Info Security

Subscribe to Info Security  feed
Updated: 1 hour 29 min ago

National Guard Helps Maryland with Cybersecurity

Tue, 05/26/2020 - 16:12
National Guard Helps Maryland with Cybersecurity

The National Guard has been working to keep Maryland safe from cyber-attacks.

Maryland governor Larry Hogan called in the National Guard by executive order on March 12 to bolster the state's COVID-19 pandemic response. In addition to assisting the Old Line State with its coronavirus testing and screening program, the Guard has been helping out with cybersecurity assessments.

Baltimore, Maryland's largest city, was rocked by a catastrophic ransomware attack last year that prevented government officials from performing even basic tasks like sending an email. 

In an interview with Federal Computer Week, Colonel Reid Novotny, Maryland National Guard's joint staff (J6) lead for IT and cyber, said that surviving a major attack did not make Baltimore invulnerable to cyber-criminals. 

"During this crisis, we are in daily contact with them [in] an elevated status," said Novotny. “There have been ransomware attacks that have affected hospitals that are treating COVID patients."

Novotny wouldn't specify which hospitals had been targeted but said that attacks had been observed in Baltimore and Baltimore County.

"Yes, that stuff has actually happened, and the department of IT has responded back, and the Guard has supported that response," he said.

"Patients and the residents of that county that went to that hospital were assured that everyone was up and working."

The state's chief information security officer, Chip Stewart, said that malicious activity against Maryland had increased since the outbreak of COVID-19. 

"Maryland has noticed an increased frequency of attempted cyber-attacks as have many other states throughout the country, ranging from phishing emails to sophisticated attempts to bypass security measures," said Stewart.

To counter the threats, Maryland has established a security operations center to monitor attacks on its digital infrastructure.

According to Stewart, the National Guard is supporting the state's efforts to thwart cyber-attackers by performing "routine external assessments of the state's websites and networks to identify issues proactively."

As of May 15, the Maryland National Guard has supplied over 3,000 hours of support to four different state agencies across four of Maryland's counties. Novotny said the commercial value of the Guard's cyber-support was roughly $1m.

Categories: Cyber Risk News

New Version of Turla Malware Poses Threat to Governments

Tue, 05/26/2020 - 14:20
New Version of Turla Malware Poses Threat to Governments

Details of a new version of the ComRAT backdoor, one of the oldest malware families run by the notorious cyber-espionage group Turla, have been outlined by ESET. The findings will be of particular concern for government agencies, such as militaries and diplomats, with this updated backdoor able to use Gmail web UI to receive commands and exfiltrate data to try and steal confidential documents.

The Turla group, also referred to as ‘Snake,’ has been operating for at least 10 years, primarily targeting governments across Europe, Central Asia and the Middle East. It has breached a number of major organizations including the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

One method it uses to steal important information is the malicious backdoor, comRAT, which is believed to have been first released in 2007. “Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” noted Matthieu Faou, malware researcher at ESET.

ESET has found evidence the fourth version of the malware, which has attacked at least three government institutions since 2017, was still active in January 2020. The operators used public cloud services such as OneDrive and 4shared to exfiltrate data.

The new version uses a completely new code base and is far more complex than earlier incarnations. It can perform a number of new actions on compromised computers, such as executing additional programs and exfiltrating files, whilst having unique abilities to evade security software.

“This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” explained Faou. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain.”

Categories: Cyber Risk News

Customized Android Builds Drive Global Security Inequality

Tue, 05/26/2020 - 10:45
Customized Android Builds Drive Global Security Inequality

Security experts have warned that default regional settings and pre-loaded applications may be exposing Android devices in some countries to a greater risk of cyber-attack.

F-Secure claimed today that large numbers of pre-bundled apps can expand the attack surface of a device.

The impact is potentially worse when country-specific rules block access to Google Play, meaning that users have to rely on third-party stores curated by the phone manufacturers themselves.

F-Secure claimed it found multiple vulnerabilities in the Huawei AppGallery which could be used to “create a beachhead” to launch additional attacks, such as one targeting the Huawei iReader which could allow hackers to execute code and steal data from devices.

Meanwhile, a simple phishing email/message could be enough to compromise the default configuration on the Xiaomi Mi 9 for China, India, Russia and maybe other countries, the security vendor claimed.

In another case, the research team compromised a Samsung Galaxy S9 by exploiting the fact that the device changes its behavior according to which country issued the SIM inside it.

