The Seattle-based retailer suffered a data breach in which a wide range of personal information was exposed. Employee names were disclosed, along with Social Security numbers, dates of birth, checking account and routing numbers, salaries and more.
Co-president Blake Nordstrom reportedly apologized to employees in an email in which he had notified staff about the data breach. According to a statement from the company, the anomalous activity was detected on October 9, 2018, after a contract worker had inappropriately handled some Nordstrom employee data.
What followed was what Terry Ray, CTO at Imperva, said was protocol worthy of a pat on the back. “Employee data was collected and given to a third party, most likely to manage direct deposits of wages, certainly not unusual in business and a necessary reason to gather such data.”
While the contract worker inadvertently exposed data, Nordstrom reportedly has taken appropriate action in responding to the incident, which is currently being investigated.
“Nordstrom’s own security team became aware of the exposure in a reasonable time. Many breaches and exposures aren’t identified for months or years and, often times, not disclosed in a reasonable amount of time," said Ray.
“Additionally, most breaches are identified by external researchers or law enforcement before the company; however, this is not the case with Nordstrom. Nordstrom knows what was exposed – employee data (names, addresses, banking details) – not customers' [data]. In more than half of breaches and exposures companies do not know what data was exposed or stolen. Nordstrom then took immediate steps to remediate, removing the contract worker and putting additional controls in place."
Though no evidence of data theft has been discovered, the company has been proactive about notifying all employees of the incident.
“Taking that a step further, Nordstrom offered affected employees two years of identity theft protection, which companies often only offer post breach, for exposure. All in all, Nordstrom appears to be handling this exposure very responsibly. Kudos to them,” Ray said.
A security researcher at Imperva recently identified a vulnerability within Facebook that could have allowed other websites to extract private information about users and their contacts.
Discovered by Imperva security researcher Ron Masas, the vulnerability reportedly preyed on the unique cross-origin behavior of iframes, which embeds another HTML page into the current page. By manipulating Facebook’s graph search, it was possible to craft search queries that reflected personal information about the user.
“A unique feature of the uncovered bug is the exploitation of the iframe element within Facebook’s search feature. This allowed information to cross over domains, essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” said Masas.
“Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company. Interestingly, the vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends.”
Warning that the technique could increase in popularity throughout 2019, Masas added, “Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook’s use of iframes to leak the user's personal information. Interestingly, this technique leaves almost no trace unlike authentication bypasses.”
According to Imperva, the vulnerability was reported to Facebook under its responsible disclosure program in May 2018. Masas worked with the Facebook security team to mitigate regressions and ensure that the issue was thoroughly resolved.
In a statement shared with TechCrunch, Facebook spokesperson Margarita Zolotova wrote, “We appreciate this researcher’s report to our bug bounty program. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”
In an attempt to develop a set of shared principles for securing cyberspace, France’s president, Emmanuel Macron, launched the Paris Call for Trust and Security in Cyberspace at yesterday’s UNESCO Internet Governance Forum (IGF).
The Paris Call has the backing of more than 50 countries; notably missing from the list are Russia, China and the United States. Alongside the signatory countries, private and civil society organizations have committed to support a collective effort on several initiatives, which include increasing prevention against and resilience to malicious online activity, protecting the accessibility and integrity of the internet, and cooperating to prevent interference in electoral processes, according to France Diplomatie.
“We condemn malicious cyber activities in peacetime, notably the ones threatening or resulting in significant, indiscriminate or systemic harm to individuals and critical infrastructure and welcome calls for their improved protection. We also welcome efforts by States and non-state actors to provide support to victims of malicious use of ICTs on an impartial and independent basis, whenever it occurs, whether during or outside of armed conflict,” wrote the Paris Call.
The willingness of supporting states to work together to prevent and recover from malicious attacks is indeed an admirable promise, but Paul Bischoff, privacy advocate at Comparitech.com said, “To be clear, countries who signed the pact did not agree to any specific rules, goals, or penalties. Instead, they agreed to figure all that out together at a later date. So the pact is mostly symbolic.”
A realistic concern Bischoff noted is the strong likelihood that Russia and China will not sign. “Many of the pact's measures imply taking action against them. Russia and China are the source of most of the world's malware and cyber-attacks, many of which are state sponsored. Russia in particular is at the forefront of everyone's mind when it comes to election hacking. The pact says it will try to 'prevent malign interference by foreign actors.' Who does 'foreign actors' refer to if not the Russians? 'Prevent ICT-enabled theft of intellectual property' is a finger-wag at China.
“The US is also involved in a fair deal of cyber-espionage, and it has its own interests to worry about. The US is home to most of the world's largest and most profitable tech and internet giants, many of which served as a medium for previous election hacking campaigns. This pact could seek to regulate them. And after seeing Trump walk away from the Paris Climate Accord, I'm not sure why anyone would be surprised at this result.”
Though the intent of the call is to apply international humanitarian law to cyberspace, Colin Bastable, CEO of Lucy Security, said, “This is grandstanding by a politician, a nothingburger, made no more appetizing when juxtaposed with today’s other, more ominous, announcement that French civil servants will be embedded in Facebook. We can rest assured that personal cyber insecurity, the consumer issue of our times, will not be enhanced by either of these announcements from Paris.”
New research from SailPoint has revealed that poor staff cybersecurity behaviors within organizations are getting worse, despite a greater focus on security awareness in the workplace.
The firm quizzed 1600 global employees, discovering that 75% of respondents reuse passwords across both personal and professional accounts, a figure up from 56% in 2014. Interestingly, the percentage of 18-25-year-olds who admitted reusing passwords was even higher (87%), suggesting employees’ approaches to security are worsening as more millennials enter the workforce.
What’s more, almost a quarter (23%) of all those polled said they only change their work password two times or fewer a year and 15% would consider selling their workplace passwords to a third party.
In terms of frictions between the IT department and the rest of the workforce, more than half of respondents considered IT to be “a source of inconvenience,” whilst 13% would not immediately inform IT if they had been hacked.
Furthermore, SailPoint’s research suggested that new technologies are creating new areas of risk for organizations. Nearly half (48%) of respondents use or are planning to use AI chatbots/personal assistants at work, and 31% had deployed software without IT’s help.
Speaking to Infosecurity, Bruce Hallas, security awareness, behavior and culture expert, and owner and principal consultant at Marmalade Box, said that password management is probably one of the security policies on which employees receive the most consistent training, so when 75% of employees reuse passwords across personal and professional accounts it raises questions about the effectiveness of current awareness-raising and behavior-improvement methods.
“Where organizations rely on employees to remember and then change their password periodically in line with policy, without a system prompt, you’re statistically likely to see a high level of non-compliance,” he added.
“If 23% of respondents change their passwords twice or fewer times a year, but this is in line with their organizational policy, then that’s fine, but probably not ideal. If the 23% are in breach of their organization’s password policy then you’ve got to focus on why those behaviors prevail. A simple starting point might be [to ask] ‘do they even remember the policy’ after they’ve had their training.”
Juliette Rizkallah, CMO, SailPoint advised: “By taking an identity-centric approach to security, IT can gain full visibility and control into which applications and data that users, including both human and non-human bots, are accessing to do their jobs. This approach allows enterprises of all sizes to confidently address the tension between enablement and security exposed in our Market Pulse Survey.”
Security experts and trade unions have expressed doubts and concerns over some firms’ reported plans to microchip their employees.
Swedish firm Biohax is said to be in talks with several legal and financial firms in the UK to fit the rice grain-sized chips, which are implanted into the flesh between the thumb and forefinger.
They could then be used as an authentication device to enable or restrict access to certain parts of a building or facility.
“These companies have sensitive documents they are dealing with,” Biohax founder, Jowan Österlund is reported as saying. “[The chips] would allow them to set restrictions for whoever.”
The firm has already partnered with US firm Three Square Market in a voluntary scheme to chip its employees.
Another firm, UK-based BioTeq, has already chipped 150 users, although most are individuals, according to the Guardian.
However, both the CBI and TUC reportedly expressed concerns over the practice: the former arguing that “firms should be concentrating on rather more immediate priorities,” while the latter claimed it could be abused by employers to give them “even more power and control over their workers.”
In a longer article, the TUC went further, arguing: “we’d like to hear what security concerns could possibly justify the use of such technology on staff.”
It added that with costs per chip potentially reaching £260, the economic case for microchipping employees is also pretty flimsy.
“Intrusive surveillance undermines trust in the workplace by making people feel they’re always being watched,” it concluded.
“So instead of microchipping their workforce, bosses need to start engaging with staff and unions to make new technology work for everyone.”
Security experts were also unconvinced.
Outpost24 CSO, Martin Jartelius, argued that the chips could drive a dangerous false sense of security.
“While there is no doubt that this may ease the problem of employee two-factor tokens, as the chip is implanted under their skin and cannot be easily stolen, the assumption that something is less likely to be hacked because it’s under your skin is flawed and dangerous,” he added.
“It’s reasonable to assume that when something is implanted into a person it is less likely to be forgotten and to be stolen, but it doesn’t mean ‘because the microchip is in my thumb it’s less likely to get hacked.’ The very location of a microchip in your hand may actually lead to increased exposure, as the hands form the basis of our physical interaction with our surroundings.”
Some 60% of European retailers have seen an increase in fraud over the past year, despite the vast majority having prevention systems in place, according to Adyen.
The payments platform provider polled 5000 consumers and 500 retailers in the UK, Spain, France, Germany and the Nordics to compile its 2018 European retail report.
Over three-quarters said they “are prepared” for fraud or have active fraud prevention systems in place, with a majority looking to biometrics like fingerprint scanners (57%) and voice authentication (56%) to improve resilience.
However, current solutions appear to be failing given the rise in fraud across a majority of retailers surveyed. That’s bad news as consumer expectations around security grow higher.
Some 69% of European shoppers polled said they would avoid any brands hit by a data breach, for example.
The research also highlighted potential regulatory concerns in the market.
The EU’s Second Payment Services Directive (PSD2) mandates strict new authentication standards to help minimize fraud, as well as implementation of 3D Secure 2.0 by 2019. However, while over 20% of retailers said they already comply and 27% are planning to in the next 12 months, nearly a quarter (24%) said they don’t have plans to do so.
“As technology makes the shopping experience more engaging and convenient, it also powers the sophisticated fraudsters. Retailers need to walk a very fine line of doing everything in their power to help prevent fraudulent transactions and protect their customers, but they also don’t want to be overly cautious and decline legitimate transactions,” explained Adyen’s UK MD, Myles Dawson.
“Payments technology is key in this regard. Machine learning and advanced data analysis play a vital role in accurately identifying the shopper behind each transaction to reduce chargebacks and false positives.”
UK identity fraud fell in the first half of 2018 for the first time in five years, but fraud against online retail accounts rose by 24% year-on-year, alongside fraudulent applications for credit and debit cards (12%), according to Cifas.
Cyber-attacks are the number one business risk in the regions of Europe, North America and East Asia and the Pacific, according to a major new study from the World Economic Forum (WEF).
Its Regional Risks for Doing Business report highlights the opinions of 12,000 executives from across the globe.
While “unemployment or underemployment” and “failure of national governance” take first and second place respectively, cyber threats have moved from eighth in last year’s report to fifth this year.
It tended to be viewed as a greater risk in more advanced economies: 19 countries from Europe and North America plus India, Indonesia, Japan, Singapore and the United Arab Emirates ranked it as number one.
In Europe, the UK and Germany both placed cyber-attacks as the number one risk.
“When looking at the causes of breaches, it’s evident that email attachments, links and downloads are the most common methods used by hackers. Be it HR professionals opening infected CVs from unknown sources, or employees clicking links on malware-riddled social media sites on their lunch break, users provide hackers with an easy route to bypass security,” he added.
“These simple attack methods are still effective because the architecture cybersecurity is built on is fundamentally flawed, as it overwhelmingly relies on detecting these threats. We’re increasingly seeing zero-day and other polymorphic malware being used to evade detection. Even the more sophisticated detection-based tools that utilize machine learning, AI and behavioral analytics to identify anomalies and patterns can potentially struggle to determine what is good and what is bad – and are certainly never able to be 100% accurate.”
Mimecast cyber-resilience expert, Pete Banham, argued that attacks represent a clear risk to productivity and growth.
“New cyber-threats will continue to adapt to take advantage of weaknesses in systems and procedures, especially as global cloud computing vendors aggregate IT risks,” he said.
“Business continuity and cybersecurity are together now major boardroom issues. The only way to mitigate these new risks is to adopt a strategy of cyber-resilience that brings together threat protection, durability and recoverability.”
WannaCry ransomware is still the most widespread cryptor family and has hit almost 75,000 users as of Q3 2018, according to new research from Kaspersky Lab.
The firm found that since the WannaCry outbreak in May 2017, which cost the NHS £92m, the ransomware has affected 74,621 users across the globe and is still active one and a half years on, accounting for 28% of all cryptor attacks in Q3 2018, a rise of more than two-thirds compared with Q3 2017.
“It is concerning to see that WannaCry attacks have grown by almost two-thirds compared to the third quarter of last year,” said David Emm, principal security researcher at Kaspersky Lab. “This is yet another reminder that epidemics don’t cease as rapidly as they begin – the consequences of these attacks are unavoidably long-lasting.”
Despite the WannaCry attacks highlighting the importance of patching to resist the EternalBlue exploit that the ransomware leverages, Kaspersky Lab’s findings show that there still remain plenty of unpatched computers worldwide and that criminals continue to target them.
“Cyber-attacks of this type can be so severe that it’s necessary for companies to take adequate preventive measures before a cyber-criminal acts – rather than focus on recovery,” added Emm.
Kaspersky Lab’s advice for effective ransomware defense included:
- Updating your operating system to eliminate recent vulnerabilities and using a robust security solution with updated databases. It is also important to use a security solution that has specialized technologies to protect your data from ransomware
- If you have bad luck and all your files are encrypted with cryptomalware, it is not recommended to pay cyber-criminals, as it encourages them to continue their dirty business and infect more people’s devices. It is better to find a decryptor on the internet
- It is also important to always have fresh backup copies of your files to be able to replace them in case they are lost, and to store them not only on a physical device but also in cloud storage for greater reliability
- To protect the corporate environment, educate your employees and IT teams, keep sensitive data separate, restrict access and always back up everything
- Last, but not least, remember that ransomware is a criminal offence. You shouldn’t pay. If you become a victim, report it to your local law enforcement agency
The implementation of major EU-wide security legislation took a major leap forward on Friday as the government officially identified the organizations that will be required to comply with the NIS Directive.
Known in full as the directive on the security of network and information systems, the law will be applied slightly differently by each member state.
A key driver for the directive is to improve baseline security among providers of critical infrastructure, known as “operators of essential services” (OES). It will help to do this with GDPR-like maximum fines of £17m or 4% of global annual turnover, and mandatory 72-hour notifications of serious incidents.
Although the directive came into force on May 10, Friday was the deadline for governments to identify these OES organizations, which cover several sectors: energy, transport, healthcare, water and digital infrastructure.
“The number of targeted intrusions into the UK’s critical infrastructure is increasing. Employing preventative cybersecurity solutions that seamlessly integrate security into control systems is therefore essential,” argued Palo Alto Networks CSO, Greg Day.
“The NCSC has made effective implementation of NIS a priority since it came into effect in May, issuing detailed guidance for both businesses and implementing agencies. Today’s step, whereby the UK government informs those entities considered operators of essential services, is another important milestone in the UK’s efforts on the hugely important issue of cybersecurity.”
Matt Walmsley, EMEA director at Vectra, welcomed the latest deadline as helping to force operators in key sectors to focus on improved security.
“Bad actors, and particularly those of nation states, are well-resourced, innovative and highly motivated, and organizations have limited time, finite human and technical resources and capabilities with which to protect their rapidly expanding attack surface,” he added.
“Nation states, or their sponsored proxies, have broad motivations, and expecting the unexpected is a difficult task. All organizations therefore need to realize that breaches are a case of if not when and so equip themselves to identify and respond to attacks to remediate them in their early stages before damage is done. It’s a tough and never-ending task for the defenders, and one increasingly requiring levels of automation and empowerment from artificial intelligence.”
A Chinese headmaster has been fired after secretly mining cryptocurrency using his school’s electricity supply, according to reports.
Hunan man Lei Hua had dismissed reports from teachers of excessive power consumption in the building as the fault of air conditioning units and heaters, according to the BBC.
However, when they found the eight cryptocurrency mining machines he had hooked up to the power supply, the game was up.
They reportedly ran up an electricity bill of 14,700 yuan (£1600) mining Ethereum 24 hours a day.
After laying out 10,000 yuan on just one mining machine and seeing the exorbitant electricity costs that resulted, Hua apparently decided to minimize his overheads by moving the operation to the school in summer 2017.
However, it not only ended up costing the school a fortune in energy bills but also reportedly overloaded the network, interfering with teaching.
Hua was fired last month, while his deputy, who tried to get in on the scheme by buying and plugging his own machine into the school computer room, was given an official warning.
The case highlights the impact of cryptocurrency mining on organizations, especially those whose servers may have been hijacked in cryptojacking attacks.
A Canadian university was forced to shut down its entire IT network recently after discovering the malware on its systems.
Those attacks are on the rise. McAfee revealed that coin mining malware detections rose 629% in the first quarter to more than 2.9 million samples, while Trend Micro reported a massive 956% increase between the first half of 2017 and the same period this year.
“Just like in this school, cryptomining operations could be running within your organization’s network — draining vast amounts of energy without your knowledge. IT teams need to be vigilant,” argued Barry Shteiman, VP of research and innovation at Exabeam.
“The best thing to do is look for anomalies in your electricity bill. You should also measure changes in your HVAC usage for heat dissipation, although this will be more difficult. Beyond that, look for sudden changes in capacity or usage, as well as significant deviations in pattern and velocity.”
He added that “entity analytics” tools could also be used to help spot the irregular network behavior indicative of a cryptomining attack.
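The checks Shteiman describes (sudden changes in usage, and deviations in pattern relative to a baseline) can be scripted against ordinary host telemetry. The following is an added example, not code from the article or from Exabeam: it takes a day of constructed CPU-utilisation readings per host and flags hosts that are pinned high, just as busy overnight as in office hours, and far above their peers. Host names, readings and thresholds are constructed.

```python
from statistics import mean, median

# Constructed sample data: twelve two-hourly CPU-utilisation readings (%) per
# host over one day, starting at midnight. Desktops idle outside office hours;
# a host running a miner stays near 100% around the clock, as in the article.
CPU_SAMPLES = {
    "ws-finance-01": [12, 9, 8, 10, 45, 60, 55, 50, 48, 11, 9, 8],
    "ws-finance-02": [10, 11, 9, 12, 50, 58, 62, 57, 49, 10, 12, 9],
    "ws-hr-07":      [97, 96, 98, 97, 97, 98, 96, 97, 98, 97, 96, 98],
}
OFF_HOURS = (0, 1, 2, 3, 9, 10, 11)   # reading indexes outside 08:00-18:00


def sustained_fraction(series, window=6, high=90):
    """Share of the most recent `window` readings at or above `high` percent."""
    recent = series[-window:]
    return sum(1 for v in recent if v >= high) / len(recent)


def off_hours_ratio(series, off_hours=OFF_HOURS):
    """Mean off-hours load divided by mean working-hours load; a value near
    1.0 means the host is just as busy at night as during the day."""
    off = [series[i] for i in off_hours]
    on = [v for i, v in enumerate(series) if i not in off_hours]
    return mean(off) / mean(on)


def fleet_deviation(samples, host):
    """Points by which a host's daily mean load exceeds the median of its peers."""
    means = {h: mean(s) for h, s in samples.items()}
    peers = [v for h, v in means.items() if h != host]
    return means[host] - median(peers)


def find_suspects(samples, min_sustained=0.8, min_off_ratio=0.8, min_deviation=30):
    """Hosts that satisfy all three signals: pinned high in the recent window,
    flat across the day, and well above the rest of the fleet. Thresholds are
    constructed starting points; tune them against your own telemetry."""
    return sorted(
        h for h, s in samples.items()
        if sustained_fraction(s) >= min_sustained
        and off_hours_ratio(s) >= min_off_ratio
        and fleet_deviation(samples, h) >= min_deviation
    )


if __name__ == "__main__":
    for host, series in CPU_SAMPLES.items():
        print(f"{host}: sustained={sustained_fraction(series):.2f} "
              f"off_hours_ratio={off_hours_ratio(series):.2f} "
              f"fleet_deviation={fleet_deviation(CPU_SAMPLES, host):+.1f}")
    print("suspects:", find_suspects(CPU_SAMPLES))
```

Requiring all three signals keeps a host that legitimately runs an overnight batch job (high but not above its peers, or high only for a few hours) from tripping the check; the electricity-bill and HVAC signals the article mentions are the same idea applied to a building rather than a host.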
The Bank of England (BoE) held a one-day “cyber resilience” exercise on Friday designed to test the UK banking sector’s ability to withstand a major attack.
In a brief statement, the BoE explained it had partnered with the Treasury, regulator the Financial Conduct Authority (FCA) and other industry bodies to run the event.
“This exercise forms a vital part of the sector-wide biennial process that seeks to ensure the industry is prepared for — and can respond effectively to — any major disruption stemming from a cyber incident, protecting the financial system on which the public relies,” it said. “The exercise will help authorities and firms identify improvements to our collective response arrangements, improving the resilience of the sector as a whole.”
The BoE’s Systemic Risk Survey for the first half of 2018 placed cyber incidents in joint second alongside geopolitical risk, with 62% of financial institutions citing them as a major risk to the UK’s financial system. That figure apparently stands at an all-time high.
Released in June, the study also revealed an increase in the number of respondents claiming that cyber-attacks are the risk most challenging to manage, to over half (51%).
The continued focus on industry-wide cyber stress tests like this was welcomed by industry experts, including ESET’s Jake Moore.
“Cyber-attacks aren’t a possibility, they are an eventuality, so we will never have enough people, systems or money to prevent or detect an attack,” he argued. “Therefore, you need to invest in training as well as multiple prevention techniques to make it work. However, it is not always as simple as that, so making training engaging and even fun adds impact to the way it sinks in and quickly makes it second nature.”
Pete Banham, cyber resilience expert at Mimecast, claimed that other sectors should think about running similar initiatives.
“The fact that firms aren’t being tested on a pass or fail basis is significant as it means they will be transparent about their current capabilities, rather than worrying about being exposed as unprepared. This will help them work towards being adequately prepared for large-scale cyber-attacks and ensure they have the right cyber-resilience strategy in place,” he argued.
“Hackers are always lying in wait, so we need to see more instances of sectors uniting to combat malicious attacks.”
Cryptocurrency mining has become a fairly easy way to manufacture currency, and according to Trend Micro, a new cryptocurrency-mining malware uses evasion techniques, including Windows Installer, as part of its routine.
In the cryptocurrency miner identified as Coinminer.Win32.MALXMR.TIAOODAM, researchers noted the use of multiple obfuscation and packing routines. The malware leverages the Windows platform, and though it has an overall low risk rating, the damage potential scored in the medium range.
While the results might be lucrative, the process is actually quite resource-intensive, which is one reason malicious actors continue to find ways to exploit other machines using mining malware. Such malware has been largely successful in avoiding detection, particularly when combined with obfuscation routines, according to Trend Micro.
Dropped by other malware or downloaded from the internet, the coinminer arrives as a Windows Installer MSI file. It then drops multiple files in its installation directory and uses the CryptoNight algorithm for its coin-mining routine. The files include a .bat file that shuts down any anti-malware program running on the machine, an .exe unzipping tool and a password-protected zip file disguised as an icon (.ico) file.
Unpacking icon.ico revealed two additional files, after which the next stage of the installation created copies of the kernel file and a Windows USER component. Researchers noted that the installer uses Cyrillic rather than English text, though there is no concrete evidence indicating the region of origin.
“To make detection and analysis even more difficult, the malware also comes with a self-destruct mechanism,” the authors wrote. “It deletes every file under its installation directory and removes any trace of installation in the system. One notable aspect of the malware is that it uses the popular custom Windows Installer builder WiX as a packer, most likely as an additional anti-detection layer. This indicates that the threat actors behind it are exerting extra effort to ensure that their creation remains as stealthy as possible.”
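Two of the behaviours described above are cheap to check for during triage: a dropped file whose extension says icon but whose bytes say zip archive, and a script launched by the Windows Installer that terminates the anti-malware agent. The following is an added example, not Trend Micro's code: it applies a magic-byte check to file contents and walks a constructed process tree for a `taskkill` against an AV process that descends from `msiexec.exe`. The file names, process events and AV process name are constructed.

```python
import re

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a zip archive
ICO_MAGIC = b"\x00\x00\x01\x00"    # ICONDIR header of a genuine .ico file


def classify_by_magic(data: bytes) -> str:
    """Identify the real container type from the leading bytes, ignoring the name."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ICO_MAGIC):
        return "ico"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when a file named as an icon actually holds a zip archive."""
    ext = name.rsplit(".", 1)[-1].lower()
    return ext == "ico" and classify_by_magic(data) == "zip"


# Constructed process-creation events: (pid, ppid, image, command line).
EVENTS = [
    (400, 1, "msiexec.exe", "msiexec.exe /i installer.msi /quiet"),
    (520, 400, "cmd.exe", r'cmd.exe /c "C:\ProgramData\x\kill.bat"'),
    (530, 520, "taskkill.exe", "taskkill /F /IM avservice.exe"),
    (610, 1, "cmd.exe", "cmd.exe /c dir"),
    (620, 610, "taskkill.exe", "taskkill /F /IM notepad.exe"),
]
# Constructed: the organisation's own anti-malware process names.
AV_IMAGES = {"avservice.exe"}


def ancestor_images(events, pid):
    """Image names of a process's ancestors, nearest first."""
    by_pid = {e[0]: e for e in events}
    chain = []
    ppid = by_pid[pid][1] if pid in by_pid else None
    while ppid in by_pid:
        chain.append(by_pid[ppid][2].lower())
        ppid = by_pid[ppid][1]
    return chain


def av_kills_from_installer(events, av_images=AV_IMAGES):
    """PIDs of taskkill invocations aimed at an AV process whose ancestry
    includes the Windows Installer service."""
    hits = []
    for pid, _, image, cmdline in events:
        if image.lower() != "taskkill.exe":
            continue
        target = re.search(r"/IM\s+(\S+)", cmdline, re.IGNORECASE)
        if not target or target.group(1).lower() not in av_images:
            continue
        if "msiexec.exe" in ancestor_images(events, pid):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    # Constructed file contents standing in for a dropped icon.ico.
    fake_icon = ZIP_MAGIC + b"\x14\x00\x01\x00" + b"\x00" * 22
    print("icon.ico is really a zip:", extension_mismatch("icon.ico", fake_icon))
    print("AV kills launched via msiexec:", av_kills_from_installer(EVENTS))
```

The magic check catches the disguised archive even though its name and extension look benign; the process-tree check keys on the combination (installer ancestry plus an AV target) rather than on `taskkill` alone, so an administrator ending an unrelated process does not raise an alert.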
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Department of Homeland Security (DHS), has issued a US-CERT alert for the JBoss Verify and EXploitation (JexBoss) tool, an open-source tool often used by red teams.
According to the alert, malicious actors are using JexBoss to test and exploit vulnerabilities not only in the JBoss Application Server (JBoss AS) but also in a variety of Java applications and platforms.
Written in the Python programming language, the JexBoss tool used in threat hunting automates all the phases of a cyber-attack, making it a powerful tool when used by threat actors. Attackers have reportedly used JexBoss in the SamSam ransomware campaign that targeted the healthcare industry.
Able to run from most standard operating systems, JexBoss allows an attacker to execute arbitrary OS commands on the target host, the CERT said. Through either installing a webshell, blindly injecting commands, or establishing a reverse shell, the attacker is able to submit OS commands.
In an exploit attempt, researchers were successful in the delivery, exploitation, installation, command-and-control and action on objectives phases, and NCCIC determined that JexBoss operates at all seven phases of the Cyber Kill Chain framework.
“It is very concerning to see that an open source tool created to detect vulnerabilities is now being used to test and exploit vulnerabilities in JBoss AS,” said Justin Jett, director of audit and compliance for Plixer.
“It is critical that IT professionals monitor the traffic on their servers where JBoss is installed. Specifically, they should be sure to take advantage of network traffic analytics to determine when non-authorized users or IPs are connecting to these devices directly and to ensure that firewall rules are being properly enforced. Should malicious actors gain access to the server, they can easily determine which vulnerabilities are available to exploit, and more importantly they may be able to change the behavior of the application. This could cause irreparable damage if the application is customer facing or contains sensitive information.”
Best practices for mitigation include ensuring that servers are not vulnerable to the exploits JexBoss uses. The NCCIC also recommends that users and administrators review AR18-312A for more information.
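Jett's recommendation to watch for non-authorized addresses reaching JBoss servers, and to confirm that firewall rules actually hold, can be turned into a log check. The following is an added example, not code from NCCIC, Plixer or the JexBoss project: it parses constructed Common Log Format access-log lines, matches requests against the well-known JBoss AS administrative and invoker paths, and reports any that come from outside a constructed administrator network. The allow-listed network, addresses and timestamps are constructed; the path prefixes are the standard JBoss AS endpoints.

```python
import ipaddress
import re

# Well-known JBoss AS administrative and invoker paths. Assumption: the
# deployment still exposes them; removing or restricting them is the fix, and
# this check then confirms the restriction holds.
SENSITIVE_PREFIXES = ("/jmx-console", "/web-console", "/invoker/", "/admin-console")

# Constructed: the only network from which administrators should reach them.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample access-log lines.
SAMPLE_LOG = """\
10.20.0.15 - - [09/Nov/2018:10:01:12 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120
203.0.113.45 - - [09/Nov/2018:10:02:03 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120
203.0.113.45 - - [09/Nov/2018:10:02:05 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 312
198.51.100.7 - - [09/Nov/2018:10:03:40 +0000] "GET /app/index.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [09/Nov/2018:10:04:01 +0000] "GET /web-console/ HTTP/1.1" 403 120
"""


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def is_admin_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def unauthorised_admin_requests(log_text):
    """Every request for a sensitive path from outside the admin networks,
    whether or not the server answered it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sensitive(rec["path"]) and not is_admin_source(rec["ip"]):
            hits.append(rec)
    return hits


def firewall_gaps(log_text):
    """Outside sources that were *served* a sensitive path (2xx): for these the
    intended network restriction demonstrably did not hold."""
    return sorted({r["ip"] for r in unauthorised_admin_requests(log_text)
                   if 200 <= r["status"] < 300})


if __name__ == "__main__":
    for rec in unauthorised_admin_requests(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("sources that got through:", firewall_gaps(SAMPLE_LOG))
```

The two functions answer different questions: `unauthorised_admin_requests` shows who is probing (a 403 still means the path was reachable and worth investigating), while `firewall_gaps` isolates the cases where a restriction that should have blocked the request did not, which is the condition Jett says to verify.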
To more accurately assess the threats of cyber vulnerabilities, the National Institute of Standards and Technology (NIST) has partnered with IBM to use Watson’s artificial intelligence (AI) for scoring bugs.
The Common Vulnerabilities and Exposures (CVE) system assigns publicly known security vulnerabilities a score based on the severity of the flaw. The Common Vulnerability Scoring System (CVSS) qualifies the degree of the threat with a numerical ranking between 0.0 and 10.0. In order to evaluate the severity of the growing number of vulnerabilities reported each week, NIST announced that it will use IBM’s Watson. Relying on AI to assess the likelihood of exploitation and assign a CVSS score will help to expedite the scoring process.
Because the number of vulnerabilities disclosed has skyrocketed from a couple hundred to several thousands per week, keeping pace with scoring the disclosures has become both laborious and time consuming, according to NextGov.
"With the mounting number of CVEs that enterprises are facing, utilizing Watson would allow enterprise CISOs to better navigate which CVEs are most likely to impact their organizations and apply resources to remediation on those controls. Knowing where to focus your time and budget as a CISO is key,” said George Wrenn, CEO, CyberSaint Security.
"We've seen firsthand the benefits of adopting the NIST Cybersecurity Framework (CSF) and the enormous agility benefits that AI-powered automation enables, particularly in helping avoid misdirecting time, unnecessary manual effort, and resources. We've also seen the power of dynamic threat intelligence that's identified and 'injected' into compliance programs on a control-by-control basis. This is a level of risk analysis that can only be done through the use of breakthrough tech and AI. It is no surprise NIST is delving into this area."
Matthew Scholl, chief of NIST's computer security division, reportedly said that Watson is expected to be assigning CVSS scores to most publicly reported vulnerabilities by October 2019 and that the AI system will take over work currently done by numerous human analysts.
“Applying AI, and in particular Watson, to the scoring of vulnerabilities will be useful for keeping up with the increased NIST work load. However, I don’t foresee this addressing the issue of organizations still not patching their systems in time,” said Gabriel Gumbs, VP of product strategy, STEALTHbits Technologies.
Rating the severity of publicly reported vulnerabilities has the potential to help prioritize which systems are patched first and how soon those patches are applied. Said Gumbs, “This program could go a step further and score both the inherent risk and the residual risk of vulnerabilities when other controls are in place. This would allow for real-world patch prioritization scenarios where organizations can apply controls that can be rolled out faster than a patch and in cases where patches do not [yet] exist still reduce their exposure.”
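The inherent-versus-residual distinction Gumbs asks for already exists in CVSS v3.1 as the temporal and environmental metric groups, so a worked scorer shows what "scoring with other controls in place" produces. The following is an added example for this page, not NIST's or IBM's code: it implements the CVSS v3.1 base, temporal and environmental formulas from the specification, and the vector strings and the compensating-control scenario (host reachable only from an adjacent network segment, behind an authenticating gateway, with a published workaround) are assumptions chosen for illustration.

```python
"""CVSS v3.1 scorer: the base score is the "inherent" severity; applying
temporal and environmental metrics (compensating controls, reachability,
required privileges) yields a residual score for patch prioritization."""
import math

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR weights


def pr_weight(level, scope_changed):
    """Privileges Required weight depends on whether scope changes."""
    if level == "N":
        return 0.85
    if level == "L":
        return 0.68 if scope_changed else 0.62
    return 0.5 if scope_changed else 0.27  # "H"


def roundup(x):
    """CVSS 3.1 Roundup(): smallest one-decimal value >= x, float-safe form."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vec):
    if not vec.startswith("CVSS:3.1/"):
        raise ValueError("only CVSS:3.1 vector strings are supported")
    m = dict(part.split(":", 1) for part in vec.split("/")[1:])
    missing = [k for k in ("AV", "AC", "PR", "UI", "S", "C", "I", "A") if k not in m]
    if missing:
        raise ValueError("missing base metrics: " + ",".join(missing))
    return m


def _score(m, modified):
    """modified=False gives the base score; True gives the environmental score,
    which per the spec also folds in the temporal multipliers."""
    def g(key, fallback):  # modified metric (M*) if defined, else the base one
        v = m.get("M" + key, "X") if modified else "X"
        return fallback if v == "X" else v

    changed = g("S", m["S"]) == "C"
    cr, ir, ar = (REQ[m.get(k, "X")] if modified else 1.0 for k in ("CR", "IR", "AR"))
    iss = 1 - ((1 - cr * CIA[g("C", m["C"])]) * (1 - ir * CIA[g("I", m["I"])])
               * (1 - ar * CIA[g("A", m["A"])]))
    if modified:
        iss = min(iss, 0.915)
    if changed:
        # the 0.9731 factor and exponent 13 exist only in the environmental formula
        adj = iss * 0.9731 if modified else iss
        impact = 7.52 * (iss - 0.029) - 3.25 * (adj - 0.02) ** (13 if modified else 15)
    else:
        impact = 6.42 * iss
    expl = (8.22 * AV[g("AV", m["AV"])] * AC[g("AC", m["AC"])]
            * pr_weight(g("PR", m["PR"]), changed) * UI[g("UI", m["UI"])])
    if impact <= 0:
        return 0.0
    score = roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))
    if not modified:
        return score
    temporal = E[m.get("E", "X")] * RL[m.get("RL", "X")] * RC[m.get("RC", "X")]
    return roundup(score * temporal)


def score(vec):
    """Return (inherent base score, residual environmental score)."""
    m = parse_vector(vec)
    return _score(m, False), _score(m, True)


if __name__ == "__main__":
    inherent = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    # Same flaw once the host is reachable only from an adjacent segment, sits
    # behind an authenticating gateway, and a vendor workaround is published.
    residual = inherent + "/RL:W/MAV:A/MPR:L"
    print(score(inherent), score(residual))
```

For the unauthenticated network-reachable remote code execution vector the inherent score is 9.8; with the assumed controls expressed as MAV:A, MPR:L and RL:W the residual score drops to 7.8, which is the number a patch queue should be ordered by while the patch itself is still pending.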
Sextortion, spam, phishing and crypto scams dominated Q3 in email security, with phishing attempts soaring by 30 million, according to Kaspersky Lab.
The Russian AV company’s latest spam and phishing report revealed that its products had blocked 137 million redirects to phishing sites in the period, a 28% increase on the previous quarter.
Global internet portals (32%) and banks (18%) were the most abused types of business in these attacks. In some cases, hackers are taking advantage of the pop-up notifications that some browsers employ.
“It is mainly deployed by websites that collaborate with various partner networks. With the aid of pop-up notifications, users are lured onto ‘partner’ sites, where they are prompted to enter, for example, personal data. The owners of the resource receive a reward for every user they process,” the vendor explained.
“By default, Chrome requests permission to enable notifications for each individual site, and so as to nudge the user into making an affirmative decision, the attackers state that the page cannot continue loading without a little click on the Allow button. The danger is that notifications can appear when the user is visiting a trusted resource.”
Elsewhere, Kaspersky Lab noted the usual phishing ploy of capitalizing on newsworthy events to trick victims into clicking: such as the new iPhone launch.
There’s also been an uptick in phishing attacks targeting global universities for academic research and personal student data. The firm recorded attacks against 131 universities in 16 countries worldwide.
Q3 saw a surge in sextortion spam in which the malicious email uses some of the victim’s real details such as name, password or phone number, which have been bought off the dark web. This lends greater credibility to the emailer, who typically claims they have webcam pics of the user watching pornography and demands a Bitcoin payment to avoid them sending the footage to friends, family and contacts.
Finally, Kaspersky Lab noted a campaign using fake news content designed to trick users into transferring cryptocurrency into an account controlled by the hackers.
The top sources of spam in Q3 were China (13%), the US (11%) and Germany (10%).
A notorious cyber-criminal who went under the online moniker 'DerpTrolling' has pleaded guilty to a series of distributed denial of service (DDoS) attacks dating back almost five years.
Utah resident, Austin Thompson, 23, pleaded guilty this week in a federal court in San Diego to a charge of “damage to a protected computer.”
The attacks, which took place between December 2013 and January 2014, were targeted at online gaming companies including Sony Online Entertainment.
Thompson typically used the @DerpTrolling Twitter account to announce his intended corporate victims and to post screenshots confirming his handiwork.
According to the Department of Justice plea agreement, Thompson forced gaming servers and other equipment out of action for hours at a time in some cases, causing at least $95,000 in damages.
“Denial-of-service attacks cost businesses millions of dollars annually,” said California US attorney Adam Braverman. “We are committed to finding and prosecuting those who disrupt businesses, often for nothing more than ego.”
The maximum penalty for Thompson’s crime is a decade behind bars and a $250,000 fine.
Kirill Kasavchenko, EMEA principal security technologist at Netscout Security, claimed that online gaming is a top target for DDoS-ers.
“Online gaming is a well-documented motivation for DDoS attacks. According to our annual Worldwide Infrastructure Security Report, it was ranked the top attack motivation in the service provider space, leaving extortion attempts and attack capability demonstration behind. Anyone who might be considering taking this wrong path needs to understand that they can be caught and held to account,” he argued.
“In the past, notorious hacking groups evaded justice despite causing huge disruption and financial damage. This plea deal hammers home the very real risk of launching a cyber-attack. Tracking techniques are evolving all the time, so there should be no doubt that you can be prosecuted for such malicious actions."
A Canadian university shut down its entire network last week in response to a cryptomining attack, highlighting the potential disruption that can be caused by this relatively new strain of malware.
St Francis Xavier, which claims to offer the country’s “premier undergraduate experience,” explained in an update on Sunday that it was bringing systems back online in a staggered approach following the outage.
“On Thursday, IT Services, in consultation with security specialists, purposefully disabled all network systems in response to what we learned to be an automated attack on our systems known as ‘cryptocoin mining’,” the update continued.
“The malicious software attempted to utilize StFX’s collective computing power in order to create or discover bitcoin for monetary gain. At this time, there is no evidence that any personal information within our network was breached, however, ITS will continue to analyze and monitor for suspicious activity in the days and weeks ahead. ITS has also implemented heightened security measures in response to this event.”
All network passwords were also reset as part of the response to the attack.
Cryptomining malware is on the increase. McAfee noted that detections of coin mining malware rose 629% in the first quarter to more than 2.9 million samples, while Trend Micro claimed detections rose 956% between the first half of 2017 and the same period this year.
Don Duncan, director at NuData Security, explained that it’s an increasingly lucrative way to make money without drawing attention to the attack, as ransomware does.
“They just infect users like this college network, and then siphon off power to mine cryptocurrencies. You would not necessarily notice it until all systems start to slow down.”
There is also the potential that this breach can be used for other purposes later on, especially if it downloaded another type of malware at the same time, he added.
“The university had no choice but to deprive these hijackers further access by shutting down systems to understand the scope of the issue. In situations such as this real-time visibility into the status of existing systems is critical as it helps to identify potential threats early mitigating future damage.”
In addition to its 2014 attack on Sony Pictures, the Lazarus Group, also known as Hidden Cobra, has been attacking the ATMs of Asian and African banks since 2016, and today Symantec revealed how the group's “FASTCash” operations succeed: by first targeting the banks' networks.
“The operation known as 'FASTCash' has enabled Lazarus to fraudulently empty ATMs of cash. To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the switch application servers handling ATM transactions,” Symantec wrote in today’s blog post.
“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.”
By injecting a malicious Advanced Interactive eXecutive (AIX) executable into a legitimate process on the switch application server that handles ATM transactions, the attacker is able to monitor incoming messages and intercept the fraudulent, attacker-generated transaction requests, preventing them from ever reaching the legitimate switch application.
The malware also contains logic that generates one of three responses to the attacker-generated transaction requests, according to Symantec.
In early October, the Department of Homeland Security (DHS), in combination with the Department of the Treasury (Treasury) and the FBI, identified malware used by the North Korean-linked hacking group, renowned for its cyber-espionage operations, in a US-CERT alert.
According to the alert, the FASTCash schemes “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The US Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.”
On the heels of the US-CERT report, Symantec uncovered the tactics that allowed Lazarus to steal tens of millions of dollars from ATMs in over 30 different countries in these financially motivated attacks. Emboldened by that success and the money it brings, the Lazarus Group poses a serious threat to the financial sector, all the more so since the FASTCash attacks are not even considered part of the group’s core activities.
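Because the forged approvals described above are generated in front of the switch application, the withdrawals exist in the ATM/switch record but never in the host's authorization record, so reconciling the two is a direct check for that condition. The following is an added example for this page, not Symantec's analysis or the malware's code; the CSV log layouts, field names and sample transactions are all assumptions constructed for it.

```python
"""Reconcile ATM-side approvals with host (core banking) authorizations.
An approval the ATM received that the host never issued is what a forged
response injected ahead of the switch application looks like in the records."""
import csv
import io
from collections import Counter


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(switch_csv, host_csv):
    """Return (reason, terminal, stan) for each switch-side APPROVED withdrawal
    the host did not genuinely authorize. Keyed on terminal id plus system
    trace audit number (STAN); assumption: both logs cover the same settlement
    window so STANs do not wrap within it."""
    host = {(r["terminal"], r["stan"]): r for r in _rows(host_csv)}
    findings = []
    for r in _rows(switch_csv):
        if r["response"] != "APPROVED":
            continue
        key = (r["terminal"], r["stan"])
        h = host.get(key)
        if h is None:
            findings.append(("no_host_auth",) + key)     # host never saw the request
        elif h["auth"] != "OK":
            findings.append(("host_declined",) + key)    # approved in front of a decline
        elif int(h["amount"]) != int(r["amount"]):
            findings.append(("amount_mismatch",) + key)  # approved for a different amount
    return findings


def terminals_by_findings(findings):
    """Terminals ordered by number of unbacked approvals; a coordinated
    cash-out shows up as one or a few terminals dominating this list."""
    return Counter(t for _, t, _ in findings).most_common()


# Constructed sample logs (not real bank data). Amounts are in minor units.
SWITCH_LOG = """terminal,stan,amount,response
ATM0017,000451,20000,APPROVED
ATM0017,000452,50000,APPROVED
ATM0023,000119,30000,DECLINED
ATM0023,000120,40000,APPROVED
ATM0031,000777,60000,APPROVED
ATM0042,000901,90000,APPROVED
ATM0042,000902,90000,APPROVED
ATM0050,000333,25000,APPROVED
"""
HOST_LOG = """terminal,stan,amount,auth
ATM0017,000451,20000,OK
ATM0023,000119,30000,INSUFFICIENT_FUNDS
ATM0023,000120,40000,OK
ATM0031,000777,10000,OK
ATM0050,000333,25000,INSUFFICIENT_FUNDS
"""

if __name__ == "__main__":
    found = reconcile(SWITCH_LOG, HOST_LOG)
    for item in found:
        print(item)
    print(terminals_by_findings(found))
```

The check has to run against the host's own authorization log, not the switch's, since a compromised switch server can be made to report whatever the attacker wants; the three finding types separate "host never saw it" (the FASTCash case) from the more mundane amount and decline mismatches that a routine settlement exception would also catch.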
Based on the results of a new survey, the vast majority of IT security pros fail to understand the actual risks of short-lived but dangerous phishing attacks on the web, said SlashNext.
Conducted over a five-day period, a survey of 300 IT security decision makers at midsized US firms found that 95% of respondents underestimate threats from phishing, revealing a lack of understanding and gaps in protection against modern, fast-moving phishing attacks.
According to the SlashNext 2018 Phishing Survey, most companies do not have adequate defenses against phishing threats on the web, a growing threat that many security pros fail to fully understand. Modern phishing tactics are commonly used to breach networks, a reality that only 5% of survey participants recognize, the report found.
The survey found that 14% of respondents think they experience in excess of 500 phishing attacks per month, while 45% of participants believe they are targeted with more than 50 phishing attacks per month. Yet, phishing attacks on the web differ from the more commonly understood phishing emails. The survey noted the particular distinction between the two is the short-lived duration of today’s fast-moving phishing threats on the web.
Targeted phishing attacks have expanded into ads as well as coming in through search results, pop-ups, social media, IM and chat applications, rogue browser extensions and apps. Given the increasing frequency with which these threats on the web or in free apps occur, more than half of the survey respondents identified phishing attack vectors beyond email as their third most concerning threat. Only 32% of survey participants said their existing threat feeds and block lists provide sufficient protections.
Coming in as the top two concerns with regard to phishing attacks were spoofed websites and insufficient employee training. More than half (64%) of respondents expressed concerns with their existing employee awareness training.
“Phishing tactics have evolved to using very fast-moving phishing sites and attack vectors that evade existing security controls. And with such legitimate-looking phishing sites manipulating users, there is little to protect employees, not even phishing awareness training,” said Atif Mushtaq, CEO and founder of SlashNext, in a press release. “The solution involves a phishing detection system that can analyze and detect malicious sites like a team of cybersecurity researchers, but do it in real time to protect users.”
While it is likely that the breach activity of 2018 won’t reach the level of 2017, a look back at the first nine months suggests that 2018 is on pace to be another significant year for breaches, according to Risk Based Security.
The 2018 Q3 Data Breach QuickView Report found that 3,676 data compromise events were disclosed between 1 January and 30 September, exposing 3.6 billion records. However high those numbers might seem, and despite the consistent pace at which disclosures are reported, 2018 is not expected to see the record number of breaches reported in 2017. In fact, the report found that when compared to the same point in 2017, the number of reported breaches fell by 8%, and the number of exposed records decreased by 49% from 7 billion.
“The number of reported breaches shows some improvement compared to 2017 and the number of records exposed has dropped dramatically,” said Inga Goddijn, executive vice president for Risk Based Security, in a press release. “However, an improvement from 2017 is only part of the story, since 2018 is on track to have the second most reported breaches and the third most records exposed since 2005. Despite the decrease from 2017, the overall trend continues to be more breaches and more ‘mega breaches’ impacting tens of millions, if not hundreds of millions, of records at once.”
The report looked at breaches by sector and found that business made up 38% of reported breaches. Though 43% of reported breaches couldn’t be classified into a sector category, the research did find that government represented 8.2% of the overall breaches while medical trailed slightly behind at 7.8%. The education sector represented only 3.9% of the classifiable breaches.
Of the 3.6 billion records exposed, 63.6% were from the business sector, and 100 million or more records were stolen in only seven of the 3,676 breaches. In addition, the 10 largest breaches accounted for 84.5% of the records exposed year to date.
According to the report, fraud was the breach type that compromised the most records, accounting for 35.7% of exposed records, while hacking led in number of incidents, accounting for 57.1% of reported breaches.
An additional key finding of the report noted the lack of transparency that continues to reign among breached organizations in 2018, with 34.5% of impacted companies unwilling or unable to disclose the number of records exposed.