Info Security


2020 Tax Season Attacks Already Targeting Small Businesses

Wed, 02/19/2020 - 17:30

The deadline for filing taxes in the United States is eight weeks away, but new research has shown that small businesses are already being hit by tax season–related cyber-attacks.

Research conducted by Proofpoint indicates that attackers are “aggressively jumping into tax season,” with the deployment of two main attack strategies. 

The first strategy is to send tax-themed emails with enticingly titled malicious attachments, such as "Important changes, filing due date and charges to form 1099."

The second tactic is to compromise legitimate tax-focused websites to deliver malware to people who visit the sites. Data gathered so far indicates that small businesses that specialize in tax preparation are a particular focus for website compromise cyber-attacks this tax season. 

“If you have the word 'tax' in your domain name, you're a target this year. And while the tax-themed email attacks hit businesses in all sectors, we also saw financial firms and construction industries targeted disproportionately,” said senior director of threat research and detection at Proofpoint, Sherrod Degrippo. 

Attackers were observed gaining access to legitimate tax-focused websites via unpatched and out-of-date WordPress and other content management system installations. Code planted by attackers on compromised sites downloads malware onto the systems of people who visit in an attempt to access and steal their data. Researchers noted that code was often hosted elsewhere to make the compromise harder to spot.

Degrippo said: “In these attacks, we’ve seen the sites of smaller tax preparation and accounting firms targeted and compromised. This makes sense because smaller companies often have fewer resources and less expertise to prevent these attacks and detect them when they’ve happened.”

Describing the most sophisticated threat observed by researchers and how dangerous such attacks can be, Degrippo told Infosecurity Magazine: "A recent attack observed spoofed the full branding of a very well-known tax preparation service in the US for both the lure and the landing page for credential phishing. If a threat actor is successful in obtaining an authentic W2, they can potentially file taxes on behalf of that person, receiving the refund to their own account instead of the actual taxpayer."

Degrippo warned that phishing emails are now dangerously sophisticated.

"With the introduction of social engineering, phishing emails have become nearly indistinguishable from legitimate emails. They use trusted brands, and the correct logos, format, and wording as an email that might be expected from that brand. 

"Attackers are adept at using LinkedIn and Google to conduct reconnaissance on potential individuals that have access to the information they want and are laser-focused on targeting them directly through email. And they are continuing to use email because it’s cheap, easy to use, and above all, effective."

Categories: Cyber Risk News

Air Force Gives Students a Second Crack at Cybersecurity Certification

Wed, 02/19/2020 - 16:54

The United States Air Force is offering students who failed to gain cybersecurity certification the first time around a second opportunity to qualify.

Previously, students who didn’t pass the Security+ exam on their first go had to rethink their chosen area of specialization within the Air Force. The new Pathfinder program gives students a precious second chance to pursue their dream of working in cybersecurity.

To acquire the Security+ certification, students must prove that they have the necessary skills to perform in a security-based information technology career by passing the Security+ exam. 

“The exam is known to be complex and difficult and many Airmen fail and lose their designated career field,” said Airman 1st Class Seth Haddix, 81st Training Wing, Public Affairs.

Under the new program, selected re-classed students who failed to pass the exam the first time can retake the test during their first six months at their duty station. 

The program has worked out well for Senior Airman Jennica Ripoli, 21st CD communications technician at Peterson Air Force Base in Colorado.

“Missing my chance of getting my desired job in the Air Force crushed me. It felt like I wasn’t able to achieve what I worked so hard for, and I would never be able to follow the career I wanted,” said Ripoli. 

“Being able to eventually transfer over to cybersecurity after passing amazed me and made me feel like the Air Force is really trying to help me follow the right path.”

Being able to finally pass the exam and follow her dream career has been a real confidence boost for Ripoli.

She said: “This opportunity proved that I could overcome failure. I worked hard and continued to pursue the path I wanted, and I was successful.”

By switching fields, airmen who complete the Pathfinder program gain the distinction of possessing two Air Force Specialty Codes (AFSCs) instead of the usual one. 

The first airman to complete the Pathfinder program was Airman 1st Class Johnathan Garcia, 75th Communications Squadron client systems technician, Hill Air Force Base, Utah.

“I feel I am more qualified with the knowledge of two AFSCs,” Garcia said. “I have more knowledge working with the other cyber jobs on base.”

Categories: Cyber Risk News

Cyber-Flashing on UK Trains Doubles

Wed, 02/19/2020 - 15:55

British Transport Police have reported an alarming increase in the number of women being sent sexually explicit images by strangers while traveling via train.

In 2018, 34 cases of cyber-flashing offenses were reported to British Transport Police. In 2019, the number of recorded cases rose to 66, almost doubling over a one-year period. 

Cyber-flashing occurs when a sexual predator sends an unsolicited pornographic image or video to a stranger via the iPhone file-sharing function AirDrop.   

Police fear the actual figures could be vastly higher as most incidents of cyber-flashing go unreported. Reasons for this could include the fear and/or embarrassment experienced by the victim, the difficulty in identifying the offender who sent the image, and a lack of serious consequences for offenders who are caught cyber-flashing. 

AirDrop allows files to be sent anonymously, allowing offenders to harass women with impunity. All that victims receive is a preview of the image and the name of the phone being used to commit the crime. 

Despite a huge increase in the number of recorded cases of this particular crime on British trains, only one sexual predator was arrested for cyber-flashing in 2019. Although the crime creates a sickening imposition upon women who enter what should be a safe public space, police don't always take reports of this crime seriously.

Last year, a woman who reported a cyber-flashing incident that occurred while she was traveling on London's Bakerloo line was told by the British Transport Police officer that the crime was impossible to investigate. The officer belittled the victim's experience by suggesting to her that it was "just photos." 

Under current British law, cyber-flashing is not considered a sexual offense. However, it's not hard to imagine that offenders who can violate a woman's privacy through cyber-flashing, and who are not caught and punished, could go on to commit sexual offenses.   

ESET cybersecurity specialist Jake Moore said: "I recommend people set up AirDrop for contacts only to stop people you don’t know sending you unsolicited messages—or even better just turn it on when you need it."

Moore said that women could reduce their chances of receiving unwanted porn while going about their daily lives by pretending that they are not female. 

Shifting the onus onto women to take preventative actions against this unwarranted and abhorrent behavior by men, he said: "Another way of mitigating the chance of being sent an unsolicited message could be to change the name on your device to something neutral, rather than your name."

Categories: Cyber Risk News

Medical Devices Introduce Major BlueKeep Risk to Hospitals

Wed, 02/19/2020 - 12:00

Medical devices represent a major risk to healthcare organizations (HCOs), and are twice as likely as standard network devices to be vulnerable to BlueKeep, according to CyberMDX.

The security vendor’s 2020 Healthcare Security Vision Report claimed that almost a third (30%) of US HCOs have experienced a cyber-attack in the past 12 months.

Connected devices are an increasing source of risk, as many are left unpatched and unmanaged, the report claimed. For example, 55% of imaging devices run unpatched or outdated Windows versions, which could leave them vulnerable to BlueKeep.

BlueKeep is a remote code execution (RCE) flaw in Windows Remote Desktop Services (RDS) that could enable an attacker to take complete control of a machine, spread malware or launch info-stealing attacks. It affects Windows XP through Windows 7 and Windows Server 2003 through Server 2008 R2, and it could spread without user interaction, much as the EternalBlue exploit enabled WannaCry to do so much damage to the NHS.

CyberMDX uncovered a range of security issues among HCOs, claiming that 11% don’t patch devices at all, and that a typical hospital will have patched only 40% or fewer vulnerable devices four months after a bug disclosure.

There’s more: a quarter (25%) don’t possess a full inventory of connected devices, while a further 13% admit theirs is unreliable. A third (34%) say they don’t identify, profile or continuously monitor medical devices, and a further 21% do this manually, which is not sustainable given the explosion in such endpoints.

It’s perhaps no surprise that the average hospital has lost track of 30% of its devices, according to the report.

The challenges extend to staff cybersecurity training and awareness: 23% of respondents said they have no such program in place and 17% claimed they do but it hasn’t launched yet.

Over a third (36%) still lack a formal BYOD policy.

According to IBM’s latest Cost of a Data Breach report, HCOs suffered the highest cost of a breach – nearly $6.5m on average – for the ninth year in a row in 2019. CyberMDX also claimed that at least 10 hospitals had to turn away patients last year due to ransomware attacks.

Categories: Cyber Risk News

US Gas Pipeline Shut After Ransomware Attack

Wed, 02/19/2020 - 10:30

A US natural gas facility was forced to shut down operations for two days after becoming infected with commodity ransomware, the Department of Homeland Security (DHS) has revealed.

The unnamed “natural gas compression” plant was first targeted with a spear-phishing email, allowing the attacker to access its IT and then pivot to its OT network, according to the technical alert from the DHS’s Cybersecurity and Infrastructure Security Agency (CISA).

The ransomware used was not named, but described as a “commodity” type designed to infect Windows systems, rather than the new strain spotted recently that had ICS-specific functions.

As such, it didn’t manage to impact any of the programmable logic controllers (PLCs) responsible for directly reading and manipulating physical processes. Still, the ransomware was able to compromise human machine interfaces (HMIs), data historians and polling servers on the OT network.

The victim organization was ill-prepared for such an attack: a worrying sign that some critical infrastructure providers still haven’t evolved their threat modelling to take account of modern black hat techniques.

Specifically, the organization failed to implement robust segmentation between IT and OT networks, allowing the attacker to infect both. It also did not build cyber-risk into its emergency response plan, focusing solely on threats to physical safety.

“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyber-attacks,” the CISA alert noted.

“The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”

CISA urged critical infrastructure organizations to: add cyber-risk planning to their incident response strategies, practice failover to alternate control systems, use tabletop exercises to train employees, identify technical and human points of failure for operational visibility and recognize the safety implications of cyber-attacks, among other steps.

Among the technical security controls it recommended were network segmentation, multi-factor authentication, regular data backups, least-privilege access policies, anti-phishing filters, AV, whitelisting, traffic filtering and regular patching.

Categories: Cyber Risk News

AdSense Extortionists Threaten to Trigger Google Fraud Alarms

Wed, 02/19/2020 - 09:50

Security experts are warning of a new extortion email campaign threatening to bombard websites using AdSense with fake traffic, thereby triggering Google’s anti-fraud systems.

A website owner wrote to journalist and researcher Brian Krebs claiming to have received just such a threat. The extortionists demanded $5000 in Bitcoin, or else they would bombard the site with bot-driven traffic.

This in turn, they claimed, would set off alarm bells with Google and force the tech giant to suspend the web owner’s AdSense account, depriving him of valuable advertising revenue.

“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended,” the email reportedly argued.

“It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to a second AdSense ban that could be permanent.”

Google itself claimed such threats are rare, and in any case it has the tools to detect and prevent sabotage like this from succeeding.

It urged any web owners that have been the subject of such threats to fill in an online form, and/or to visit its help page on sabotage.

Jake Moore, cybersecurity specialist at ESET, urged users to treat these extortionists as they should ransomware authors, by refusing to engage.

“I would firmly advise people not to pay any extortionists as there is no guarantee that this will stop the traffic. If anything, these criminals will likely place your name on their suckers list, and possibly come back with higher payment demands,” he added.

“This should be reported to the police, and I suggest you do not communicate with these attackers.”  

Categories: Cyber Risk News

Intentional Malicious Insider Breaches Increased Between 2019 and 2020

Wed, 02/19/2020 - 09:05

The concern about intentional data breaches has increased year-on-year, with 75% of IT leaders believing that employees have put data at risk intentionally.

According to research by Egress of 528 CSOs and IT leaders, 97% of respondents said “insider breach risk” is a significant concern. Of those surveyed, 78% said that employees have put data at risk accidentally, while 75% believed employees have put data at risk intentionally. This is a rise of 14% since last year’s research.

Chief marketing officer Tim Pickard said he was not surprised that 97% of CISOs and IT leaders would be concerned, adding that too many companies are relying on employees to report breaches.

Egress CEO Tony Pepper added that the “severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider data breaches.”

Of those employees that have accidentally leaked data, 41% said it was due to a phishing message, 31% said that this was due to information being sent to the wrong recipient and 29% said that they or a colleague had intentionally shared data against company policy in the last year.

Looking at the causes of an intentional breach, 32% of those polled said that this was due to employees sharing data to personal systems, while 22% blamed employees leaking data to a contractor and 21% said that employees share data directly to cyber-criminals. Also, 18% said that employees take data to a new job, with only 4% saying that they “don’t have malicious insider breaches.”

Speaking to Infosecurity at the launch of the research, Pickard said that, from a point of view of intentionally leaking data, “there is a general awareness around the potential risks that exist from employees, and it doesn’t have to be malicious to be intentional, it could be mis-guided by someone trying to get their job done and putting data at risk.

“There are a number of elements at play, as none of us see the work environment getting any easier and there will be increased pressure at work for most people,” Pickard argued. “People have access to all sorts of technologies that IT leaders would rather they did not have, and cloud is a great thing, but it makes available some powerful technologies to people for a very small amount of money.”

Speaking to Infosecurity, Panaseer CEO Nik Whitfield cited the case of Sergey Aleynikov who was charged with stealing code from Goldman Sachs and giving it to his next employer. “There are different types of insider: some help themselves while some do it maliciously – but to them it is normal behavior,” he said. “Malicious insiders are also being placed by cyber-criminals and getting jobs in companies to steal information or to do corporate espionage.”

Categories: Cyber Risk News

US Teen Arrested Over Alleged Swatting and Cyberstalking

Tue, 02/18/2020 - 17:33

A 19-year-old American man has been arrested for allegedly engaging in a six-year cybercrime wave that involved swatting, computer fraud, and the stalking of multiple victims, including a New York schoolgirl.

Tristan Rowe was arrested on February 12 after allegedly threatening to kill one victim and bomb their school. Cops say he sent multiple disturbing messages to the victim, including one depicting a knife accompanied by the words "you don't deserve to live."

Another chilling message allegedly sent by Rowe showed a detailed map from Tennessee to a victim's home address in the Bronx, New York. 

Rowe, who refers to himself as Angus, is alleged to have engaged in a persistent online stalking and harassment campaign against one particular victim. Police say he hacked online accounts belonging to the victim and to members of their family and even hacked into the computer systems of the victim's former high school to interfere with the grading system.

Tennessee resident Rowe is further accused of orchestrating multiple incidents of swatting, sending armed police to respond to false reports of an emergency at a victim's residence.  

One such incident, brought about by 19-year-old Ohio gamer Tyler Barriss, resulted in the death of Kansas father 28-year-old Andrew Finch, who was shot and killed by a member of the responding SWAT team in 2017. Rowe allegedly used this potentially fatal tactic not only to terrorize his intended victim, but also to stage swatting incidents at the homes of the victim's friends and family. 

In a message that demonstrated he was fully aware of the danger to life caused by swatting, Rowe allegedly told the victim, "Your choice u can wind up dead cause the armoured cops will come raid u."

Cops say that evidence obtained from Rowe's computer indicates that he conducted a number of computer intrusions of government and private-sector websites. They say Rowe was planning to compromise, or had already compromised, an inmate tracking website used by federal and local law enforcement, a police department website, the website of a hospital in New York, and a website for a state Department of Motor Vehicles. 

Rowe has been charged with one count of cyberstalking and one count of unauthorized access to a computer. He faces a ten-year custodial sentence if convicted on both counts.

Categories: Cyber Risk News

Indian Arrested Over Sale of Illegal Drugs Disguised as Sex Aids on Dark Web

Tue, 02/18/2020 - 16:16

India has made its first arrest of an alleged dark web narcotics vendor. 

Recent Amity University graduate Dipu Singh was taken into custody in Alambagh, Lucknow, on February 9 by India’s Narcotics Control Bureau (NCB). The 21-year-old is accused of selling psychotropic drugs disguised as erectile dysfunction remedies on dark web marketplaces in exchange for cryptocurrency.

Singh, whom the NCB described as "a major player on the dark net," allegedly sold illegal drugs to clients in several European countries, including Romania and Spain, and to customers in the UK and the US. 

The illegal pills were mostly sold through dark web sites Majestic Garden and Empire Market, then shipped via global post offices and international courier services. The NCB suspects Singh also made sales via WhatsApp.

"Singh had mastered the technique to disguise the identity while making a shipment. It was learnt that the said parcel was devoid of KYC details," said deputy director general of operations at the NCB, Rajesh Nandan Srivastava.

In three seizures, NCB’s Mumbai Zonal Unit recovered 33,000 Tramadol and Zolpidem tablets, which they claim can be linked to Singh’s alleged drug dealing operation. Another 22,000 tablets were seized by the Delhi team.

A total of 55,000 psychotropic tablets, which include tramadol, zolpidem, and alprazolam, were seized as part of a two-month-long operation into Singh's alleged activities. 

Singh gained a bachelor’s degree in Hotel Management last year. To help fund his studies, Singh accepted a part-time job at a legitimate internet pharmacy in 2018. There he earned a commission from the sale of fitness supplements and erectile dysfunction medicines, but the NCB alleges that the then student was lured over to the dark side by the promise of more money.

An NCB spokesperson said Singh "further learnt that the major profit is in the sale of controlled psychotropic medicines."

Singh allegedly worked with an associate, who took orders for the drugs and shared details of where to deliver each package. After using couriers to collect the drugs from various cities in India, Singh is accused of sending them out to his customers packaged as erectile dysfunction medicine.

If convicted, Singh is likely to face a stiff sentence.

Categories: Cyber Risk News

Dell in Talks to Sell RSA Cybersecurity Firm

Tue, 02/18/2020 - 15:02

Dell is said to be finalizing a $2bn deal to sell its RSA cybersecurity company to a private equity firm, according to the Wall Street Journal.

Citing sources “familiar with the matter,” the Journal reported Monday that a deal concerning the sale of RSA Security LLC could be finalized as early as today between Dell Technologies Inc. and STG Partners LLC.

Multiple award-winning security company RSA is best known for its software tokens, which generate random codes to enable access to corporate networks. According to its website, the firm has 30,000 customers around the globe. 

RSA Security was founded as an independent company in 1982 and was acquired by EMC Corporation in 2006 for $2.1bn. Dell acquired RSA a decade later with the purchase of EMC.

Reports that Dell was considering divesting the security company were first shared back in November 2019 by Bloomberg. Back then, RSA Security was expected to fetch at least $1bn, including debt.  

A month later, PE Hub reported that Morgan Stanley had been engaged by Dell to complete the sale of RSA in a deal estimated at the time to be worth $3bn.  

News of the possible finalization of the transaction comes one week before RSA's annual conference is due to take place in San Francisco. The conference hit the headlines last week when major sponsor IBM Corporation withdrew its support from the event, citing concerns over the spread of the coronavirus. 

If given the green light, the RSA deal will be the latest in a string of acquisitions of cybersecurity companies by private equity firms. In January, Insight Partners shelled out $5bn to acquire Swiss cloud data management company Veeam Software Inc and set aside a further $1.1bn in an agreement to acquire Armis Inc. 

Then, earlier this month, news broke that PE firm Advent International and Crosspoint Capital Partners would be acquiring Forescout Technologies Inc for $1.9bn.

Currently Dell has two different endpoint security products. The computer manufacturer bought a controlling stake in Secureworks in 2011 and through its acquisition of EMC, the company owns 81% of VMware, which last year bought Carbon Black for $2.1bn.

Categories: Cyber Risk News

Two-Thirds of CISOs Struggling with Skills Shortages

Tue, 02/18/2020 - 12:01

Two-thirds (66%) of global CISOs say they are struggling to recruit the right talent and a similar number believe shortages will only get worse, according to a new study from Marlin Hawk.

The global executive recruiter surveyed 500 cybersecurity leaders working in businesses with 500 or more employees across the US, Europe and APAC, to compile its report, Global Snapshot: The CISO in 2020.

It found CISOs in APAC are encountering most difficulties with recruitment: 91% of respondents there said it was hard to find the right talent, versus 61% in the UK and 54% in the US. Globally, the main challenges revolved around candidates lacking the right technical knowledge (34%), the right experience (30%) and being the right culture fit (10%).

Although 73% of respondents are under 45 years old, there may be long-term trouble ahead for many companies. The average tenure as CISO is four years globally, and 85% of respondents said they are actively looking for a new role or would consider one if approached.

The report warned in particular of a “brain drain” from the public sector, where over a quarter of respondents are actively pursuing new roles. Over half (52%) said they wanted a new challenge whilst 37% pointed to better compensation.

A further 62% of CISOs think the global cybersecurity talent shortage will get worse over the next five years.

This chimes with data from other sources, including the (ISC)2, whose most recent study reported a global shortfall in security professionals in excess of four million. This included 561,000 in North America and a 2.6 million shortfall in APAC, while the shortage in Europe rose by over 100% from the previous year to 291,000.

Ron Green, CSO at Mastercard, argued that the right technology could help to alleviate skills challenges.  

“Machine learning and automation are going to be really helpful to current and future CISOs,” he said.

“Businesses are still going to need smart humans on security but already the humans that are in our security operations centers are being overwhelmed with things they have to monitor and you can't simply keep putting in more people because there aren't enough.”

Categories: Cyber Risk News

Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites

Tue, 02/18/2020 - 11:00

Security researchers are warning of a new plugin vulnerability which is exposing over 200,000 WordPress sites to the risk of being remotely wiped by an attacker.

The problem lies with versions 1.3.4 through 1.6.1 of the ThemeGrill Demo Importer plugin, according to WebARX.

The firm said that the bug could allow any unauthenticated user to wipe the entire database to its default state and then log in as administrator.

“The prerequisite is that there must be a theme installed and activated that was published by ThemeGrill. In order to be automatically logged in as an administrator, there must be a user called ‘admin’ in the database. Regardless of this condition, the database will still be wiped to its default state,” the firm explained.

“Based on the SVN commit history, this issue has existed in the code for roughly three years, since version 1.3.4.”

WebARX warned that the vulnerability is particularly dangerous as it doesn’t require a suspicious-looking payload to exploit. For that reason, firewalls are not likely to block attacks by default and security admins would need to create a special rule for them to do so.

ThemeGrill is a popular provider of WordPress themes which users can deploy to customize their websites. The plugin in question can be used to demo content, widgets and theme settings quickly and easily.

The vulnerability is the second in the space of a month which could allow attackers to effectively wipe targeted WordPress sites.

Back in January, Wordfence warned of critical flaw CVE-2020-7048 which affects the WP Database Reset plugin that has been installed over 80,000 times.

“Without proper security controls in place, the WP Database Reset plugin contained a serious flaw that allowed any unauthenticated user the ability to reset any table in the database,” the firm explained. “This reset would result in a complete loss of data availability. An attacker could send a simple request and a site would be completely reset to the WordPress standard defaults.”
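The two plugin bugs above, in ThemeGrill Demo Importer and in WP Database Reset, are the same class of defect: a destructive database action reachable by any unauthenticated visitor. The PHP below is an added illustration and is not code from either plugin, from WebARX or from Wordfence; it shows that pattern beside a hardened form that uses WordPress core's own hooks and checks. The core hook and function names (admin_init, admin_post_*, current_user_can, check_admin_referer, wp_die) are real; the plugin function names, the demo_reset parameter, the nonce action and the table being truncated are hypothetical.

```php
<?php
/**
 * Illustrative only: NOT ThemeGrill's or WP Database Reset's code.
 * Shows the vulnerability class both plugins fell into (a destructive
 * action reachable without authentication or authorization) beside a
 * hardened version. Hook names come from WordPress core; the query
 * parameter, nonce action, option and table names are hypothetical.
 */

// --- Vulnerable pattern -------------------------------------------------
// 'admin_init' fires on every /wp-admin/ request, including admin-ajax.php,
// which WordPress serves to logged-out visitors too. Gating a reset on
// nothing but a request parameter therefore exposes it to anyone on the
// internet, and the triggering GET carries nothing a signature-based
// firewall would recognise as a payload.
add_action( 'admin_init', 'demo_importer_reset_vulnerable' );
function demo_importer_reset_vulnerable() {
    if ( isset( $_GET['demo_reset'] ) ) {          // hypothetical parameter
        demo_importer_reset_database();            // no auth, no capability, no nonce
    }
}

// --- Hardened pattern ---------------------------------------------------
// 'admin_post_{action}' only fires from admin-post.php for logged-in users;
// logged-out requests go to 'admin_post_nopriv_{action}', which we never hook.
add_action( 'admin_post_demo_reset', 'demo_importer_reset_hardened' );
function demo_importer_reset_hardened() {
    // 1. Authentication and authorization: only site administrators.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Anti-CSRF nonce tied to this specific action (dies on failure).
    check_admin_referer( 'demo_importer_reset' );
    // 3. Destructive operations only over POST, never via a linkable GET.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed.', 405 );
    }
    // 4. Explicit typed confirmation so a stray form post cannot wipe the site.
    if ( empty( $_POST['confirm'] ) || 'RESET' !== $_POST['confirm'] ) {
        wp_die( 'Confirmation required.', 400 );
    }
    demo_importer_reset_database();
    wp_safe_redirect( admin_url( 'themes.php?demo_reset=done' ) );
    exit;
}

// Hypothetical reset routine: clears the plugin's own state only.
// A real importer would touch far more, which is exactly why the checks above matter.
function demo_importer_reset_database() {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_importer_log';               // hypothetical table
    $wpdb->query( "TRUNCATE TABLE `{$table}`" );
    delete_option( 'demo_importer_state' );                      // hypothetical option
}
```

The fix the hardened version applies is authorization, not input validation: as WebARX notes, the triggering request looks benign, so a firewall rule can only be written once the exact parameter is known, whereas a capability check plus a nonce closes the hole regardless of how the request is shaped. Because admin-ajax.php is reachable without logging in, hooking 'admin_init' is never an authentication boundary on its own.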

Categories: Cyber Risk News

Iranian Hackers Backdoored VPNs Via One-Day Bugs

Tue, 02/18/2020 - 10:12

Security researchers have joined the dots on a long-running Iranian cyber-espionage campaign that exploited unpatched bugs in VPN and RDP services to infiltrate target organizations globally.

Building on previous research from Dragos, which named the campaign “Parasite” and attributed it to the state-backed APT33 group, ClearSky has gone further with more details.

Its new report claimed the three-year-long campaign “Fox Kitten” is most likely the product of APT33 (Elfin), APT34 (OilRig) and APT39 (Chafer).

Dozens of companies working across IT, telecoms, oil and gas, aviation and defense industries were affected by the campaign, which is said to have been focused on reconnaissance and planting backdoors to create a “long-lasting foothold” in the target companies.

The initial incursion into these organizations was achieved by exploiting one-day vulnerabilities in VPN services, such as those offered by Pulse Secure, Fortinet and Palo Alto Networks’ Global Protect.

The Pulse Secure vulnerability is also thought to have been exploited by ransomware attackers to compromise Travelex, among other victims.

“Upon gaining a foothold at the target, the attackers tried to maintain the access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets,” the report noted.

“At the final stage, after successfully infiltrating the organization, the attackers have performed a routine process of identification, examination and filtering of sensitive, valuable information from every targeted organization. The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks.”

The groups used a combination of open source tools, such as JuicyPotato and Invoke-TheHash, and custom malware, including the open-port mapping tool STSRCheck and POWSSHNET, a backdoor that tunnels RDP over SSH.

Although the purpose of the operation appears to be reconnaissance, there’s a concern that the same attack infrastructure could be used in the future to spread destructive malware like ZeroCleare and Dustman, which have previously been linked to APT34.

Categories: Cyber Risk News

Six-Year-Old Brits Suspects in Sexting Offenses

Mon, 02/17/2020 - 18:40
Six-Year-Old Brits Suspects in Sexting Offenses

British police have been investigating children as young as six over their involvement in sexting offenses. 

Figures released by London's Metropolitan Police Service reveal that between January 2017 and August 2019, a total of 353 children aged from six to thirteen were investigated in relation to sending and receiving sexual images. 

Sexting investigations involving children under age 14 have increased dramatically since figures began to be recorded two and a half years ago. In 2017, 92 under-14s were investigated. In 2018, the figure rose to 151, and in the first six months of last year, 110 under-14s were recorded as sexting suspects.

The true figures could be far higher, said the Met, which is not seeking to prosecute children, but to raise awareness among kids and their parents about the law. 

"We do not want to criminalize young people unnecessarily—we want to educate them so that they can be better informed about the legal position and mindful about the potential pitfalls of an activity many of them might regard as nothing out of the ordinary," said Detective Superintendent Zena Marshall.

The Met said that many youngsters had no idea that taking, sharing, or possessing sexually explicit pictures of children under age 18 was a crime. Others said that images of them had been distributed without their consent. 

"We know that many young people do not realize that creating or sharing explicit images of an under-18 is against the law, even if the persons doing it are children themselves, and as police we have a duty to record allegations concerning sexting when they are reported to us," said Marshall.

"Someone could be classed as a victim, witness or suspect, depending on the circumstances."

Scotland Yard—the Met's London headquarters—said that the force received sexting reports involving children from a number of sources, including parents, schools, youth clubs, local authorities, and the children themselves. 

A report published by the Internet Watch Foundation (IWF) last month found that a third of child sex abuse images online are originally posted by the children themselves in the hopes of winning social approval.

The Met said that the exchange of sexually explicit images amongst teenagers was now a "societal norm," and that online indecent image offenses as a whole had risen by 130 percent since 2016.

Categories: Cyber Risk News

Personal Data of 144K Canadians Breached by Federal Government

Mon, 02/17/2020 - 17:49
Personal Data of 144K Canadians Breached by Federal Government

New figures tabled in Canada's House of Commons have revealed that at least 144,000 Canadians have had their personal information mishandled by federal departments and agencies over the past two years. 

The figures were part of an 800-page document written in response to an Order Paper question filed last month by Conservative MP Dean Allison. No information as to how the data came to be mishandled was included in the federal government's lengthy answer.

In total, 7,992 breaches were found to have occurred at 10 different agencies and departments. The errors range in severity from minor infractions to serious data breaches that resulted in the exposure of sensitive personal information. 

The Canada Revenue Agency (CRA) was the worst offender, with 3,020 breaches affecting 60,000 Canadians recorded between January 1, 2018, and December 10, 2019. 

A spokesperson for the CRA, Etienne Biram, said: "Two-thirds of the total individuals affected were as a result of three unfortunate but isolated incidents."

One of those three major incidents occurred when some CRA employees were accidentally given access to a hard drive containing personal information belonging to 11,780 individuals in January 2019. 

Biram said that no evidence had been uncovered that indicated the files had actually been accessed by any unauthorized personnel. 

Over the same time period, 122 breaches affecting 24,000 people were reported by Health Canada. In one breach, a government employee received an email containing personal information.

Health Canada spokesperson Tammy Jarbeau said: "The majority of the reported breaches were the result of human error and did not release sensitive personal information."

The figure of 144,000 tabled in the House was based on estimates, meaning the real number of breaches could be higher. Not all the departments were able to state with accuracy how many people were affected by individual breaches or how many breach victims were contacted after a particular breach had occurred. 

Under current law, federal departments are only obliged to notify individuals in the event of a breach affecting large numbers of people or in the event of "material" breaches, in which sensitive personal information that could reasonably be expected to cause serious injury or harm to an individual is exposed.

Categories: Cyber Risk News

New York Post Reporter Investigated Over Leaks

Mon, 02/17/2020 - 17:03
New York Post Reporter Investigated Over Leaks

New York cops, on the hunt for a source of leaked police photographs, have subpoenaed the Twitter account of a journalist at the New York Post.

The New York Police Department (NYPD) sought access to the Twitter data of New York Post police bureau chief Tina Moore after the reporter displayed an almost uncanny knack for sniffing out photos of the latest scoops.

In a subpoena dated December 9, police demanded that Twitter turn over information connected to the account @tinamoorereport from October 9 to October 14, 2019. 

Around that period, Moore tweeted a series of gory crime scene photos depicting a massacre in a Harlem gambling den that left three dead and four injured. 

Twitter was ordered to give the police access to all email accounts, servers, and internet protocol addresses associated with Moore's social media account, along with info on any connected devices.

Strangely, the Patriot Act—a post-9/11 anti-terrorism piece of legislation—was cited as a reason for Twitter to comply with the request.

Police told Twitter not to inform anyone about the subpoena for 90 days after its date of issue. Disclosing its existence could, they said, impede the course of any investigation.  

Twitter appears to have ignored this advice, however, as the subpoena ended up in the hands of the New York Post, which published the document in full on its website on Thursday, February 13. 

The NYPD withdrew the subpoena on Wednesday after lawyers from the Post contacted the department.

"We are conducting an investigation to identify the person who leaked crime scene photos," said the NYPD in a statement. 

"Tina Moore was never the focus of our investigation."

The wording of the subpoena implied that the police were more interested in obtaining information about the devices that Moore used to connect to Twitter than in discovering information regarding the account itself. 

News that Moore's records had been the subject of a subpoena came just days after the NYPD placed two officers on modified duty for allegedly leaking video of a dramatic shooting incident that took place inside a Bronx station house.

Categories: Cyber Risk News

PhotoSquared: App Leaks Data on Thousands of Users

Mon, 02/17/2020 - 11:30
PhotoSquared: App Leaks Data on Thousands of Users

A popular photo app has leaked the personal data and images of thousands of customers via an unsecured Amazon Web Services (AWS) storage bucket, it has emerged.

Researchers at vpnMentor discovered that the misconfigured S3 bucket, which was left without any password protection, belonged to PhotoSquared, a company which creates printed photo boards for users who send in their digital images.

They found a 94.7GB trove containing over 10,000 records dating from November 2016 to January 2020. The data included user photos, order records and receipts and shipping labels.

As such, a hacker with access to the database could harvest full names and home delivery addresses from customers.

This doesn’t just present a reputational risk for PhotoSquared, which vpnMentor notes is operating in a crowded marketplace, and possible compliance fines, but a serious security risk for its customers.

This could include follow-on phishing and identity fraud as well as potential physical attacks.

“By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes,” argued vpnMentor.

“Meanwhile, PhotoSquared customers could also be targeted for online theft and fraud. Hackers and thieves could use their photos and home addresses to identify them on social media and find their email addresses, or any more Personally Identifiable Information (PII) to use fraudulently.”

Discovered by a simple port scanning exercise, the leak was eventually fixed by PhotoSquared on February 14, 10 days after the firm was contacted by the researchers.

The app has over 100,000 installs on Google Play.

PhotoSquared joins multiple other brands that vpnMentor has found to have leaked data in a similar way, including Yves Rocher, Freedom Mobile and LightInTheBox.

Categories: Cyber Risk News

IBM Confirms #RSAC Withdrawal Over Coronavirus Fears

Mon, 02/17/2020 - 10:55
IBM Confirms #RSAC Withdrawal Over Coronavirus Fears

IBM has confirmed that it plans to not participate in next week’s RSA Conference in San Francisco.

Citing the “health of IBMers” as its primary concern, the company said it is continuing to monitor upcoming events and travel relative to Novel Coronavirus (COVID-19) and as part of that, “we are cancelling our participation in this year’s RSA conference.”

In a statement, RSA Conference said that “we understand and respect their decision” and that “RSA Conference is still planning to proceed as scheduled.” It has also confirmed that eight exhibitors have canceled their participation, six of whom are from China. Also, the number of individuals, including those from IBM, who have canceled their registration is approximately 0.79% of the total number of expected attendees.

In an update released last week, RSA Conference said that approximately 83% of its current registered attendees are from the US, as are 82% of the exhibiting organizations.

To deal with concerns, it has added several new health and safety measures for the event including: disinfecting registration counters and floors continuously throughout the event, offering disinfectant wipes at all check-in counters, in each session room for the speaker computers and microphones and adding hand sanitization stations and disinfectant wipes near each touch screen interactive campus map and wayfinding station.

The news follows the cancelation of a March Facebook conference, due to also be held at San Francisco’s Moscone Center, due to fears over the virus.

Meanwhile, Mobile World Congress, which was due to take place next week in Barcelona, has also been canceled after exhibitors including BT, Facebook, LG, Nokia, Sony and Vodafone pulled out of the annual event.

Categories: Cyber Risk News

UK Anti-Doping Agency Deflects 11,000+ Malicious Emails in Q4

Mon, 02/17/2020 - 10:30
UK Anti-Doping Agency Deflects 11,000+ Malicious Emails in Q4

The UK’s anti-doping agency has been on the receiving end of over 11,000 malicious emails in the final three months of 2019, according to new Freedom of Information (FOI) data.

Think tank Parliament Street collected the FOI evidence from UK Anti-Doping (UKAD) and found the agency had been bombarded by 11,148 spam and malicious emails in Q4 last year.

Over a fifth (21%) were phishing emails, while the number of messages containing malware rose from just four in October to 41 in December, totalling 52 for the entire quarter.

Fortunately, UKAD believes none of the attempts were successful, although it would certainly be on the radar of state-sponsored attackers.

Russian hackers from the infamous Fancy Bear group (aka APT28, Sofacy) that hacked Democratic Party officials ahead of the 2016 US Presidential election were named by the UK’s National Cyber Security Centre (NCSC) as being behind attacks on UKAD’s global equivalent, WADA.

They were looking for internal data to damage the agency’s reputation for fairness after it banned Russian athletes from competing globally as punishment for a major doping operation orchestrated by the Kremlin.

Those hackers were apparently at it again when Russian athletes received a new four-year ban, which will cover the 2020 Olympics and 2022 FIFA World Cup.

“These figures are a reminder of the cybersecurity hurdles faced by athletics and sports organizations tasked with managing the confidential data of high-profile individuals. Many of these agencies require staff members to travel regularly, meaning mobile devices like laptops and tablets are a top target for hackers and opportunistic thieves,” explained Absolute Software VP Andy Harcup, of the FOI data.

“Addressing this problem requires all organizations to embrace a resilience-first approach to cybersecurity. This means making critical apps self-healing and gathering insights to remedy end-point vulnerabilities, so that hackers are kept locked out. Additionally, having the ability to track, freeze and wipe lost devices will guarantee that lost or stolen devices containing highly confidential data are protected at all times, in all circumstances.”

Categories: Cyber Risk News

Cyber-Attack Takes Down Redcar Council Services

Mon, 02/17/2020 - 09:35
Cyber-Attack Takes Down Redcar Council Services

A local authority in the north-east of England appears to have suffered a major ransomware attack, leaving online public services down for 135,000 locals for over a week.

At the time of writing, the website of Redcar & Cleveland Borough Council was still down.

An update on the council’s official Twitter account as of February 13 said: “We are still experiencing issues with our IT systems, which means we are working with a reduced capacity. We are able to receive and answer limited calls and emails and we will be prioritizing urgent messages.”

According to reports, the council’s IT systems were attacked at 11am the previous Saturday, with external cybersecurity experts including those from the National Cyber Security Centre (NCSC) drafted in to help.

Although the council refuses to publicly specify whether it was a ransomware raid or not, the attack has all the hallmarks.

Council leader Mary Lanigan told the BBC that systems had been taken offline and are “being rebuilt.”

“We have a massive team here — including cybersecurity experts — working around the clock flat out to get it fixed,” she added.

“They have to go through [IT systems] bit by bit to make sure everything is clean. A lot of our staff are not able to work without computers but they are coping quite well here. The main problem is that we have no email systems. So we have extra phone lines for residents.”

The council is using its social media pages to update residents with phone numbers to call if they need to book appointments, make payments and more.

Council tax payments are apparently unaffected, but online bookings for appointments, social care systems, council housing complaints and other services have been knocked offline.

In response to one concerned resident’s tweet, the council claimed that “as it stands, we have no evidence so far of any data being lost.”

UK councils will be hoping Redcar isn’t the first salvo in a new onslaught by cyber-criminals that has already seen municipalities across the US suffer a barrage of outages.

Mimecast head of e-crime, Carl Wearn, argued that an attitude of “it will always happen to someone else, not us” can’t be allowed to persist.

“Ransomware continues to be the preferred attack method for threat actors due to the monetary gains available if successful,” he added. “It should be considered a key threat across all regions, not just in the UK, as criminals seek to exploit the perceived success of this form of cyber-attack before significant regulatory and industry-based resilience measures render this attack more difficult to carry out.”

Categories: Cyber Risk News