Info Security


Chinese Software Engineer Accused of US IP Theft

3 hours 20 min ago

A Chinese software engineer is still on the run after being accused of stealing intellectual property for his new employer.

Xudong (“William”) Yao, 57, worked at a Chicago-based manufacturer of equipment for train engines from August 2014, according to a December 2017 indictment unsealed last week.

Yet after just two weeks in his role, Yao had downloaded 3000 files containing proprietary and trade secret information relating to the system that operates the manufacturer’s locomotives, the Department of Justice (DoJ) claimed.

Other information, including technical documents and source code, was also downloaded by Yao over the next six months. At the same time, he apparently reached out to and accepted a place at a Chinese firm that provides automotive telematics service systems.

After Yao’s employment was terminated for unrelated reasons in February 2015, he made copies of all the stolen trade secret info and traveled home to China to start his employment at the company there.

Flying from Chicago O’Hare airport in November that year, he is alleged to have had in his possession the stolen trade secrets, including nine copies of control system source code and system specs explaining how the code worked, according to the indictment.

Yao faces a maximum of 10 years behind bars if found guilty of the nine counts of theft of trade secrets. But it’s unlikely he will be caught, unless he makes the mistake of setting foot back in the US or an allied country.

China has long been considered a prodigious stealer of intellectual property, whether it’s state-backed cyber-espionage designed to give domestic companies an advantage, or the behavior of individuals looking to abuse their insider positions at Western companies.

In June, a Chinese engineer was found guilty of conspiring to illegally export US semiconductors with military applications back home.

Categories: Cyber Risk News

Japanese Exchange Bitpoint Hit By $32m Cyber-Attack

4 hours 14 min ago

Japan-based cryptocurrency exchange Bitpoint has become the latest to lose tens of millions of dollars in a cyber-attack.

The firm said it was forced on Friday to stop all services — including withdrawals, deposits, payments, and new account openings — while it investigated the incident. It has also notified the relevant authorities in Japan.

Hackers managed to steal funds not only from the firm’s hot wallets, but also its offline cold wallets. After first detecting an error in Ripple remittances, Bitpoint said it realized it had been the victim of a cyber-attack. It then took another three hours before the firm realized the attack had also compromised funds stored in Bitcoin, Bitcoin Cash, Litecoin, and Ethereum.

A total of around 3.5 billion yen ($32 million) had been stolen, most of which ($23m) was customer-owned funds. The remainder belonged to Bitpoint, but it’s not clear at this stage whether the firm is planning to reimburse its customers.

The firm is the latest in a long line of cryptocurrency exchanges to come under the scrutiny of cyber-criminals. Last year, two Japanese exchanges were hit: Zaif lost 6.7bn yen ($60m) after hackers stole it from a hot wallet, while Coincheck lost 500m NEM tokens worth $530m at the time.

Just last month, Singaporean cryptocurrency exchange Bitrue was estimated to have lost around $4.5m in funds after hackers breached a hot wallet and moved the funds to other exchanges. A month earlier, hackers stole in the region of $41m from Binance in a single hot wallet transaction.

In most incidents, at least the majority of stolen money is returned to customers.

Last month, Europol convened a meeting of cryptocurrency experts at its HQ in the Hague in a bid to share best practice and build partnerships to improve policing of digital crimes.

Categories: Cyber Risk News

Facebook Set For Record $5bn FTC Fine

5 hours 9 min ago

Facebook is reportedly set to be handed a record $5bn fine by a US regulator over privacy violations leading to the Cambridge Analytica scandal.

The Federal Trade Commission (FTC) is said to have made the decision following an investigation begun in March last year after sensational reports emerged of improper use of users’ personal data.

It turned out that the shadowy consultancy had managed to obtain data collected by a third-party app on 87m Facebook users and their friends and use it to profile and target wavering voters ahead of the 2016 Presidential election.

When it levied a maximum £500,000 fine under the pre-GDPR data protection regime last October, the UK’s Information Commissioner’s Office (ICO) argued that Facebook had processed user information “unfairly” by allowing developers to access this data without adequately “clear and informed consent.” It also criticized the social network for allowing developers to access the personal data of users who had not even downloaded the app but were friends of those who had.

The $5bn fine is unlikely to trouble a firm that made over $15bn in the first three months of 2019 alone, but it is believed to be the largest ever levied by the FTC against a tech firm and for privacy violations.

It is also around the amount Facebook predicted it would be fined a few months ago, according to Dan Goldstein, former attorney and owner of digital marketing agency, Page 1 Solutions.

"The real ‘teeth’ of this announcement will come not from the $5 billion settlement. Facebook is worth hundreds of billions of dollars, so this amount is practically a drop in the bucket. I am more curious about the regulations expected to accompany the terms of the settlement," he argued.

"If the financial losses don't paint a clear enough picture for the tech industry as a whole, perhaps new regulations for one of its key players will finally convince these companies to begin protecting users instead of exploiting them.”

Regulators outside the US are already coming down hard on data protection and privacy violations. Last week the ICO issued two huge fines to BA and Marriott International for cybersecurity failings that led to massive data breaches at their respective organizations.

Categories: Cyber Risk News

Attacks in Turkey Used Excel Formula Injection

Fri, 07/12/2019 - 16:41

Having tracked the activities of threat actors suspected of being involved in a large number of malicious spam attacks targeting organizations based in Turkey, Sophos researchers determined that the attackers flew under the radar using Excel formula injections to deliver the payload. 

“The threat actor predominantly targets victims based in Turkey using malspam email messages written in the Turkish language. The spam author’s grasp of Turkish grammar, among other indicators, lends credibility to the hypothesis that both the origin and targets of this campaign are in Turkey,” wrote Sophos’s Gabor Szappanos in a July 12 blog post.

Researchers suspect that the method of attack may soon extend beyond the borders of the Türkiye Cumhuriyeti. “Successful ideas eventually infiltrate the entire crimeware ecosystem, and while this may not be the most effective tool for criminals, they can still use it like any other tool in the toolbox.”

While the attack itself wasn’t highly sophisticated, it used a novel means of delivering malware: simple email messages sent with Excel attachments that carry out the attack. It is yet another example of the many ways attackers are evolving their methods to go unnoticed.

Several samples of phishing emails revealed the attackers followed the same structure in crafting the lures. “Later analysis revealed that the emails were generated by a builder that randomly selected from predefined sentence components, which explains the similarities,” Szappanos wrote.

As the email messages evolved, they grew more cryptic, which researchers suspect was the threat actor’s attempt to make the messages appear less mechanical.

During analysis, researchers found Windows programs hosted on additional servers that were also hosting the payload malware.

“These files were not downloaded by the Excel files, but they must have been placed on the servers by the threat actor. We see no reason for storing them on the servers. The executables in question turned out to be builder programs that generate both the malicious attachment files and the randomized malspam message. These tools also have SMTP mailer functionality to send out the malspam with the attachment."

Categories: Cyber Risk News

Hacked Hair Straightener Could Set a Fire

Fri, 07/12/2019 - 16:19

Security researchers have hacked hair straighteners from Glamoriser, according to Pen Test Partners. The UK firm bills itself as the maker of the “world’s first Bluetooth hair straighteners,” devices that users can link to an app so that the owner can set the heat and style settings and switch the straighteners off from within Bluetooth range. 

Researchers found it relatively easy to send malicious Bluetooth commands within range, allowing them to remotely control the hair straighteners. The researchers demonstrated that they could send one of several commands over Bluetooth, lowering the temperature to 122°F and raising it as high as 455°F – higher than paper’s burning point. An attacker could remotely alter and override the temperature of the straighteners and how long they stay on. 

“Hair straighteners can cause house fires and skin burns if not used safely. We’ve shown that we can tamper with the temperature, so even if used safely by the user, a hacker can make them less safe,” the researchers wrote.

“It would have been so easy for the manufacturer to include a pairing/bonding function to prevent this. Something as simple as a button to push to put the straighteners in pairing mode would have solved it. Instead, we now have a method to set fire to houses.”

As the straightener is a Bluetooth device, a malicious actor intending to start a fire would need to be in range in order to exploit this vulnerability. Lamar Bailey, senior director of security research at Tripwire, said, “the probability of exploration from a hacker is very low, unless you make a sibling or neighbor (if you live in an apartment) mad at you. If you have this device, remember to be nice to anyone who could be within 33 feet of you straightening your hair.”

In order to mitigate the risks of these connected devices being compromised, Ben Goodman, CISSP, senior vice president of global business and corporate development at ForgeRock, said Glamoriser must hold themselves accountable for securely establishing and maintaining the full lifecycle of IoT devices. 

“IoT projects often prioritize connectivity and data consumption and look to security and privacy as afterthoughts. IoT is here to stay and the identities of connected devices, services and users and their associated credentials must be trusted and usable across numerous connected ecosystems to prevent man-in-the-middle as well as other types of attacks.”

Categories: Cyber Risk News

Healthcare Organizations Too Confident in Cybersecurity

Fri, 07/12/2019 - 15:46

According to a survey of 100 healthcare professionals from hospitals to physician group practices, more than half of respondents are highly confident in the cybersecurity of their patient portals. 

The State of Patient Identity Management report, published by LexisNexis® Risk Solutions, revealed that healthcare organizations (HCOs) have great confidence in their cybersecurity preparedness. While confidence in their cybersecurity is high, the survey also found that most organizations are only using basic authentication methods despite the growing number of data breaches in which patient identity has been compromised. 

The survey found that 93% of HCOs rely on username and password authentication for patient portals, yet only 65% deploy multi-factor authentication. The numbers continued to dwindle when respondents were asked about additional authentication methods, according to a press release.

Only 39% of HCOs reported using knowledge-based Q&A for verification and only 38% use email verification, while as few as 13% deploy device identification.

Respondents are confident in the strength of their cybersecurity, yet 65% reported that their individual state budgets for patient identity management will not increase in 2019, according to the press release.

"There are some surprises in the results, particularly the higher than expected confidence that organizations have in regards to the security of their patient portal and telemedicine platforms given that only 65% deploy multi-factor authentication," said Erin Benson, director of market planning for LexisNexis Health Care.

"Multi-factor authentication is considered a baseline recommendation by key cybersecurity guidelines. Every access point should have several layers of defense in case one of them doesn't catch an instance of fraud. At the same time, the security framework should have low-friction options up front to maintain ease of access by legitimate users."

The report findings suggest that traditional authentication methods are insufficient, multi-factor authentication should be considered a baseline best practice and the balance between optimizing the user experience and protecting the data must be achieved in an effective cybersecurity strategy, the press release said.

Categories: Cyber Risk News

ZTE Aims to Win Over EU Lawmakers With New Lab

Fri, 07/12/2019 - 09:45

ZTE has launched a cybersecurity testing lab in Brussels in an attempt to improve transparency.

The firm’s new Cybersecurity Lab Europe is designed to alleviate lawmakers’ concerns over the security of its 5G equipment.

The lab, which joins similar facilities in Nanjing and Rome, will allow regulators to review source code and documents, and conduct black box and penetration testing.

“ZTE’s original intention of the Cybersecurity Lab Europe is to provide global customers, regulators and other stakeholders with great transparency by means of verification and communication,” said ZTE chief security officer, Zhong Hong. "The security for the ICT industry cannot be guarded by one sole vendor, or by one sole telecoms operator. ZTE is willing to play an important role in contributing to the industry's security along with its customers and all other stakeholders.”

The move can be seen in the context of escalating Sino-US tension over the potential for Chinese tech firms to introduce backdoors to new 5G networks, which could be seen as a national security risk.

Although ZTE and larger Shenzhen rival Huawei have both professed their innocence, US hawks warn that they would be powerless to resist an order from Beijing to provide access to such networks if one was issued.

While the US and Australia have banned Chinese companies from bidding for 5G network projects, the UK has yet to formally choose a provider and many European countries are more willing to use Chinese equipment to build 5G.

However, ZTE has something of a chequered past, having been found guilty of breaching a US embargo on Iran by selling equipment to the Islamic Republic containing US components, and then lying to try and cover its tracks.

After Washington responded by banning US firms from selling the firm components, it faced virtual collapse before Donald Trump decided to relax the moratorium as part of his ‘deal’ making.

The UK’s National Cyber Security Centre (NCSC) issued a damning report on ZTE last year, claiming that the national security risks of using its equipment in telecoms infrastructure “cannot be mitigated.”

Categories: Cyber Risk News

Sea Turtle DNS Hijackers Go After More Victims

Fri, 07/12/2019 - 09:15

A notorious state-sponsored cyber-espionage campaign has expanded its operations with new victims and DNS hijacking techniques, according to Cisco Talos.

The security vendor claimed in a new blog post that the actors behind the Sea Turtle attacks - first revealed in April - have not been deterred by their new-found infamy.

The campaign has mainly targeted military organizations and governments in the Middle East. Attackers obtain DNS server credentials via phishing or vulnerability exploitation, then modify the records to point users to malicious servers in classic man-in-the-middle attacks. These harvest credentials, enabling the attackers to log in to prized accounts and steal sensitive data.

The new technique in question has been spotted just twice in the wild, hitting targets in 2018.

“In this case, the actor-controlled name server and the hijacked hostnames would both resolve to the same IP address for a short period of time, typically less than 24 hours. In both observed cases, one of the hijacked hostnames would reference an email service and the threat actors would presumably harvest user credentials,” Cisco explained.

“One aspect of this technique that makes it extremely difficult to track is that the actor-controlled name servers were not used across multiple targets — meaning that every entity hijacked with this technique had its own dedicated name server hostname and its own dedicated IP address. Whereas previously reported name server domains such as ns1[.]intersecdns[.]com were used to target multiple organizations.”
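As an added example (not Cisco Talos’s own tooling), the following Python script shows how a defender could spot the pattern described above in passive-DNS style observations: a zone delegating to a name server outside the expected set, and a zone hostname resolving to that name server’s IP within a short window. The zone, name servers, addresses and timestamps are all constructed.

```python
"""Detect the Sea Turtle name-server pattern in passive-DNS style records.

Added example, not Cisco Talos tooling. It flags (1) the monitored zone
delegating to a name server outside the expected set and (2) a hostname in
that zone resolving to the same IP as the unexpected name server, which is
the technique the article quotes. Every name and address below is
constructed (.invalid TLD, documentation address ranges).
"""
from datetime import datetime, timedelta

ZONE = "example.gov.invalid"                      # constructed monitored zone
EXPECTED_NS = {"ns1.example-dns.invalid", "ns2.example-dns.invalid"}
MAIL_LABELS = {"mail", "webmail", "owa", "smtp", "imap", "exchange"}

# Constructed observations: (timestamp, name, record type, value).
OBSERVATIONS = [
    ("2018-03-01T00:00:00", ZONE, "NS", "ns1.example-dns.invalid"),
    ("2018-03-01T00:00:00", ZONE, "NS", "ns2.example-dns.invalid"),
    ("2018-03-01T00:05:00", "mail." + ZONE, "A", "198.51.100.25"),
    # Delegation briefly switches to an actor-controlled name server ...
    ("2018-03-02T09:00:00", ZONE, "NS", "ns1.rogue-dns.invalid"),
    ("2018-03-02T09:00:00", "ns1.rogue-dns.invalid", "A", "203.0.113.77"),
    # ... and the mail hostname resolves to that same IP for under a day.
    ("2018-03-02T09:10:00", "mail." + ZONE, "A", "203.0.113.77"),
    ("2018-03-02T20:00:00", "mail." + ZONE, "A", "203.0.113.77"),
    ("2018-03-03T07:00:00", ZONE, "NS", "ns1.example-dns.invalid"),
    ("2018-03-03T07:05:00", "mail." + ZONE, "A", "198.51.100.25"),
]


def _parse(records):
    """Normalise records to (datetime, lowercase name, type, lowercase value)."""
    return sorted(
        (datetime.fromisoformat(ts), name.lower().rstrip("."), rtype, value.lower().rstrip("."))
        for ts, name, rtype, value in records
    )


def unexpected_name_servers(records, zone=ZONE, expected=EXPECTED_NS):
    """Map each NS host seen for the zone that is not expected to its first sighting."""
    seen = {}
    for ts, name, rtype, value in _parse(records):
        if name == zone and rtype == "NS" and value not in expected:
            seen.setdefault(value, ts)
    return seen


def shared_ip_hijacks(records, zone=ZONE, expected=EXPECTED_NS, window=timedelta(hours=24)):
    """Zone hostnames that resolved to an unexpected name server's IP within `window`."""
    parsed = _parse(records)
    rogue_ns = unexpected_name_servers(records, zone, expected)
    # IPs each unexpected name server resolved to, with sighting times.
    ns_ips = {}
    for ts, name, rtype, value in parsed:
        if rtype == "A" and name in rogue_ns:
            ns_ips.setdefault((name, value), []).append(ts)
    findings = {}
    for ts, name, rtype, value in parsed:
        if rtype != "A" or not name.endswith("." + zone):
            continue
        for (ns, ip), ns_times in ns_ips.items():
            if value == ip and any(abs(ts - t) <= window for t in ns_times):
                f = findings.setdefault((name, ns, ip), {
                    "hostname": name, "name_server": ns, "ip": ip,
                    "first_seen": ts, "last_seen": ts,
                    # Hijacked hostnames in the reported cases referenced email services.
                    "email_facing": name.split(".")[0] in MAIL_LABELS,
                })
                f["last_seen"] = max(f["last_seen"], ts)
    return list(findings.values())


if __name__ == "__main__":
    for ns, first in unexpected_name_servers(OBSERVATIONS).items():
        print(f"{ZONE} delegated to unexpected name server {ns} at {first}")
    for f in shared_ip_hijacks(OBSERVATIONS):
        print(f"{f['hostname']} shared {f['ip']} with {f['name_server']} from "
              f"{f['first_seen']} to {f['last_seen']} (email-facing: {f['email_facing']})")
```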

Cisco Talos also observed continuing activity against the ccTLD for Greece, enabling the attackers to perform DNS hijacking against three government entities.

Although most primary target organizations are based in the Middle East, new Sea Turtle victims have been spotted in the US and Sudan. Energy companies, think tanks, NGOs and even an airport have been hit.

Categories: Cyber Risk News

Apple Disables Walkie-Talkie App Over Privacy Concerns

Fri, 07/12/2019 - 08:55

Apple has disabled a popular comms app on its watchOS after concerns were raised over users being able to eavesdrop on each other.

Available on the Apple Watch Series 1 or later with watchOS 5, the Walkie-Talkie app allows users “to get in touch with just one tap,” according to Apple.

However, the tech giant has been forced to switch the function off while it “quickly” fixes an emerging vulnerability.

“Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously,” it said in a statement. “We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.”

The function will be restored “as soon as possible,” Apple continued.

The news comes just a day after Cupertino issued a silent update for its Mac app to fix a widely reported privacy issue in conferencing service Zoom.

The vulnerability meant that any website could automatically open up a conference call on a user’s machine, switching on the webcam in the process. Even if users deleted their Zoom app, the service would keep a localhost web server running covertly on their Mac, so that if a link is clicked, the client would restart again without any user interaction.

Although Zoom finally patched the issue this week after dragging its heels for months, removing the localhost server, Apple seems to have been concerned that a large number of users may not apply the patch – potentially because they thought they’d already uninstalled Zoom.

Categories: Cyber Risk News

Kiosk Vulnerability Puts Customer Data at Risk

Thu, 07/11/2019 - 14:00

Researchers have discovered a vulnerability impacting a leading manufacturer of managed kiosks found in hotels, businesses, retail and other industries that could allow a malicious actor access to the cloud database, according to Trustwave.

Uniguest outsources secure, fully managed customer-facing technology solutions, but researchers reported that “based on the way their infrastructure is set up, it appears Uniguest actually manages the machines and not the hotel or whatever other business employs Uniguest software.”

Uniguest’s cloud database contains kiosk credentials, including admin, router, BIOS passwords and product keys for all of its customers. Armed with this information, an attacker could implant keyloggers and remote-access trojans to capture kiosk visitor activity such as printing boarding passes, hotel check-ins and online banking, according to the research.

Using a Google search, researchers discovered the publicly exposed website that contained the necessary tools a technician would use to deploy or manage a kiosk location.

“There was no authentication required, and among the pre-packaged kiosk software and manuals, SystemSleuth stood out. SystemSleuth is written in C# and is therefore trivially decompiled back to source code using something like dnSpy,” the researchers wrote.

The SystemSleuth application deployed to Uniguest’s legacy kiosks reportedly is used to collect information such as product keys, asset tags, passwords and various other data. “The data is sent up to a Salesforce API and of course, with the C# decompiler, it didn't take long to find the API credentials, hardcoded within the application,” the report said.

If an adversary were able to discover this information, the attacker could “deploy keyloggers, remote access trojans and various other forms of malware, attacking hotel guests or business patrons just passing through,” the report said.

Researchers contacted Uniguest and the company has placed the site behind an authentication portal, yet the researchers point out that “SystemSleuth and the API credentials (albeit disabled) may still be found on their managed systems, until Uniguest can go and reimage them all.”

Categories: Cyber Risk News

Buhtrap Group Using Zero-Day Attack in Windows

Thu, 07/11/2019 - 13:34

Microsoft has issued a patch to fix a zero-day exploit in Windows that was being deployed in a highly targeted attack in Eastern Europe, according to ESET researchers. ESET reported the exploit to the Microsoft Security Response Center, which fixed the vulnerability and released a patch.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft wrote in the vulnerability announcement.

An attacker would first need to log on to the system in order to exploit this vulnerability (CVE-2019-1132). If successful, “an attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.”

Researchers witnessed, for the first time, the cyber-criminal group using a zero-day attack as part of a campaign. They have attributed the activity to the Buhtrap advanced persistent threat (APT) and cyber-criminal group who have been conducting espionage operations in Eastern Europe and Central Asia for several years. 

Known for targeting financial institutions and businesses in Russia, the Buhtrap group has been active since late 2015, though researchers detected a notable change to the profile of the group’s traditional targets. 

“It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in target occurred before the source code leaked, we assessed with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in the targeting of governmental institutions,” says Jean-Ian Boutin, head of threat research at ESET.

“It is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward,” he added.

Categories: Cyber Risk News

Flaw in GE Anesthesia and Respiratory Devices

Thu, 07/11/2019 - 13:07

Researchers have discovered a vulnerability in the protocol of the in-hospital anesthesia devices GE Aestiva and GE Aespire (models 7100 and 7900) that could allow an attacker to send remote commands interfering with the device’s normal operation, according to the US Department of Homeland Security's Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT).

Discovered by CyberMDX, the vulnerability was given a moderate severity CVSS of 5.3 because an attacker could “impair respirator functionality, changing the composition of aspirated gases — silencing alarms and altering time/date.” 

In a statement, GE Healthcare said it was aware of the vulnerability and had conducted a formal internal risk investigation.

Based on the findings of the investigation, GE Healthcare concluded, “the potential ability to remotely modify GE Healthcare anesthesia device parameters is an effect resulting from a configuration exposure through certain insufficiently secured terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks; while the anesthesia device is in use, the potential gas composition parameter changes, potential device time change, or potential remote alarm silencing actions will not interfere in any way with the delivery of therapy to a patient at the point of delivery, and do not pose any direct clinical harm; and the potential ability to modify GE Healthcare anesthesia device parameters or silence alarms does not demonstrate a vulnerability of the GE Healthcare anesthesia device functionality itself.”

However, GE’s response of “testing maximum variation in parameter modification” doesn’t sit well with Deral Heiland, Internet of Things research lead at Rapid7.

“It makes me wonder what level of control can be conducted over the network against the anesthesia and respiratory machines,” Heiland said. “My first thought is, if the device can accept commands over the network without authentication, then that would be a critical risk. Either way medical facilities should always maintain segmentation of their critical care networks from exposure and this may help mitigate many known and unknown risks.”

Categories: Cyber Risk News

Magecart Hackers Scan for Misconfigured S3 Buckets

Thu, 07/11/2019 - 09:59

Magecart hackers have compromised thousands of websites with digital skimming code by scanning for misconfigured Amazon S3 buckets, researchers have warned.

First discovered in May, the campaign is far more extensive than originally thought thanks to the automated scanning and exploitation of unsecured cloud storage accounts, explained RiskIQ’s Yonathan Klijnsma.

“These actors automatically scan for buckets which are misconfigured to allow anyone to view and edit the files it contains. Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js),” he explained.

“They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket. This technique is possible because of the misconfigured permissions on the S3 bucket, which grants the write permission to anyone.”

The attacks, which started in April, have managed to compromise a “vast collection of S3 buckets” related to over 17,000 domains, including some of the top 2000 Alexa-ranked websites in the world, Klijnsma said.

However, given the “spray-and-pray” nature of these attacks, the skimming code will not always load on a payment page.

Klijnsma urged organizations to improve security controls over S3 environments. This should include a whitelisting approach which details only the small number of users who should have access to buckets, reviewed periodically.

Write permissions should also be limited.

“The cause of the thousands of Magecart compromises we are now observing from S3 buckets is administrators setting the access control to allow anyone to write content to buckets,” explained Klijnsma. “Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content.”

Finally, administrators can block public access to prevent anyone in their account from opening a bucket to the public, regardless of S3 bucket policy.
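As an added example (not RiskIQ’s or the article’s code), the following Python audit checks the three controls Klijnsma describes against constructed bucket ACL, bucket policy and Block Public Access documents, showing the anyone-can-write configuration beside a corrected one. The bucket name, account ID and role name are placeholders.

```python
"""Audit an S3 bucket for the anyone-can-write exposure the Magecart campaign abused.

Added example, not RiskIQ's or the article's code. It runs offline on constructed
documents shaped like the responses of the S3 GetBucketAcl, GetBucketPolicy and
GetPublicAccessBlock API calls; a live audit would pass in those responses.
"""

PUBLIC_GROUPS = {  # canned ACL groups that mean "everyone"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_WRITE = {"WRITE", "FULL_CONTROL"}                 # ACL permissions that allow overwriting objects
POLICY_WRITE_ACTIONS = {"s3:PutObject", "s3:*", "*"}  # policy actions that allow object writes
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_write_grants(acl):
    """ACL grants giving AllUsers/AuthenticatedUsers write access, as (group, permission)."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in ACL_WRITE):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def public_write_statements(policy):
    """Sids of Allow statements that let Principal * write objects."""
    hits = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        is_public = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Allow" and is_public and actions & POLICY_WRITE_ACTIONS:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_access_block_gaps(pab):
    """Block Public Access settings that are not switched on."""
    return [k for k in PAB_SETTINGS if not pab.get(k, False)]


def audit_bucket(acl, policy, pab):
    """Return human-readable findings; an empty list means no public-write exposure found."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_write_grants(acl)]
    findings += [f"policy statement {sid} allows object writes to Principal *"
                 for sid in public_write_statements(policy)]
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append("Block Public Access not fully enabled: " + ", ".join(gaps))
    return findings


# Constructed weak configuration: the "anyone can write" pattern from the article.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadWrite", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/*"},
]}
WEAK_PAB = dict.fromkeys(PAB_SETTINGS, False)

# Constructed corrected configuration: only a named deployment role (placeholder
# account ID and role name) may write, and Block Public Access is fully enabled.
FIXED_ACL = {"Grants": [WEAK_ACL["Grants"][0]]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DeployerWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-deployer"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/*"},
]}
FIXED_PAB = dict.fromkeys(PAB_SETTINGS, True)

if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_ACL, WEAK_POLICY, WEAK_PAB)),
                       ("fixed", (FIXED_ACL, FIXED_POLICY, FIXED_PAB))):
        print(label, audit_bucket(*cfg) or ["no public-write exposure"])
```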

The impact of Magecart on the bottom line and corporate reputation was highlighted this week when the ICO fined BA a massive £183m for a digital skimming attack last year that compromised data on 500,000 customers.

Categories: Cyber Risk News

Experts Raise Privacy Concerns Over NHS Alexa Tie-Up

Thu, 07/11/2019 - 09:44

Legal and security experts have raised concerns over a new NHS deal with Amazon which will allow patients to access health information through voice-assistant technology.

Announced on Wednesday, the tie-up is designed to help those who otherwise would find accessing the NHS website difficult, such as the elderly or blind.

In doing so, it could help to reduce the workload for GPs and pharmacists who have to take time out to field simple questions on common illnesses, the NHS argued.

“The public need to be able to get reliable information about their health easily and in ways they actually use,” claimed Matthew Gould, CEO of the new digital transformation unit NHSX. “By working closely with Amazon and other tech companies, big and small, we can ensure that the millions of users looking for health information every day can get simple, validated advice at the touch of a button or voice command.”

Marcus Vass, co-head of digital health at international law firm, Osborne Clarke, argued that the NHS website is already a popular source of info for patients, and enabling Alexa search is an extension of that.

Yet he added that patients and doctors will be keen to know whether any personal health data is being collected or used, and where it is stored.

“Details of any specific protections in place have not yet been disclosed – and in particular whether the NHS has agreed with Amazon any terms including enhanced security provisions over and beyond the obligations under GDPR and the Data Protection Act legislation,” he said.

“Any lack of clarity as to the use by Amazon of the personal data and health data would of course be subject to the valid consents of patients. Any concern from patients about the use of their health data would be corrosive to the trust in using voice assisted technology or other algorithms to access the NHS website.”

Kaspersky principal security researcher, David Emm, called for greater transparency from Amazon on the deal.

“We know that people are relying on these devices more and more, and their popularity is growing. They do have their benefits, and they are convenient, however, they are, at their core, smart listeners and have made headlines in recent times because of this – leaving a scepticism around them,” he argued.

“We also know that Amazon is storing and analyzing data that these devices collect, which also raises cybersecurity alarms when it comes to how this data will be used. They will be privy to sensitive health data, and so it must be made clear to the public how our data will be protected.”

Synopsys senior security engineer, Boris Cipot, warned that internet-connected services should always be treated with caution by users.

“If an insurance provider gains access to the user-specific data, they could potentially categorize users into risk categories based on the advice they sought which could also lead to increased insurance rates for those deemed high risk,” he added.

“Doctor-patient privacy could also be circumvented through this method of data collection since a doctor isn’t actually involved; therefore, nullifying patient privacy protection policies.”

Categories: Cyber Risk News

Agent Smith Android Malware Downloaded 25m+ Times

Thu, 07/11/2019 - 08:58

Researchers are warning of a new Android malware campaign that has already compromised a staggering 25 million devices via a popular third-party app store.

Dubbed “Agent Smith” by Check Point, the threat spreads by disguising itself as a legitimate Google application made available on the 9Apps marketplace run by Alibaba’s UCWeb.

If downloaded, it replaces legitimate apps on the phone with malicious versions which display fraudulent pop-up ads to generate illicit profits for the malware authors.

The vast majority (15m+) of infected devices are located in India, followed by Bangladesh (2.5m) and Pakistan (1.7m), although over 300,000 are located in the US and a large number of UK users are also affected.

Those behind the threat have worked hard to circumvent Android security controls, weaponizing multiple loopholes in a three-stage infection chain similar to malware like CopyCat, Hummingbad and Gooligan, according to Check Point.

The first stage involves a dropper app designed to lure the victim into downloading – usually a “barely functioning” photo utility, game or sex-related application.

Once downloaded, this app will decrypt and install a core malicious APK which carries out the updates to legitimate apps on the user’s phone. This malware is disguised as a Google Update app or similar.

“The core malware extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent from C&C server), it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update,” Check Point continued.

“Agent Smith repacks its prey apps at smali/baksmali code level. During the final update installation process, it relies on the Janus vulnerability to bypass Android’s APK integrity checks. Upon kill chain completion, Agent Smith will then hijack compromised user apps to show ads.”
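The Janus bypass Check Point refers to works because the legacy JAR-style (v1) APK signature only covers the ZIP entries, while the Android runtime honours a DEX header placed at the very start of the same file: a file that is at once a valid DEX and a valid ZIP passes the integrity check yet runs the code in the DEX portion (later signature schemes hash the whole file, which is why this matters for apps that still rely on v1 signing). As an added, defender-side example that is not from Check Point or the original article, the following Python flags that hybrid shape on disk: an archive whose first bytes are DEX magic but which still parses as a ZIP. The sample APK is constructed in memory and is not a real app; the `dex\n035` magic and the `PK\x03\x04` local-header signature are the public file-format constants, and the hybrid uses only the DEX magic plus padding rather than a full DEX, which is all the check needs.

```python
import io
import zipfile

# Public file-format constants: the Dalvik executable magic (version 035)
# and the signature that opens every ZIP local file header.
DEX_MAGIC = b"dex\n035\x00"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_apk() -> bytes:
    """Constructed, minimal APK-shaped ZIP used only for this demo (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"placeholder dex bytes")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_janus_style_file(apk: bytes) -> bytes:
    """Constructed hybrid: a DEX header glued in front of an otherwise intact ZIP.

    A real Janus payload carries a complete DEX; the magic plus padding is
    enough to reproduce the property the detector keys on.
    """
    return DEX_MAGIC + b"\x00" * 8 + apk


def is_valid_zip(data: bytes) -> bool:
    """True if the bytes parse as a ZIP and every entry's CRC checks out.

    zipfile locates the end-of-central-directory record from the tail of the
    file and compensates for prepended data, exactly as a lenient APK parser
    would, so the hybrid still reads as a perfectly good archive.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False


def janus_indicators(data: bytes) -> dict:
    """Collect the three observations a triage script would log for a sample."""
    return {
        # Only the 4-byte "dex\n" prefix is checked so other DEX versions match too.
        "starts_with_dex_magic": data.startswith(DEX_MAGIC[:4]),
        "starts_with_zip_header": data.startswith(ZIP_LOCAL_HEADER),
        "parses_as_zip": is_valid_zip(data),
    }


def looks_like_janus(data: bytes) -> bool:
    """A legitimate APK starts with a ZIP local header; a Janus-style file
    starts with DEX magic while still being a readable ZIP."""
    ind = janus_indicators(data)
    return ind["starts_with_dex_magic"] and ind["parses_as_zip"]


if __name__ == "__main__":
    clean = build_sample_apk()
    hybrid = build_janus_style_file(clean)
    for label, sample in (("clean apk", clean), ("janus-style", hybrid)):
        print(label, janus_indicators(sample), "-> suspicious" if looks_like_janus(sample) else "-> ok")
```

Run as a script it prints the indicator dictionary for both samples; the clean archive opens with a ZIP header and is not flagged, the hybrid opens with DEX magic, still passes `testzip()`, and is flagged. In practice the same check belongs wherever APKs enter an environment (an MDM or app-vetting pipeline), alongside verifying that the package carries a whole-file signature scheme rather than v1 alone.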

Although first detected as simple adware back in 2016, the threat evolved into something far more sophisticated a couple of years later. It has been traced back to a Chinese company which Check Point claimed has a legitimate front-end business promoting local Android developers on overseas platforms.

Tellingly, the Guangzhou-based firm is said to have advertised for Android reverse engineers in 2018.

Although the current version of the threat monetizes infection through ads, things could get worse, Check Point warned.

“With the ability to hide its icon from the launcher and hijack popular existing apps on a device, there are endless possibilities to harm a user’s digital [and] even physical security,” the vendor argued. “Today this malware shows unwanted ads, tomorrow it could steal sensitive information; from private messages to banking credentials and much more.”

Various elements of Agent Smith have also been discovered in apps on Google Play, indicating the malware authors are looking to spread their campaign even further. Check Point notified Google of 11 such apps, including two Jaguar Kill Switch infected apps which had already garnered 10 million downloads.

These have all now been removed, but the researchers urged greater use of on-device threat prevention and “attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time.”

Categories: Cyber Risk News

New Version of FinSpy Steals Info on iOS, Android

Wed, 07/10/2019 - 16:07

A new version of the advanced malicious surveillance tool, FinSpy, has been observed stealing information from global governments, law enforcement and NGOs, according to new research from Kaspersky.

“The new implants work on both iOS and Android devices and can monitor activity on almost all popular messaging services, including encrypted ones, and hide their traces better than before,” the July 10 press release said.

The implants are able to hide signs of jailbreak on iOS and gain root privileges on an unrooted Android device. “The Android implant has similar functionality to the iOS version, but it is also capable of gaining root privileges on an unrooted device by abusing the DirtyCow exploit, which is contained in the malware. FinSpy Android samples have been known for a few years now. Based on the certificate data of the last version found, the sample was deployed in June 2018,” researchers wrote.

A highly effective software tool used for targeted surveillance, FinSpy is being used by operators who tailor the behavior of each malicious implant to a specific target or group of targets, allowing attackers to steal information from devices the world over. Several dozen devices have reportedly been infected over the past year.

“The developers behind FinSpy constantly monitor security updates for mobile platforms and tend to quickly change their malicious programs to avoid their operation being blocked by fixes,” said Alexey Firsh, security researcher at Kaspersky, in the press release. 

“Moreover, they follow trends and implement functionality to exfiltrate data from applications that are currently popular. We observe victims of the FinSpy implants on a daily basis, so it’s worth keeping an eye on the latest platform updates and install them as soon as they are released. Regardless of how secure the apps you use might be, and how protected your data, once the phone is rooted or jailbroken, it is wide open to spying.”

Categories: Cyber Risk News

Big Banks Vulnerable to Web, Mobile Attacks

Wed, 07/10/2019 - 15:47

Nearly all of the largest 100 banks are vulnerable to web and mobile attacks, which give hackers access to sensitive data, according to ImmuniWeb.

“We leveraged an enhanced methodology from our previous research that covered web and mobile application security of the world’s largest companies from the FT 500 list,” the report said. “For the purpose of this research, we carefully studied external web applications, APIs and mobile apps of the S&P Global list that contains the world's largest financial organizations from 22 countries.”

According to the findings, 85 e-banking web applications failed a GDPR compliance test and 49 failed a PCI DSS test. “Only three main websites (Credit Suisse, Danske Bank and Handelsbanken) out of 100 had the highest grades 'A+' both for SSL encryption and website security,” the report said.  

“Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security,” said Ilia Kolochenko, CEO and founder of ImmuniWeb.

“Most of the data breaches involve or start with insecure web and mobile apps that are too frequently under prioritized by future victims. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority and simply lack available resources to tackle other essential tasks. Eventually, they become low-hanging fruits for cybercriminals.”

Researchers detected 29 active phishing campaigns targeting customers of the financial institutions. “Phishing websites either spread banking malware aimed to steal e-banking credentials or provide fraudulent login forms aimed to steal victim’s credentials. Most of the malicious websites were hosted in the US,” the report said.

In related news, an audit of employees’ security awareness across 16 industries, conducted by Proofpoint, found that one in every four questions regarding phishing was answered incorrectly. However, finance was the best performing industry, with end users answering 80 percent of all questions correctly, according to the 2019 Beyond the Phish report.

“Cybercriminals are experts at gathering personal information to launch highly targeted and convincing attacks against individuals,” said Amy Baker, vice president of security awareness training strategy and development for Proofpoint, in a press release.

“Implementing ongoing and effective security awareness training is a necessary foundational pillar when building a strong culture of security. Educating employees about cybersecurity best practices is the best way to empower users to understand how to protect theirs and their employer’s data, making end users a strong last line of defense against cyber attackers.”

Categories: Cyber Risk News

Third-Party Risk, Bug Submissions Up for Healthcare

Wed, 07/10/2019 - 15:02

Healthcare providers are finding it increasingly difficult to assess and understand the risks posed by vendors, according to a new report released today by Censinet and the Ponemon Institute.

The report, The Economic Impact of Third-Party Risk Management in Healthcare, surveyed 554 healthcare IT and security professionals and found that these challenges are becoming more costly for healthcare providers, with the yearly hidden costs of managing vendor risk reportedly ringing in at $3.8 million per healthcare provider. On average, each healthcare provider has 1,320 vendors under contract, yet only 36% of respondents said they are able to effectively prioritize vendor risks and only 27% said they assess all of their vendors annually.

That cost from third-party risks is in excess of the $2.9 million that a data breach costs providers; however, the report also stated that over the last two years, 56% of healthcare organizations have experienced a data breach that had been introduced by one or more third-party vendors. As a result, the cost across the healthcare industry is $23.7 billion per year, according to the report. 

“This research confirms that healthcare providers require a better, more cost-effective approach to third-party risk management,” said Ed Gaudet, CEO and founder of Censinet. “The adoption of technology in healthcare is more rapid and complicated than ever before. As an industry, we must help providers safely enable cloud applications and medical devices optimized to deliver the quality of care hospitals and their patients expect.”  

“It’s clear that healthcare providers are in a tough spot. The number of vendors they rely on is increasing at the same time the threats those vendors pose are escalating in frequency and severity, so it’s easy to see how managing these risks has become an overwhelming problem,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “But it’s not all bad news – we can very clearly see an opportunity with automation for healthcare providers to monitor, measure and mitigate the scourge of third-party breaches that continues to plague their industry.”

In related news, new research, The State of Healthcare Cybersecurity, from Bugcrowd found that vulnerability submission in the healthcare industry jumped 340.5% over the past year. “While we see an uptick in submissions in Q2 year-on-year, we are on track to see a steady increase in vulnerability again this year. Across programs run by healthcare organizations, more than 12% of all submissions are classified by the organization as P1 submissions, the most critical vulnerabilities, and the majority of the vulnerability submissions fall in the P3 level of criticality, just over 42%,” a Bugcrowd spokesperson wrote in an email.

Categories: Cyber Risk News

Cyber-Attacks Cost Global Firms $45bn in 2018

Wed, 07/10/2019 - 09:55

Cyber-criminals are getting better at monetizing their attacks, with $45bn lost last year alone in two million incidents, according to Internet Society’s Online Trust Alliance (OTA).

The group’s new Cyber Incident & Breach Trends Report comprises information from the FBI, Risk Based Security, the Identity Theft Resource Center and other sources.

It paints the picture of a rapidly maturing cybercrime economy in which both tried-and-tested and emerging techniques are being used in highly effective ways to generate illicit profits for the black hats.

One example of this is ransomware: although overall infections declined 20% from 2017 figures, losses spiked by 60% as attackers focused on higher value business targets.

As reported by the FBI, Business Email Compromise (BEC) has also become a major money-maker for cyber-criminals, netting them $1.3bn in 2018 – double the previous year’s figure.

The report also warned of a 78% increase in digital supply chain attacks of the sort seen with groups using Magecart code to infect e-commerce sites. It claimed that two-thirds of organizations have suffered an attack costing on average $1.1 million, and estimated that half of all cyber-attacks last year involved the supply chain.

Credential stuffing attacks were also highlighted as an urgent threat to address, given figures claiming there were 30bn malicious log-in attempts last year.

On the plus side, there was a 3.2% decrease in reported data breaches last year, and the number of exposed records also dropped in 2018 from the previous year.

Still, the Internet Society claimed that 95% of breaches are preventable. It urged all organizations to put in place a tested incident response plan, to train employees on an ongoing basis and to continually review security, data management and privacy practices.

The report contains a handy checklist for organizations to help them get “incident ready.”

“While it’s tempting to celebrate a decreasing number of breaches overall, the findings of our report are grim,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance. “Cyber-criminals are using their infiltration ability to focus on new, more lucrative attacks. Staying up-to-date on the latest security safeguards and best practices is crucial to preventing attacks in the future.”

Categories: Cyber Risk News

Two Zero-Days Fixed in This Month’s Patch Tuesday

Wed, 07/10/2019 - 09:13

Microsoft patched 77 vulnerabilities yesterday including two zero-day flaws, one of which was being used in a targeted attack bearing the hallmarks of Russian state hackers.

The monthly update round saw Redmond fix privilege escalation vulnerabilities CVE-2019-0880 and CVE-2019-1132.

The latter was discovered by ESET researchers as part of a targeted attack in eastern Europe, using techniques similar to the infamous Kremlin group APT28 (aka Fancy Bear, Sednit).

“For example, the Sednit group’s local privilege escalation exploit we analyzed in 2017 used menu objects and exploitation techniques, which are very similar to the current exploit,” ESET researcher Anton Cherepanov explained.

Although, like the other zero-day, it requires an attacker to first establish a presence on an infected system, it could enable full system access when chained with other flaws.

CVE-2019-0880 is an elevation of privilege vulnerability in splwow64.exe.

“According to the advisory, the vulnerability could be combined with a remote code execution or a separate elevation of privilege vulnerability to gain arbitrary code execution,” explained Tenable senior research engineer, Satnam Narang. “Because it was exploited in the wild, it is likely it was paired with another vulnerability, but those details are not currently available.”

Those two zero-days were rated important. However, there are 15 classed as critical and a further four flaws which had been publicly disclosed in advance, potentially allowing black hats to work on exploits.

“One of the most critical vulnerabilities this month is present in Microsoft DHCP Server (CVE-2019-0785). This memory corruption vulnerability affects all versions of Windows Server from 2012 - 2019 and it is remotely exploitable,” argued Recorded Future senior solutions architect, Allan Liska.

“It allows an attacker to send a specially crafted packet to a DHCP server and, if successful in exploitation, execute arbitrary code. While this is a critical vulnerability, with a CVSS Score of 9.8, a very similar vulnerability, CVE-2019-0725, was announced in May. To date, Recorded Future has not seen any evidence of attackers exploiting this vulnerability in the wild. That does not mean organizations should not prioritize patching this vulnerability.”

Others highlighted by Liska included: RDS remote code execution (RCE) flaw CVE-2019-0887, which affects all versions of Windows from Windows 7-10 and Windows Server 2008-2019; memory corruption bug CVE-2019-1001 which affects Microsoft ChakraCore Scripting Engine, Internet Explorer 11, and Microsoft Edge; and an RCE flaw (CVE-2019-1072) in Azure DevOps Server and Team Foundation Server (TFS).

Categories: Cyber Risk News