“To perform this attack, an adversary must manipulate an affected Galaxy S9 user into connecting to a Wi-Fi network under their control (such as by masquerading as free public Wi-Fi),” F-Secure explained.

“If the phone detects a Chinese SIM, the affected component accepts unencrypted updates, allowing an adversary to compromise the device with a man-in-the-middle attack. If successful, the attacker will have full control of the phone.

F-Secure warned that as the number of customized Android builds grows, the white hat community needs to double down on research.

“It’s important for vendors to consider the security implications when they’re customizing Android for different regions,” added senior security consultant, Toby Drew.

“People in one region aren’t more or less entitled to security than another, and if you have the same device configured to provide a less secure experience to users in one region compared to another, it’s creating a type of inequality by increasing their exposure to attacks.”

Categories: Cyber Risk News

Data on 29 Million Indian Jobseekers Leaked

Tue, 05/26/2020 - 09:29
Data on 29 Million Indian Jobseekers Leaked

The personal details of over 29 million Indian jobseekers have been posted to a dark web site, free for anyone to access.

Cybersecurity firm Cyble, which discovered the trove on an unnamed hacking forum, has in turn added the compromised information to its breach notification site AmIBreached.

It claimed to have found the posting during a regular sweep of the dark and deep web. The 2.3GB file includes email, phone, home address, qualification, work experience, current salary, employer and other details on job-hunters from all over India.

“Cyber-criminals are always on the lookout for such personal information to conduct various nefarious activities such as identity thefts, scams and corporate espionage,” said Cyble.

The vendor claimed that the leak had originated from a CV aggregation service which collected the data from legitimate job portal sites. An update over the weekend clarified that the data may have been initially exposed by an unprotected Elasticsearch instance, subsequently made inaccessible.

It continues to investigate these claims.

In the meantime, it spotted another threat actor posting nearly 2000 Aadhar identity cards for free onto a hacking forum. They appear to originate from Madhya Pradesh state.

Also over the weekend, Cyble claimed that three hacking forums have themselves been breached, exposing user details and private chats.

The firm said it had been able to obtain databases related to Sinful Site, SUXX.TO and Nulled.

“All these hacking forums are based on general discussion and sharing of related resources. It is a place where users can find lots of great data leaks, hacking and cracking tools, software, tutorials, and much more. Along with that, over here the users can also take part in active discussions and make new friends,” it explained.

Specifically, the firm now has detailed info on users of SUXX.TO and Nulled, which were dumped on May 20, and private messages from Sinful Site, which were leaked on May 15.

Categories: Cyber Risk News

Lawyers Aim £18bn Class Action Suit at easyJet

Tue, 05/26/2020 - 08:37
Lawyers Aim £18bn Class Action Suit at easyJet

A specialist in group litigation has filed a potential £18bn class action claim against easyJet in London’s High Court, following the firm’s major data breach disclosure last week.

International law firm PGMBM said it had been contacted by “numerous affected people” and is urging more to come forward to join the case, which would pay out £2000 per impacted customer. 

It clarified that Article 82 of EU General Data Protection Regulation (GDPR) grants customers the right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.

The Luton-headquartered airline revealed last week that a “highly sophisticated” attack on its IT infrastructure had compromised email addresses and travel details of nine million passengers, as well as the credit card details of just over 2200.

Despite claiming that it had no evidence that any of the stolen info had been misused, the airline warned those affected about follow-on phishing attacks.

Although it notified UK regulator the Information Commissioner’s Office (ICO) back in January, at around the time of the incident, it took several months for the firm to come clean to customers.

PGMBM has also claimed that the exposure of customers’ travel plans could pose security risks to those individuals, as well as being a gross invasion of privacy.

“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers,” argued managing partner, Tom Goodhead.

“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of nine million customers from all around of the world.”

The case highlights the potentially serious financial repercussions of a major data breach, on top of the large fines GDPR regulators can theoretically impose.

The ICO has come in for some criticism recently after reports emerged that it may be considering a significantly lower fine than the £183.4m figure posted in a notice of intent last summer, in response to a major breach at British Airways.

Categories: Cyber Risk News

Mumbai Police Force Uses 'The Force' for Cyber-Safety Campaign

Fri, 05/22/2020 - 16:19
Mumbai Police Force Uses 'The Force' for Cyber-Safety Campaign

Police in Mumbai have recruited Baby Yoda to help raise awareness of the importance of cyber-safety. 

