designed to help tackle online fraud, privacy abuses and misinformation online.

The government also announced six new “prosperity partnerships” — a £40m project designed to bring public and private sector bodies together with academia to develop emerging technologies. On board so far are Jaguar Land Rover, Eli Lilly and Company, Toshiba Research Europe, Microsoft, M Squared Lasers, Siemens and Nikon.

The first partnership, announced today, is between Toshiba Research Europe, University of Bristol, GCHQ and Roke Manor Research and will aim to develop more resilient wireless networks to tackle financial extortion, terrorism and destructive attacks.

“Secure Wireless Agile Networks (SWAN) and the wider Prosperity Partnership initiatives bring together a cadre of engineers from industry, government and academia with invaluable commercial insights and in-depth technical skills capable of delivering holistic solutions for a productive, healthy, resilient and connected nation,” said Professor Mark Beach of the University of Bristol.

"This UKRI scheme uniquely brings together partnerships who are ideally positioned to deliver technology for the wider benefits of society."

Categories: Cyber Risk News

New US Privacy Bill Would Intro Jail Time for CEOs

Info Security - Fri, 10/18/2019 - 09:05

A US senator has introduced a new privacy bill which he claims goes further than the EU’s GDPR, introducing prison sentences for culpable CEOs.

Introduced by Ron Wyden, the Mind Your Own Business Act would create a national “Do Not Track” system enabling consumers to stop companies from tracking them online, selling or sharing their data, or targeting ads based on personal information.

Like the GDPR, it would issue maximum fines of up to 4% of annual revenue to non-compliant firms, but unlike the EU law, could also levy 10-20 year criminal sentences for executives who knowingly lie to the FTC.

“Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government,” Wyden said.

“I spent the past year listening to experts and strengthening the protections in my bill. It is based on three basic ideas: consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information.”

Other provisions in the bill include: the levying of new tax penalties on CEOs who lie about privacy protections; a requirement for firms to conduct privacy assessments on the algorithms that process consumer data; and the establishing of new privacy and cybersecurity standards.

However, it’s unlikely the legislation will become law. In the meantime, states are enacting their own privacy laws, with California leading the way.

Categories: Cyber Risk News

DNC Russian Hacking Group Makes a Comeback

Info Security - Fri, 10/18/2019 - 08:33

Security researchers have uncovered new activity from the notorious Kremlin-backed APT29, or Cozy Bear, group, in an information-stealing campaign targeting foreign governments.

APT29 was blamed for the infamous cyber-attacks on the Democratic National Committee (DNC) in the run-up to the 2016 US Presidential election, which many believe helped to install Donald Trump in the White House.

However, until now there had been little other evidence of activity from the group apart from a phishing campaign in November last year.

Now ESET researchers claim to have uncovered a new operation from the group dating back to 2013, after discovering three new malware families: PolyglotDuke, RegDuke and FatDuke.

Targets for Operation Ghost include foreign ministries in at least three different countries in Europe and a Washington DC-based embassy of a European Union country.

The vendor claimed to have discovered multiple attack techniques often used by the group, including use of Twitter and other social sites to host C&C URLs; steganography in images to hide payloads/C&C comms; and use of WMI for persistence.

In addition, the researchers found that some machines infected with PolyglotDuke and MiniDuke had been infected with CozyDuke just months earlier.

“We found strong code similarities between already documented samples and samples from Operation Ghost. We cannot discount the possibility of a false flag operation, however, this campaign started while only a small portion of the Dukes’ arsenal was known,” explained ESET.

“In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now.”

The group’s MO is to steal credentials and move laterally through networks, sometimes using admin credentials to compromise machines. PolyglotDuke uses social sites for C&C as well as steganography; RegDuke uses Dropbox as a C&C server; MiniDuke is a second stage backdoor; and FatDuke represents the third stage, featuring functionality to steal logins and data.
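The techniques listed above include hiding payloads and C&C material inside images. The following is an added illustration, not ESET's or the Dukes' code, of the generic least-significant-bit mechanism such steganography relies on: one payload bit is written into the LSB of each cover byte behind a 32-bit length prefix. PolyglotDuke's real encoding is not described on this page, so that layout, the flat-colour cover bytes and the Twitter handle are all constructed assumptions.

```python
"""Least-significant-bit steganography over raw pixel bytes.

Added example, not PolyglotDuke's or ESET's code.  Layout (assumed):
32-bit big-endian payload length, then payload, one bit per cover byte.
"""

# Constructed cover: 1200 bytes of a flat colour whose bytes are all even,
# so every LSB starts at 0.  A real cover would be decoded pixel data.
COVER = bytes([0xA0, 0x60, 0x20]) * 400
# Constructed C&C pointer of the kind the page says was hosted on Twitter.
PAYLOAD = b"https://twitter.com/example_handle"


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write len(payload) (4 bytes) + payload into the LSB plane of cover."""
    message = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # clear LSB, set payload bit
    return bytes(out)


def _read_bytes(stego: bytes, offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at cover byte `offset`."""
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[offset + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Reverse of embed(): read the length prefix, then that many bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def lsb_fraction(data: bytes) -> float:
    """Fraction of 1-bits in the LSB plane.  On this constructed cover it
    jumps from 0.0 to roughly 0.5 over the region the payload occupies.
    Real photographs already have noisy LSBs, so a hunt over real images
    needs a proper statistical test (e.g. the pairs-of-values chi-square
    attack) rather than this raw ratio."""
    return sum(byte & 1 for byte in data) / len(data)


if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD)
    print("recovered:", extract(stego))
    print("LSB ratio cover / stego:", lsb_fraction(COVER), lsb_fraction(stego))
```

The detector function is there to make the point that embedding leaves a measurable trace only against a known-clean baseline; on ordinary photographs the ratio alone proves nothing.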

Categories: Cyber Risk News

A New Strain of Malware Is Terrorizing Docker Hosts

Info Security - Thu, 10/17/2019 - 18:25
A New Strain of Malware Is Terrorizing Docker Hosts

Researchers have discovered what they describe as the first crypto-jacking worm that spreads via unsecured Docker hosts.

Researchers at Unit 42 said that the new strain of malware has spread to more than 2,000 Docker hosts by using containers in the Docker Engine (Community Edition).

The new worm has been named Graboid after the fictional subterranean sandworms that made a fairly poor show of hunting humans in nineties flick Tremors. Just like its onscreen predecessors, the Graboid is quick but relatively incompetent. 

Graboid is designed to work in a randomized way that researchers said holds no obvious benefits. The malware carries out both worm-spreading and crypto-jacking inside containers, picking three targets at each iteration.

Researchers wrote: "It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target. This procedure leads to a very random mining behavior. 

"If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts." 

Graboid doesn't hang around for long, mining the cryptocurrency Monero for an average of just over four minutes before picking new vulnerable hosts to target. The worm gains its initial foothold through unsecured Docker daemons, on which a malicious Docker image is first pulled and run on the compromised host.
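The "unsecured Docker daemon" the worm needs is a daemon whose API is bound to a TCP port without TLS client verification. The following added example, not Unit 42's or Docker's code, audits a daemon.json-style configuration for that exposure and produces a corrected copy. It uses the documented daemon.json keys (hosts, tls, tlsverify, tlscacert, tlscert, tlskey); the sample configuration and the certificate paths it fills in are constructed.

```python
"""Audit a Docker daemon listener configuration for remote, unauthenticated
API exposure.  Added example, not Unit 42's or Docker's code; the configs
and certificate paths are constructed."""
import json
from urllib.parse import urlsplit

DEFAULT_SOCKET = "unix:///var/run/docker.sock"

# Constructed weak config: API reachable on the plaintext port from anywhere.
WEAK_CONFIG = {"hosts": [DEFAULT_SOCKET, "tcp://0.0.0.0:2375"]}


def audit_daemon_config(config: dict) -> list:
    """Return human-readable findings; an empty list means no remote exposure."""
    findings = []
    for host in config.get("hosts") or [DEFAULT_SOCKET]:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        bind = parts.hostname or "0.0.0.0"
        port = parts.port or 2375
        if not config.get("tlsverify"):
            findings.append(
                f"{host}: API on {bind}:{port} without TLS client verification; "
                "anyone who can reach the port can start containers as root"
            )
        elif not all(config.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but CA/cert/key paths missing")
        if bind in ("0.0.0.0", "::") and port == 2375:
            findings.append(f"{host}: bound to all interfaces on plaintext port 2375")
    return findings


def hardened_config(config: dict) -> dict:
    """Copy of config with mutual TLS required on every tcp:// listener,
    moved to the conventional TLS port 2376.  Paths are constructed."""
    fixed = dict(config)
    hosts = []
    for host in config.get("hosts") or [DEFAULT_SOCKET]:
        parts = urlsplit(host)
        if parts.scheme == "tcp":
            hosts.append(f"tcp://{parts.hostname or '0.0.0.0'}:2376")
        else:
            hosts.append(host)
    fixed["hosts"] = hosts
    fixed.update({
        "tls": True,
        "tlsverify": True,            # require a client cert signed by the CA
        "tlscacert": "/etc/docker/ca.pem",
        "tlscert": "/etc/docker/server-cert.pem",
        "tlskey": "/etc/docker/server-key.pem",
    })
    return fixed


if __name__ == "__main__":
    for finding in audit_daemon_config(WEAK_CONFIG):
        print("FINDING:", finding)
    print(json.dumps(hardened_config(WEAK_CONFIG), indent=2))
```

Even with mutual TLS, a network reachable daemon is a root-equivalent service; restricting the port at the firewall to the hosts that genuinely need remote control is the complementary check.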

Researchers warned that Graboid's nip could potentially turn into a powerful bite and advised organizations to safeguard their Docker hosts. 

Researchers wrote: "While this crypto-jacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored." 

Tim Erlin, VP, product management and strategy at Tripwire, advised developers to tackle security sooner rather than later. 

He said: "DevOps tends to favor velocity over security, but when you have to stop what you’re doing to address an incident like this, you’re losing the velocity gains you might have experienced by leaving security out of the DevOps lifecycle. Addressing security through incident response is the most expensive method to employ."

Categories: Cyber Risk News

Imposter Emails Plague Healthcare Industry

Info Security - Thu, 10/17/2019 - 17:15
Imposter Emails Plague Healthcare Industry

A study looking at cyber-attacks on the healthcare industry has found that 95% of targeted companies encounter emails spoofing their own trusted domain. 

To create the Protecting Patients, Providers, and Payers 2019 Healthcare Threat Report, cybersecurity company Proofpoint analyzed nearly a year’s worth of cyber-attacks against care providers, pharmaceutical/life sciences organizations, and health insurers.

Hundreds of millions of malicious emails later, it was clear to researchers that cyber-criminals were not just attacking infrastructure, but were also using email to directly target people.

Analyzing data spanning the second quarter of 2018 to the first quarter of 2019, researchers found that at each healthcare organization attacked, an average of 65 staff members were targeted. 

Researchers observed a preference for certain keywords in the spoof emails attackers sent when attempting to con money or information out of the patients and business partners of healthcare organizations. When sending emails designed to look like they came from a healthcare provider, criminals commonly used the words "payment," "request," and "urgent" in the subject line.

Healthcare organizations targeted by impostor emails received 43 messages of this type in Q1 2019—a 300% jump from a year ago and more than five times the volume in Q1 2017. Not a single organization analyzed in the study saw a decrease in impostor attacks over that period, and more than half were attacked more often in Q1 2019 than they were in Q1 2017. 

Each impostor attack spoofed an average of 15 healthcare staff members across multiple messages.

According to researchers, threat actors were adept at knowing just what to put in an email to spur healthcare staff into transferring money or sharing sensitive information.

Researchers wrote: "Attackers have grown skilled at researching their targets and using social engineering to exploit human nature. Some lures are just too well researched, expertly crafted, and psychologically potent to resist every time.

"Social engineering works because it taps into the way the human brain works. It uses deep-rooted impulses—such as fear, desire, obedience, and empathy—and turns them against you. And it hijacks your normal thought process to spur you to act on attackers’ behalf."

Morning was the attackers' favorite time to strike, with the largest volume of impostor email sent between 7 a.m. and 1 p.m. in the time zone of the targeted organization.
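A message that spoofs an organization's own trusted domain, the pattern reported above, is exactly what a DMARC record lets the receiving gateway reject. The following added example, not Proofpoint's code, shows the decision a gateway makes: it parses a DMARC record, checks whether the From: domain aligns with the domain that passed SPF or DKIM, applies the domain or subdomain policy, and separately flags the subject-line lure words the report names. The organization domain, DMARC record and the three messages are constructed.

```python
"""DMARC alignment check for messages claiming the organization's own domain,
plus the subject-line lure words from the report.  Added example, not
Proofpoint's code; domain, DMARC record and messages are constructed."""
import re
from email.utils import parseaddr

ORG_DOMAIN = "clinic.example"  # constructed
# Constructed _dmarc.clinic.example TXT record: reject at the org domain,
# quarantine for subdomains, strict DKIM alignment, relaxed SPF alignment.
DMARC_TXT = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@clinic.example"
LURE_WORDS = ("payment", "request", "urgent")

# Constructed messages with the SPF/DKIM outcomes a gateway would have recorded.
SPOOF = {"From": "CFO <cfo@clinic.example>", "Subject": "URGENT: payment request",
         "spf_result": "fail", "spf_domain": "mail.attacker.example", "dkim_result": "none"}
LEGIT = {"From": "billing@clinic.example", "Subject": "Invoice 4471",
         "spf_result": "pass", "spf_domain": "clinic.example",
         "dkim_result": "pass", "dkim_domain": "clinic.example"}
SUBDOMAIN_SPOOF = {"From": "it@helpdesk.clinic.example", "Subject": "Password reset request",
                   "spf_result": "fail", "spf_domain": "attacker.example", "dkim_result": "none"}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; ...' into a dict and require the DMARC1 version tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain_of(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (the real
    rule consults the public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain_of(auth_domain) == org_domain_of(from_domain)


def evaluate(msg: dict, dmarc: dict) -> dict:
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    if org_domain_of(from_domain) != ORG_DOMAIN:
        return {"action": "not-our-domain", "dmarc_pass": None, "lure_words": []}
    spf_ok = msg.get("spf_result") == "pass" and aligned(
        msg.get("spf_domain"), from_domain, dmarc.get("aspf", "r"))
    dkim_ok = msg.get("dkim_result") == "pass" and aligned(
        msg.get("dkim_domain"), from_domain, dmarc.get("adkim", "r"))
    dmarc_pass = spf_ok or dkim_ok
    if from_domain == ORG_DOMAIN:
        policy = dmarc.get("p", "none")
    else:
        policy = dmarc.get("sp", dmarc.get("p", "none"))  # subdomain policy
    lure = [w for w in LURE_WORDS
            if re.search(rf"\b{w}\b", msg.get("Subject", ""), re.IGNORECASE)]
    return {"action": "deliver" if dmarc_pass else policy,
            "dmarc_pass": dmarc_pass, "lure_words": lure}


if __name__ == "__main__":
    record = parse_dmarc(DMARC_TXT)
    for name, msg in (("spoof", SPOOF), ("legit", LEGIT), ("subdomain", SUBDOMAIN_SPOOF)):
        print(name, evaluate(msg, record))
```

A policy of p=none, which many organizations still publish, would turn the spoofed message's action into "none" (deliver and report), so the lure-word flag is a useful second signal only when the domain owner has not yet moved to quarantine or reject.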

Categories: Cyber Risk News

Recruitment Sites Expose Personal Data of 250k Jobseekers

Info Security - Thu, 10/17/2019 - 16:08
Recruitment Sites Expose Personal Data of 250k Jobseekers

The personal details of 250,000 American and British job seekers have been exposed after two online recruitment companies failed to set their cloud storage folders as private.

Names, addresses, contact information, and career histories were compromised as a result of the oversight by US jobs board Authentic Jobs and UK retail and restaurant jobs app Sonic Jobs.

Each company stored the resumes of hopeful job applicants in cloud storage containers known as buckets, hosted on the world's biggest cloud service, Amazon Web Services (AWS).

Applicants' data was exposed when both companies set the privacy settings on their buckets to public instead of private. This error meant that the resume of someone who applied for a job could be viewed and also downloaded by anyone who knew the location of the buckets.
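"Public instead of private" on an AWS bucket comes down to two documents: the bucket ACL and the bucket policy. The following added example, not AWS's or the researcher's code, evaluates both for anonymous read access. The input shapes mirror what boto3's get_bucket_acl() and get_bucket_policy() return, but the ACLs and policy below are constructed, and the account-level Block Public Access setting, which overrides both, is assumed to be off.

```python
"""Flag an S3 bucket whose ACL or policy grants read access to everyone.
Added example, not AWS's or the researcher's code; the documents are
constructed in the shape boto3 returns them."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone, no credentials needed",
                 AUTH_USERS: "any AWS account holder"}
READ_ACTIONS = {"*", "s3:*", "s3:GetObject", "s3:ListBucket"}

# Constructed ACLs: the owner grant is normal, the AllUsers READ grant is the leak.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [OWNER_GRANT]}
PUBLIC_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
# Constructed policy that makes every object readable without credentials.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::resumes-bucket/*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_acl_grants(acl: dict) -> list:
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def public_policy_statements(policy: dict) -> list:
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        readable = sorted(set(_as_list(stmt.get("Action", []))) & READ_ACTIONS)
        if not readable:
            continue
        note = " (with Condition; review whether it actually restricts callers)" if stmt.get("Condition") else ""
        findings.append(f"policy {stmt.get('Sid', '<no Sid>')} allows {', '.join(readable)} to everyone{note}")
    return findings


def bucket_exposure(acl: dict, policy=None) -> dict:
    """Combine both documents; 'public' is True if either grants anonymous read."""
    findings = public_acl_grants(acl)
    if policy:
        findings += public_policy_statements(policy)
    return {"public": bool(findings), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(bucket_exposure(PUBLIC_ACL, PUBLIC_POLICY), indent=2))
    print(json.dumps(bucket_exposure(PRIVATE_ACL), indent=2))
```

In practice the same logic runs over live data by feeding it the dicts returned by boto3's get_bucket_acl() and json.loads(get_bucket_policy()["Policy"]); get_bucket_policy() raises NoSuchBucketPolicy when there is no policy, which maps to passing None here.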

Authentic Jobs, whose client list includes accounting firm EY and newspaper the New York Times, made at least 221,130 resumes publicly accessible. A further 29,202 resumes were exposed by app Sonic Jobs, which international hotel chains Marriott and InterContinental often use to recruit new staff. 

According to Sky News, which revealed the bucket-related breaches yesterday, the total number of resumes exposed may be higher. 

After being warned of the exposure by Sky News, both companies changed their bucket settings to private. 

"We take security and privacy very seriously and are looking into how this happened," Authentic Jobs said in an email.

Security researcher Gareth Llewellyn, who discovered the bucket breaches, said: "By finding and closing these buckets we can protect people who placed their trust in these businesses and—hopefully—start drawing attention to the dangers of storing personal data in a woefully insecure manner."

Authentic and Sonic will now join Verizon, Dow Jones, GoDaddy, and WWE on a growing list of organizations that have exposed data via publicly configured AWS buckets. 

Llewellyn said that the onus is on companies to ensure the data that they store in the cloud is being stored safely.  

"Just because they leveraged a service like AWS, or even outsourced to a third party entirely, doesn't preclude them from ensuring the data entrusted to them is safe," he said.

Categories: Cyber Risk News

Rogue Mobile App Fraud Soars 191% in 2019

Info Security - Thu, 10/17/2019 - 11:01
Rogue Mobile App Fraud Soars 191% in 2019

Global fraud attacks soared by 63% from the second half of 2018 to the first six months of this year, with fake mobile applications a growing source of malicious activity, according to RSA Security.

The firm’s Quarterly Fraud Report for Q2 2019 is a useful snapshot of current trends based on detections by the vendor.

Phishing, including vishing and smishing, continues to be the biggest source of fraud — representing over a third (37%) of attacks in Q2, with attacks climbing 6% from 2H 2018 to 1H 2019.

Canada, Spain and India were the top three countries targeted by phishing, accounting for 61% of total attack volume.

However, it is attacks via rogue mobile applications that present the fastest-growing threat, soaring 191% over the same period. These attacks, which involve the spoofing of brands to trick users, now account for 29% of the total.

Elsewhere, there were also significant increases in detections of financial malware (up 80%) and social media attacks (37%).

In the e-commerce space, RSA noted that 57% of fraud transaction value in Q2 2019 came from a new device but trusted account. In online banking 88% of payment fraud attempts originated from the same combination: trusted account and new device. That is a significant increase from Q1 figures of just 20%.

This highlights the continuing popularity of account takeovers as a highly successful threat vector, RSA said.

Daniel Cohen, director of the Fraud and Risk Intelligence Unit at RSA Security, argued that digital transformation is introducing new risks that organizations must manage.

“From one-click payment buttons to mobile apps from our favorite retailers, spending our money has never been easier. However, while the growth of digital might be good for our busy schedules, it has also opened up numerous new avenues for fraudsters,” he added.

“The fact that fraud via fake mobile applications tripled in the first half of 2019 is testament to how perpetrators will constantly seek out weak points by exploiting consumers’ growing trust in mobile apps.”

Banks need to layer up protection, while consumers must play their part by understanding the tell-tale signs of phishing and taking time out to verify application publishers before downloading, Cohen advised.

Categories: Cyber Risk News

World’s Largest Child Exploitation Site Shut After Bitcoin Analysis

Info Security - Thu, 10/17/2019 - 09:45
World’s Largest Child Exploitation Site Shut After Bitcoin Analysis

Global investigators have traced Bitcoin payments to locate and shut down the dark web’s largest child exploitation website, arrest hundreds of users and rescue dozens of abused children, according to unsealed court documents.

On March 5 2018, agents from Homeland Security Investigations (HSI), Internal Revenue Service, Criminal Investigation (IRS-CI), the UK’s National Crime Agency (NCA) and Korean National Police arrested Jong Woo Son, 23, for operating the Welcome to Video site, according to the indictment.

The raid led to the seizure of around 8TB of child exploitation videos, and the arrest of over 300 alleged users of the site, believed to be the largest of its kind in terms of material stored. They hailed from the US, UK, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia, and have all been charged.

Some 23 children were also rescued from abuse by users of the site in the US, UK and Spain.

The vital intelligence behind the successful operation was generated by technology which enabled investigators to trace Bitcoin payments made by users of the site — each of whom had a unique cryptocurrency address assigned on registering an account, in order to buy videos.

The site is said to have had capacity for at least one million such addresses.

Investigators used a product known as Chainalysis Reactor to analyze the flow of digital funds to and from the site, via Bitcoin exchanges.

“Because exchanges typically perform Know Your Customer (KYC) processes, many were able to provide copies of identification, addresses, and other relevant transactions associated with those accounts,” explained Chainalysis.

“While in many cases the information supplied by the exchanges was enough to identify WTV users, in other cases IRS-CI was able to combine the account information with open source intelligence and standard investigative techniques to identify users.”

The firm was also able to break down regionally-specific information for investigators to enable global arrests, it said.
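The page does not describe Reactor's internals, but the basic analysis it performs has a well-known core: the common-input-ownership heuristic, under which every input of a transaction is assumed to be spent by one wallet, so addresses that ever co-spend are merged into a cluster. Once a cluster has paid into one of the site's per-user deposit addresses, any transaction from a KYC exchange's hot wallet into that cluster names the exchange that can identify the customer. The following added example, not Chainalysis' code, implements that generic method over a constructed ledger; the addresses, transactions and exchange labels are invented, and the heuristic is known to over-merge on CoinJoin-style transactions.

```python
"""Common-input-ownership clustering and exchange attribution over a
constructed ledger.  Added example, not Chainalysis Reactor's code.
Addresses rather than UTXOs are modelled, which is enough for the heuristic."""
from collections import defaultdict

# Constructed ledger: (txid, input addresses, output addresses)
TXS = [
    ("tx1", ["ex_withdraw_1"], ["user_a1"]),                 # exchange X pays user A
    ("tx2", ["user_a1", "user_a2"], ["wtv_dep_a", "user_a3"]),  # A deposits to the site
    ("tx3", ["user_a2", "user_a3"], ["wtv_dep_a"]),           # A deposits again
    ("tx4", ["user_b1"], ["wtv_dep_b"]),                     # B deposits to the site
    ("tx5", ["ex_withdraw_2"], ["user_b1"]),                 # exchange Y pays user B
]
# Constructed: the site assigned one deposit address per registered user.
SITE_DEPOSIT = {"wtv_dep_a": "user_a", "wtv_dep_b": "user_b"}
# Constructed: hot-wallet addresses that KYC exchanges can tie to a customer.
EXCHANGE_HOT = {"ex_withdraw_1": "exchange X", "ex_withdraw_2": "exchange Y"}


class UnionFind:
    """Disjoint sets with path halving; good enough for millions of addresses."""
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_inputs(txs) -> dict:
    """Map every input address to the frozenset of addresses it co-spent with,
    transitively (the common-input-ownership heuristic)."""
    uf = UnionFind()
    for _, inputs, _ in txs:
        uf.find(inputs[0])  # register single-input spends too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    members = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: frozenset(members[uf.find(addr)]) for addr in uf.parent}


def trace_depositors(txs, site_deposit, exchange_hot) -> dict:
    """For each site user: the wallet cluster that funded the deposit address,
    the deposit transactions, and the exchanges that paid into that cluster."""
    clusters = cluster_inputs(txs)
    result = {}
    for txid, inputs, outputs in txs:
        for user in {site_deposit[o] for o in outputs if o in site_deposit}:
            entry = result.setdefault(user, {"cluster": set(), "deposit_txs": [], "funded_by": set()})
            entry["cluster"] |= clusters[inputs[0]]
            entry["deposit_txs"].append(txid)
    for txid, inputs, outputs in txs:
        exchanges = {exchange_hot[i] for i in inputs if i in exchange_hot}
        if not exchanges:
            continue
        for entry in result.values():
            if any(o in entry["cluster"] for o in outputs):
                entry["funded_by"] |= exchanges  # this exchange holds KYC on the cluster owner
    return result


if __name__ == "__main__":
    for user, info in trace_depositors(TXS, SITE_DEPOSIT, EXCHANGE_HOT).items():
        print(user, sorted(info["cluster"]), info["deposit_txs"], sorted(info["funded_by"]))
```

The exchange label is the actionable output: it tells the investigator which KYC provider to subpoena, which is the step the Chainalysis quotes above describe.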

Son is already serving time in South Korea where he was convicted of charges relating to the dark web site.

Categories: Cyber Risk News

US Ordered Secret Cyber-Strike on Iran: Report

Info Security - Thu, 10/17/2019 - 08:55
US Ordered Secret Cyber-Strike on Iran: Report

The US ordered a secret cyber-attack on Iranian IT systems in response to the alleged Tehran-backed September 14 attacks on Saudi Arabian oil facilities, according to a new report.

Two anonymous US officials told Reuters that the attacks were targeted at Iranian hardware in an operation focused on limiting the Islamic Republic’s ability to spread propaganda.

There are few other publicly available details about the operation, although it appears to have been a much smaller-scale and less sophisticated effort than the infamous Stuxnet operation which disrupted Iran’s nuclear program almost a decade ago.

It would make sense though, given President Trump’s reluctance to get embroiled in a full-scale conflict with the country. He is reported to have called off air strikes on Iranian facilities following the June downing of a US Navy drone, for fear of escalating the stand-off.

Dave Palmer, director of technology at Darktrace, argued that nation states are increasingly turning to cyber-strikes to launch attacks on physical hardware, making it more important than ever that such infrastructure is well protected.

“We have entered a new age of cyber warfare, where sophisticated groups are using advanced software that is capable of going under the radar of traditional security controls, plants itself in the heart of critical systems and uses that knowledge to its advantage,” he said.

“Relying on human security teams will not be enough to resist attackers that are backed by nation states and therefore highly sophisticated. The only way to combat these attacks will be with AI that can automatically respond to attacks before any damage is done.”

A Tripwire study from earlier this month revealed that 93% of security professionals in transportation, manufacturing and utilities fear cyber-attacks shutting down operations, with two-thirds (66%) claiming that it could have catastrophic consequences, such as an explosion.

Categories: Cyber Risk News