Cyber-criminals eased into the year with a somewhat quiet first and second quarter, but according to a new report from Malwarebytes, attackers made some noise in Q3 2018. In the Cybercrime, Tactics and Techniques Q3 2018, researchers found that business detections were up 55% compared to 4% for consumers, indicating that cybercriminals are targeting victims who promise a greater return on their investments.
One notable shift in tactics was the use of traditionally consumer-leaning malware, which the report said is now being leveraged in business attacks. The number of Trojan detections for both businesses and consumers rose 86% from last quarter.
Ransomware, cryptojacking and adware also contributed to this increase in business attacks. In addition, older strains of banking Trojans experienced a comeback, and researchers discovered the emergence of new ones, making this form of malware the number-one detection for both businesses and consumers.
Information-stealing malware, like Emotet and LokiBot, grew in Q3. Researchers reported an overall increase of 5%, or 1.7 million more detections in Q3 than in Q2. Emotet detections rose by 37% and ranked in the top six malware for business.
Exploit kits also had a busy quarter, with Underminer and Fallout standing out among exploit kit activity. Though not used as a singular weapon, exploit kits were added as components of web-based attacks. Attackers notably targeted Asia and expanded from South Korea into Japan.
Ransomware attacks on businesses were up 88%. Although consumer detections decreased, researchers noted the development of 40 new ransomware variants, though not all were released into the wild. GandCrab evolved to become more lethal, and Magniber expanded into new regions.
In related news, Malwarebytes researchers noted that over the last few months, MikroTik (a Latvian company that makes routers and ISP wireless systems) has been dealing with a stream of attacks affecting its products’ operating system. The string of attacks began in late April when a critical flaw in RouterOS was identified.
Jérôme Segura, lead malware intelligence analyst at Malwarebytes, today wrote about a new attack that has emerged, with threat actors using social engineering to get users to install a fake update carrying a piece of malware that scans random IP ranges to identify vulnerable routers and exploit them. Once infected, the routers are injected with a Coinhive script that forces the users behind the router to mine for cryptocurrency while they browse the internet.
Build contacts, start or join a hacking society and follow security’s trends and news to get a good start in the industry.
Speaking at the Cyber Recoded conference in London, a panel of graduates in their first jobs spoke on the 'Getting Past the Gatekeepers' panel about their experiences on getting the necessary experience that employers are looking for.
The panelists, who came from a mixture of universities across the UK and from different academic backgrounds, talked of the need to gain contacts and get involved in local security groups in order to achieve mentoring and career advice opportunities.
Chloe Ungar, student at Leeds Beckett University and intern at Hedgehog Cyber Security, said that it is invaluable to have a network around you, such as a hacking society as it “takes away scary aspects [of security], gives you confidence and allows you to experience things” more than just doing a degree would. “Without the society, I would not have pushed myself to go to conferences where I met the company who would become my employer.”
Asked by moderator Daniel Nash if industry were interested in experience such as working with hacking societies, James Stevenson from BT said that “if you’re passionate about it, someone else will be passionate about it.”
In terms of finding work, Stevenson said he had been actively writing and producing podcasts before applying for jobs, and employers were more interested in that sort of work.
Ungar said she had identified the company she wanted to work for and met them after emailing, having heard back within half an hour, at 4am. Brett Calderbank, who had worked in policy and governance before working in a SOC, said it was important to keep on top of what is happening in the industry, “as this is such an evolving industry.”
Nash concluded by saying that if there is no society then start your own, as while it is a lot of effort it will pay dividends for experience.
Infosecurity asked which of the panelists had picked the company they wanted to work for, and what qualities they were looking for in an employer. Ungar said she found her employer at a BSides London conference, and she was attracted to a smaller company “where every employee counts.”
Wilson explained he had started to look for a graduate scheme six months before graduating, and gathered enough information to determine what he liked and what they [potential employer] were looking for, while Stevenson said it was important to identify the company and even if they say no, take the feedback and improve yourself, and keep on applying.
The US Department of Defense has suffered a major breach of employees’ personal and financial information, according to reports.
An unnamed official told AP that the incident may have affected as many as 30,000 civilian and military personnel.
A statement seen by the newswire confirmed that the incident had been discovered at the beginning of October, although it’s not clear when the breach took place.
“The department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information (PII) of DoD personnel maintained by a single commercial vendor that provided travel management services to the department,” the statement noted. “This vendor was performing a small percentage of the overall travel management services of DoD.”
The vendor is not being disclosed for security reasons but the Pentagon is said to be taking steps to cancel its contract.
“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” the statement continued.
The news comes just days after a damning Government Accountability Office (GAO) report found critical vulnerabilities in nearly all weapons systems under development.
It claimed the Pentagon is only “just beginning to grapple” with the challenges highlighted in the report.
“One test report indicated that the test team was able to guess an administrator password in nine seconds,” the GAO claimed. “Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the internet and gain administrator privileges for that software.”
To add insult to injury, when confronted with the findings, weapons program officials are said to have dismissed some test results as “unrealistic.”
The infamous WannaCry ransomware campaign of 2017 caused losses in the region of £92m for the NHS, the government has revealed.
In a progress update titled Securing cyber resilience in health and care, the Department of Health and Social Care caveated the figures by saying they are only broad estimates.
Broken down further, around £19m was lost directly as a result of access to info and systems being unavailable, leading to cancelled appointments and similar.
Over 19,000 appointments and operations are said to have been cancelled as a result of WannaCry.
“It is anticipated that 1% of care was disrupted over a one week period, based upon an estimate of the average level of care provided by the NHS in a one week period,” the report explained. “It is estimated that there was approximately £19m of lost output. However demand for NHS services fluctuates, therefore this should only be considered an approximate estimate.”
A much larger £72m was lost in the aftermath with additional IT support drafted in to help restore data and systems.
“Assuming each of the 80 severely affected trusts would have required the equivalent of five days FTE additional resource of an IT specialist, the cost of IT support at the time of the attack would have been £0.5m,” the report explained.
“After the attack we have estimated an average level of resource required by organizations based upon their size and the severity of disruption. There were a few anecdotal reports of costs by individual organizations, but not enough data to make a robust estimate. Therefore the figures quoted below should be considered an approximate estimate.”
WannaCry is said to have disrupted services across one-third of hospital trusts and around 8% of GP practices.
Mollie MacDougall, threat intelligence manager at Cofense, argued that ransomware could have life-threatening consequences for patients.
“If there is one lesson healthcare organizations can learn from these trends, it is to have appropriate anti-phishing programs in place that build on existing security capabilities, to include augmenting incident response efforts with real-time human-intelligence,” she added.
“Phishing keeps proving itself to be a successful vehicle for delivering damaging malware like ransomware, and as threat actors continue to find ways to bypass automated defenses, so too must network users be educated and armed to be a successful last line of defense against them.”
A major breach announced by Facebook last month affected 20 million fewer customers than at first predicted, but for 14 million unlucky users hackers managed to access virtually all their profile info.
The social network’s VP of product management, Guy Rosen, explained in an update on Friday that of the 50 million people whose access tokens were thought to be affected, 30 million actually had the tokens stolen.
“For 15 million people, attackers accessed two sets of information — name and contact details (phone number, email, or both, depending on what people had on their profiles),” he said.
“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For one million people, the attackers did not access any information.”
So far, there’s no sign that the attackers accessed third-party apps, Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, or advertising/developer accounts.
There was also more info on exactly how the attackers managed to carry out the attack.
According to Rosen, they “already controlled” a set of accounts, and had developed an automated technique to move from one to another, stealing access tokens for the friends of those accounts, then the friends of those friends, and so on.
By doing this, they obtained access tokens for around 400,000 users. Then “the attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people,” said Rosen.
Customized messages will be sent to those affected over the next few days with advice on how to protect themselves from follow-on scams. Users can also check here to see if they were affected.
On October 11, 2018, WikiLeaks published AmazonAtlas, a 20-page document from late 2015 containing the addresses and operational details for more than 100 of Amazon’s data centers, one of which indicates an affinity for the comedy of Jerry Seinfeld.
In addition to revealing the information about the data centers, located in 15 cities across nine countries, WikiLeaks also created a map showing the exact locations of the centers. A center in Manassas, Virginia, operates under the pseudonym Vandalay Industries, a fictitious latex company made famous in a Seinfeld episode when an unemployed George Costanza assured the unemployment office that he was on the verge of landing a job.
According to WikiLeaks, “Amazon is known as Vandalay Industries on badges and all correspondence with building manager.” It’s not at all uncommon for Amazon to operate out of data centers that are owned by other companies. In fact, the intent is to have little to no indication that Amazon operates at the location, which lends to the secrecy of its whereabouts.
Though Amazon has long been a leading cloud provider for the intelligence community, the leaked locations could potentially compromise the company’s status as a leading contender for a $10 billion contract with the Department of Defense (DOD).
“Amazon is one of the only companies with the certifications required to host classified data in the cloud. The Defense Department is looking for a single provider and other companies, including Oracle and IBM, have complained that the requirements unfairly favor Amazon,” WikiLeaks wrote.
“While one of the benefits of the cloud is the potential to increase reliability through geographic distribution of computing resources, cloud infrastructure is remarkably centralized in terms of legal control. Just a few companies and their subsidiaries run the majority of cloud computing infrastructure around the world. Of these, Amazon is the largest by far, with recent market research showing that Amazon accounts for 34% of the cloud infrastructure services market.”
Prior to the leak, the locations of the cloud infrastructure controlled by Amazon were hidden. In revealing the locations, WikiLeaks also created the Quest of Random Clues, a puzzle game that encourages players to find the data centers while highlighting various concerns, one of which includes contracts with the intelligence community.
Infosecurity Magazine contacted Amazon for comment, but the company has not responded.
A new variant of the Magecart attacks has been targeting smaller e-commerce operations, according to The Media Trust’s digital security and operations (DSO) team.
Researchers found a new type of malware that targets payment pages on legitimate Magento-hosted retail sites. Dubbed CartThief, the malware’s behavior is similar to that of the current iteration of the Magecart malware.
As soon as credit card information is entered into a checkout page and a payment is submitted, the malware collects, encrypts and sends personally identifiable information (PII) and financial information to the malicious actors’ command-and-control server.
What sets this malware apart is the method used to encode or obfuscate the malicious domain and the PII collection activity. To avoid arousing suspicion and to sneak past many blocking technologies, it sets no user-identifying cookies and leaves no source code that would set off alarms for users. The absence of cookies is one feature that differentiates CartThief from other Magecart variants.
“The fact that the malware targets sites using a variety of payment gateway providers calls into question the effectiveness of PCI DSS security standards for online businesses, in particular the absence of a requirement for businesses to know and manage all third-party code present on their sites and apps,” wrote Michael Bittner, digital security and operations manager at The Media Trust.
By exploiting vulnerabilities in web applications, bad actors were able to attack Magento-hosted e-commerce sites and insert rogue files into legitimate HTML code, granting them access to the payment page. Because the activity has only been executed on a handful of smaller e-commerce sites, researchers believe that the attackers are intentionally flying under the radar while testing the malware before staging a larger-scale attack, which they suspect could come during the holiday shopping season.
“Given increasing malicious activity and the advent of financial penalties, e-commerce operations should police their digital ecosystem for any unauthorized activities and actors by continuously scanning their sites. Doing so will help them pre-empt any security issues,” Bittner wrote.
In analyzing global cybercrime patterns, ThreatMetrix found that identity spoofing, fueled by stolen identity data, is the most prevalent attack vector for the gaming and gambling industry.
Additionally, the Q2 2018 Gaming & Gambling Report discovered that location (IP) spoofing attacks increased 257% year-over-year, making it the fastest growing attack vector in the space. Because more sophisticated location spoofing tools are available, fraudsters are making frequent attempts to disguise their true location and launder money.
Distinguishing trusted users from fraudsters is made increasingly more challenging with malicious account takeovers (ATOs) and the use of collusive play and self-excluders.
“Rising cybercrime levels is no small issue for a sector that enjoys a truly global customer base,” said Ellie Burns, fraud and identity manager at ThreatMetrix, in a press release. “With more than two billion gamers worldwide, nearly 60% of the industry's traffic is cross-border.
“Operators must contend with a rapidly evolving regulatory landscape and stringent new anti-money laundering laws, making the verification of the true location of a transacting gamer a vital component in authenticating identity.”
An additional contributor to the growth of IP spoofing attacks is that users are trying to access services that might be restricted in their locations, which is one factor driving the high volume of cross-border traffic.
Increased mobile transactions were also a key finding in the report, resulting from more people placing bets and accessing accounts from their smartphones. The report revealed that 71% of all gaming and gambling transactions are now made via mobile devices, which is a 45% increase year-on-year. Not surprisingly, mobile payments are attacked more often than any other transaction. Hackers have realized that mobile serves as a door of opportunity where they are able to monetize stolen credentials.
“To deal with these challenges, gaming and gambling operators must incorporate dynamic digital identity intelligence that pieces together key indicators, such as device intelligence, true geo-location, online identity credentials and threat analysis, to better inform risk decisions. The key is to be able to effectively differentiate trusted users from fraudsters and understand changes in trusted user behavior, without adding unnecessary friction,” said Burns.
Trade association UK Finance has called for a new tax on payments to create a fund that banks can use to compensate victims of fraud.
CEO of the banking lobby, Stephen Jones, made the proposals before a Treasury Select Committee this week, reportedly claiming that a “tiny levy” on each payment could help to break the stand-off between financial institutions and other stakeholders over authorized push payment (APP) fraud.
“Customers will pay if the banks have to pay,” he’s reported to have said. “There’s no such thing as a free lunch here. It’s a question of how can the cost be fairly distributed across the system.”
APP fraud occurs when a scammer tricks their victim into making payments to an account controlled by the scammer. Banks argue that they shouldn’t be responsible for compensating the consumer if they have met their required level of care.
A third of fraud losses in the UK last year were down to APP, amounting to £236m.
However, earlier this year the Financial Ombudsman Service (FOS) revealed that in disputes it is called upon to arbitrate, banks often try to blame customers — which it said is increasingly difficult to do given the growing sophistication of online scams.
The heated debate is part of an overall attempt to draw up an industry code governing how APP victims should be compensated.
Brooks Wallace, head of EMEA for cybercrime and fraud prevention at Trusted Knight, argued that Jones’ proposals could set a dangerous precedent and claimed the banks were trying to “shift financial responsibility to the customer before [fraud] really starts to impact their bottom line.”
“This statement demonstrates two things: firstly, that banks are starting to feel the burden of hefty fraud losses through more sophisticated online crime. Secondly, that they are becoming increasingly unwilling to foot the bill,” he added.
“This is a risky route to go down. While some fraud is not the fault of the bank, often fraud could have been halted if the bank had better fraud prevention in place for its customers. While the banks could argue that losses are down to third-parties — such as payment details being stolen in retailer data breaches — ultimately, financial organizations need to have more rigorous procedures for identifying and stopping fraudulent transactions taking place.”
A leading fitness software company may have exposed millions of customer records by failing to protect a cloud database.
Researcher Bob Diachenko said he found the exposed database hosted on AWS via a simple Shodan search for unsecured Elasticsearch instances which could be targeted by ransomware attackers.
He found the cloud store of 119GB of data belonging to FitMetrix, with two identical sets of data and two IP addresses. Interestingly, one was labelled as “compromised” as it contained a ransom note from an ultimately unsuccessful attempt to extort the company.
“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note,” Diachenko wrote.
“This script sometimes fails and the data is still available to the user even though a ransom note is created.”
The exposed data included name, gender, email address, birth date, home and work phone, height, weight and much more.
The total number of records affected topped 122 million, although it’s unlikely that all of these contain customer data, according to Diachenko, who estimated that “millions” were still likely to have been affected.
Parent company Mindbody, which acquired the firm earlier this year, finally responded and secured the database five days after first being contacted, on October 10.
Balaji Parimi, CEO of CloudKnox Security, said these incidents are occurring more frequently as complex multi-cloud environments become more popular.
“The most likely scenario in this case is that a FitMetrix employee changed the privacy configuration for these servers to share access and simply forgot to change it back when the task was completed. These incidents are rarely malicious. They are the result of what’s emerging as the biggest cyber-threat facing enterprises today: the complexity of and lack of visibility organizations have into their own infrastructure,” he argued.
“In order to mitigate these types of mistakes and the threat they pose, it’s critical for companies to devote cybersecurity resources to gaining better visibility. That means understanding which employees have the types of privileges that can affect the company’s security posture and limiting those privileges to properly-trained, security-conscious employees. With proper visibility and authorization settings, organizations can put real guard rails in place to help prevent these types of mistakes.”
Bloomberg this week doubled down on its blockbuster report of Chinese spy chips inserted into the supply chain of a leading US server provider, claiming a leading telco found evidence of tampering.
The news site is under pressure after all main parties it claimed had been affected by the alleged sophisticated spying campaign vigorously denied the report. These included the server company itself, Supermicro, and customers Amazon and Apple — who were also backed by the UK’s GCHQ and the US Department of Homeland Security (DHS).
The unnamed telco was apparently hired by Yossi Appleboum, a former Israeli army tech specialist and now co-CEO of US-based Sepio Systems, to scan its datacenters.
According to the report, he uncovered “unusual communications” from a Supermicro server. A further inspection revealed an “implant” built into the Ethernet connector which appeared similar to other manipulations he’d seen by Chinese suppliers.
Supermicro claimed to have no knowledge of any unauthorized components and complained it was not given enough time or info to respond to the new allegations.
The latest hardware manipulation is different from the microchips alleged to have been placed on motherboards subsequently sold unwittingly to 30 major tech companies.
However, they had the same purpose, of providing unauthorized access to the network the server is installed on, and “were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China,” according to Bloomberg.
Experts have criticized the original story for containing few named sources. Apple has denied the allegations in the strongest terms, taking the unprecedented step of writing to lawmakers on the House and Senate commerce committees to reiterate these sentiments.
However, for some, it’s a timely reminder of the risks posed by modern global supply chains.
“It doesn’t require an implant from a nation state adversary,” argued Chris Day, chief cybersecurity officer at Cyxtera. “Organizations must protect themselves by practicing defense-in-depth, especially across their supply chain.”
Although the telco was unnamed, AT&T, Verizon and Sprint told Bloomberg it wasn’t them.
With “well over” 1% of the world’s top one million websites still using a Symantec certificate, Mozilla has suspended plans to distrust the TLS certificates issued by the Symantec Certification Authority, which is now a part of DigiCert.
According to a statement by Mozilla’s certification authority program manager Wayne Thayer, so many websites continue to use these certificates that moving from Firefox 63 Nightly into Beta “would impact a significant number of our users.”
Thayer said that “it is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free.”
He added: “We prioritize the safety of our users and recognize the additional risk caused by a delay in the implementation of the distrust plan. However, given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users. This change will remain enabled in Nightly, and we plan to enable it in Firefox 64 Beta when it ships in mid-October.
“We continue to strongly encourage website operators to replace Symantec TLS certificates immediately. Doing so improves the security of their websites and allows the 10’s of thousands of Firefox Nightly users to access them.”
In a previous update in July, Thayer said that 3.5% of the top one million websites were still using Symantec certificates that were due to be distrusted in September and October. Firefox 60 displayed an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1, 2016 that chains up to a Symantec root certificate, as part of the consensus proposal for removing trust in Symantec TLS certificates that Mozilla adopted in 2017.
“This proposal was also adopted by the Google Chrome team, and more recently Apple announced their plan to distrust Symantec TLS certificates,” he said.
New findings from Cofense have revealed that one in ten reported emails in 2018 was malicious, with more than 50% of those linked to fraudulent attempts to gather login and system information from users – known as credential phishing.
As detailed in its report The State of Phishing Defense 2018: Susceptibility, Resiliency, and Response to Phishing Attacks, the firm analyzed more than 135 million phishing simulations, 800,000 reported emails and nearly 50,000 real phishing campaigns targeting organizations in 23 industries, ranging from healthcare and financial services to manufacturing.
Key findings included that 21% of reported crimeware emails contained malicious attachments, whilst the term ‘invoice’ was one of the most-used phishing subjects, appearing in six of the 10 most effective phishing campaigns this year.
However, on a more positive note, Cofense claimed the overall phishing resiliency of users had improved in the last few years with reporting rates up 14% from three years ago. Interestingly, organizations in the utilities and energy industries were noted as building the most resiliency to phishing over time, but Cofense warned that overall industries involved with critical infrastructure still have work to do.
“We founded Cofense on the principle that the human element, the users who are targeted, are a critical factor in defending against phishing threats,” said Aaron Higbee, co-founder and CTO of Cofense.
“We see phishing emails bypass technology controls every day and more and more end-users recognizing and reporting these threats that slipped past million-pound defenses. The results of our research detailed in the ‘State of Phishing Defense’ show that resiliency is building across key industries thanks to those same people that were once deemed as the weakest links in an organization. These trends are powerful and reinforce that humans are a key element to a successful security program.”
More Brits under-21 are falling victim to identity fraud and acting as money mules than ever before, according to new figures from Cifas.
The non-profit fraud prevention service revealed new figures today claiming its members have identified a 24% increase in young victims of so-called “impersonation fraud” in the first nine months of the year, versus the same period in 2017. This type of fraud occurs when scammers use a victim’s identity to open new accounts, hijack existing ones or buy products in their name.
The largest segment of impersonation fraud affecting this age group related to payment cards (34%), an increase of 79% over the same nine-month period last year.
But the under-21s aren’t just victims of fraud, they’re increasingly also helping online scammers to launder money — a vital role in the cybercrime ecosystem.
Cifas noted a 26% rise in the identification of money mules: individuals who, often unwittingly, are recruited to receive stolen funds, withdraw them and then wire them to another account, often abroad.
Although the crime carries with it a maximum penalty of 14 years behind bars, it appears many young bank account owners are attracted by the opportunity to make money quickly and easily.
Cifas CEO, Mike Haley, called for a broader education effort on the part of parents, teachers and banks.
“As the rise in money mules demonstrates, many young people seem unaware of the risks they’re running and the consequences it can have not only for the individual concerned but for society as a whole. More needs to be done to raise awareness about the harm of fraud and financial crime,” he added.
“We’re calling on banks in particular to ensure that they are providing young people with the necessary knowledge to prevent them falling victim to fraud — or becoming fraud perpetrators.”
The latest figures from Cifas released in August revealed identity fraud had fallen for the first time in four years, by 5% in the first six months of 2018 versus the same period last year.
However, identity fraud against online retail accounts rose by 24% during the period, while Cifas also recorded a rise in fraudulent applications for credit and debit cards (12%).
In April, Cifas claimed identity fraud had hit an all-time-high in the UK.
The number of compromised credentials detected in North American botnets has soared 141%, according to the latest quarterly analysis from Blueliv.
The cyber-threat intelligence vendor scans the open, deep and dark web for signs of stolen log-ins for its clients, so that they can take action before the cyber-criminals have had a chance to monetize their wares.
The large rise between the March to May and June to August quarters this year came alongside declines in other regions.
Europe and Russia saw a decrease of 22%, while compromised credentials geo-located to Asian botnets dropped by 36%. A sharp drop in detections (33%) in July and August in Europe and Russia matched a 77% increase in Asia, indicating a botnet may have been taken down in Europe while Asian campaigns thrived, according to the firm.
“All it takes is a single good credential for a threat actor to gain access to an organization and cause havoc,” argued Blueliv CEO, Daniel Solís.
“We are observing a booming market for credential theft, and the latest statistics show that this sort of cybercrime is a truly global enterprise. By understanding the lifecycle of the compromised credential, CISOs seeking to protect their business and analysts looking for IOCs gain valuable information to shrink their attack surface.”
According to the firm’s recent report, The Credential Theft Ecosystem, once attackers have infiltrated targeted organizations via compromised credentials, they can access customer databases to harvest PII and/or user log-ins to sell on the dark web or use directly to commit identity theft.
Other potential impacts of corporate credential theft include blackmail, BEC, espionage, hacktivism and more.
“As long as credentials remain the preferred way for companies to authenticate their employees and customers, they’ll continue to be the weakest link in the cybersecurity chain,” the firm noted.
In terms of credential-harvesting malware, Pony, KeyBase and LokiPWS (also known as Loki Bot) were most popular, with Pony out in front, although LokiPWS samples increased 91% quarter-over-quarter.
The US authorities have arrested and charged an alleged officer in China’s Ministry of State Security (MSS) with trying to steal aviation secrets from American firms, in a move likely to enrage Beijing.
The charges were announced on Wednesday and reveal the alleged intelligence officer as Yanjun Xu (aka Qu Hui, aka Zhang Hui), a deputy division director with the MSS Jiangsu State Security Department, Sixth Bureau.
They claim that from at least December 2013 until his eventual arrest in Belgium, Xu targeted experts working at US aviation firms including GE Aviation. He recruited them to travel to China, often under the pretense of giving a university presentation, before paying travel costs and stipends.
The individuals were then allegedly asked to provide blueprints and other materials, which were handed over to engineers at a leading Chinese university.
“Innovation in aviation has been a hallmark of life and industry in the United States since the Wright brothers first designed gliders in Dayton more than a century ago,” said US attorney for the Southern District of Ohio, Benjamin Glassman.
“US aerospace companies invest decades of time and billions of dollars in research. This is the American way. In contrast, according to the indictment, a Chinese intelligence officer tried to acquire that same, hard-earned innovation through theft. This case shows that federal law enforcement authorities can not only detect and disrupt such espionage, but can also catch its perpetrators.”
The arrest of a Chinese intelligence officer is unprecedented: the US has indicted PLA officers in the past for allegedly hacking American companies, but that’s where it ended, as the individuals reside in China.
The latest move will do little to calm boiling tensions between the two superpowers, which are involved in a de facto trade war, amidst widely disputed reports that Chinese spies have infiltrated the supply chain for server components in a major espionage campaign against government and corporate targets.
If the news is true, it would seem to sound the death knell for an agreement between former President Obama and Xi Jinping in which China agreed to cease economic cyber-espionage.
Dmitri Alperovitch, co-founder of CrowdStrike, confirmed China's re-emergence as the world's most prolific cyber-espionage actor.
"From a cyber perspective, China is actively engaging in targeted and persistent intrusion attempts against multiple sectors of the economy, including biotech, defense, mining, pharmaceutical, professional services, transportation, and more. Currently, the MSS is the primary government agency engaged in the majority of cyber-attacks ... CrowdStrike has observed multiple intrusions demonstrating their sophisticated tradecraft," he explained.
"We believe China poses a long-term and strategic threat to the global economy, and today’s arrest of a senior MSS officer responsible for industrial espionage is an important deterrence tool in keeping the perpetrators accountable.”
Blockchain is revolutionizing the global economy, according to Nitin Uttreja and Ashish Dwivedi of CA Technologies. In their session, How Blockchain Is Revolutionizing Cybersecurity, Uttreja and Dwivedi said that blockchain companies enable banks to transact with other banks for improved efficiency of cross-border transactions.
“The distributed-ledger technology is not just restricted to the banking or financial world. Blockchain technology has the potential to disrupt nearly every industry, including healthcare, supply chain management, media, advertising, gambling, cloud and cybersecurity,” the presenters wrote.
Because it is so difficult to change or remove data once it has been entered, and because copies of the ledger are held across many nodes, the technology mitigates the risk of a single point of failure. It is a distributed, decentralized ledger that grows continuously, with blocks appended in chronological order and secured using cryptography.
Any changes are stored in a new block. “A small change in the input would give a completely different hash, making it infeasible to find two messages that produce the same hash,” Uttreja said. Attempting to alter an existing block would produce a completely different hash, which would no longer match the previous-hash reference stored in the block after it, so all subsequent blocks would become invalid.
Yet “securing data by this technique is not good enough,” said Uttreja. “To counter we use proof of work or mining, which slows down the calculation of blocks. What we do in mining is take index, previous hash, timestamp and try to create a hash that specifies a certain criteria.”
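To make the chaining and mining described above concrete, here is a small added Python example; it is not the presenters' code. Each block's hash covers its index, previous hash, timestamp, data and nonce; mining increments the nonce until the hash starts with a chosen number of zeros; tampering with one block invalidates its own hash and breaks the previous-hash link of every later block, and an attacker can only repair the chain by re-mining everything that follows. The block layout, the difficulty of three leading hex zeros, the fixed timestamps and the sample ledger entries are assumptions constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Number of leading hex zeros a valid block hash must have. Assumed for the
# example; real networks adjust this target to control the mining rate.
DIFFICULTY = 3


@dataclass
class Block:
    index: int
    previous_hash: str
    timestamp: int
    data: str
    nonce: int = 0

    def hash(self) -> str:
        # The digest covers every field, so changing any one of them
        # (including the nonce) yields a completely different hash.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def meets_target(digest: str, difficulty: int = DIFFICULTY) -> bool:
    return digest.startswith("0" * difficulty)


def mine(block: Block, difficulty: int = DIFFICULTY) -> Block:
    """Proof of work: bump the nonce until the block hash meets the target.
    With three hex zeros this takes about 4096 attempts on average."""
    while not meets_target(block.hash(), difficulty):
        block.nonce += 1
    return block


def build_chain(entries, difficulty: int = DIFFICULTY) -> list:
    """Mine a genesis block, then one block per entry, each linked to the
    hash of its predecessor. Timestamps are constructed constants so the
    example is deterministic."""
    chain = [mine(Block(0, "0" * 64, 1_538_352_000, "genesis"), difficulty)]
    for i, data in enumerate(entries, start=1):
        prev = chain[-1]
        chain.append(mine(Block(i, prev.hash(), prev.timestamp + 60, data), difficulty))
    return chain


def validate(chain, difficulty: int = DIFFICULTY):
    """Return (True, None) if every block meets the target and points at the
    recomputed hash of the block before it; otherwise (False, index) of the
    first block that fails."""
    for i, block in enumerate(chain):
        if not meets_target(block.hash(), difficulty):
            return False, i
        if i > 0 and block.previous_hash != chain[i - 1].hash():
            return False, i
    return True, None


def remine_from(chain, start: int, difficulty: int = DIFFICULTY) -> list:
    """What an attacker must do to make a tampered block pass again: re-mine
    it and every later block, re-linking each previous_hash. The work grows
    with the number of blocks after the one that was altered."""
    for i in range(start, len(chain)):
        if i > 0:
            chain[i].previous_hash = chain[i - 1].hash()
        mine(chain[i], difficulty)
    return chain


if __name__ == "__main__":
    # Constructed sample ledger entries.
    chain = build_chain(["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"])
    print("fresh chain valid:", validate(chain))
    chain[1].data = "alice pays bob 500"      # tamper with one block
    print("after tampering:", validate(chain))
    remine_from(chain, 1)                     # attacker re-mines block 1 onward
    print("after re-mining the tail:", validate(chain))
```

Running the script shows the three states in turn: a fresh chain validates, a single edited entry fails validation at the altered block (or at the one after it, on the rare occasion the altered hash happens to meet the target), and the chain only validates again after every block from the edit onward has been re-mined, which is the cost that proof of work imposes on rewriting history.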
As far as the application to cybersecurity, Dwivedi said that there are real-time use cases of blockchain in cybersecurity, including decentralized identity, cloud storage, passwords and securing IoT.
"The key challenge with digital is that individuals have no control over their personal data and do not know when it is shared with other institutions," the presenters wrote. Users leave personal information on complex servers. If that server is compromised, the user’s data is at risk. There are also challenges of centralized identity with storing personally identifiable information (PII) on a central depository and the potential of third parties accessing data without subject’s knowledge.
The blockchain solution is that the data becomes decentralized across a distributed database with peer-to-peer transmissions that use cryptographic hashing, Dwivedi said.
“Blockchain enables the creation of a decentralized distributed storage marketplace, with complete decentralization and true redundancy, total privacy, resulting in cost reductions.”
In welcoming attendees, CFO Debra Taylor said, “We recognize the important role we play and the obligation we have as an organization to be inclusive, respectful and free from bias or discrimination but also to develop a community that reflects the diverse public we serve.”
The event's focus was both inclusion and diversity, and attendees were asked to brainstorm the ways that organizations can create a more inclusive and diverse workforce. Deidre Diamond, co-founder and CEO of CyberSN, said that when she thinks about inclusion, she thinks about EQ skills: emotional intelligence.
“It’s been really cool to watch our industry put value to emotional intelligences,” Diamond said. “The reality is that studies have proven that diverse groups make better decisions because they can see a 365-degree view. Diverse groups bring more money to organizations.”
Diamond talked about the benefits of win-win communication, a skill long taught in sales but that has been absent across other silos. One attendee, who noted that he benefits from being a fourth-generation college-educated white male, said, “That’s really what we have to break away from.”
Another attendee talked about a session on STEAM (science, technology, engineering, arts and math) that she had attended and the benefits of bringing the arts into the cybersecurity field. “At the end of the day, if they’re an arts major, music major, why aren’t we bargaining and pitching to them? It’s about widening the pool,” said Kyle Kennedy, president of Brainbabe.
A common concern among the attendees was the ways in which the résumé limits a candidate's potential of actually getting hired because we are all judged by the content we share. “If the content doesn’t match the content of what hiring managers are looking for on their list, you’re not even in the pool,” Diamond said.
Changing the way that human resources crafts job descriptions and the way that hiring managers think about the skills that are essential to the projects will open the door to a wider pool of candidates who bring more than technical expertise to their roles.
“DevOps is critical in the sense of introducing automation. Automation is important for managing complexity and minimizing human error, but the security team needs to be thinking about how to work with the DevOps teams so that they have an appreciation for security,” Shema said.
In the end, the apps that DevOps are building are being created for people, so it’s important to be working with them, working for them and building for them. While it’s easy to dismiss users and their behavior as foolish, it’s also sometimes true that developers are lazy and both behaviors create risk, Shema said.
In order to bring security to where the developers are, there needs to be a common language, particularly in meetings. By focusing on communication and having a clear framework for what needs to be discussed, Shema said, it is possible to turn DevOps into DevSecOps.
“Putting security in the middle is intentional because you can’t tag security on at the end. Security is what ties the two together,” Shema said.
A good sense of a shared vocabulary between developers and security does exist with OWASP. “Those are really quick, off-the-cuff terms we can throw out so security practitioners and DevOps teams can quickly understand whether something is high risk or low risk, but there is a need for having a shared vocabulary in the meetings with DevOps in order to make the meetings more successful,” Shema said.
Different end users pose different risks, so the teams need to have discussions about the different ways to look at threat models that include the end user. To that end, Shema offered suggestions on how to make meetings more successful.
“Things like tabletop role-playing games that promote social interaction. They require people to get together and move toward a common goal,” he said. In many games, players encounter fights that happen between monsters and heroes, and they learn the skills necessary to overcome different challenges. Those skills translate over to dealing with people.
The coder or sysadmin plays the barbarian, DevOps becomes the fighter, red teams morph into thieves while blue teams take on the role of clerics and the CISO plays the bard.
“It’s about ensuring that everyone gets a turn around the table so that there’s not one person monopolizing the conversation. When a single person is the only one talking, it erases other people’s voices,” Shema said. "Having an agenda keeps the meeting focused and avoids people going off topic. Then you can pull people in to make sure their voices are heard."
While these tactics are not revolutionary, Shema's purpose is to remind DevOps to rely on people when it comes to security policies.
UK supermarket giant Morrisons is in the Court of Appeal this week fighting to have overturned a judgement that it should compensate employees after a major insider data leak.
A High Court judge ruled last year that the company was “vicariously liable” for the actions of one of its employees, former internal auditor Andrew Skelton, who published the personal details of 100,000 employees online and sent them to several newspapers.
The leaked data included NI numbers, birth dates and bank account details, and Skelton was eventually jailed for eight years back in 2015.
Morrisons argued at the time that it had already paid around £2m to mitigate the breach. However, it was also awarded £170,000 in compensation, while employees got nothing.
In the UK’s first class action lawsuit, over 5000 of these employees subsequently took the supermarket chain to court, demanding compensation for the “upset and distress” caused by disgruntled insider Skelton’s actions.
The retailer’s lawyers are arguing this week that their client cannot be held “vicariously liable” because the Data Protection Act 1998 — the legislation in place at the time of the incident — excludes vicarious liability.
Representing the claimants, JMW Solicitors data privacy specialist, Nick McAleenan, argued that Morrisons is looking to protect its £374m annual profits rather than recognize the impact of the breach on its employees.
“This is a classic David and Goliath case — the victims here are shelf-stackers, checkout staff and factory workers; just ordinary people doing their jobs,” he reportedly said.
“They were obligated to hand over sensitive financial and personal information to Morrisons — including national insurance numbers, dates of birth and bank account details — and had every right to expect that information to be kept confidential.”