The law enforcement agency has earned a reputation online for delivering serious messages with humorous memes via social media app Instagram. It only seems appropriate that the force should use the power of 'The Force' to drive home a warning that passwords should be kept private.

On Monday, Mumbai Police shared an image of a popular meme that uses characters from TV space Western series Star Wars: The Mandalorian. In the meme, the show's lone gun fighter shares an amusing exchange with the famous character Baby Yoda.

The meme shows the fighter telling Baby Yoda to close his eyes, after which he asks him, "What do you see, bro?"

Yoda shutters his peepers and replies, "Nothing, bro."

In an amusing edit to the next line of dialogue, Mumbai Police tweaked the meme so that the fighter tells Yoda: "That's your bank balance after you shared your password with me, bro."

Along with the meme, Mumbai Police share the following caption with their 126K Instagram followers: "Share password, do not. There is no question of do."

The funny post was a hit with netizens who expressed their appreciation by filling the comments section with compliments. 

Instagram user rohitksp wrote, "Mumbai police is getting cooler day by day," while user tanabhy punned, "Mumbai police, Yoda best."

User dandekarvaibhav added: "Mumbai Police shared a Star Wars themed meme... My day is made."

User uppalakshit took the joke one step further, quipping, "That's the Bank balance during Lockdown..."

Not every heart was won by the force's attempt to raise awareness of cybersecurity in a humorous way. One user expressed the view that Mumbai police ought to be focusing their resources elsewhere. 

User ashwitha4real wrote in the comments: "Memes are great but there are groups on telegram that are sexually assaulting women, making videos and sharing it. Kindly do something about it."

At time of publication, the Baby Yoda post had garnered 23,291 likes on Instagram and attracted 209 comments.

Categories: Cyber Risk News

North Dakota's Contact Tracing App Sends User Data to Third Parties

Fri, 05/22/2020 - 15:14
North Dakota's Contact Tracing App Sends User Data to Third Parties

A cybersecurity company has claimed that a contact tracing app introduced by North Dakota is sending data to third parties and exposing users' identities.

Like South Dakota and Utah, North Dakota has built its own contact-tracing app, Care19, in an effort to monitor the spread of the novel coronavirus.

Jumbo Privacy alleges that the Care19 app, created by ProudCrowd LLC to track the spread of COVID-19 in The Peace Garden State, is sharing user data with Foursquare and other third-party services.

Foursquare is a location service that provides advertisers with tools to reach audiences who have been at specific locations.

Users of the Care19 app are told in the privacy policy that their "location data is private to you and is stored securely on ProudCrowd, LLC servers. It will not be shared with anyone including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulations.”

North Dakota claims that users of the app cannot be individually identified. On the state's website in the app FAQ section it states that “the application does not have any information that is tied to an individual person” and information uploaded via the app is "100% anonymous." 

Jumbo disputes this assertion, claiming instead that users accessing the app via the iOS on their iPhone can be unmasked through the Identifier for Advertisers (IDFA) on their device. 

The IFDA is an ad-tracking device that enables an advertiser to understand when a phone user has taken an action like a click or an app install.

"They share the IDFA with Foursquare, which means it’s not anonymous,” said Jumbo Privacy CEO Pierre Valade. "It’s a unique ID tied to your phone.”

Foursquare confirmed in a statement that it receives Care19 data. However, the company said it promptly discards the information sent via the app and doesn't use it for anything. 

The Care19 privacy policy indicates that “Your data is identified by an anonymous code.” Jumbo found that, along with the IDFA, this anonymous code was transmitted to Foursquare. The code was also being sent, together with the name given to the phone by the user (e.g., Paul's phone), to remote logger Bugfender.

Categories: Cyber Risk News

Businesses Could Face Influx of Attacks When Offices Reopen

Fri, 05/22/2020 - 15:00
Businesses Could Face Influx of Attacks When Offices Reopen

Cyber-criminals could be poised to trigger a wave of attacks on businesses when workers return to offices and reconnect to corporate networks, Redscan has warned. As many countries such as the UK prepare to ease COVID-19 lockdown restrictions and allow more people to return to physical workplaces, the cybersecurity firm said organizations need to take action to defend themselves against potential hackers lying dormant on employee devices.

