Info Security

Subscribe to Info Security  feed
Updated: 1 hour 45 min ago

Mimecast Cert Abused to Target Inboxes in “Sophisticated” Attack

Wed, 01/13/2021 - 14:05
Mimecast Cert Abused to Target Inboxes in “Sophisticated” Attack

Mimecast has disclosed that some of its customers have been targeted by an advanced attack designed to compromise their Microsoft 365 (M365) environments.

The security vendor said in a brief statement yesterday that a “sophisticated threat actor” obtained one of its certificates used to authenticate Mimecast Sync and Recover, Continuity Monitor and IEP products to Microsoft 365 Exchange Web Services.

Although 10% of customers use this certificate, the attacker only targeted a “low single-digit number” of customer M365 tenants. These organizations have already been contacted by Mimecast to remediate the problem.

“As a precaution, we are asking the subset of Mimecast customers using this certificate-based connection to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate we’ve made available,” the statement continued.

“Taking this action does not impact inbound or outbound mail flow or associated security scanning.”

There’s no news yet on who might be responsible for this sophisticated attack and/or whether nation state actors were involved. SolarWinds revealed in a filing with the SEC last month that it had been notified by Microsoft of a compromise of its Office 365 emails via an unspecified “attack vector.”

“SolarWinds, in collaboration with Microsoft, has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether this compromise is associated with the attack on its Orion software build system,” it explained at the time.

“SolarWinds also is investigating in collaboration with Microsoft as to whether any customer, personnel or other data was exfiltrated as a result of this compromise but has uncovered no evidence at this time of any such exfiltration.”

In the meantime, Mimecast said it has hired a third-party forensics firm to help with its investigation, and is working closely with Microsoft and law enforcement.

Categories: Cyber Risk News

#COVID19 Led to Surge in Malware Attacks Last Year

Wed, 01/13/2021 - 13:35
#COVID19 Led to Surge in Malware Attacks Last Year

Malware authors continued to successfully leverage the COVID-19 pandemic last year to launch a wide variety of attacks, according to the 2020 Avira Report on Cybersecurity.

The cybersecurity firm detected that cyber-attacks went up by 15% last year compared to 2019, observing that the rate of scams rose and fell at the same rate and time as the virus appeared across the world. The peak rate of blocked attempts was in April, during the first wave of the pandemic.

As COVID-19 cases rose again in the final quarter of 2020, malware attacks correspondingly went up rapidly, with a correlation found between the number of attacks launched and the number of people working from home.

One major tactic utilized has been the development of special variants of well-known malware families that use COVID-19 lures to entice unsuspecting users to install them on their devices. An example highlighted in the study was a variant of the Android banking Trojan ‘Cereberus,’ which in many cases was distributed via phishing messages under the name ‘Corona-App.apk.’ The total number of Andorid banking Trojans detected in 2020 went up by 35% year-on-year, which the authors partially attributed to increasing use of mobile banking during the pandemic.

Looking ahead to the coming year, Avira said it expects stalkerware to become increasingly prevalent. This form of spyware, which can be installed without the knowledge or consent of the device owner, secretly monitors users and spies on personal information such as pictures, videos, messages and location data. A stealth mode enables the app to hide itself while in use.

Alexander Vukcevic, director of Avira Protection Labs, commented: “For many years, authors of malware have been using psychological tricks to lure unsuspecting users. Currently, we are in a situation where many people are looking for answers and are worried because of COVID-19. The authors of malware are specifically exploiting this uncertainty.” 

He added: “Banking Trojans have always played an important role in the Android malware scene and this year they had an even bigger presence. In addition to the strategy of using COVID-19 as a cover, they also use the classic approach: they disguise themselves as a widely used app and ask for unusual permissions in order to obtain credit card data, for example.”

Categories: Cyber Risk News

#CES2021: Raising the Bar on Privacy and Trust Online in 2021

Wed, 01/13/2021 - 12:00
#CES2021: Raising the Bar on Privacy and Trust Online in 2021

Big tech companies need to “raise the bar” on enhancing privacy and trust in their services in 2021. This was the message from a panel discussion at the Consumer Electronics Show (CES) 2021, which included representatives from Google, Twitter and Amazon.

This need for greater transparency has emerged as a result of the growing reliance on digital technology to conduct everyday life since the start of the COVID-19 crisis last year. This includes for work purposes and to be able to stay in touch with friends and family, trends that are set to stay in place in the future, at least to some degree. Anne Toth, director of Alexa Trust-Amazon, explained: “We’re seeing more and more cases where people are using our product for very important interactions…those kind of use cases raises the bar on how to be transparent on the privacy controls and the trustworthiness of the product.”

While privacy online has been a major issue for a number of years, the events of 2020 have really brought it to the fore. Keith Enright, chief privacy officer at Google, commented: “Users are feeling more nervous than they have in the past; they’re relying on technology more than they have in the past to live their lives and to do the things that are important to them.”

