Two British men have been arrested in connection with an international investigation into the unauthorized access of Microsoft networks.
Detectives from the South East Regional Organised Crime Unit (SEROCU) arrested a 22-year-old man from Lincolnshire on suspicion of gaining unauthorized access to a computer, and a 25-year-old man from Bracknell under Computer Misuse Act offences.
Detective sergeant Rob Bryant from SEROCU’s Cyber Crime Unit claimed his team had been liaising closely with officers and colleagues in the East Midlands Special Operations Unit (EMSOU), Microsoft’s cyber team, the FBI, Europol and the NCA’s National Cyber Crime Unit (NCCU).
“This group is spread around the world and therefore the investigation is being coordinated with our various partners. We’ve made two arrests in the UK this morning and have seized a number of devices,” he explained in a statement.
“We are still in the early stages of this investigation and will work with our partners to ensure that cyber-criminals have no place to hide.”
The offences took place between January and March this year, but Bryant claimed it was too early to speculate on what info the group had accessed.
However, he reassured Microsoft customers that their personal details were safe.
A Microsoft statement claimed that the arrests mark an “important step” in the fight against cybercrime. It added:
“Stronger internet security depends on the ability to identify and prosecute cybercriminals. This requires not only a strong technical capability, but the willingness to acknowledge issues publicly and refer them to law enforcement. No company is immune from cybercrime…
"We have comprehensive measures in place to prevent, detect, and respond to attacks. We also have specialist teams focused on working with law enforcement to identify people who attack either us or our customers, and we're committed to fast and effective action against attackers."
Some organizations signed up to the government-backed Cyber Essentials security certification scheme are at risk of phishing attacks after a configuration error by a third-party software provider exposed their corporate email addresses.
The IASME Consortium is one of six organizations appointed by the government to certify firms according to the scheme, which aims to drive up security standards by focusing on five essential technical controls which it’s claimed would prevent most cyber-attacks.
It also runs the IASME Governance standard, marketed as “a realistic alternative to ISO27001.”
However, it has emerged that problems with the software platform used to assess Cyber Essentials compliance have led to an unintended data breach.
IASME sent Infosecurity Magazine the following statement:
“A configuration error in the Pervade Software platform used by IASME for Cyber Essentials assessments meant that some company names and corporate email addresses were made available to a third party. That error was fixed as soon as we realised the issue and all affected companies have been notified. We have notified the relevant authorities and are following their advice.
"We re-iterate that the assessment platform itself was not compromised.”
Organizations signing up to be assessed by IASME and certified as Cyber Essentials compliant will be disappointed to hear that doing so has put them at risk. However, security experts played down the seriousness of the incident.
Ilia Kolochenko, CEO of web security company High-Tech Bridge, argued that it pales in comparison to some of the recent high-profile incidents which have led to the theft of billions of user details.
"Indeed, it can facilitate phishing attacks against the companies whose email addresses were exposed, however virtually all this data can be gathered from public sources, albeit over a much longer period of time,” he added.
“Practically speaking and due to the nature of the Cyber Essentials accreditation, all the companies from the list should have capabilities to detect and mitigate phishing attacks. Additional vigilance would certainly do no harm though."
An online fraudster has been jailed after pocketing nearly £100,000 by exploiting a glitch in his online banking platform.
James Ejankowski, 24, defrauded the Clydesdale Yorkshire Bank of more than £99,000 in December last year, according to the Teesside Gazette.
It was claimed at Teesside Crown Court that Ejankowski discovered a bug in the portal whereby he could transfer sums of money between current and savings accounts without the bank knowing – as long as he did so between the hours of midnight and 1am.
That meant he could ensure a credit balance in one account for that hour even if there was actually no money there.
Ejankowski is said to have transferred over £53,000 to his partner’s account and over £1300 to his father-in-law, whom he told he’d won the money on a scratchcard.
Some of the funds were reportedly used to pay off debts, given as gifts to family members, and to buy a Range Rover and BMW, as well as several facial tattoos.
When he finally handed himself in to police on Boxing Day he claimed there was just £40 left.
Ejankowski of Clarence Road, Bridlington, was jailed for 16 months after he pleaded guilty to fraud and his partner Charlotte Slater was handed six months suspended for 18 months with 30 days “rehabilitation activities” after admitting acquiring criminal property.
The jail term probably came as a result of Ejankowski having previously been convicted in 2015 for fraud related to selling items on the internet, for which he reportedly served community punishment.
The bank has apparently now fixed the online loophole which enabled the fraud.
Online banking fraud actually fell between 2015 and 2016, according to Financial Fraud Action UK. The payment industry body revealed earlier this year a drop of 24% to just £102m, while the number of cases increased slightly, by 2%.
Officials from the Department of Homeland Security (DHS) have confirmed reports that Russian attempts to swing the 2016 US presidential election also involved cyber-attacks against election infrastructure, but not vote tallying systems.
Appearing in public before the US Senate Intelligence Committee were Samuel Liles, acting director of the DHS Office of Intelligence and Analysis (I&A), Cyber Division, and Jeanette Manfra, acting deputy undersecretary for cybersecurity and comms at the DHS’ National Protection and Programs Protectorate.
Their joint testimony revealed that in September, investigators found “suspicious and malicious cyber activity targeting the US election infrastructure”, leading to a report published in October.
It included the following:
“While not a definitive source in identifying individual activity attributed to Russian government cyber actors, [the report] established that internet-connected election-related networks, including websites, in 21 states were potentially targeted by Russian government cyber actors… a small number of networks were successfully compromised, there were a larger number of states where attempts to compromise networks were unsuccessful, and there were an even greater number of states where only preparatory activity like scanning was observed.”
They clarified that the attacks are not thought to have been conducted against vote tallying machines but other parts of the election management infrastructure – perhaps to undermine voter confidence in the eventual result rather than actually alter the count.
The testimony continued:
“Further, we assessed that multiple checks and redundancies in US election infrastructure—including diversity of systems, non-internet connected voting machines, pre-election testing, and processes for media, campaign, and election officials to check, audit, and validate results—make it likely that cyber manipulation of US election systems intended to change the outcome of a national election would be detected.”
Also testifying at the committee was Bill Priestap, assistant director of the FBI’s counterintelligence division. He described Russia’s attempts to influence the election as its “boldest to date” in the US.
“Russia's activities included efforts to discredit Secretary Clinton and to publicly contrast her unfavorably with President Trump. This Russian effort included the weaponization of stolen cyber information, the use of Russia's English-language state media as a strategic messaging platform, and the mobilization of social media bots and trolls to spread disinformation and amplify Russian messaging.”
The testimony comes after a leaked NSA report published earlier this month confirmed that Russian intelligence officials at the GRU attacked VR Systems, a company that makes machines which authenticate voters on polling day, and then used that access to spear phish local election officials.
Microsoft has admitted interfering with third-party AV software running on Windows 10, but only if it is incompatible with the OS and needs updating.
The news came in a lengthy blog post by Rob Lefferts, partner director for the security and enterprise part of the Windows & Devices Group.
He revealed that following the Windows 10 Creators Update released on April 11, 95% of Windows PCs running third-party AV had a compatible application installed.
“For the small number of applications that still needed updating, we built a feature just for AV apps that would prompt the customer to install a new version of their AV app right after the update completed,” Lefferts explained.
“To do this, we first temporarily disabled some parts of the AV software when the update began. We did this work in partnership with the AV partner to specify which versions of their software are compatible and where to direct customers after updating.”
What’s more, Windows Defender doesn’t interfere with a user’s machine once a compatible AV app has been installed, he claimed.
“Microsoft’s own free, built-in Windows Defender Antivirus does not run periodic scans without explicit customer action or provide protection until the chosen third-party AV solution is no longer protecting the Windows 10 device due to expiration,” said Lefferts.
The Redmond security team has “worked closely with AV partners”, providing early builds of products for them to test as well as technical guidance, and regularly proposes new ideas on customer protection to the community of security partners, he added.
The blog could be seen as a response to accusations from Russian AV vendor Kaspersky Lab that it abuses its dominant position in the OS market to force its own AV on users.
Antitrust investigators are already probing the claims in Russia and Kaspersky Lab has filed lawsuits with the European Commission and German Federal Cartel Office.
A lengthy blog post published last November by CEO Eugene Kaspersky details the main points of contention, many of which Lefferts has now addressed.
“When you upgrade to Windows 10, Microsoft automatically and without any warning deactivates all ‘incompatible’ security software and in its place installs … you guessed it – its own Defender antivirus,” Kaspersky claimed.
“But what did it expect when independent developers were given all of one week before the release of the new version of the OS to make their software compatible? Even if software did manage to be compatible according to the initial check before the upgrade, weird things tended to happen and Defender would still take over.”
Kaspersky also claimed that Microsoft buries renewal notices for third-party AV, a point which Lefferts appeared to dispute.
“In the case of paid AV solutions, we worked with our AV partners to build a consistent set of notifications to inform customers if their license is about to expire and to present options to renew the license,” the Microsoft man said.
“Only when an AV subscription expires, and the AV application decides to stop providing protection to the customer, will Windows Defender Antivirus begin providing protection.”
Almost half (44%) of security professionals would rather have root canal surgery than make the dreaded walk of shame to the boardroom to explain that they’ve suffered a data breach, according to results from a survey carried out by malware protection firm Lastline at Infosecurity Europe 2017.
Lastline polled 326 information security professionals during the conference at London’s Olympia earlier this month and revealed the severity with which all organizations—regardless of size or industry—treat the prospect of a data breach.
“The fact that nearly half of cybersecurity professionals would prefer to undergo a painful dental procedure than face their board about a data breach just shows how seriously these attacks affect organizations today.
“On a more positive note, it does show that cybersecurity has risen up the board’s agenda,” he added.
Concerns have been raised for some time about how high up the priority list cybersecurity and data protection has been for boards within organizations, but it would appear that the unprecedented levels of data loss seen over the last 12-18 months has made information cybersecurity a top concern for all corners of a company.
Speaking to Infosecurity, Steve Durbin, managing director of the Information Security Forum, said that the reality of operating in cyber space is that at some point things will go wrong, and that could mean a breach or loss of personal data.
“With regulators tightening their focus in this area, and with GDPR this will only increase, boards are at last beginning to realize that they have a key role to play in ensuring the security of the business,” he explained.
However, in many cases we are still a long way off the level of mutual trust and understanding required to ensure that cybersecurity is aligned with corporate strategy, Durbin added.
“Security leaders need to continue to develop their relationship with the board to explain, in business language, the implications of certain actions and the requirements for good cyber-hygiene across the business. This requires the commitment of the business and security to work collaboratively.
“Nobody likes to deliver bad news to the board, and let's face it, boards are not eager to hear such news, but a closer relationship based on regular updates and sharing of steps being taken to align security with strategic business direction will at least ensure a higher degree of understanding in the boardroom that whilst a breach of some nature may be inevitable.”
Japanese carmaker Honda has admitted it was forced to briefly shut down a manufacturing plant after finding WannaCry ransomware on its network weeks after the threat first struck around the world.
The firm is said to have pulled the plug at its Sayama plant on Monday after discovering a day earlier that the notorious ransomware was present on machines in Japan, North America, Europe, China and elsewhere.
A spokeswoman told Reuters that the firm had worked to patch systems against the threat when it emerged in mid-May.
Those efforts appear to have failed spectacularly, although the Sayama factory, which is said to produce 1000 vehicles per day, apparently reopened a day later and other plants were not affected.
WannaCry shook organizations across the globe when it landed on May 12, exposing poor patch management and a lack of basic security hygiene.
Official figures are difficult to come by, but two days after it broke, the threat had infected 200,000 victims in 150 countries, according to Europol.
Security experts were keen to stress the importance of prompt and comprehensive patching following the Honda incident.
“This latest incident reminds us that our efforts to defend our organizations against emerging threats are continuous. Regular review of all systems and their communication protocols is necessary and, more importantly, a thorough analysis of access controls,” advised One Identity UK director, Andrew Clarke.
“Often in organizations individuals are provisioned to access systems for short periods and are never deprovisioned, which means over time they get excessive access that can be damaging to the business if misused. Tools to control and manage overall access are critical. Malware such as WannaCry takes advantage of gaps in security so to be truly safe requires a continuous and thorough approach which embraces the multiple aspects of cyber security."
Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, added that Honda was right to cease production.
“The safety of employees should be of utmost concern,” she said. “However this incident could have been prevented with basic security hygiene, a patch management program and automatic updates to systems."
The ransomware that caused widespread disruption at two UK universities last week is now thought to have been spread via a much larger malvertising campaign, according to Proofpoint.
Kafeine, a researcher at the security vendor, explained that the C&C IP address for the ransomware in question is commonly associated with the Mole family and payloads linked to the Astrum exploit kit, a known favorite of the banking trojan group AdGholas.
“At that stage, we were almost convinced the events were tied to AdGholas / Astrum EK activity. We confirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com,” the blog post continued.
This host was apparently being used in a large scale malvertising campaign targeting the UK, Australia, Canada, Italy, Monaco, Liechtenstein, Luxembourg, Switzerland, Japan, Taiwan and the United States.
All compromised hosts are said to have contacted the Astrum C&C IP address.
“It appears that between June 14 and 15, Astrum was dropping Mole ransomware in the United Kingdom and likely in the US. Mole is a member of the CryptFile2/CryptoMix ransomware family. We do not know the payloads in other countries, but, based on past activity, we are confident they were banking Trojans. Unlike ransomware, bankers are generally less noisy and often remain unnoticed by victims,” Kafeine concluded.
“AdGholas malvertising redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today. Full HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value website and targets.”
The UK universities caught up in the campaign, UCL and Ulster University, appear to be back to normal now.
UCL’s IT team initially claimed a zero-day threat was the cause of the ransomware, which now seems wide of the mark. However, the drive-by nature of malvertising would have made this attack particularly hard to guard against.
The dwell time for hackers inside victim networks fell by nearly half over the past year, although the time from intrusion to containment of such threats remained virtually the same, according to Trustwave.
The security firm’s 2017 Trustwave Global Security Report comprises analysis from hundreds of data breach investigations around the world, as well as tens of millions of network vulnerability and web transaction scans.
It claimed that threat detection is getting better: the median number of days from an initial intrusion to detection of a compromise fell from 80.5 days in 2015 to 49 days last year. The figure was higher (65 days) for externally detected threats than internal (16).
However, values ranged from zero days to a whopping 2000, which is more than five years.
What’s more, despite organizations taking just 2.5 days to contain a detected threat, the median time taken from intrusion to containment remained virtually the same, at 62 days versus 63 in 2015.
Making the job of the white hats even harder, cyber-criminals are increasingly looking to hide their malware from security filters by using obfuscation techniques (83%) and/or encryption (36%), Trustwave claimed.
Elsewhere, the firm revealed an increase in incidents hitting Point of Sale (POS) systems, from 22% to 31%, while e-commerce attacks fell from 38% to 26%. Unsurprisingly, the US was the focal point of most POS attacks, likely a result of its sluggish adoption of EMV.
Trustwave CEO and president, Robert McCullen, argued that attackers are evolving their tactics with the efficiency of legitimate businesses, focusing on “extreme paydays.”
“Meanwhile security skills and talent remain scarce,” he added.
“As an industry, we must continue to focus on key areas like threat detection and response, security scanning and testing and cloud security services that provide meaningful layers of protection from constantly evolving threats.”
Microsoft has confirmed that it is dealing with an ongoing Skype outage with the communications app suffering connectivity issues.
Whilst the tech giant has yet to confirm what has caused the problem, some have claimed it was the result of a cyber-attack.
The failure started on Monday June 21 with Microsoft making the issue public on Twitter and its blog:
“Hello, we are aware of an incident where users will either lose connectivity to the application or may be unable to send or receive messages. Some users will be unable to see a black bar that indicates to them that a group call is ongoing, and longer delays in adding users to their buddy list”, the firm explained.
Subsequent updates from Microsoft yesterday read:
[June 20, 14:00 GMT] “We're seeing improvements and users also signal us they can use Skype. However, there are still users that may experience the issue - we're working on that!”
[June 20, 20:00] “We have made some configuration corrections and mitigated the impact. We are continuing to monitor and we will post an update when the issue is fully resolved.”
Suspicions have been raised that the outage was caused by some form of attack, DDoS being the most likely, speculations fueled by a Tweet emanating from the Twitter profile of “Mass Ddos Attacker” CyberTeam, who wrote:
[June 19] “Skype down by CyberTeam”
Again, whilst this is yet to be confirmed, if indeed the source of the outage was DDoS, it is yet another example of the impact these attacks can cause.
“The bottom line is that DDoS attacks can take virtually any company offline – a reality that any business must be prepared to defend against,” said Stephanie Weagle, VP, Corero Network Security. “It isn’t just the giant attacks that organizations need to worry about. Small, sub-saturating attacks, which most IT and network security wouldn’t even recognize as a DDoS attack are more common than not. In fact, the majority of DDoS attacks are less than five minutes in duration and under 1 Gbps – these shorter attacks typically evade detection by most legacy and homegrown DDoS mitigation solutions.”
More than one in four organizations globally was affected by the Fireball or WannaCry attacks during May.
According to Check Point’s latest Global Threat Impact Index, two of the top three malware families that impacted networks globally were zero-day, previously unseen attacks. Fireball impacted one in five organizations worldwide, with second-place RoughTed impacting 16% and third-place WannaCry affecting nearly 8% of organizations globally.
These two malware variants, Fireball and WannaCry, rapidly spread worldwide throughout the month of May. Fireball takes over target browsers and turns them into zombies, which it can then use for a wide range of actions including dropping additional malware or stealing valuable credentials. WannaCry takes advantage of a Windows SMB exploit called EternalBlue in order to propagate within and between networks. WannaCry was particularly high profile, bringing down a myriad of networks worldwide.
By contrast, RoughTed is a large-scale malvertising campaign used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
In addition to the top three, there were also other new variants seen within the top ten of the index, including Jaff (No. 8), another form of ransomware, demonstrating how profitable this particular attack vector is proving for malicious parties.
The top mobile malware were Hummingbad, an Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises; Hiddad, an Android malware which repackages legitimate apps and then releases them to a third-party store; and Triada, a modular backdoor for Android which grants superuser privileges to downloaded malware and helps it get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
“To see so many brand-new malware families among the world’s most prevalent cyberattacks this month underlines just how innovative cyber-criminals can be, and shows how dangerous it is for organizations to become complacent,” said Maya Horowitz, threat intelligence group manager at Check Point. “Organizations need to remember that the financial impact from cyber-attacks goes way beyond the initial incident. Restoring key services and repairing reputational damage can be a very long and expensive process.”
As our business and personal lives continue to be inundated with images and videos across mediums, McAfee has observed an increase in attackers leveraging these forms of content to pass malicious information by security protection systems without detection.
This is known as malicious steganography, the practice of concealing messages in images, audio tracks, video clips or text files to avoid detection by security systems. According to the McAfee Labs Threats Report: June 2017, this leaves consumers and enterprises exposed to viruses and malware that can either download software that steals information off of the infected system, or download ransomware that encrypts the PC’s information and holds it for ransom until the user pays.
The first known use of steganography in a cyberattack was in the Duqu malware in 2011, McAfee said. When using a digital image, secret information is inserted by an embedding algorithm, the image is transmitted to the target system, and there the secret information is extracted for use by malware. The modified image is often difficult to detect by the human eye or by security technology.
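To make the embed-then-extract cycle described above concrete, and to show the kind of statistical check a defender can run against it, here is an added Python example that is not McAfee's code and not taken from the report. It hides a payload in the least significant bit of each pixel of a constructed grayscale image (a plain list of 8-bit values, not a real picture), recovers it, and then applies the Westfeld-Pfitzmann "pairs of values" chi-square test: LSB embedding can only move a pixel between 2k and 2k+1, so it equalises the counts within each pair, and the statistic collapses on the stego image while staying high on the cover. The cover image, the payload and all function names are assumptions made for the demonstration.

```python
import hashlib
import struct


def embed_lsb(cover, payload):
    """Write a 32-bit big-endian length prefix plus the payload, one bit per
    pixel, into the least significant bit of `cover` (a list of 0..255 ints).
    Returns a new list; the cover is not modified."""
    bits = []
    for byte in struct.pack(">I", len(payload)) + payload:
        bits.extend((byte >> (7 - i)) & 1 for i in range(8))
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # replace only the LSB
    return stego


def extract_lsb(stego):
    """Inverse of embed_lsb: read the length prefix, then that many bytes."""
    def read_bytes(start_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = struct.unpack(">I", read_bytes(0, 4))[0]
    return read_bytes(32, length)


def chi_square_pairs(pixels):
    """Pairs-of-values statistic: for every pair (2k, 2k+1) compare the count
    of 2k with the pair mean. Random LSB embedding pushes each pair toward
    equality, so a low value relative to the cover indicates embedding."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2 = 0.0
    for k in range(128):
        n_even, n_odd = hist[2 * k], hist[2 * k + 1]
        expected = (n_even + n_odd) / 2
        if expected:
            chi2 += (n_even - expected) ** 2 / expected
    return chi2


def make_cover(n=2048):
    """Constructed cover: a slow gradient biased toward even values (an
    assumption standing in for a lightly processed natural image)."""
    cover = []
    for i in range(n):
        v = ((i * 5) // 7 + 30) % 256
        if i % 4:
            v &= 0xFE
        cover.append(v)
    return cover


def demo():
    """Embed a 224-byte constructed payload, recover it, and compare the
    chi-square statistic of cover and stego image."""
    cover = make_cover()
    payload = hashlib.sha256(b"constructed payload").digest() * 7
    stego = embed_lsb(cover, payload)
    return {
        "recovered_ok": extract_lsb(stego) == payload,
        "chi2_cover": chi_square_pairs(cover),
        "chi2_stego": chi_square_pairs(stego),
    }


if __name__ == "__main__":
    result = demo()
    print("payload recovered:", result["recovered_ok"])
    print("chi-square cover: %.1f  stego: %.1f" % (result["chi2_cover"], result["chi2_stego"]))
```

The chi-square check is a screening tool, not proof: a cover whose value pairs are already balanced, or a payload that fills only a small fraction of the pixels, weakens the signal, which is why the demo embeds into most of the image. In a real pipeline the statistic would be computed over a decoded image buffer and compared against a baseline for that image source.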
“There are hundreds, if not thousands, of anti-security, anti-sandbox and anti-analyst evasion techniques employed by hackers and malware authors, and many of them can be purchased off the shelf from the Dark Web,” said Vincent Weafer, vice president of McAfee. “This quarter’s report reminds us that evasion has evolved from trying to hide simple threats executing on a single box, to the hiding of complex threats targeting enterprise environments over an extended period of time, to entirely new paradigms, such as evasion techniques designed for machine-learning-based protection.”
Malware developers began experimenting with ways to evade security products in the 1980s, when a piece of malware defended itself by partially encrypting its own code, making the content unreadable by security analysts. The term evasion technique groups all the methods used by malware to avoid detection, analysis and understanding. McAfee classifies these evasion techniques into three broad categories:
Anti-security techniques: Used to avoid detection by antimalware engines, firewalls, application containment, or other tools that protect the environment.
Anti-sandbox techniques: Used to detect automatic analysis and avoid engines that report on the behavior of malware. Detecting registry keys, files, or processes related to virtual environments lets malware know if it is running in a sandbox.
Anti-analyst techniques: Used to detect and fool malware analysts, for example, by spotting monitoring tools such as Process Explorer or Wireshark, as well as some process-monitoring tricks, packers, or obfuscation to avoid reverse engineering.
McAfee sees network steganography as the newest form of this discipline, as unused fields within the TCP/IP protocol headers are used to hide data. This method is on the rise because attackers can send an unlimited amount of information through the network using this technique.
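The header fields that network steganography abuses are ones a receiver ignores, which also makes them easy to audit. The following added Python example (not McAfee's code and not from the report) builds two constructed IPv4/TCP packets, one clean and one with data written into fields that should be zero, parses the fixed 20-byte headers with `struct`, and reports the indicators a defender would look for: the reserved IPv4 flag bit, the reserved bits that follow the TCP data offset, and an urgent pointer set without the URG flag. The packets, addresses and function names are assumptions for the demonstration; checksums are left at zero and are not validated.

```python
import struct

# Fixed 20-byte header layouts (RFC 791 IPv4, RFC 793 TCP), no options.
IPV4 = struct.Struct("!BBHHHBBH4s4s")
TCP = struct.Struct("!HHIIBBHHH")

IP_RESERVED_FLAG = 0x8000  # high bit of the flags/fragment-offset word; must be zero
TCP_URG = 0x20             # URG flag in the TCP flags byte


def build_packet(ip_flags_frag=0x4000, tcp_offset_byte=0x50, tcp_flags=0x18, urg_ptr=0):
    """Constructed IPv4+TCP packet 10.0.0.1:40000 -> 10.0.0.2:443 with no payload.
    Defaults give a clean packet: DF set, data offset 5, PSH|ACK, no urgent data."""
    ip = IPV4.pack(0x45, 0, 40, 0x1234, ip_flags_frag, 64, 6, 0,
                   bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = TCP.pack(40000, 443, 1, 1, tcp_offset_byte, tcp_flags, 65535, 0, urg_ptr)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return the header fields relevant to covert-channel screening."""
    vihl, tos, _total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = IPV4.unpack_from(pkt, 0)
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (vihl & 0x0F) * 4
    _sport, _dport, _seq, _ack, off_byte, flags, _win, _tcsum, urg = TCP.unpack_from(pkt, ihl)
    return {
        "ip_flags_frag": flags_frag,
        "ip_id": ident,
        "tos": tos,
        "tcp_data_offset": off_byte >> 4,
        "tcp_reserved": off_byte & 0x0F,  # reserved bits after the data offset
        "tcp_flags": flags,
        "urg_ptr": urg,
        "src": src,
        "dst": dst,
    }


def covert_header_indicators(pkt):
    """List the header anomalies that suggest data hidden in unused fields."""
    h = parse_ipv4_tcp(pkt)
    findings = []
    if h["ip_flags_frag"] & IP_RESERVED_FLAG:
        findings.append("ipv4 reserved flag bit set")
    if h["tcp_reserved"]:
        findings.append("tcp reserved bits non-zero")
    if h["urg_ptr"] and not h["tcp_flags"] & TCP_URG:
        findings.append("urgent pointer set without URG flag")
    return findings


if __name__ == "__main__":
    clean = build_packet()
    # Constructed suspicious packet: reserved IP flag, TCP reserved nibble 0xA,
    # and two ASCII bytes "AB" carried in the urgent pointer with URG clear.
    covert = build_packet(ip_flags_frag=0xC000, tcp_offset_byte=0x5A, urg_ptr=0x4142)
    for name, pkt in (("clean", clean), ("covert", covert)):
        print(name, covert_header_indicators(pkt) or "no indicators")
```

Per-packet checks like these catch the crude cases; channels that modulate fields with legitimate values (IP ID, initial sequence numbers, timestamps) need per-flow statistics rather than field validation, and that is a separate piece of detection logic.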
Aside from the steganography analysis, the report also found that in the first quarter of 2017, there were 244 new threats every minute, or more than four every second. McAfee also counted 301 publicly disclosed security incidents in Q1, an increase of 53% over the Q4 2016 count. The health, public and education sectors comprised more than 50% of the total.
New malware samples rebounded in Q1 to 32 million. The total number of malware samples increased 22% in the past four quarters to 670 million known samples. New ransomware samples rebounded in Q1 primarily due to Congur ransomware attacks on Android OS devices. The number of total ransomware samples grew 59% in the past four quarters to 9.6 million known samples.
Mobile malware reports from Asia doubled in Q1, contributing to a 57% increase in global infection rates. Total mobile malware grew 79% in the past four quarters to 16.7 million samples. The largest contributor to this growth was Android/SMSreg, a potentially unwanted program detection from India.
Also, during the past three quarters, new Mac OS malware has been boosted by a glut of adware. Although still small compared with Windows threats, the total number of Mac OS malware samples in the fourth quarter of 2016 was 460,000.
Girl Scouts USA (GSUSA) is ready to turn out some budding white-hats along with those delicious cookies: The group will soon begin offering badges on cybersecurity.
As most of us know, Girl Scout badges are insignia that participants earn and display on their uniforms to demonstrate their mastery of a given topic. GSUSA is partnering with Palo Alto Networks on a national badge system that aims to help girls explore opportunities in science, technology, engineering and math (STEM) while developing problem-solving and leadership skills. There will be 18 new badges in all, to be made available to its 1.8 million participants in grades K-12 (ages 5 to 18). The first in the series will debut in September 2018.
According to the latest Cybersecurity Jobs Report by Cybersecurity Ventures, the worldwide deficit of qualified cybersecurity professionals will reach 3.5 million by 2021. A deficit of this magnitude can inhibit the industry's ability to prevent cyber breaches, and the challenge is compounded by the growing frequency and sophistication of cyber-attacks. Getting ahead of tomorrow's threats requires a larger, more diverse and innovative team of problem solvers.
A study by (ISC)², Global Information Security Workforce Study: Women in Cybersecurity, shows that women remain vastly underrepresented in the cybersecurity industry, holding just 11% of jobs globally. Plus, according to research by the Computing Technology Industry Association, 69% of women who have not pursued careers in information technology attribute their choice to not knowing what opportunities are available to them.
"At Girl Scouts of the USA, we recognize that in our increasingly tech-driven world, future generations must possess the skills to navigate the complexities and inherent challenges of the cyber-realm,” said Sylvia Acevedo, CEO of GSUSA, which recently marked its 100-year anniversary. “From arming our older girls with the tools to address this reality to helping younger girls protect their identities via internet safety, the launch of our national cybersecurity badge initiative represents our advocacy of cyber preparedness, and our partnership with Palo Alto Networks makes a natural fit for our efforts. It is our hope that our collaboration will serve to cultivate our troops' budding interest in cybersecurity by providing access to invaluable knowledge that may otherwise not be available to girls in communities across the United States."
The national effort is meant to be a step toward eliminating traditional barriers to industry access, such as gender and geography, but the new badges also will deepen the existing commitment that Girl Scouts has made to STEM by using the organization's "fun with purpose" K–12 curriculum that inspires girls to embrace and celebrate scientific discovery in their lives at all ages.
"Our mission to prevent cyberattacks and restore trust in the digital age is only achievable if we make meaningful investments not just in technology but also in people,” said Mark McLaughlin, chairman and CEO at Palo Alto Networks. “Our collaboration with Girl Scouts of the USA to develop curriculum for the first-ever national cybersecurity badges will positively influence the future of our industry by helping build tomorrow's diverse and innovative team of problem solvers equipped to counter emerging cyberthreats."
The Mexican government is likely behind a major targeted surveillance campaign using sophisticated exploits developed by a notorious Israeli company to spy on journalists, lawyers and even children, according to Citizen Lab.
The Canadian research center at the University of Toronto claimed that a previously reported “exploit framework” developed by the NSO Group has been uncovered via links in over 76 messages to various targets investigating government corruption and human rights abuses in the country.
That framework includes “The Trident” – a chain of iOS zero-day exploits – and Pegasus spyware both discovered last year when they were sent to activist Ahmed Mansoor in the UAE.
Although attribution back to the Mexican government is not possible, Citizen Lab said circumstantial evidence points to involvement.
For example: the SMS content is Mexico-specific; all targets were investigating government and powerful vested interests in the country; and multiple agencies are reportedly NSO Group customers.
“The targets received SMS messages that included links to NSO exploits paired with troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats. The operation also included more mundane tactics, such as messages sending fake bills for phone services and sex-lines. Some targets only received a handful of texts, while others were barraged with dozens of messages over more than one and a half years. A majority of the infection attempts, however, took place during two periods: August 2015 and April-July 2016.”
In August 2015 one targeted journalist was questioning the government’s role in extrajudicial killings, while the President was exonerated from his part in the ‘Casa Blanca’ house buying scandal uncovered by another target.
During the second period a range of controversial stories apparently came to light including government involvement in human rights abuses, illegal killings, bribery and corruption, Citizen Lab claimed.
Its work was co-authored by rights groups R3D, SocialTic and Article 19.
A South Korean web hosting firm has agreed to pay over $1m in Bitcoins (BTC) to regain access to its files after it and thousands of businesses it supports were hit by ransomware last week.
Nayana was infected by the Erebus ransomware, hitting 153 of its Linux servers and over 3400 customer websites, according to Trend Micro.
The attackers initially demanded 550 BTC ($1.6m) for the all-important decryption key, but in an update last week Nayana CEO Hwang Chil-hong claimed to have negotiated a payment just under 400 BTC, a little over a million dollars at the time of writing.
According to its updates, the firm appears to be paying the extortionists in instalments and recovering the servers in batches, which seems to be going pretty smoothly, although Trend Micro warned that there’s still the chance that the firm could be blackmailed a second time.
That happened in the past to Kansas Heart Hospital in Wichita.
Erebus was first spotted at the end of 2016 spreading via malvertisements and re-emerged in February this year, bypassing Windows’ User Account Control to infect victim machines.
The AV giant continued:
“As for how this Linux ransomware arrives, we can only infer that Erebus may have possibly leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, Nayana’s website runs on Linux kernel 184.108.40.206, which was compiled back in 2008. Security flaws like Dirty Cow that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to.
"Additionally, Nayana’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Apache vulnerabilities and PHP exploits are well-known; in fact, there was even a tool sold in the Chinese underground expressly for exploiting Apache Struts. The version of Apache Nayana used is run as a user of nobody(uid=99), which indicates that a local exploit may have also been used in the attack.”
Erebus is largely confined to South Korea, scrambles files in “layers of encryption algorithms”, and encrypts 433 file types, targeting in particular web servers and the data stored on them, said Trend Micro.
Organizations running Linux deployments could increasingly be in the cross-hairs of ransomware authors, making regular back-ups and best practice steps such as network monitoring and segmentation, frequent patching of servers and endpoints, and IPS/IDS essential, the firm advised.
There was good news from jobs site Indeed this week as new stats suggested the UK’s cybersecurity skills gap may have eased, although the long-term trend remains dire.
The global recruitment business claimed in January that the UK has the second worst skills gap in the world after Israel, based on the number of roles advertised and the number of clicks from candidates.
However, it now claims that the shortage of people with the most in-demand skills has eased by 36%, from Q1 2015 to the first three months of 2017.
Over that two-year period, the share of cybersecurity job postings increased by 2.8%, but the share of candidate clicks soared by 40.3%, according to Indeed.
However, demand is still more than double supply, with a 42.7% mismatch recorded in Q1 2017.
The biggest skills gap was found in the category of 'cloud security', where the mismatch between supply and demand was recorded at 13.4%, and in 'disaster recovery' and 'malware' categories demand outstripped supply by a factor of four to one.
Mariano Mamertino, EMEA economist at Indeed, argued that the WannaCry ransomware epidemic in May and allegations of election hacking have hit the headlines in a big way, encouraging people to consider cybersecurity as a career.
“The jump in interest from candidates is offering some relief to the thousands of British businesses struggling to find people with the skills and experience they need to keep cyber-criminals at bay,” he added.
“But while the skills gap has narrowed, demand from recruiters is still double the supply of candidates, forcing many at-risk companies to offer increasingly attractive packages to woo the talent they need to protect one of their most precious assets – data.”
In February, industry non-profit (ISC)² warned that UK firms were heading for a security skills “cliff edge” due to the number of professionals set to retire without adequate numbers of younger replacements coming through the ranks.
It claimed that two-thirds of UK companies have too few cybersecurity employees, with 47% claiming the reason is a lack of qualified applicants.
Personal data on nearly 200 million US voters—representing 61% of the total population and the majority of eligible voters in the country—was discovered to be stored on an insecure Amazon server and thus exposed to potential compromise.
That makes it the largest leak of voter data of all time.
The information, compiled at the behest of the Republican Party, includes home addresses, birthdates and phone numbers, plus analytics data that suggests who a person is likely to vote for and why, along with their stances on hot-button issues like the Second Amendment, stem cell research and abortion. Ethnicity and religious data was also included.
Deep Root Analytics, a conservative marketing firm contracted by the Republican National Committee, stored the internal documents on a publicly accessible Amazon server for 12 days. The data totaled more than a terabyte, and was stored without password protection—it could be accessed by anyone who found the URL. It had collated the information from a variety of sources, including Karl Rove’s super-PAC American Crossroads, Kantar Media and even the American Civil Liberties Union.
“We take full responsibility for this situation,” Deep Root founder Alex Lundry told Gizmodo. “Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access…Based on the information we have gathered thus far, we do not believe that our systems have been hacked.”
UpGuard cyber-risk analyst Chris Vickery discovered Deep Root’s data by simply searching for data publicly accessible on Amazon’s cloud service.
Paul Fletcher, cybersecurity evangelist at Alert Logic, told us that the issue really doesn’t revolve around the use of the public cloud, but rather how that cloud was used.
“The fact that this exposure was discovered on a public cloud site is irrelevant,” he said. “In fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided. The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly set up, maintained and audited by the organization (and, in this case, the organization’s customer—the GOP). Extra security is also available using server side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.”
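The two controls Fletcher names, the bucket ACL and default server-side encryption, can be audited without touching the account once the settings have been exported. The following is an added example, not code from the article or from any of the firms quoted: it evaluates bucket ACL, bucket policy and encryption documents in the shapes that boto3's `get_bucket_acl`, `get_bucket_policy` and `get_bucket_encryption` return, using constructed sample documents (a weak bucket beside a hardened one) rather than live AWS calls.

```python
"""Offline audit of S3 bucket exposure settings.

Added example. The dictionaries below are constructed to match the document
shapes boto3 returns for get_bucket_acl, get_bucket_policy (after json.loads)
and get_bucket_encryption; no AWS account is contacted.
"""
import json
from typing import Any, Dict, List, Optional

# Grantee URIs that make an ACL grant public: every internet user, or every
# AWS account holder (still effectively public).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Return 'PERMISSION to GROUP' for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{grant['Permission']} to {group}")
    return findings


def _principal_is_wildcard(principal: Any) -> bool:
    """Bucket policies express 'everyone' as "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sid (or index) of every Allow statement granted to everyone.

    Statements with a Condition block are reported with a '(conditional)'
    marker so a reviewer can check whether the condition really narrows the
    audience (e.g. a VPC restriction) or is cosmetic.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        tag = stmt.get("Sid", f"statement[{i}]")
        findings.append(tag + (" (conditional)" if stmt.get("Condition") else ""))
    return findings


def default_encryption_enabled(sse_config: Optional[Dict[str, Any]]) -> bool:
    """True if the bucket applies SSE-S3 or SSE-KMS to every new object by default."""
    if not sse_config:                        # get_bucket_encryption raises when unset
        return False
    rules = sse_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
        for rule in rules
    )


def audit_bucket(acl: Dict[str, Any], policy: Optional[Dict[str, Any]],
                 sse_config: Optional[Dict[str, Any]]) -> List[str]:
    """Combine the three checks into a list of human-readable findings."""
    findings = [f"ACL grants {f}" for f in public_acl_grants(acl)]
    if policy:
        findings += [f"policy statement {s} allows Principal '*'" for s in public_policy_statements(policy)]
    if not default_encryption_enabled(sse_config):
        findings.append("no default server-side encryption")
    return findings


# Constructed samples (hypothetical account id and role name).
OWNER = {"DisplayName": "data-team", "ID": "0000000000000000000000000000000000000000000000000000000000000000"}
WEAK_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAFE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
OPEN_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow", '
                         '"Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::voter-data/*"}]}')
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "AnalystRead", "Effect": "Allow",
               "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::voter-data/*"}]}
SAFE_SSE = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/voter-data"}}]}}

if __name__ == "__main__":
    print("weak bucket:", audit_bucket(WEAK_ACL, OPEN_POLICY, None))
    print("hardened bucket:", audit_bucket(SAFE_ACL, SAFE_POLICY, SAFE_SSE))
```

The weak bucket reports a public READ grant, a wildcard-principal policy statement and missing default encryption; the hardened one reports nothing. In a real account the same documents would come from the boto3 calls named above, and the findings would be one input to a periodic review rather than a one-off check, since the article's point is that the settings must be maintained and audited, not merely set once.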
It’s significant that, once again, a third party is the weak link.
“When hackers are after your data, they’ll target trusted relationships, usually through a third-party with access to your network,” said Fred Kneip, CEO at CyberGRX, via email. “In the case of the Target breach, it was a small HVAC vendor who may not have viewed information security as a core competency or high priority. The fact that exposure can occur even through a big data firm versed in data security best practices goes to show that all third parties, regardless of the resources they have to secure your data, are potential attack vectors.”
While no formal assessment has been made as to whether the information actually has been tapped by bad actors, “the potential for this type of data being made available publicly and on the Dark Web is extremely high,” said Fletcher. “The collection (or aggregation) of PII only helps attackers build a more precise social engineering attack, especially using customized social media and phishing attack scenarios. This only aids the attacker's approach and messaging because the specificity of the details increases the temptation for many people to click on the link."
ISACA has installed its 2017-2018 Board of Directors.
At its annual general meeting, Theresa Grafenstine, inspector general of the US House of Representatives (who served as vice chair the previous term), was elected to lead ISACA’s board as chair.
Over the past 25 years, Grafenstine has served in the inspector general community in both the legislative and executive branches of the U.S. federal government. As the inspector general, she is responsible for planning and leading independent, non-partisan audits, advisories and investigations of the financial and administrative functions of the House.
ISACA also named Robert Clyde, managing director of Clyde Consulting LLC, as vice-chair. Clyde is an NACD Board Leadership Fellow and serves as executive chair of the board of directors for White Cloud Security, and executive advisor to HyTrust and BullGuard Software. He previously served as the CEO of Adaptive Computing and the CTO of Symantec.
In total, 13 individuals were installed on the 2017-2018 ISACA Board of Directors during the Saturday meeting in Chicago. In addition to Grafenstine and Clyde, the named directors are:
- Brennan P. Baybeck, vice president of Global IT Risk Management for Oracle Corp.
- Zubin Chagpar, head of Amazon Web Services’ public-sector business in the Middle East and Africa
- Peter Christiaans, senior manager of Deloitte Consulting LLP
- Hironori Goto, principal consultant of Japan’s Five-I LLC
- Michael Hughes, partner with Haines Watts in the UK
- Leonard Ong, associate director at Merck & Co.
- RV Raghu, director of Versatilist Consulting India Pvt. Ltd.
- Jo Stewart-Rattray, director of information security and IT assurance at Australia’s BRM Holdich
- Theodore H. Wolff, head of IT & Security Global Assurance practices in Vanguard’s Global IT & Security Risk and Control group
- Tichaona Zororo, IT advisory executive with EGIT | Enterprise Governance of IT (Pty) Ltd. of South Africa
- Matt Loeb, ISACA CEO
“I am grateful for the opportunity to help lead the organization that has provided me so much fulfillment,” said Grafenstine. “I am privileged to work with and on behalf of our global professional community to advance the positive potential of technology in the professions that we serve and society as a whole.”
Prior to joining the House Office of Inspector General (OIG), Grafenstine was in the Department of Defense (DoD) OIG, where she led acquisition audits of major weapon systems and was selected to respond to high-profile Congressional audit requests.
“Terry’s passion for ISACA, breadth of experience and dedication to our global professional community make her ideally suited to provide inspired leadership for our board and the entire organization,” said Loeb. “It is a privilege to work with her and the entire board as we advance our efforts to maximize ISACA’s impact, support the professions we globally serve, and deliver on the positive potential of technology.”
A cadre of Nigerian hackers has successfully stolen sensitive commercial data from industrial firms around the world.
Kaspersky Lab said that while there were indications last autumn and dating back to 2015 that there was an ongoing phishing campaign aimed at this sector, new evidence shows that the attack is much more widespread than originally thought: There have been more than 500 attacked companies in more than 50 countries so far—and most are industrial enterprises and large transportation and logistics corporations.
The emails used in such attacks are made to look as legitimate as possible so that the employees who receive them open the accompanying malicious attachments without giving them much thought. The emails were sent on behalf of various companies that did business with potential victims: suppliers, customers, commercial organizations and delivery services. The emails asked recipients to check information in an invoice as soon as possible, clarify product pricing or receive goods specified in the delivery note attached.
The accompanying malware belongs to at least eight different trojan-spy and backdoor families, Kaspersky said, and is designed primarily to steal confidential data and install stealthy remote administration tools on infected systems. The payloads include ZeuS, Pony/FareIT, LokiBot, Luminosity RAT, NetWire RAT, HawkEye, ISR Stealer and iSpy keylogger.
“The phishers selected a toolset that included the functionality they needed, choosing from malware available on cyber-criminal forums,” the firm said in an analysis. “It is worth noting that a complete set of malware for carrying out this type of attack usually costs no more than $200.”
Once in, the attackers can carry out any number of nefarious deeds. In some cases, they gained unauthorized access to the legitimate websites of industrial companies and used them as a platform for hosting malware and C&C servers. The websites were accessed using credentials stolen earlier from infected computers used by the companies’ employees.
In other cases, the spyware programs sent a variety of information from infected machines to C&C servers, including information on industrial companies’ operations and main assets, including information on contracts and various cost estimates and project plans for some of the current projects at victim enterprises.
Kaspersky also said that in a worst-case scenario, cyber-criminals can gain access to computers that are part of an industrial control system (ICS) as well, gaining remote access and unauthorized control over industrial processes. Remote access to SCADA machines enables attackers to simply switch industrial equipment off or change its settings.
Although attacks on the industrial sector smack of nation-state activity, in this case they appear to be financially motivated. The most common outcome of the attack is criminals redirecting legitimate business transfers of money or payments into their own accounts.
“They make screenshots of the correspondence using malware or set up hidden redirection of messages from the attacked computer’s mailbox to their own mailbox,” Kaspersky explained. “This enables them to track which transactions are being prepared in the company. After selecting the most promising transaction among those in the pipeline, the attackers register domain names that are very similar to the names of the seller companies. Using the newly registered domains, the cyber-criminals are able to carry out a man-in-the-middle attack: they intercept the email with the seller’s invoice and forward it to the buyer after replacing the seller’s account details with the details of an account belonging to the attackers.”
The firm also noted that in the event of a successful attack, the company making a purchase not only loses money but also fails to receive the goods they need on time. This can be critical for industrial companies: if the goods are raw materials used in manufacturing or spare parts needed to repair equipment, their non-delivery can result in downtime or failure to perform scheduled maintenance or commissioning and start-up work.
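The lookalike-domain step Kaspersky describes is also the most practical place for a buyer to detect the fraud: the forwarded invoice arrives from, or asks for replies to, a domain that merely resembles the seller's. The following is an added example, not Kaspersky's detection logic or code from the article: it compares the From and Reply-To domains of incoming mail against a list of known supplier domains, catching digit-for-letter and "rn"-for-"m" substitutions, single-character typos and the supplier's name reused under another TLD, and flags payment-related subjects for review. The supplier domains and the message headers are constructed and fictitious.

```python
"""Flag supplier-impersonation email by comparing sender domains to a supplier list.

Added example. KNOWN_SUPPLIERS and SAMPLE_MESSAGES are constructed; the
matching rules are a simple illustration of lookalike detection, not the
logic of any product named in the article.
"""
import re
from typing import Dict, List, Optional, Tuple

KNOWN_SUPPLIERS = {"acme-valves.example", "northern-steel.example"}   # hypothetical sellers

# Substitutions attackers use because they read like the original letter.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DIGRAPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

INVOICE_RE = re.compile(r"\b(invoice|payment|bank details|account (?:number|details)|wire)\b", re.I)


def normalize(label: str) -> str:
    """Collapse a domain label to what a hurried reader perceives."""
    s = label.lower().translate(HOMOGLYPHS)
    for digraph, letter in DIGRAPHS:
        s = s.replace(digraph, letter)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str) -> Optional[str]:
    """Return the supplier a sender domain imitates, or None if it is genuine or unrelated."""
    d = sender_domain.lower().rstrip(".")
    suppliers = sorted(KNOWN_SUPPLIERS)
    for supplier in suppliers:
        if d == supplier or d.endswith("." + supplier):
            return None                          # the real supplier or one of its subdomains
    labels = d.split(".")
    for supplier in suppliers:
        k_label = supplier.split(".")[-2]        # registrable label, e.g. 'acme-valves'
        k_norm = normalize(k_label)
        for label in labels[:-1]:                # every label except the TLD
            if normalize(label) == k_norm:       # homoglyph swap, or the name under another TLD
                return supplier
            if len(k_label) >= 6 and levenshtein(label, k_label) <= 1:   # single-character typo
                return supplier
    return None


def _domain(addr: str) -> Optional[str]:
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1) if m else None


def triage(messages: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (From, Subject, reason) for each message that should be held for review.

    Reply-To is checked as well as From, because a forwarded invoice may keep a
    plausible From address while steering the reply to the attacker's domain.
    """
    flagged = []
    for msg in messages:
        for header in ("From", "Reply-To"):
            addr = msg.get(header)
            domain = _domain(addr) if addr else None
            supplier = lookalike_of(domain) if domain else None
            if supplier:
                reason = f"{header} domain {domain} resembles supplier {supplier}"
                if INVOICE_RE.search(msg.get("Subject", "")):
                    reason += "; payment-related subject"
                flagged.append((msg["From"], msg.get("Subject", ""), reason))
                break                            # one finding per message is enough
    return flagged


# Constructed headers: one genuine invoice, three impersonation attempts, one unrelated message.
SAMPLE_MESSAGES = [
    {"From": "billing@acme-valves.example", "Subject": "Invoice 4471 for March delivery"},
    {"From": "billing@acme-va1ves.example", "Subject": "Invoice 4471 - updated bank details"},
    {"From": "accounts@northern-steel.example.net", "Subject": "Payment instructions for PO 2291"},
    {"From": "hr@unrelated-corp.example", "Subject": "Payment run schedule"},
    {"From": "ops@acme-valves.example", "Reply-To": "ops@acrne-valves.example", "Subject": "Re: delivery note"},
]

if __name__ == "__main__":
    for sender, subject, reason in triage(SAMPLE_MESSAGES):
        print(f"HOLD  {sender!r}  {subject!r}\n      {reason}")
```

Running it holds three of the five messages: the digit-for-letter domain, the supplier name reused under `.example.net`, and the message whose From is genuine but whose Reply-To swaps "rn" for "m". The genuine invoice and the unrelated payment-run notice pass. The check complements, rather than replaces, the procedural control the article implies: any change of account details in an invoice is confirmed with the seller over a channel other than the email that requested it.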
"The main motivator for cyber-criminals in today’s world is profit, and consequently by targeting the major corporations they raise the potential revenue value,” said Luda Lazar, security research engineer at Imperva, via email. “Nigerian hackers, like other cyber-criminals, are opportunistic, thus they tried to attack some major corporations during 2016 and apparently succeeded. Therefore, it is reasonable to expect an increase in such attacks on industrial companies in [the] future.”
British officials appear to have come to the same conclusions as several IT security vendors: the WannaCry ransomware attacks were launched by North Korea-linked hacking group Lazarus.
Security sources told the BBC on Friday that they suspect the group, which has most famously been blamed for the destructive cyber-attack against Sony Pictures Entertainment in 2014 and an $81m heist from the Bangladesh Bank last year, of being behind the attacks.
The National Cyber Security Centre (NCSC), which has been leading the investigation, is likely to have based its findings on a “wider set of sources” than several private sector assessments which have come to the same conclusion, the report claimed.
That’s because it’s technically part of spy agency GCHQ, and therefore will have access to a huge surveillance and intelligence-gathering apparatus.
At the time of writing there had been $134,000 in Bitcoin payments made to the addresses linked to WannaCry, but no withdrawals, according to UK firm Elliptic, which monitors illicit activity on the Bitcoin blockchain.
That could indicate that the hackers were not financially motivated in their attack, or that the campaign is under too much scrutiny now for them to transfer the funds.
At the end of May Symantec released some detailed findings claiming to support the hypothesis that Lazarus was behind WannaCry.
This includes Lazarus-linked malware – Trojan.Volgmer and two variants of the disk-wiping Backdoor.Destover – being left on victim networks in February.
However, cybersecurity thinktank the Institute for Critical Infrastructure Technology (ICIT), has warned against “premature, inconclusive and distracting attribution.”
It claimed that evidence linking the North Korean group to the attacks is circumstantial at best.
WannaCry ripped through hundreds of thousands of victims in 150 countries worldwide last month, exploiting a Windows SMB vulnerability by leveraging a pair of NSA exploits.
The NHS was one early victim organization heavily impacted, with scores of Trusts forced to cancel patient appointments as IT systems were taken offline.