There has been a substantial rise in threat activity over recent months, with cyber-criminals looking to exploit the sudden rise in remote working during the pandemic and the resultant lack of protection. In this period, Redscan has observed a surge in activity such as malspam, external scanning attempts to identify weaknesses in the use of remote access tools and account login attempts from unknown locations.

It therefore believes there could be an influx of attacks when staff reconnect to company networks after returning to their workplaces, with attackers ready to launch attacks including ransomware across a company network. In order to prevent this situation occurring, Redscan said firms should sanitize all endpoints on the return to the office as well as closely monitor networks for evidence of compromises.

George Glass, head of threat intelligence at Redscan, said: “During the COVID-19 pandemic there has been a steady stream of organizations reporting cyber-attacks. However, this is only likely to be the tip of the iceberg. Many more organizations are certain to have been targeted without their knowledge.

“As employees return to work post-lockdown and connect directly to corporate networks, organizations need to be alert to the possibility that criminals could be lying dormant on employee devices, waiting for the opportunity to move laterally through a network, escalate privileges and deploy ransomware.”

Redscan provided other recommendations to companies to tackle this type of threat, including updating anti-virus signatures, connecting all devices to remote networks and educating staff about the latest risks.

Categories: Cyber Risk News

Data Breach Afflicts Ohio’s Unemployment Office

Fri, 05/22/2020 - 14:29
Data Breach Afflicts Ohio’s Unemployment Office

A data breach at the Ohio Department of Job and Family Services (ODJFS) has exposed the personal data of Pandemic Unemployment Assistance (PUA) claimants. 

Personal information including names, Social Security numbers, home addresses, and claim receipts was exposed to other claimants due to a security vulnerability detected by Deloitte Consulting on May 15. Deloitte is the technology vendor for PUA systems in several states, including Ohio. 

“A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website,” Deloitte said in the statement.

In a breach notification email sent to PUA claimants on May 20, ODJFS said the breach was fixed within one hour of discovery. 

The department stated: “Over the weekend, Deloitte notified ODJFS that about two dozen individuals inadvertently had the capability to view other PUA claimants’ correspondence.” 

According to the department there is no evidence to suggest that any "widespread data compromise" had occurred. 

More than 161,000 Ohioans have applied for unemployment assistance offered in the wake of COVID-19. ODJFS has not revealed how many of these claimants were affected by the data breach. 

Perhaps tellingly, every single Ohioan who has claimed PUA is being offered free credit monitoring by Deloitte Consulting for 12 months.

“A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website,” Deloitte said in the statement. "Within an hour of learning of this issue, we identified the cause and stopped the unauthorized access to prevent additional occurrences.

Frustrated claimants, some of whom are still waiting to receive financial assistance under the PUA program, reported the breach on social media. 

ODJFS said action had been taken to ensure that the data breach was a one-off.

The department stated: “ODJFS holds the confidentiality of claimant data in the highest regard and agreed with the immediate steps Deloitte took to prevent any unauthorized PUA access in the future."

Unemployment claims in Ohio since the start of the coronavirus crisis passed the 1 million mark at the end of April, putting pressure on an archaic system.

Categories: Cyber Risk News

Non-Cybersecurity Incidents Outnumber Cyber-Attacks in ICO Report

Fri, 05/22/2020 - 11:15
Non-Cybersecurity Incidents Outnumber Cyber-Attacks in ICO Report

The Information Commissioner’s Office (ICO) has disclosed that reported non-cyber incidents outweighed cyber-incidents in Q4 of 2019.

In its report on incident trends, the ICO said there were 2629 incidents reported to it in Q4 2019, of which 337 were due to “data emailed to incorrect recipient,” 265 were due to “data posted or faxed to incorrect recipient” and 213 due to “loss/theft of paperwork or data left in insecure location.” Meanwhile, the main cyber-incidents were 280 as a result of phishing and 175 regarding unauthorized access. 

As a result, the ICO issued two fines. The first was £500,000 to DSG Retail Limited in January after a point of sale computer system was compromised as a result of a cyber-attack, affecting at least 14 million people. Also, in March, the ICO fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data. Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed.

ZIVVER’s CEO and founder Rick Goud pointed out the number of reported data leaks decreases every quarter in the UK, while other countries like Germany, the Netherlands, Denmark and Sweden have shown more than 50% increases. “Per inhabitant, the UK was already reporting about 10-times less data leaks than the 'top'-countries,” he said. “This is not due to less data leaks, but – instead – due to a decrease in reporting culture, possibly prompted by the lack of action shown by the ICO since GDPR came into force.”