Tech companies therefore have a duty to help users feel safe online. As well as transparent privacy controls and data protection rules, Enright added it’s also vital to “work across industry and with regulators and others to identify opportunities where we can meaningfully improve the privacy and security that governs users’ behavior online.”

Additionally, the ways in which artificial intelligence (AI) and machine learning tools collect and share user data must be clearly displayed. Damien Kieran, chief privacy officer at Twitter, said: “As those technologies become more ubiquitous to everything that we’re using and doing online, I think transparency in that space is going to be incredibly important.”

Privacy-related events and updates last year are also likely to have big implications for consumer tech firms going forward. This includes the development of new privacy laws in countries like the US, following the implementation of the GDPR in Europe, which will need to be navigated. Another significant event last year was the ruling that the US-EU privacy shield mechanism for data transfers was unlawful.

Kieran highlighted how such trends offer the potential for greater “balkanization” of the internet, where data and privacy are managed differently across regions. He commented: “There is the potential for a damaging impact, both to industry and to trust for consumers in terms of how these products and services work every day.” He added that helping users understand these changes is currently a major focus of Twitter.

The panellists also expressed a wish for a US Federal privacy law to be enacted over the next couple of years to help address this issue, particularly with the various US state laws now creating a “patchwork” of privacy legislation.

Looking towards the incoming Biden administration, Enright said that Google is looking for “strong consistent protections for individual rights, uniformity of controls, as its useful if users have a consistent experience when they’re interacting with online services wherever they are in the world.”

In terms of actions by tech firms themselves, Toth added that she expects there to be a continuous progression of privacy protocols, noting that at Alexa, “every product released is coupled with a privacy feature release.”

Categories: Cyber Risk News

Microsoft Fixes Windows Defender Zero-Day Bug

Wed, 01/13/2021 - 11:20
Microsoft Fixes Windows Defender Zero-Day Bug

Microsoft has patched a zero-day bug in Windows Defender being actively exploited in the wild, as part of its monthly update round.

The first Patch Tuesday of 2021 featured fixes for 83 vulnerabilities in Windows OS, Edge, Office, Visual Studio, .Net Core, .Net Repository, ASP .Net, Azure, Malware Protection Engine and SQL Server.

Remote code execution bug CVE-2021-1647 is the most urgent, according to Chris Goettl, director of product management for security products at Ivanti. He recommended organizations ensure their Microsoft Malware Protection Engine is version 1.1.17700.4 or higher.

“Microsoft frequently updates malware definitions and the malware protection engine and has already pushed the update to resolve the vulnerability,” Goettl explained.

“For organizations that are configured for automatic updating no actions should be required, but one of the first actions a threat actor or malware will try to attempt is to disrupt threat protection on a system so definition and engine updates are blocked.”

Another CVE high up the priority list this month is CVE-2021-1648, a bug in the Windows splwow64 service that could allow an attacker to elevate their privilege level. Although publicly disclosed last month it isn’t thought to have been exploited yet.

Experts also highlighted CVE-2021-1666 as worthy of attention: the flaw in Microsoft’s GDI+ component impacts the unsupported Windows 7 and Windows Server 2008 products, as well as newer versions.

Allan Liska, senior security architect at Recorded Future, also flagged CVE-2021-1709, an elevation of privilege vulnerability in the Win32 kernel. The bug, which affects Windows 8-10 and Windows Server 2008-2019, should be prioritized despite its “Important” rating, he argued.

“Unfortunately, this type of vulnerability is often quickly exploited by attackers,” Liska warned. “For example, CVE-2019-1458 was announced on December 10 2019, and by December 19 an attacker was seen selling an exploit for the vulnerability on underground markets.”

Elsewhere, Adobe released fixes for vulnerabilities in its Adobe Bridge, Captivate, InCopy, Campaign Classic, Animate, Illustrator and Photoshop products. There was also a critical Mozilla Thunderbird update.

Categories: Cyber Risk News

Healthcare Hit by 187 Million Monthly Web App Attacks in 2020

Wed, 01/13/2021 - 09:53
Healthcare Hit by 187 Million Monthly Web App Attacks in 2020

Web application attacks in the healthcare sector surged in December as distribution of the first COVID-19 vaccines began, according to new data from Imperva.

The security vendor claimed that attacks jumped 51% last month from detected volumes in November in a vertical that has been bombarded by cyber-criminals over the past year.

Four specific attack types saw the largest increases: cross-site scripting (XSS) detections jumped 43%; SQL injection attacks surged 44%; protocol manipulation attacks soared 76%; and remote code execution/remote file inclusion detections increased 68% in December.

XSS and SQLi attacks represented the number one and two threats detected by volume.

Imperva SVP Terry Ray claimed it had been an “unprecedented year” of cyber activity, with global healthcare organizations (HCOs) experiencing 187 million attacks per month on average. That amounts to nearly 500 attacks per HCO each month — a 10% increase year-on-year.

The US, Brazil, UK and Canada were the top countries targeted last year.

