Researchers have uncovered a Chinese APT campaign designed to compromise government websites in a Central Asian nation by targeting a key datacenter.
Kaspersky Lab explained that by compromising the national datacenter, the APT27/LuckyMouse/EmissaryPanda group was able to gain “access to a wide range of government resources at one fell swoop.”
It’s not clear how the attackers targeted the datacenter in the first instance. Although they have used weaponized documents exploiting CVE-2017-11882 in the past, Kaspersky Lab believes employees may have been targeted by watering hole attacks.
Interestingly, the main command and control IP address was traced back to a Ukrainian ISP running a Mikrotik router that was hacked “in order to process the malware’s HTTP requests.”
The websites themselves were compromised to redirect visitors to instances of both ScanBox and BeEF. The former is a reconnaissance framework that collects information about the victim’s machine, including operating system, language and location.
BeEF, the Browser Exploitation Framework, is a pen testing tool focused on the browser.
“The TTPs for this campaign are quite common for Chinese-speaking actors, where they typically provide new solid wrappers (launcher and decompressor protected with shikata_ga_nai in this case) around their RATs (HyperBro),” Kaspersky Lab concluded.
“The most unusual and interesting point here is the target. A national datacenter is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.”
A leading cybersecurity firm has claimed that only around a quarter of the vulnerabilities found and reported to vendors by its researchers get resolved.
NCC Group analyzed nine years of vulnerabilities discovered by its team and found that only 26%, or 289, were classed as “closed,” meaning they were fixed or dismissed once the risk was accepted by the vendor.
Unsurprisingly, those classed as low risk took longest for vendors to fix, at an average of 96 days. Medium-risk and then critical vulnerabilities followed, taking 77 days and 74 days respectively.
NCC Group complained that too often vendors lack a clear point of contact for researchers to communicate with when they find a flaw, lengthening the delay. Sometimes out of desperation, researchers are even forced to contact the vendor’s social media team in order to find a secure communication channel, it added.
NCC Group research director, Matt Lewis, bemoaned the lack of established processes for vulnerability remediation and disclosure. Just 2.4% of the vulnerabilities found by his team and reported resulted in a CVE.
“There also seems to be a false sense of security among businesses when it comes to low-risk vulnerabilities. These are vulnerabilities nonetheless, and we’re seeing an increase in bug chaining attacks, which exploit multiple low-risk issues across infrastructure to achieve full, unauthorized control of the underlying system,” he added.
“The fact that the majority of vulnerabilities uncovered by our researchers over the past nine years have not been fixed demonstrates that there are likely far more zero-day vulnerabilities in existence than we might think.”
Research from Flexera earlier this year revealed discovered vulnerabilities hit an all-time-high in 2017 of over 20,000.
Separate research from Fortinet last year claimed that hackers are increasingly crafting exploits around old vulnerabilities, knowing that firms may leave them unpatched. It found that in Q2 2017, 90% of organizations recorded exploits for vulnerabilities that were three or more years old.
The WannaCry ransomware campaign of May 2017 highlighted just how many organizations fail to patch even critical bugs promptly.
Gloucestershire Police has been fined £80,000 by the Information Commissioner’s Office (ICO) after sending a bulk email in error which revealed the names of child abuse victims to strangers.
Two years ago, an officer sent an update on an ongoing case of historic child abuse to 56 recipients, but forgot to BCC them, meaning their names were exposed to the other recipients.
This meant that each recipient – which the ICO says “potentially included victims, witnesses, lawyers and journalists” – could see the full email address and name of the others on the same email.
Of the 56 emails sent, one was not deliverable and three were successfully recalled, after the police force identified the privacy snafu two days later. That means 56 names and email addresses were visible to up to 52 recipients, according to the ICO.
“This was a serious breach of the data protection laws and one which was likely to cause substantial distress to vulnerable victims of abuse, many of whom were also legally entitled to lifelong anonymity,” said ICO head of enforcement, Steve Eckersley.
“The risks relating to the sending of bulk emails are long established and well known, so there was no excuse for the force to break the law – especially when such sensitive and confidential information was involved.”
As the privacy leak occurred on 19 December 2016 the ICO fined the force under the Data Protection Act 1998, rather than the 2018 Act which effectively incorporates the GDPR into UK law. It’s unclear whether that meant a reduced fine for the police force.
According to the data protection watchdog there were 957 reported incidents in the last quarter, a 17% increase on the previous three months.
Of those, failure to use BCC when sending emails was one of the top five data security incident types.
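The control the ICO is pointing at is a simple one: a bulk mailing must carry its recipients in Bcc, never in To or Cc. The following is an added example, not code from the article or the ICO, showing a small Python guard that builds a bulk message with the recipient list hidden and a checker that flags any outgoing message exposing more than an assumed policy limit of visible recipients. The sender address, the recipient list and the threshold are all constructed for the example.

```python
"""Added example: keep bulk-mail recipients in Bcc and detect messages that
would expose them. Not from the article or the ICO; addresses and the
exposure threshold are constructed/assumed for illustration."""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy: more than this many addresses visible in To/Cc is treated
# as a likely recipient leak and should be blocked before sending.
EXPOSURE_THRESHOLD = 5


def build_bulk_message(sender, recipients, subject, body):
    """Build a message whose recipients sit only in Bcc.

    The To header carries the sender's own address so each recipient sees
    only the sender, never the other recipients.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def build_message_all_in_to(sender, recipients, subject, body):
    """The mistaken form: every recipient in To, so all can see each other."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to read (To and Cc headers)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def envelope_recipients(msg):
    """All delivery targets: To, Cc and Bcc. smtplib.send_message strips the
    Bcc header itself before transmission, so Bcc never reaches recipients."""
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Bcc", []))
    return [addr for _, addr in getaddresses(headers) if addr]


def exposure_warning(msg, threshold=EXPOSURE_THRESHOLD):
    """Return a warning string if more than `threshold` recipients would be
    visible to each other, otherwise None. Use as a pre-send gate."""
    seen = visible_recipients(msg)
    if len(seen) > threshold:
        return (f"{len(seen)} recipients visible in To/Cc "
                f"(limit {threshold}); move them to Bcc")
    return None


if __name__ == "__main__":
    # Constructed recipient list mirroring the 56 addresses in the case.
    recips = [f"recipient{i}@example.invalid" for i in range(56)]
    sender = "case-officer@example.invalid"
    safe = build_bulk_message(sender, recips, "Case update", "Update text")
    leaky = build_message_all_in_to(sender, recips, "Case update", "Update text")
    print("safe:", exposure_warning(safe))     # None
    print("leaky:", exposure_warning(leaky))   # 56 recipients visible ...
```

Wiring `exposure_warning` into whatever sends mail on behalf of staff (a helper script, a mail gateway rule, a DLP policy) turns a "remember to use Bcc" instruction into an enforced check; the threshold is deliberately low because a message with five or more external addresses in To is rarely an ordinary conversation.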
A company that handles millions of health savings accounts (HSAs) has suffered a data breach in which the information of 23,000 people was compromised.
On 11 April, the email account of a HealthEquity employee was accessed by an unauthorized person. Two days later, the malicious activity was discovered, at which point the Utah-based firm – a custodian of more than 3.4 million HSAs – expunged the mailbox and contacted a forensics firm. HealthEquity has reportedly offered five years of credit monitoring and identity theft protection in response to the incident.
Health Data Management reported that the information compromised via the email account included not only the names of members but also their HealthEquity member IDs, along with the names of their employers and their employers' HealthEquity IDs. Also included in the stolen data were various types of healthcare accounts, deduction amounts and Social Security numbers for some Michigan employees.
“The healthcare industry is a growing target for cyber-attacks because of the highly valuable information stored within these organizations," said Tim Erlin, VP product management and strategy, Tripwire.
“The biggest risk for those affected is identity theft, given that Social Security numbers were compromised," Erlin continued. "HealthEquity seems to realize this fact and has offered identity theft monitoring services in addition to the usual credit monitoring. The fact that this breach was detected two days after it occurred is notable and a sign that HealthEquity was paying attention.”
News of the breach comes only days after Cynerio published new research, Healthcare Hacking Trends on the Dark Web. Released 11 June, the research found that the buying and selling of protected health information is a troubling problem in dark web marketplaces.
The healthcare industry is one of the most frequently targeted sectors, as cyber-criminals exploit known weaknesses where they can gain access to highly sensitive information that has great value on the dark web.
"The fact that healthcare providers’ databases can be hacked, dumped and sold to the highest bidder (with the lowest morals), is quite troubling," the report states. "Healthcare systems store some of the most sensitive and private information about us, and this information is exposed to a wide range of cyber-attacks on a huge attack surface."
Information security professionals are preparing for the worst as this year's FIFA World Cup kicks off. The World Cup of football (a.k.a., soccer in the US) is set to take center stage in Russia. The tournament kicks off tonight between Russia and Saudi Arabia. While it's highly anticipated by football fans and hackers alike, security professionals believe that some sort of cyber-attack will occur on the 2018 FIFA World Cup football network, according to a recent survey.
The survey, conducted by Lastline at Infosecurity Europe 2018, found that 72% of security professionals believe an attack is likely given the fact that attacking high-profile international events is trending among cyber-criminals.
Of the professionals who expect an attack, 70% anticipate that the attack vector will focus on network infrastructure with a distributed denial-of-service (DDoS) attack or an attempt to disrupt social media channels. Less than half (44%) believe that email correspondence is at risk and only 47% suspect threats to mobile devices.
“Cybercriminals do not exist in a vacuum,” said Andy Norton, director of threat intelligence at Lastline. “They will be aware of the immense media scrutiny the World Cup will be under, and will be hoping to capitalize on this as well as the financial opportunities such a unique event presents.”
The world has seen DDoS attacks at global sporting events before, as was the case with the Winter Olympics in South Korea, and some fear that these threats are becoming the new normal. "It’s hardly surprising that further attacks are being forecast for the FIFA World Cup that kicks off today,” said Andrew Lloyd, president of Corero Network Security. “Given current geopolitics, the football World Cup does present an opportunity for nation-state–sponsored attacks on political foes that will make Eurovision tactical voting look like a playground scuffle."
"We note that today’s opening ceremony is followed by a Russia vs. Saudi Arabia match that I’m sure will pique interest in Iran and elsewhere," Lloyd continued. "Beyond attacking the FIFA infrastructure, other risk areas with a higher commercial impact include live broadcast streams and highly lucrative in-game betting. These threats further add to the pressure on digital enterprises to invest in real-time defenses that automatically detect and mitigate attacks allowing them to stay online and open for business during a cyber-attack.”
In an effort to address growing concerns over the looming skills gap, leading military colleges and universities in the US have moved to establish cyber institutes. Among the senior military colleges (SMCs) are The Citadel, the University of North Georgia, Norwich University, Texas A&M, Virginia Military Institute and Virginia Tech, according to Citadel Today.
The Fiscal Year 2019 National Defense Authorization Act (NDAA), which has been tabled for the fall, attempts to “authorize appropriations for fiscal year 2019 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes.” Congressional leaders are hoping to include within that act an amendment that authorizes the Secretary of Defense to establish cyber institutes at SMCs.
Initiated by the University of North Georgia, the collaborative group of institutions has the support of Sen. Lindsey Graham (R-South Carolina) and Sen. Tim Scott (R-South Carolina). The amendment, sponsored by Rep. Jody Hice (R-Georgia) was also included in the Senate Armed Services Committee FY19 NDAA, which is currently up for consideration on the senate floor.
“Future cyber leaders must be able to empower their teams to foresee and resolve complex, and often threatening, problems,” Graham told Citadel Today. “Our Senior Military Colleges are already deeply invested in this type of national security education. They provide the discipline, ethics training and academic rigor the next generation of cyber leaders need. They are ready for this step.”
“With cyber threats affecting nearly every sector of our society, we need capable and trained professionals in our Department of Defense and other agencies who are prepared to proactively and effectively counter this dangerous trend,” Scott reportedly said.
“We need our nation’s cyber training facilities, especially our Senior Military Colleges, to train the next generation of leaders to help secure Americans’ information and to further advance our overall national security. I was glad to have worked with my colleague Sen. Graham to advocate for the inclusion of the Senior Military Colleges Cyber Institute Amendment in the Senate version of the FY19 NDAA,” said Scott.
Apple has confirmed that a forthcoming update will fix a security vulnerability known to be used by police to crack seized devices.
The tech giant’s update will ensure that third parties can’t access and transfer a handset’s data by connecting via the Lightning port, if the phone has been locked for more than an hour.
Controversial smartphone cracking companies like Grayshift and Cellebrite are thought to exploit the flaw in order to circumvent device security which locks users out and/or erases data once the limit is reached on passcode entry attempts.
Their services are often sought by police in the US and elsewhere looking to crack devices for use in investigations.
Once the update is applied, law enforcers will only have an hour to get into a device after it was last locked, using these same techniques.
"At Apple, we put the customer at the center of everything we design," the firm said in a statement. "We're constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data. We have the greatest respect for law enforcement, and we don't design our security improvements to frustrate their efforts to do their jobs."
Despite its reassurances, the move is likely to reopen the war of words between the Cupertino giant and the FBI, which has tried and failed to force it to engineer a de facto backdoor into its software so investigators can access specific devices.
It’s thought the FBI eventually turned to Cellebrite two years ago after failing in a legal challenge to Apple.
Alex Rice, CTO of HackerOne, argued that Apple is right to fix known vulnerabilities, even if they are used by police.
"Back in 2016, when the FBI revealed it utilized third parties to help break into iPhones, a new issue presented itself — there was a known vulnerability being exploited that wasn't shared with the only organization in the world that could fix it,” he explained.
“There are over 700 million iPhones in the hands of consumers. Patching any and all vulnerabilities as quickly as possible is necessary for a mature security posture and the only responsible path to protect the public."
The UK’s traffic control and transport systems are the latest piece of critical infrastructure (CNI) experts are warning could be sabotaged by nation state hackers.
The comments came initially from Christopher Deverell, the commander of Britain’s Joint Forces Command, on BBC Radio 4’s Today program.
“There are many potential angles of attack on our systems. A lot of our capabilities in society depend on our control systems which are accessible by cyber-space,” he argued.
"So you can imagine threats to power stations, threats to air traffic control, threats to transport systems. We need to be able to defend ourselves against them.”
Michael Fabien, principal consultant at Synopsys, argued that the precedent for disruption of CNI via cyber-attacks has already been set globally.
"What we can take away as a positive is that officials are aware of the potential risks, and we can hope they are actively pursuing remediation programs to improve the security of their operations, keeping the UK’s core infrastructure safe,” he added.
Russia has famously been behind much of that disruption, infiltrating the US energy grid, attacking UK telecoms, media and energy sectors and most recently compromising routers and NAS devices with destructive malware.
It has also been blamed for the 2015 and 2016 attacks on Ukrainian power stations that left hundreds of thousands in the dark.
Sean Newman, director at Corero Network Security, argued that connecting operational and IT networks can improve efficiency but also expose firms to the risk of attack from the public internet.
“The question now, is more around who is bold enough, rather than capable of, carrying out such attacks, and risking the likely repercussions,” he said.
“It’s reasonable to assume it’s more a matter of [when], than if, so the operators of such systems need to be fully cognisant of the potential risks and deploy all reasonable protection to minimize it.”
Nozomi Networks’ Andrea Carcano argued that the UK’s critical infrastructure is being “probed and poked” by nation states, cybercrime groups and hacktivists every day.
“The challenge for those charged with protecting our critical infrastructure is visibility, as you can’t protect what you don’t know exists. Some 80% of the industrial facilities we visit do not have up-to-date lists of assets or network diagrams,” he continued.
“Ironically, this doesn’t pose a problem to criminals who are using readily available open source tools to query their targets and build a picture of what makes up their network environment and is potentially vulnerable — be it a power plant, factory assembly line, or our transport infrastructure.”
It is hoped the NIS Directive, which came into force in early May, will help drive improvements in baseline security for certain CNI providers including those in the transport sector.
Kaspersky Lab has been forced to pull out of cross-industry collaborative efforts at a European level after the European Parliament passed a resolution calling for a ban on its products.
The resolution in question, which was passed by 476 votes to 151, focused on the EU’s foreign and security policy.
“Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab.”
Although non-binding, the resolution could lead to more EU member states taking action to clamp down on sales of the Russian AV vendor’s products.
As a result, the firm has pulled out of co-operative efforts with Europol and the No More Ransom initiative “until the withdrawal of the European Parliament decision.”
“Why ban the company protecting Europeans from 320K malicious threats a day? A backwards step voted on this week in @Europarl_EN weakening #cybersecurity across the EU,” tweeted CEO Eugene Kaspersky.
“We get a ‘media-ocracy’ – with ‘news’ that isn’t news at all, just a vehicle for instilling in readers’ minds images of an ‘enemy’; then the 'news' are used to justify high-level political moves against the next-in-line-to-be-out-of-favor company.”
The move follows a ban on the use of Kaspersky Lab products for US and UK government use, and their removal from the shelves in some US stores such as Best Buy.
However, those in the industry jumped to the firm’s defense on Twitter — taking issue with the fact that lawmakers seem to believe the products are confirmed as malicious.
“Proposed EU parliament resolution refers to Kaspersky’s products matter-of-factly as ‘confirmed as malicious’. This is not the way to improve EU cyber defence, especially when the resolution otherwise commendably emphasizes co-operation,” tweeted F-Secure’s Artturi Lehtiö.
Noted security researcher Kevin Beaumont added that Kaspersky Lab is facing an execution without trial.
“The EU parliamentary wording re Kaspersky, which has been voted through, is crossing another bad rubicon in cyber security regarding collaboration and – frankly – law and evidence,” he argued.
The transportation industry is midway through the CALSTART 2018 Cyber Truck Challenge, and Heavy Duty Trucking (HDT) has announced that the University of Tulsa (TU) is working to develop a truck cybersecurity device.
Cyber Truck Challenge, established to help develop the next generation of the trucking workforce, runs through 15 June. CALSTART, in conjunction with the Michigan Economic Development Council (MEDC), TARDEC and the National Motor Freight Traffic Association (NMFTA) are working to raise cybersecurity awareness in the trucking and transportation industry.
“Cyber security awareness and action is critical as electrification and connectivity grows across the industry and we are working to establish a community of interest for heavy vehicle cyber that transcends individual companies or departments and reaches across disciplines and organizations to make a more universal and experienced base of engineers and managers,” CALSTART wrote.
This week more than 35 students from across the country have gathered in Warren, Michigan. Students have gone through two days of instruction and are in day two of the cybersecurity assessment of five medium- and heavy-duty trucks. The week will culminate with a student report.
They aren't the only students actively working to secure trucking fleets, though. A group of students from the University of Tulsa, along with faculty from the department of mechanical engineering, is also joining forces with NMFTA in an effort to improve the security of electronic logging devices (ELDs) through the use of a controller area network (CAN) data diode hardware device, HDT reported.
According to the Federal Motor Carrier Safety Administration (FMCSA), new mandatory ELD regulations are “intended to help create a safer work environment for drivers, and make it easier and faster to accurately track, manage, and share records of duty status (RODS) data. An ELD synchronizes with a vehicle engine to automatically record driving time, for easier, more accurate hours of service (HOS) recording.”
The ELD final rule was published 16 December 2015 and continues to be implemented with the end goal of full compliance and the mandatory use of ELDs set for 16 December 2019.
ELDs with weak cybersecurity safety measures can often be used as points of entry to critical systems of a truck, and the CAN diode is intended to mitigate this risk. The CAN data diode will deliver a low-cost network isolation solution, which is good news for commercial vehicle operators with limited resources.
The device “will help carriers comply with mandatory ELD regulations while also protecting onboard vehicle networks that could be compromised by a cracked ELD,” Jeremy Daily, the TU associate professor whose technology designs the CAN data diode is based on, told HDT.
Whether it’s ransomware or phishing attempts, email threats are a top risk to organizations' security. According to new data from Dimensional Research and Barracuda Networks, email threats are rising and remain a top concern for businesses.
More than 600 executives, individual contributors and IT security team managers from organizations large and small across all sectors and around the globe participated in the study. The 2018 Email Security Trends report found that email threats continue to increase, which is increasingly impacting the productivity of employees.
When asked about the understood pervasiveness of email security threats, 87% of respondents said their company faced an attempted email-based security threat in the past year. More than one third of those surveyed admitted that they have already experienced a ransomware attack, yet the threat of ransomware remains a concern for 88% of respondents.
Over the past year, the number of email-based attacks has increased for 81% of the survey participants, with a quarter of respondents reporting a dramatic increase and more than half (51%) identifying attacks have somewhat increased.
“Poor employee behavior is the main concern for most, not the tools that organizations have in place to stop threats. This has always been conventional wisdom; the data now backs it up,” the report said.
An overwhelming majority (90%) of professionals said email archiving is critical, as it delivers the benefits of maintaining an audit trail for compliance purposes and affords them the ability to investigate suspicious activity while cutting costs for e-discovery requests.
“Larger businesses are more concerned about Office 365 email security; smaller businesses are less concerned. While the differences are fairly minor, this could be because larger companies have more data at risk in Office 365, due to having broader deployments rolled out that include SharePoint, OneDrive and other applications,” Barracuda wrote in a press release.
In considering how to mitigate the risks of email-based threats, participants in the study unanimously agreed that end-user training is important to preventing attacks. The two aspects of end-user training that the professionals identified as most beneficial were phishing simulations and social-engineering detection, with nearly all respondents (98%) agreeing that end users find little relevance in traditional classroom-based education.
For organizations that were hoping to see a decline in malware threats, there is no sign that crypto-mining malware will be going away anytime soon. In fact, crypto-mining malware continues to dominate among hackers while also sneaking its way into more mobile apps.
“May 2018 marked the fifth consecutive month where crypto-mining malware dominated Check Point’s Top Ten Most Wanted Malware Index. Coinhive retained the top spot as the most prevalent malware as another crypto-mining malware, Cryptoloot, ranked second with a global reach of 11%,” Check Point wrote.
Cyber-crooks around the world are reportedly leveraging unpatched server vulnerabilities in Microsoft Windows Server and Oracle Web Logic in order to mine crypto-currency. The research also found that despite these patches being available for at least six months, organizations continue to be vulnerable.
While instances of crypto-mining malware infection have increased by a reported 4,000% in Q1, according to News BTC, the problem is also spreading through mobile apps. Apple recently released new guidelines to thwart the spread of crypto-mining apps.
On 4 June Apple updated its app store review guidelines to include guidelines that would secure its products from malicious mining practices. The company mandated to developers, “Design your app to use power efficiently. Apps should not rapidly drain battery, generate excessive heat, or put unnecessary strain on device resources. Apps, including any third party advertisements displayed within them, may not run unrelated background processes, such as cryptocurrency mining.”
Additionally, Apple clarified that apps may not mine for cryptocurrencies unless the processing is performed off device – in cloud-based mining, for example.
Still, Amazon is fighting to extinguish the infections spreading through Fire TV and its stick devices. A variant of a malware worm has reared its crypto-mining head in Amazon Fire TVs and Fire TV Sticks. “The worm is not specifically targeting Fire TV devices, but they are vulnerable because of their Android-based operating system,” said AFTVnews.
The Android malware known as ADB.Miner has spawned a new version that started spreading earlier this year, reportedly disguising itself as an app called “Test” with the package name “com.google.time.timer.” After infecting Android devices, it not only begins mining for crypto but also spreads itself to like devices on the same network.
Legal firms in the UK could improve their efficiency by 50% by using the artificial intelligence (AI) technology available to them, according to Drooms.
The data room provider claimed that, whilst automated machine processes are becoming more and more commonplace across a variety of industries, companies in the legal sector have been skeptical regarding the value technology provides and therefore slower in adopting new methods.
“The legal sector is a traditionally conservative market that, with some notable exceptions, has remained largely unchanged for decades,” said Jan Hoffmeister, co-founder of Drooms. “One of the biggest roadblocks to greater adoption of AI technology is the industry’s widespread skepticism which, ironically, is strongest among those who could benefit the most from it.”
However, recent Drooms research of its customer base of due diligence professionals discovered that 72% of respondents said AI technology had sped up the due diligence process, with over half (52%) stating it has the potential to completely transform the work.
“The benefits are clear for in-house counsel having to perform under ever tighter time constraints,” Hoffmeister added. “But some legal firms that charge on an hourly basis might think that using technology threatens their revenue streams. However, using intelligent software to automate due diligence can allow them to focus their efforts on billing for more qualified and detailed advice.”
Microsoft has fixed a half century of vulnerabilities for this month’s patch update round, including one publicly disclosed bug and one being exploited in the wild.
Adobe patched zero-day vulnerability CVE-2018-5002 in an out-of-band update last week so admins are urged to apply Flash Player update APSB18-19 as soon as possible to fix this and three other bugs.
RCE flaw CVE-2018-8267 is a Scripting Engine Memory Corruption Vulnerability disclosed without a patch on June 1. Affecting all versions of Internet Explorer, it should also be prioritized.
Allan Liska, senior solutions architect at Recorded Future, claimed that Windows Domain Name System (DNS) bug CVE-2018-8225 could allow an attacker to take control of an affected machine and should also be put high on the to-do list.
He also flagged Edge vulnerability CVE-2018-8229.
Ivanti director of product management, Chris Goettl, pointed to new Meltdown and Spectre mitigations against Spectre Variant 4 (CVE-2018-3639) vulnerabilities.
“This was the series of 8 additional Spectre vulnerabilities discovered a few weeks ago that allow for Speculative Store Bypass,” he added. “Similar to the last round of Meltdown and Spectre fixes the guidance from Microsoft is to apply the OS updates, apply latest microcode\firmware updates, then turn on mitigation for Variant 4. They do warn about the possibility of performance impact once again.”
Millions of Dixons Carphone customers have had their financial and personal data illegally accessed after a major breach at the UK company.
The high street retailer claimed in a notice today that “there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores.”
However, it was quick to add that 5.8 million of these cards had chip and PIN protection, and that the data stolen did not include PIN codes, card verification values (CVV) or authentication data – making it more difficult for the hackers to monetize the breached data.
Only 105,000 non-EU issued payment cards are at risk as they aren’t chip and PIN protected, meaning they could be cloned.
“As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers,” the firm said. “We have no evidence of any fraud on these cards as a result of this incident.”
The electronics retailer also admitted that hackers have accessed but not exfiltrated personal data on 1.2 million customers including names, addresses and email addresses.
“We have no evidence that this information has left our systems or has resulted in any fraud at this stage,” it confirmed.
Given the small number of affected cards and the fact that personal data did not leave the network, it’s unlikely the firm will be in for a major GDPR fine, unless it emerges that the hackers took advantage of serious deficiencies in the firm’s cyber-defenses.
Dixons Carphone CEO, Alex Baldock, revealed that the firm has added extra security measures, informed the relevant authorities and is communicating with affected customers.
“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here,” he added. “We’ve taken action to close off this unauthorized access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”
Yahoo has been fined £250,000 by UK privacy regulator the Information Commissioner’s Office (ICO) following a 2014 Russian state-sponsored attack which resulted in the compromise of 500 million accounts.
The incident, which was only reported two years later by the internet pioneer, led to the compromise of over 500,000 Yahoo UK accounts.
The personal data involved included names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.
According to reports the accounts were co-branded with Sky but Yahoo UK was the data controller and so had responsibility for their security under previous data protection laws.
The lengthy ICO investigation found that Yahoo UK “failed to take appropriate technical and organizational measures” to protect the data and ensure it complied with data protection standards. It also failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo employees who had access to customer data.
These deficiencies were present in the company “for a long period of time” without being addressed, the ICO argued.
ICO deputy commissioner of operations, James Dipple-Johnstone, argued that organizations not only need to shut the door but also lock it and “check the locks.”
“Since our investigation, the law has changed. Under the General Data Protection Regulation and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data,” he added. “If organizations, especially well-resourced, experienced ones, do not properly safeguard their customers’ personal data, they may find customers taking their business elsewhere.”
Last year the Department of Justice charged two Russian FSB officers and hacker-for-hire Alexsey Belan for conspiring to break into Yahoo to obtain information on persons of interest to the Kremlin.
Also in 2017, Yahoo admitted that a previous 2013 breach of one billion accounts actually affected three times that amount.
Banco de Chile publicly disclosed on 28 May that it had detected a virus, presumably from international networks, that affected thousands of its workstations. The bank has now learned that the incident was a malware-driven cyber-attack in which the attackers transferred approximately $10m via the bank's SWIFT international money transfer system.
Most of the money has been traced to locations in Hong Kong, and it is believed that a criminal group from Eastern Europe or Asia is responsible for the attack.
In its public declaration, Banco de Chile wrote, "Although these measures affected the quality of our services, they made it possible to ensure the integrity of the information and data at all times, so that the security of the transactions, funds and records of our clients will never be affected."
As the investigation unfolded, though, the bank learned that the user accounts were never the target of the attack. The cyber-attack corrupted the master boot records (MBRs) of 9,000 PCs and servers, leaving them unable to reboot. Multiple branch computer systems were inoperable, though online systems remained up and running, according to Computing.
What appeared to be a virus was actually MBR Killer malware, according to Trend Micro. Presumably the malware was used as a distraction, and the bank responded as the attackers had hoped: It acted to protect customer accounts. Last weekend, the general manager of Banco de Chile, Eduardo Ebensperger, told La Tercera Pulso, "The event was intended to harm the bank, not the customers."
Because the bank took measures to safeguard customer accounts by disconnecting approximately 9,000 workstations believed to be infected, attackers were able to steal millions of dollars from the bank.
"We found some strange transactions in the SWIFT system (where banks internationally remit their transactions to different countries). There we realized that the virus was not necessarily the underlying issue, but apparently they wanted to defraud the bank," Ebensperger said in an interview with El Pulso.
Calling the attack the first of this magnitude, Ebensperger said it comes as a harbinger of the changing threat landscape and that institutions like Banco de Chile must now rethink how they approach cybersecurity.
“We banks have turned to innovation, it seems that we have to go a little more carefully because the issue of cybersecurity must be untransferable. For us it was, it still is, but we must advance in more sophisticated things that we have not seen before, like this attack,” Ebensperger said.
Nefarious actors who successfully exploit a newly discovered vulnerability in Apple code signing can potentially deceive third-party tools into believing their code is Apple approved. Today, the Okta Research and Exploitation (REX) researcher who uncovered the security issue publicly disclosed the vulnerability that could allow threat actors to bypass a core security function to impersonate Apple.
Once researcher Josh Pitts contacted Apple, the CERT Coordination Center and all third-party developers, he recommended that a public blog post was the best means of reaching third parties that use code signing application programming interfaces (APIs) in a private manner.
Code signing is the process by which public key infrastructure is used to digitally sign compiled code and scripts in order to validate that the code has not been modified. Pitts discovered a vulnerability that breaks the trust in Apple-signed code that macOS security relies on.
Recognizing that code signing has had a slew of security issues, Pitts wrote in his public disclosure, "Unlike some of the prior work, this current vulnerability does not require admin access, does not require JIT’ing code, or memory corruption to bypass code signing checks. All that is required is a properly formatted Fat/Universal file and code signing checks return valid."
If exploited, all third-party security, forensic, and incident response tools that use the code-signing API would be affected, along with the millions of consumers and businesses that use Mac machines.
"By exploiting this vulnerability, threat actors can trick even the most security-savvy people and bypass a core security function that most end users don’t know or think about as they go about their digital activities. And, with the proliferation of apps for the workplace and personal use in everybody’s daily lives, bad actors can easily abuse this vulnerability," Matias Brutti wrote in an Okta REX blog post today.
On 22 February 2018, Pitts submitted a proof of concept that was able to bypass third-party security tools, and Apple responded on 1 March advising the researcher to use kSecCSCheckAllArchitectures and kSecCSStrictValidate with SecStaticCodeCheckValidity, adding that the API and developer documentation would be updated.
Despite additional information submitted to it on 6 March and 16 March, Apple stated on 20 March that it did not see this as a security issue that needed to be directly addressed. According to Pitts, on 29 March, "Apple stated that documentation could be updated and new features could be pushed out, but: '[…], third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.'”
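To make Apple's reply concrete, here is an added Python example (not Okta's, Pitts's or Apple's code). It parses the fat_header/fat_arch table that lays out the slices of a Fat/Universal file and contrasts a checker that validates a single slice with one that, in the spirit of kSecCSCheckAllArchitectures, requires every slice to validate under the same signing identity. The real per-slice signature validation (reading the CodeDirectory behind LC_CODE_SIGNATURE, or calling SecStaticCodeCheckValidity) is stood in for by a toy `toy_identity` function that reads a constructed signer tag placed after a mach_header_64; `build_fat`, `toy_slice`, the signer tags and the sample files are constructed test data and assumptions of this example, not anything from the disclosure.

```python
import struct
from typing import Callable, List, NamedTuple, Optional, Tuple

# Layout constants from <mach-o/fat.h> and <mach-o/loader.h>.
FAT_MAGIC = 0xCAFEBABE        # fat header magic, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O magic, stored little-endian on x86_64/arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
FAT_HEADER = struct.Struct(">II")            # magic, nfat_arch
FAT_ARCH = struct.Struct(">IIIII")           # cputype, cpusubtype, offset, size, align (log2)
MACH_HEADER_64 = struct.Struct("<IIIIIIII")  # 32-byte mach_header_64


class FatArch(NamedTuple):
    cputype: int
    cpusubtype: int
    offset: int
    size: int
    align: int


def parse_fat_header(data: bytes) -> List[FatArch]:
    """Return every fat_arch entry of a universal file, bounds-checked against the file."""
    if len(data) < FAT_HEADER.size:
        raise ValueError("too short for a fat header")
    magic, nfat_arch = FAT_HEADER.unpack_from(data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat/universal file")
    slices = []
    for i in range(nfat_arch):
        pos = FAT_HEADER.size + FAT_ARCH.size * i
        if pos + FAT_ARCH.size > len(data):
            raise ValueError(f"fat_arch table truncated at entry {i}")
        arch = FatArch(*FAT_ARCH.unpack_from(data, pos))
        if arch.offset + arch.size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        slices.append(arch)
    return slices


IdentityFn = Callable[[bytes], Optional[str]]


def toy_identity(slice_bytes: bytes) -> Optional[str]:
    """Stand-in for 'validate this slice's signature and return its signing identity'.
    Toy format (assumption): mach_header_64 followed by a NUL-terminated signer tag.
    Returns None when the slice does not validate."""
    if len(slice_bytes) < MACH_HEADER_64.size:
        return None
    if MACH_HEADER_64.unpack_from(slice_bytes, 0)[0] != MH_MAGIC_64:
        return None
    tag = slice_bytes[MACH_HEADER_64.size:].split(b"\0", 1)[0]
    return tag.decode("ascii") or None


def verify_first_slice_only(data: bytes, identity_fn: IdentityFn) -> Optional[str]:
    """The insufficient pattern: validate one slice and report its identity as the file's."""
    first = parse_fat_header(data)[0]
    return identity_fn(data[first.offset:first.offset + first.size])


def verify_all_architectures(data: bytes, identity_fn: IdentityFn, expected: str) -> bool:
    """kSecCSCheckAllArchitectures-style check: every slice must validate, and every
    slice must carry the same expected identity, or the whole file is rejected."""
    for arch in parse_fat_header(data):
        ident = identity_fn(data[arch.offset:arch.offset + arch.size])
        if ident is None or ident != expected:
            return False
    return True


def toy_slice(cputype: int, signer: str) -> bytes:
    """Constructed slice: a minimal mach_header_64 plus the toy signer tag."""
    header = MACH_HEADER_64.pack(MH_MAGIC_64, cputype, 0, MH_EXECUTE, 0, 0, 0, 0)
    return header + signer.encode("ascii") + b"\0"


def build_fat(slices: List[Tuple[int, bytes]], align_log2: int = 12) -> bytes:
    """Assemble a fat file from (cputype, slice_bytes) pairs (constructed test input)."""
    align = 1 << align_log2
    table_end = FAT_HEADER.size + FAT_ARCH.size * len(slices)
    first_offset = (table_end + align - 1) // align * align
    offset, entries, body = first_offset, [], bytearray()
    for cputype, blob in slices:
        entries.append(FAT_ARCH.pack(cputype, 0, offset, len(blob), align_log2))
        padded = blob + b"\0" * ((-len(blob)) % align)
        body += padded
        offset += len(padded)
    header = FAT_HEADER.pack(FAT_MAGIC, len(slices)) + b"".join(entries)
    return header + b"\0" * (first_offset - table_end) + bytes(body)


# Constructed samples: one file whose slices agree, one whose slices do not.
SIGNER_A = "com.example.signer-A"
SIGNER_B = "com.example.signer-B"
UNIFORM = build_fat([(CPU_TYPE_X86_64, toy_slice(CPU_TYPE_X86_64, SIGNER_A)),
                     (CPU_TYPE_ARM64, toy_slice(CPU_TYPE_ARM64, SIGNER_A))])
MIXED = build_fat([(CPU_TYPE_X86_64, toy_slice(CPU_TYPE_X86_64, SIGNER_A)),
                   (CPU_TYPE_ARM64, toy_slice(CPU_TYPE_ARM64, SIGNER_B))])

if __name__ == "__main__":
    for name, blob in (("uniform", UNIFORM), ("mixed", MIXED)):
        print(name, "first-slice identity:", verify_first_slice_only(blob, toy_identity),
              "| all architectures match", SIGNER_A + ":",
              verify_all_architectures(blob, toy_identity, SIGNER_A))
```

The single-slice checker reports the same identity for both sample files, while the all-architectures checker rejects the mixed file; that difference is the "additional work" Apple's reply describes. In production the identity function would be the platform call (SecStaticCodeCheckValidity with kSecCSCheckAllArchitectures and kSecCSStrictValidate) rather than a tag reader, and the comparison should be on the signing identity the tool actually trusts, not merely on "a valid signature exists".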
While mobile app security is an issue across all sectors, 50% of apps that come from media and entertainment businesses are putting users at risk. New research from BitSight found that a significant percentage of mobile apps across multiple industries have high-severity vulnerabilities.
“Mobile apps pose significant risks, such as data leakage, credential theft and unencrypted personally identifiable information when not properly secured,” Dan Dahlberg, technical director, BitSight, said in an email.
Analyzing data from over 10,000 companies across the categories of business services, finance, tech, education and media, BitSight learned that more than half of the music, news, media, publishing and entertainment companies failed their high-severity tests. Over 10% of those media and entertainment apps that failed have unencrypted location data, which could allow attackers to access a user’s GPS location.
In addition, the research suggested that because one in four finance companies offers risky mobile apps, there is potentially higher risk of bank accounts being accessed without proper authorization.
“The Finance industry had the highest rate of broken SSL configurations (invalid TLS/SSL certificates): over 34% of applications that failed high severity tests in the Finance industry could be vulnerable to man-in-the-middle (MITM) and other attacks that can compromise data,” BitSight wrote in today’s blog post.
In the business services and education industry, 32% of the mobile apps BitSight tested are not encrypting end-user data, including the devices' IP addresses.
"Businesses need comprehensive, objective visibility into the security performance of the third and fourth parties they do business with. This includes understanding whether they offer apps that are predisposed to vulnerabilities, which could be detrimental to the entire vendor network, if compromised," Dahlberg wrote.
In related news, despite the woes of mobile app security, the market is swiftly burgeoning. Today ABNewsWire announced that the global mobile application security market is forecast to grow at a compound annual growth rate (CAGR) of 25.96%. The new report, Application Security Market 2018 Global Analysis, Growth, Trends and Opportunities Research Report Forecasting to 2023, looks at what is both driving and restricting demand for application security.
The US government has slapped sanctions on a further five Russian organizations and three Russian nationals in response to recent Kremlin-sponsored cyber-attacks including NotPetya.
The Treasury Department took action under Executive Order 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, and Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), which was passed last year despite protests from President Trump.
It claimed that one of the “designated entities” named in the order, Kvant Scientific Research Institute (Kvant), is controlled by and has provided material and technological support to Russia’s Federal Security Service (FSB).
Two others, Divetechnoservices and Digital Security, are said to have provided the FSB with material and technological support. The other two organizations, Embedi and ERPScan, are apparently owned by Digital Security.
The Treasury notice drew attention to recent Russian attempts to destabilize its geopolitical rivals in the West including the NotPetya ransomware campaign, attacks on the US energy grid and the VPNFilter campaign to compromise network devices around the world.
It also called out Russian efforts to track the underwater communication cables that carry most of the world’s telecommunications data.
“The United States is engaged in an ongoing effort to counter malicious actors working at the behest of the Russian Federation and its military and intelligence units to increase Russia’s offensive cyber capabilities. The entities designated today have directly contributed to improving Russia’s cyber and underwater capabilities through their work with the FSB and therefore jeopardize the safety and security of the United States and our allies,” said Treasury secretary Steven Mnuchin.
“The United States is committed to aggressively targeting any entity or individual working at the direction of the FSB whose work threatens the United States and will continue to utilize our sanctions authorities, including those provided under CAATSA, to counter the constantly evolving threats emanating from Russia.”
The move comes as Donald Trump continues to advocate closer ties with the Putin administration. This week he called for Russia to be re-admitted to the G7 group of leading nations and blamed his predecessor Barack Obama for the country’s annexation of Crimea.