In an email to Infosecurity, BH Consulting CEO Brian Honan said the report reinforces the fact that most security breaches are not due to “sophisticated attackers” but are the result of failings in basic security controls.

He added: “Accidental data leakage is one of the key sources for breaches and these can result from the lack of appropriate training to staff on how to handle and process data, from weak security controls that don’t prevent or alert to breaches, or a combination of both.

“Ensuring staff are properly trained in the handling and processing of personal data, the technologies they use as part of their daily work and have effective security awareness training is crucial to preventing these type of errors.”

Honan also pointed out that the blame cannot be solely put down to human error, and we need to ensure our systems and platforms provide staff with a safety net in the event they make a mistake. “This means security professionals also need to ensure the basics are covered and that systems are properly patched, effective email security to protect against phishing attacks and data leakage are in place, and that data is encrypted at rest and in transit,” he said.

“It is also important to remember that no matter what controls are in place a breach can still happen and that staff and the company need to be prepared on how to deal with it and know when and how to report breaches to the ICO, or any other relevant Data Protection Supervisory Authorities or other regulatory bodies.”

Categories: Cyber Risk News

RagnarLocker Ransomware Hides in Virtual Machine to Escape Detection

Fri, 05/22/2020 - 10:45
RagnarLocker Ransomware Hides in Virtual Machine to Escape Detection

Security researchers are warning of a new ransomware attack technique which deploys the malware as a virtual machine (VM) in order to evade traditional defenses.

Sophos revealed that it recently detected a RagnarLocker attack in which the ransomware was hidden inside an Oracle VirtualBox Windows XP VM.

It said the attack payload was a 122MB installer, with a 282MB virtual image inside concealing a 49KB executable.

“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,” Sophos director of engineering, Mark Loman, explained.

The MSI package contained an Oracle VirtualBox hypervisor and a virtual disk image file (VDI) named micro.vdi, which was an image of a stripped-down version of the Windows XP SP3 operating system.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,” said Loman.

The attack appears to have been highly targeted, as the ransom note contained the victim’s name.

RagnarLocker has been in action recently, after it was deployed against Portuguese energy giant Energias de Portugal (EDP) group in an attack demanding a payment of €10m ($11m).

As Loman explained, the group behind the ransomware typically targets managed service providers (MSPs) and exploits holes in Windows Remote Desktop Protocol (RDP) to gain a foothold into organizations.

“After gaining administrator-level access to the domain of a target and exfiltration of data, they have used native Windows administrative tools such as Powershell and Windows Group Policy Objects (GPOs) to move laterally across the network to Windows clients and servers,” he said.

Categories: Cyber Risk News

Japan Probes Theft of Hypersonic Missile Plans – Report

Fri, 05/22/2020 - 09:10
Japan Probes Theft of Hypersonic Missile Plans – Report

The Japanese government is investigating a potentially serious breach of national security after a cyber-attack on Mitsubishi Electric earlier this year which may have yielded top secret missile plans.

The tech giant said in a statement earlier this week that it reported an incident to the Defense Ministry in February, in which sensitive information including personal data on 8000 employees may have been stolen, according to AP.

Chief cabinet secretary Yoshihide Suga is said to have told reporters that the government is now investigating “the possible impact of the information leak on national security.”

The stolen data is thought to relate to a prototype missile that Mitsubishi was bidding to build. The firm didn’t win the bid but held sensitive documents related to the design as part of the process.

Russia, the US and China appear to be in an arms race to build these hypersonic glide vehicles (HGVs), which are said to combine the speed of a ballistic missile with the maneuvering capabilities of a cruise missile, making them incredibly difficult for conventional defense systems to track.

Given that the missiles were apparently intended to be deployed in Japan’s southern islands to ward of the threat from an increasingly assertive China, it would seem that Beijing-backed hackers are likely to be behind these latest cyber-espionage efforts.

It’s unclear whether the reported incident relates to one revealed by Mitsubishi Electric in January, which took place back in June 2019.

At the time reports suggested likely Chinese hackers had stolen 200MB of data from the firm.

However, Mitsubishi claimed that, although personal and corporate confidential information may have been taken, “sensitive information on social infrastructure such as defense, electric power and railways, highly confidential technical information, and important information concerning business partners has not been leaked."