Like organizations in many sectors, HCOs have been looking to digital transformation to help them survive and adapt through an extraordinary year. However, their reliance on third-party applications to save time and money may also have exposed them, according to Ray.

“While there are sometimes business advantages to third-party applications, the risks include: patching only on the vendor’s timeline, known exploits that are widely publicized and constant zero-day research on widely used third-party tools and APIs,” he argued.

“Reliance on JavaScript APIs and third-party applications creates a threat landscape of more complex, automated, and opportunistic cybersecurity risks that are increasingly challenging for all organizations to detect and stop. And while ransomware attacks commonly land healthcare organizations in the news, it’s only the vulnerable application front-end to all healthcare data that experiences the variety and volume of daily attacks noted above.”

Ray also warned that many organizations may have a nasty surprise waiting for them as they start 2021, when the impact of December attacks start to become clear. HCOs’ focus in 2020 on supporting remote working and coping with the surge in COVID patients means less time may have been spent on incident response, he added.

In just the first three days of 2021, Imperva saw a 43% increase in data leakage.

Categories: Cyber Risk News

Cybereason to Adopt Intel’s PC Hardware Ransomware Solution

Wed, 01/13/2021 - 09:14
Cybereason to Adopt Intel’s PC Hardware Ransomware Solution

Cybereason has announced a new partnership with Intel to add new ransomware protections to its multi-layered defense platform.

Under the agreement, Cybereason will adopt Intel’s Hardware Shield protections for ransomware that are available on the 11th Gen Intel Core vPro mobile platforms. As a result, it can leverage Intel’s threat detection technology, enabling CPU-based behavioral prevention of ransomware. This solution is the first occasion in which PC hardware plays a direct role in ransomware cyber-defense.

It can now form part of Cybereason’s defense platform which combines detection and response, next gen anti-virus and proactive threat hunting.

The move comes amid rising and increasingly sophisticated ransomware attacks, with numerous high profile attacks recorded last year. Suspected victims of such attacks included a Massachusetts power station, French container shipping giant CMA CGM and English football club Manchester United. A study in October last year found that ransomware was the most observed threat in 2020.

Cybereason expects to be able to bring this collaboration to market during the first half of 2021.

Lior Div, CEO and co-founder, Cybereason, commented: “This collaboration with Intel to add CPU based threat detection bolsters our long history and industry-leading capabilities in detecting and eradicating ransomware. The combination of best-of-class hardware, software, and security know-how provides defenders with full-stack visibility critical to ending the era of double extortion that is currently costing organisations hundreds of millions each year.”

Stephanie Hallford, client computing group vice-president and general manager of business client platforms at Intel, said: “Ransomware was a top security threat in 2020, software alone is not enough to protect against ongoing threats. Our new 11th Gen Core vPro mobile platform provides the industry’s first silicon enabled threat detection capability, delivering the much needed hardware based protection against these types of attacks. Together with Cybereason’s multi-layered protection, businesses will have full-stack visibility from CPU telemetry to help prevent ransomware from evading traditional signature-based defenses.”

Last month, Cybereason announced it has adopted the Oracle Cloud Infrastructure to run its automated Cyber Defense Platform.

Categories: Cyber Risk News

World's Largest Illegal Dark Web Marketplace Taken Down

Tue, 01/12/2021 - 19:25
World's Largest Illegal Dark Web Marketplace Taken Down

What could be the world's largest illegal marketplace on the dark web has been taken offline in an international operation involving law enforcement agencies in Australia, Denmark, Germany, Moldova, Switzerland, Ukraine, the United Kingdom, and the USA. 

At the time of its closure, DarkMarket had almost half a million users and more than 2,400 vendors selling a broad range of illicit merchandise. Among the goods advertised for sale were stolen credit card details, illegal drugs, counterfeit money, anonymous SIM cards, and malware. 

At least 320,000 transactions were carried out via the marketplace, involving the transfer of more than 4,650 bitcoin and 12,800 monero (a sum equivalent to more than $170m). Because of its location on the dark net, DarkMarket was accessible only to internet users with specialized identity-cloaking tools.

The Central Criminal Investigation Department in Oldenburg, Germany, took down the site and turned off its servers on Monday. The shutdown followed the weekend arrest near the German–Danish border of a 34-year-old Australian citizen who is the alleged operator of the site.

German prosecutors in the cities of Koblenz and Oldenburg said on Tuesday that they had shut down what was "probably the largest illegal marketplace on the Darknet."

In a statement released today, Europol said: "The investigation, which was led by the cybercrime unit of the Koblenz Public Prosecutor's Office, allowed officers to locate and close the marketplace, switch off the servers and seize the criminal infrastructure—more than 20 servers in Moldova and Ukraine—supported by the German Federal Criminal Police office (BKA).

"The stored data will give investigators new leads to further investigate moderators, sellers, and buyers."

German authorities say the probe that uncovered DarkMarket was the result of a months-long joint effort by international law enforcement agencies. The law enforcement action against DarkMarket sprung from a larger investigation that saw the takedown of website hosting provider CyberBunker in southwestern Germany in September 2019.