Categories: Cyber Risk News

Wishbone Breach: 40 Million Records Leaked on Dark Web

Fri, 05/22/2020 - 08:15
Wishbone Breach: 40 Million Records Leaked on Dark Web

A prolific dark web trader has leaked what they claim to be 40 million user records from popular mobile app Wishbone.

The individual known as “ShinyHunters” posted the data to RaidForums, claiming that, “since people are starting to resell wishbone we’ve decided to leak it for free.”

The post was shared by security vendor Cyble and indicates ongoing tension in the cybercrime community. Previously, the database was thought to be selling on the dark web for thousands of dollars.

ShinyHunters has been linked to multiple previous sales of breached data including Home Chef, which this week revealed that it had suffered a serious cybersecurity incident thought to have affected millions of customers.

Popular with youngsters, Wishbone is an iOS and Android app which allows users to “compare anything.”

The trove of data now available to all-comers includes usernames, email addresses, mobile numbers, gender, date-of-birth, Facebook and Twitter access tokens, MD5-hashed passwords and more.

This could provide fraudsters with plenty of information to carry out follow-on phishing attacks, credential stuffing and more.

Trevor Morgan, product manager at comforte AG, argued that tokenizing or securely encrypting the data could have helped Wishbone mitigate the impact of the breach.

“Unfortunately, in this case the stolen passwords were in MD5 format, a weak form of password hashing which can be decoded by malicious actors and therefore monetized through sale on hacking forums,” he explained.

“Encrypted or tokenized data, however, could not be listed for sale on the dark web because it becomes undecipherable without the necessary key, therefore reducing the likelihood of data exposure during a breach, and maintaining the security of valuable personal information.

He urged organizations to rethink their security and data protection processes or risk becoming the next Wishbone.

This isn’t the first time Wishbone has been caught out. A 2016 breach affected 9.4 million records with 2.2 million unique email addresses, according to HaveIBeenPwned.

Categories: Cyber Risk News

Zoom Meetings Bombed with Child Sexual Abuse Material

Thu, 05/21/2020 - 18:20
Zoom Meetings Bombed with Child Sexual Abuse Material

The disruption of nearly 200 Zoom meetings with images of child sexual abuse has prompted the FBI to issue a warning.

In recent months, schools, councils, businesses, and the general public have been using the videoconferencing app to communicate after social distancing and lockdown measures introduced to slow the spread of COVID-19 made face-to-face interaction difficult.  

However, as the number of legitimate users has risen, so too has the number of Zoom-bombing incidents in which malicious users hack meetings to subject attendees to unwanted language and images. 

While some Zoom-bombings consist of little more than a schoolboy prank, others are seriously offensive, featuring lewd imagery, expletives, and racist language. According to the FBI, a growing number of these cyber-attacks now feature material depicting the sexual abuse of minors. 

"During the last few months, the FBI has received more than 195 reports of incidents throughout the United States and in other countries in which a Zoom participant was able to broadcast a video depicting child sexual abuse material (CSAM)," wrote the FBI in a statement released yesterday.

"The FBI considers this activity to be a violent crime, as every time child sexual abuse material is viewed, the depicted child is re-victimized. Furthermore, anyone who inadvertently sees child sexual abuse material depicted during a virtual event is potentially a victim as well."

The Bureau asked any Zoom hosts or administrators who have had a meeting disrupted by the broadcast of CSAM to contact the FBI and to keep a record of what occurred. 

The FBI warned Zoom users to consider the privacy of any videoconferences they schedule. 

"Links to many virtual events are being shared online, resulting in a lack of vetting of approved participants," said the FBI. "Do not make meetings or classrooms public. Do not share a link to a teleconference or classroom on an unrestricted, publicly available social media post. Provide the link directly to specific attendees." 

The Bureau advised users to make their Zoom meetings private either by requiring attendees to enter a meeting password or by using the waiting room feature to control the admittance of guests.

To limit the risk of abusive content being shown, hosts can change the screen-sharing options to "Host Only." 

Categories: Cyber Risk News

Raytheon's Board Takes Voluntary Pay Cut

Thu, 05/21/2020 - 17:34
Raytheon's Board Takes Voluntary Pay Cut

Raytheon Technologies’ board of directors is taking a voluntary pay cut as the United States continues to be impacted by COVID-19. 

The board has reduced non-employee director compensation by an amount equal to 20% of the director cash retainer. The pay cut will apply for the annual term ending at the 2021 Annual Meeting of Shareowners.

The defense giant, which is headquartered in Waltham, Massachusetts, announced the board's gesture on May 14. 

News of the resolution follows a decision by CEO Greg Hayes to institute a temporary 10% base pay reduction for all salaried employees across the company's Pratt & Whitney and Collins Aerospace Systems businesses as well as its corporate offices. 

Raytheon employs 195,000 people across four industry-leading businesses―Collins Aerospace Systems, Pratt & Whitney, Raytheon Intelligence & Space, and Raytheon Missiles & Defense. 

Temporary reductions in pay announced by Raytheon last month will go into effect from June and remain in place until the end of the year. 

Previously, CEO Greg Hayes and executive chairman Tom Kennedy had volunteered to slash their salaries by 20% for the same period.

In a statement released May 14, Raytheon said: "Raytheon Technologies continues to monitor the crisis and is responding as needed to ensure the wellbeing of its employees, customers and suppliers, while protecting the long-term financial strength of the business."

Raytheon Technologies Corporation was formed in 2020 through the combination of Raytheon Company and the United Technologies Corporation aerospace businesses. 

This week, the company confirmed that it is closing an office in Albuquerque, New Mexico, where 200 people are currently employed. 

Raytheon spokeswoman Heather Uberuaga said the company is seeking to streamline its capabilities and relocate support for key capabilities and customer programs to alternative facilities elsewhere in the United States.

"We think this move is in the best interest of our customers as we look to further integrate and streamline our capabilities with pursuits and programs located at other sites while working with employees on a case-by-case basis to explore their individual employment options going forward,” Uberuaga wrote in an email to the Albuquerque Journal.

Categories: Cyber Risk News

Cybersecurity Company Sues Private Equity Firm for Backing Out of Buyout

Thu, 05/21/2020 - 15:54
Cybersecurity Company Sues Private Equity Firm for Backing Out of Buyout

Cybersecurity firm Forescout Technologies Inc. yesterday sued a private equity firm for backing out of a $1.9bn buyout.

Advent International Corporation agreed to buy Forescout back in February 2020, but four days before the takeover was due to be completed, the firm announced it would no longer be closing the deal. 

According to California company Forescout, Advent said it was reneging on the deal because of the impact of the global outbreak of COVID-19. 

The takeover had been scheduled to go ahead on Monday, May 18. On May 20, Forescout filed a lawsuit in the Delaware Court of Chancery requesting that Advent be ordered to complete the buyout.

In a statement released yesterday, Forescout accused Advent of violating the terms of their merger agreement.

A spokesperson for the aggrieved cybersecurity company said: "Advent’s purported excuse for its wrongful conduct is that a closing condition to the transaction has not been satisfied because a 'material adverse effect' has occurred at Forescout.

"Forescout believes that no material adverse effect has occurred, that all closing conditions are satisfied, and that Advent is obligated to close the transaction."

The cybersecurity company said that the effects of COVID-19 had been factored into negotiations and that Advent "has relied on meritless excuses" to wriggle out of the deal.

"The merger agreement explicitly allocated the risk of any impacts from COVID-19 to Advent," said Forescout.

Theresia Gouw, chair of the Forescout board, described Advent's getting cold feet over the planned buyout as highly disappointing. 

“The only change since the merger agreement was jointly executed in February is the deepening of the COVID-19 pandemic, which has significantly impacted global macro-economic conditions," said Gouw. 

"All companies have been challenged by this pandemic, and it is highly disappointing that Advent would attempt to exploit market volatility to renege on its contractual obligations, particularly when the merger agreement explicitly excludes the effects of a pandemic as a material adverse event."

The surprising turn of events sent Forescout's shares tumbling to an all-time low yesterday. Shares were at just $18.33 when trading opened. Advent International agreed on February 6 to pay $33 a share to take Forescout private.

Categories: Cyber Risk News

Winnti Group Targets Video Game Developers with New Backdoor Malware

Thu, 05/21/2020 - 12:00
Winnti Group Targets Video Game Developers with New Backdoor Malware

Researchers from ESET have discovered a new modular backdoor used by the Winnti Group to target several video game companies that develop MMO (massively multiplayer online) games.