The DarkMarket taken down over the weekend is separate from an earlier dark web marketplace, Darkmarket, that was shut down in 2008 after an FBI agent infiltrated it. 

Categories: Cyber Risk News

Twitter Cites Capitol Protests in Suspension of 70,000 User Accounts

Tue, 01/12/2021 - 15:03
Twitter Cites Capitol Protests in Suspension of 70,000 User Accounts

Social media company Twitter has cited the recent protests at the United States' Capitol building in its decision to permanently suspend tens of thousands of user accounts. 

On January 6, protestors forced their way into the Capitol building, interrupting a Joint Session of Congress in which the results of the 2020 US presidential election were being certified. Five people died in the violent assault.  

In a blog post uploaded late on Monday night, Twitter announced that it had suspended 70,000 user accounts associated with the QAnon movement.

“Given the violent events in Washington, DC, and increased risk of harm, we began permanently suspending thousands of accounts that were primarily dedicated to sharing QAnon content on Friday afternoon,” stated Twitter.

“These accounts were engaged in sharing harmful QAnon-associated content at scale and were primarily dedicated to the propagation of this conspiracy theory across the service."

Among the circulated images of individuals who stormed the Capitol was a photo of Jake Angeli, a well-known supporter of QAnon who refers to himself as the QAnon Shaman. 

QAnon followers hold a series of beliefs widely discredited as conspiracy theories, one of which is that President Donald Trump is fighting against a group of prominent Democrats, Hollywood elites, and "deep state" allies who engage in the sexual abuse of children.

The movement began in 2017 with some posts on the message board 4chan by an individual who signed themselves "Q." 

In August 2020, Facebook removed or restricted over 10,000 groups, pages, and accounts across the social network and Instagram linked to QAnon as part of a move to crack down on "militia organizations and those encouraging riots, including some who may identify as Antifa.”

YouTube has removed tens of thousands of QAnon videos. In October 2020, the company announced that it had expanded its hate and harassment policies to prohibit content that targets an individual or group with conspiracy theories that have been used to justify real-world violence. 

"One example would be content that threatens or harasses someone by suggesting they are complicit in one of these harmful conspiracies, such as QAnon or Pizzagate," said YouTube.

Categories: Cyber Risk News

Location Data from Muslim Prayer App Sold to Data Broker

Tue, 01/12/2021 - 15:02
Location Data from Muslim Prayer App Sold to Data Broker

A well-known Muslim prayer app has been recording and selling the location data of users, leading to fears this information will be abused.

This is according to a report by Vice, which said granular location data from Salaat First, an app that reminds Muslim users of when to pray, is being sold to a data broker who in turn sells it on to other clients.

The data broker, Predicio, has been linked to a supply chain of data involving a US government contractor that has worked with security agencies including Customs and Border Protection and the FBI.

The story emerged after a large dataset of raw, precise movements of app users was obtained by Motherboard. The leaked data contained users’ precise latitude and longitude, their phone model, operating system, IP address, a timestamp and their unique advertising ID.

Such information could potentially be used to track the day-to-day movements of Muslims, such as when they visit their places of worship.

Vice stated that the developer behind Salaat First, which has been downloaded more than 10 million times on Android, confirmed to them that the app sent users’ location data to Predicio. While the privacy policy on Salaat First’s website does mention it shares anonymized location data with third parties for “ads and to improve our services,” there is no mention the app sells users’ location data itself.

Since the story was published, Predicio released a statement on its website saying: “Predicio does not support any governmental, commercial, or private use cases that aim to use business intelligence data to identify ethnic, religious or political groups for human tracking or people identification of any sort. We do not tolerate the abuse of our solutions for the use cases that do not follow our global moral, social and ethical code of conduct.”

As quoted by Vice, Nihad Awad, national executive director of the Council on American Islamic Relations, said: “In light of these latest revelations, the owners of all major Muslim applications should thoroughly investigate how their companies handle user data. The companies should publicly acknowledge any identified sale of user data that could have been obtained by government entities, and then take transparent steps to ensure that it never happens again.”

Categories: Cyber Risk News

Signal's Downloads Up 4200%

Tue, 01/12/2021 - 14:00
Signal's Downloads Up 4200%

Rivals of messaging service WhatsApp are experiencing a surge in popularity following the app's announcement of a new data-sharing agreement with parent company Facebook.

On January 6, WhatsApp informed its users outside the UK and European Union that they would lose access to their accounts on February 8 unless they agreed to let Facebook and its subsidiaries collect WhatsApp data that includes users' phone numbers, contacts' phone numbers, and locations.

Two years after WhatsApp was purchased by Facebook in 2014, users were given a one-time opportunity to opt out of sharing their data with Facebook. A spokesperson for Facebook told The Register that while this 2016 opt-out decision will be honored going forward, other users will not be offered the same choice over whether to share their data with Facebook.

In the days following WhatsApp's announcement, data gathered by app-analytics firm Sensor Tower revealed a 4,200% week on week increase in downloads of rival encrypted messaging service Signal

"From January 6 to January 10, Signal saw approximately 7.5 million installs globally from across the App Store and Google Play," a Sensor Tower representative told Business Insider.

Over the same period, another encrypted messaging service, Telegram, experienced a growth of 91%, attracting 9 million new users. 

The majority of new users of both apps were located in India, where 2.3 million installations of Signal and 1.5 million downloads of Telegram took place.

America, where around 1 million downloads occurred, accounted for Signal's second-biggest market. 

Signal was recently endorsed by the world's richest man, Tesla billionaire Elon Musk, who posted a tweet to his 42 million followers on January 7 that simply read "Use Signal." On the same day, Freedom of the Press president Edward Snowden tweeted that he uses Signal every day. 

The sudden increase in downloads caused a temporary slow-down of Signal's verification service.

On January 7, Signal tweeted: "Signal Verification codes are currently delayed across several providers because so many new people are trying to join Signal right now (we can barely register our excitement). We are working with carriers to resolve this as quickly as possible. Hang in there."

Categories: Cyber Risk News

Two-Thirds of Employees Don’t Consider Security Whilst Home Working

Tue, 01/12/2021 - 13:01
Two-Thirds of Employees Don’t Consider Security Whilst Home Working

More than two-thirds (68%) of UK workers do not consider the cybersecurity impact of working from home, according to a new study by

The survey of 2043 employees in the UK demonstrated a lack of awareness about how to stay secure whilst working remotely, which is putting businesses at risk of attacks. The shift to home working as a result of COVID-19 means that staff in many organizations are operating across insecure devices and networks, providing opportunities for cyber-criminals.

Although 71% of workers do not think about the implications a cybersecurity breach could have on their work and job security, when asked, 45% said they could lose their job if their working device’s security was compromised.

VPNOverview calculated that home workers are risking an average of £2100 in company hardware and unnamed sums in company data by not undertaking basic security practices. These include not having password protection for working devices (34%), leaving working devices in plain view of windows (32%), not using password-protected Wi-Fi while working from home (26%) and not operating on secured servers, databases or cloud systems (24%).

The industries in which the highest rates of cybersecurity errors were made were manufacturing and utilities (65%), construction and engineering (61%) and recruitment (57%).

In addition, 17% of all employees polled admitted to breaking confidentiality and non-disclosure agreements (NDAs) by discussing work matters with friends and family.

David Janssen, security researcher and founder,, commented: “It’s worrying to see how many workers aren’t taking into consideration their security and cybersecurity, even after almost a year of working from home. With home working unlikely to end any time soon, and a lot of business committing to a hybrid working system when offices can reopen, ensuring these security systems are in place is vital for workers and businesses alike.”

“Businesses and employees need to work together to ensure they are taking the necessary precautions to keep their work devices protected from attacks – by using passwords, secured servers and VPN networks – to make sure jobs are not unintentionally being put at risk.”

Categories: Cyber Risk News

New Zealand Central Bank Breach Hit Other Companies

Tue, 01/12/2021 - 12:20
New Zealand Central Bank Breach Hit Other Companies

A data breach at New Zealand’s central bank affected other customers of a file-sharing service, potentially exposing sensitive information, it has emerged.

The Reserve Bank of New Zealand issued a brief statement on Sunday noting that the incident affected a third-party file-sharing service used by the institution.

Although the breach has been contained, an urgent investigation into the unauthorized access has begun.

However, in an update on Monday, it revealed the name of the vendor affected: Accellion. The Palo Alto-headquartered firm’s File Transfer Application (FTA) was targeted by malicious third parties, presumably going after the sensitive info stored and shared via the service.

“We are actively working with domestic and international cybersecurity experts and other relevant authorities as part of our investigation. This includes the GCSB’s National Cyber Security Center which has been notified and is providing guidance and advice,” said governor Adrian Orr, in a statement.

“We have been advised by the third-party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.”

Reports claim that a vulnerability in the legacy FTA product was patched by Accellion in mid-December, hinting that those customers affected in this attack may not have updated their systems.

“Many organizations in New Zealand are still quite conservative when it comes to cyber-protection – with increased infrastructure complexity and dependencies on modern systems, this makes them more susceptible to external attacks and to internal mistakes caused by the human factor,” argued Acronis CISO, Kevin Reed. 

“New Zealand is still ranked among the top 50 countries for cybersecurity, and has been stepping up on measures to boost its cyber-defenses, taking part in intelligence sharing with other major countries around the world – which, ironically, makes it a juicy target for attackers.”

Categories: Cyber Risk News

Third Malware Strain Discovered as Part of SolarWinds Attack

Tue, 01/12/2021 - 11:25
Third Malware Strain Discovered as Part of SolarWinds Attack

Security researchers have uncovered yet another malware strain used by Russian attackers to compromise SolarWinds.

Sunspot was used by attackers to inject the Sunburst backdoor code into the vendor’s Orion platform without setting off any internal alarms, CrowdStrike said in a blog post yesterday.

According to the security firm, which did not attribute the attack to anyone, the attackers went to great lengths to “ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers.”

Sunspot worked by sitting on SolarWinds’ build server and monitoring running processes for instances of MsBuild.exe, which is part of Microsoft Visual Studio development tools. If it saw that Orion software was being built, it would hijack the operation to insert Sunburst.

The resulting Trojanized version of Orion was then installed on SolarWinds customer systems. Around 33,000 such customers exist around the world, but only a relatively small handful were singled out by the attackers for the next stage of the campaign.

These victims, including multiple US government entities such as the Department of Justice, were monitored by Sunburst and then hit with a secondary Trojan, Teardrop, which delivered further payloads.

According to a timeline from SolarWinds released yesterday, the attackers first accessed its internal systems in September 2019, and around a week later they injected test code to effectively check the efficacy of Sunspot.

Sunburst was then compiled and deployed into the Orion platform in February 2020, although it was only in December, when FireEye discovered it was hit in the same campaign, that the whole story started to become clear.

Also yesterday, Kaspersky released new research indicating that the Sunburst malware contains multiple similarities with the Kazuar remote access backdoor previously linked to the long-running Russian APT group Turla.

Categories: Cyber Risk News

Chinese Startup Leaks Social Profiles of 214 Million Users

Tue, 01/12/2021 - 10:45
Chinese Startup Leaks Social Profiles of 214 Million Users

A cloud configuration error at a Chinese startup exposed the personal data of at least 214 million social media users including celebrities, researchers have warned.

The privacy snafu occurred at social media management firm Socialarks, which suffered a similar incident in August last year when 150 million users were exposed, according to Safety Detectives.

This time, a team led by Anurag Sen came across an Elasticsearch database left completely open without any password protection or encryption, during a routine IP scan.

The 408GB trove contained over 318 million records in total, although the exact number of users affected is still not known given the size of the leak. What the researchers do know is that it was illegally scraped from social media profiles on Facebook, Instagram and LinkedIn, contrary to the policy on those sites.

They discovered nearly 12 million Instagram user profiles, including names, phone numbers, usernames, email addresses, profile pictures and locations.

The trove also contained data on 82 million Facebook profiles including full names, email addresses, phone numbers, Messenger IDs, pictures and more.

Finally, the researchers uncovered 66 million LinkedIn user profiles containing full names, email addresses, job profiles and company names, amongst other data points.

Safety Detectives said it was unclear how private information such as phone numbers and email addresses were obtained by Socialarks, given its scraping tools should have lifted only publicly available information.

“In some cases, scraped data can be weaponized to carry out a specific goal of extracting personal information for criminal purposes. Potential ramifications of exposing personal information include identity theft and financial fraud conducted across other platforms including online banking,” the firm warned.

“Contact information can be harnessed to target people with targeted scams including sending personalized emails containing other personal information about the target, thereby gaining their trust, and setting the stage for a deeper intrusion into their privacy.”

Although Socialarks never replied to the research team, it remediated the leak on December 14, the day it was notified.

Categories: Cyber Risk News

Big Tech Bans Social Networking App

Tue, 01/12/2021 - 10:01
Big Tech Bans Social Networking App

A social networking app used by millions is seeking a new home after being suspended by big tech over claims of failure to remove egregious content from its platform.

Parler was launched in 2018 as an antidote to sites like Twitter and Facebook that take action to censor particular content and suspend or block user accounts based on the perceived nature of content posted.

Amazon said it had made the decision to block Parler from using its AWS hosting services over concerns regarding “violent content.”

In an email, Amazon’s AWS Trust and Safety team informed Parler’s chief policy officer Amy Peikoff that the social network “does not have an effective process to comply with the AWS terms of service.”

“AWS provides technology and services to customers across the political spectrum, and we continue to respect Parler’s right to determine for itself what content it will allow on its site,” the letter said.

“However, we cannot provide services to a customer that is unable to effectively identify and remove content that encourages or incites violence against others.”

Google removed Parler from its app store on Friday, and on Saturday Apple followed suit. 

Parler’s chief executive John Matze described the concurrent actions of Google, Apple, and Amazon as “a coordinated attack by the tech giants to kill competition in the marketplace.”

Responding to Google’s ban, Matze said: “We won’t cave to politically motivated companies and those authoritarians who hate free speech.”

The move to silence Parler’s approximately 10 million users comes after an executive order on preventing online censorship was issued by President Donald Trump on May 28 2020.

Categories: Cyber Risk News

Lack of Funding Could Lead to “Lost Generation” of Cyber-Startups

Tue, 01/12/2021 - 09:15
Lack of Funding Could Lead to “Lost Generation” of Cyber-Startups

Early-stage cybersecurity companies in the UK have seen a year-on-year funding decline of 96% since March 2020, a trend which threatens to significantly curtail advancements in the sector. This is according to a new analysis by innovation center Plexal and database for fast-growth companies, Beauhurst, which found that cybersecurity startups seeking funding for the first time received only £11.9m in investment since the start of the COVID-19 lockdowns. This compares to £265m during the same period in 2019.

This is despite UK cybersecurity startups as a whole securing £651m since the pandemic struck, which represents a year-on-year rise of 52%. While average investment in these companies was larger, with a wider range receiving capital compared to 2019, funding was almost entirely targeted towards businesses with a proven track record. This included a number of very large follow-on investments to companies such as OneTrust (£224m), Synk (£154m) and Privitar (£70m).

This imbalance has led to fears of a “lost generation” of cyber-startups, which could be damaging to the industry over the long-term.

Saj Huq, director of innovation at Plexal and director of the London Office for Rapid Cybersecurity Advancement (LORCA), commented: “While increased total funding demonstrates the relevance of cybersecurity and shows that the UK’s cyber-industry has not been impacted to the same extent as others, the almost complete absence of backing for early-stage firms puts the sector’s future at risk. It is these companies that we will ultimately rely on to solve the inevitable new cyber-challenges arising from a society that is increasingly digital-first.

“COVID-19 has accelerated digital transformation, increased the demand for digital services and reinforced the relevance of security as a crucial business enabler. More cybersecurity companies are receiving investment as a result, but the caution exercised by investors is preventing the UK’s cyber-sector from becoming the key driver of the economic recovery that it should be. Investors, industry, academic institutions and government must come together to safeguard the future of our brightest, early-stage cyber-startups or they could become a lost generation.”

The analysis of nearly 40,000 startups and fast-growth businesses also showed that the cybersecurity startups had faired substantially better than counterparts in other sectors. While the number of deals involving cybersecurity startups went up by 33% since March 2020, deals across all sectors fell by 26% in the same period.

Last year, LORCA revealed that cybersecurity startup and scaleup firms that have progressed through its innovation program have collectively raised over £150m in investment in two years, 280% above its original target.

Categories: Cyber Risk News

Francisco Partners Completes Forcepoint Acquisition

Mon, 01/11/2021 - 18:13
Francisco Partners Completes Forcepoint Acquisition

Cybersecurity vendor Forcepoint has been acquired from defense contractor Raytheon Technologies by global investment firm Francisco Partners.

The firm announced the closing of the transaction today. The financial details of the deal were not disclosed.

Forcepoint, formerly known as Websense, provides behavior-based cybersecurity solutions that protect the critical data and networks of thousands of customers worldwide by adapting to risk in real-time. 

Four appointments were made by Forcepoint to coincide with the transaction's closing. Dave Stevens was named senior vice president of strategy and execution, John DiLullo is the company's new chief revenue officer, and Sean Berg has been promoted to president of global governments and critical infrastructure from his previous role as senior VP and general manager for Forcepoint’s business unit.

The company’s board of directors has appointed Manny Rivelo as chief executive officer with immediate effect. Previous executive roles held by Rivelo include chief customer officer at Arista Networks, president and CEO as well as executive vice president, security, service provider and strategic solutions at F5 Networks, president and CEO of AppViewX, and various senior leadership roles at Cisco Systems.

“Cybersecurity has never been more important for businesses and governments around the world,” said Rivelo. "As we continue to see broad-scale global attacks, the cybersecurity industry needs to evolve to deliver security capabilities to match those of today’s sophisticated threat actors."

Rivelo added that all organizations need to evolve their security posture so that cybersecurity is holistically integrated across their business operations and into their culture. 

"It can no longer be viewed as ‘just an IT issue’,” said Rivelo.

As CEO, Rivelo intends to focus the company’s strategy on accelerating enterprise and government-agency adoption of emerging Secure Access Service Edge (SASE) architecture.

“I look forward to solidifying Forcepoint’s leadership position as the global cybersecurity partner of choice for enterprises and government agencies,” said Rivelo.

Founded in 1999 and based in San Francisco, Francisco Partners specializes in partnering with technology and technology-enabled businesses. Since its launch, the firm has raised over $24bn in committed capital and invested in more than 300 technology companies.

Categories: Cyber Risk News

(ISC)² Offers Online Exam Proctoring

Mon, 01/11/2021 - 17:41
(ISC)² Offers Online Exam Proctoring

The largest non-profit association of certified cybersecurity professionals in the world is launching an online exam proctoring pilot program.

(ISC)²'s new program, announced today, will embrace the association's entire portfolio of cybersecurity certifications, including the famed independent information security certification CISSP.

As of July 1, 2020, there were 141,607 (ISC)² members holding the CISSP certification worldwide.

Offering certification online is part of the association's efforts to counter the effects of the global outbreak of the novel coronavirus on the lives of security professionals.

“In the wake of COVID-19, (ISC)² has spent considerable time and effort to ensure the integrity of our exam process while taking into consideration that many candidates are facing extraordinary uncertainty and restrictions due to the pandemic,” said Dr. Casey Marks, chief product officer and vice president, (ISC)². 

“Our pilot test program will enable us to gather the data we need to weigh the integrity and effectiveness of the exams while making them more easily accessible during these unprecedented times.”

Under the pilot test, a maximum of 2,000 total examinations will be delivered. Candidates can register for the (ISC)² online proctoring pilot test beginning today. 

In this pilot program, test deliveries are being limited to candidates who are located within the United States and who have no past (ISC)² disciplinary actions on record. Tests will only be available in the English language.

The pilot program will be exclusively administered through Pearson VUE, which will offer exam appointments on a first-come, first-served basis.

Online examinations for the CAP, CCSP, CSSLP, HCISPP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP, and SSCP certifications will be administered February 15, 2021 – February 21, 2021. Online CISSP examinations will be administered February 22, 2021 – February 28, 2021. 

The cost for examinations offered online as part of the pilot scheme has been set at the same rate charged for test center–delivered examinations. But, where test center candidates typically receive diagnostic information regarding how they performed in their tests, online candidates will only be given a pass/fail result.  

(ISC)², which has a membership of more than 140,000 security professionals, celebrates its 30th anniversary this year.

Categories: Cyber Risk News

Bridewell Appoints Martin Riley as Director of Managed Security Services

Mon, 01/11/2021 - 15:40
Bridewell Appoints Martin Riley as Director of Managed Security Services

Bridewell Consulting has announced the appointment of Martin Riley as its director of managed security services.

Riley, who has joined Bridewell’s board from today, is tasked with leading the expansion of the cybersecurity and data privacy consultancy’s managed security service (MSS) portfolio. This includes its 24/7 security operations center (SOC) and managed detection and response (MDR) service.

Riley comes with nearly 20 years of experience in helping scale up organizations’ security infrastructure and digitalization as well as leading enterprise managed services.

Most recently, Riley held the position of chief technology officer at Timico, where he led the strategic direction and digital transformation of the business. He was also previously head of infrastructure at cloud services and integrator company Adapt.

Scott Nicholson, director, Bridewell Consulting, comment: “Martin brings tremendous expertise and experience to our business and will be instrumental in helping us deliver on our ambitious growth strategy. Our 24/7 managed detection and response capability around Azure Sentinel and Defender XDR is already best in class across the industry, but with Martin’s support, we hope to strengthen this further and deliver high end security automation and operations across critical national infrastructure.”

Speaking on his new position, Riley said: “I have been passionate about the role cybersecurity plays in infrastructure and cloud services for many years and am excited to work for an ambitious and fast growth business like Bridewell. Managed security services continues to be one of the biggest growth areas in IT and I look forward to helping develop opportunities to expand Bridewell’s services, mature our capabilities and strengthen our position in the security market.”

Anthony Young, director, Bridewell Consulting, added: “When first meeting Martin, it was clear to see he had passion for cybersecurity and delivering an excellent service to customers which aligns with our values. That, coupled with his experience across managed services and scaling businesses through technology automation, makes him a brilliant addition to the board and will help us deliver on our growth plans.”  

Categories: Cyber Risk News

US Announces Controversial State Department Cyber-Bureau

Mon, 01/11/2021 - 12:06
US Announces Controversial State Department Cyber-Bureau

The US government has announced the creation of a new cybersecurity agency to align with the country’s diplomatic efforts.

The Bureau of Cyberspace Security and Emerging Technologies (CSET) was finally approved by outgoing secretary of state, Mike Pompeo — over a year-and-a-half after Congress was first notified of the plans.

A brief statement from the department explained that the need to “reorganize and resource” the government’s cybersecurity and diplomacy has become even more critical in the intervening months. China, Russia, Iran, North Korea and “emerging technology competitors and adversaries” were name-checked in the note.

“The CSET bureau will lead US government diplomatic efforts on a wide range of international cyberspace security and emerging technology policy issues that affect US foreign policy and national security, including securing cyberspace and critical technologies, reducing the likelihood of cyber-conflict, and prevailing in strategic cyber-competition,” it continued.

“The secretary’s decision to establish CSET will permit the department to posture itself appropriately and engage as effectively as possible with partners and allies on these pressing national security concerns.”

However, the reason for that 18-month delay to the creation of CSET was former House Foreign Affairs Committee chairman Eliot Engel, who argued at the time that its focus was too narrow.

A 2018 bipartisan bill, the Cyber Diplomacy Act, sets out to establish not a bureau but an Office of International Cyberspace Policy at the State Department.

“While Congress has pursued comprehensive, bipartisan legislation, the State Department has plowed ahead in its plan to create a bureau with a much narrower mission focused only on cybersecurity,” Engel is reported saying at the time.

“This move flies in the face of repeated warnings from Congress and outside experts that our approach to cyber-issues needs to elevate engagement on economic interests and internet freedoms together with security.”

A former State department cybersecurity diplomat under Obama and Trump also dismissed the move.

“Laughable that this is done @ the 11th hr when this was not adequately resourced or prioritized for four yrs,” tweeted Chris Painter. “Also, this formulation only preserves stovepipes rather than coordination.”

Categories: Cyber Risk News