As explained in a blog post, the malware, dubbed ‘PipeMon’ by ESET, targeted companies in South Korea and Taiwan. The video games developed by these companies are distributed all around the world, are available on popular gaming platforms and have thousands of simultaneous players.

According to researchers, the new modular backdoor is signed with a code-signing certificate likely stolen during a previous campaign and shares similarities with the PortReuse backdoor.

In at least one case, the attackers compromised a company’s build orchestration server, allowing them to take control of the victim’s automated build systems. This could have allowed the attackers to Trojanize video game executables, although there’s no current evidence that has occurred. In another case, attackers compromised a company’s game servers. With this attack, it would be possible to manipulate in-game currencies for financial gain, ESET explained.

“Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the command and control domains used by PipeMon were used by Winnti malware in previous campaigns,” said Mathieu Tartare, malware researcher at ESET. “Furthermore, in 2019, other Winnti malware was found at some of the same companies that were later discovered to be compromised with PipeMon in 2020.”

Categories: Cyber Risk News

Flight Risk Employees Account for Most Insider Threats

Thu, 05/21/2020 - 11:00
Flight Risk Employees Account for Most Insider Threats

Employees or contractors identified as a “flight risk” are linked to 60% of insider threat cases, increasing the likelihood that such incidents will involve theft of sensitive corporate data, according to Securonix.

The vendor’s 2020 Securonix Insider Threat Report was distilled from over 300 real-life insider incidents across multiple sectors.

It revealed that over 80% of staff members deemed likely to terminate their employment will take data with them, anywhere between two weeks and two months prior to them leaving. Flight risk can be determined from web browsing and email behavior, Securonix said.

Unsurprisingly, therefore, data exfiltration is the number one insider threat, with email the most popular vector for data loss, followed by web uploads and cloud storage sites.

Account sharing and shadow IT, especially the prevalence of cloud collaboration tools, are compounding the problem for IT security operations teams, the report claimed.

“Data aggregation and snooping of sensitive data is still prominent in most organizations, however tools to detect such behavior still lag behind. This is primarily due to organizations struggling to classify data that is deemed sensitive, combined with data being vastly distributed across networks and systems,” it explained.

“The circumvention of IT controls is prevalent across all organizations. IT security operations teams, especially ones from large enterprises, are finding it difficult to draw conclusions about such incidents mostly due to lack of, or differences between, policies and procedures for each line of business.”

Pharmaceutical firms accounted for the largest number of data exfiltration incidents analyzed by Securonix, which is understandable considering the highly sensitive IP handled by these organizations.

Behavioral analytics were used most often to detect abnormal user behavior and flag violations.

However, data theft is only one of many risks posed by employees. Many of these stem from negligence rather than deliberate malice. Human error, including misconfiguration of cloud systems and misdelivery of emails, accounted for 22% of breaches analyzed by Verizon in its latest report.

Categories: Cyber Risk News

IT Asset Management Forum Launches to Enhance Sector

Thu, 05/21/2020 - 10:15
IT Asset Management Forum Launches to Enhance Sector

A not-for-profit body for the asset management sector has been established to advance the overall reputation and recognition of the IT Asset ManagEment (ITAM) industry while providing a collaborative space for ITAM leaders to come together.

The ITAM Forum launches with a board of 15 trustees from across the ITAM industry – representing IT end users, resellers, tool providers and independent consultants, with two objectives:

  • To educate and evangelize – to encourage more companies to practice ITAM and to attract new professionals into the industry
  • To promote best practice – provide a collaborative, global forum for ITAM leaders to come together and share ideas for the advancement of the ITAM industry (eventually establishing a globally-recognized Organizational certification for ITAM)

Founder Martin Thompson said that with more focus on asset management, due to the COVID-19 pandemic driving more employees to work remotely, “IT Asset Managers have a huge role to play in documenting and unpicking this rapid and unplanned investment. 

“The smart management of assets is a shrewd business practice which delivers benefits far beyond IT. ITAM therefore has a rightful place outside of the niche IT/ITSM domain from where it started, and as a boardroom priority in its own right. The ITAM Forum is here to help it achieve this goal, by raising the profile of the ITAM discipline as much more than a compliance exercise and demonstrating its value to every organization looking to better manage its assets.”

In an email to Infosecurity, Lenny Zeltser, CISO of asset management vendor Axonius, said it was encouraging to see the increasing importance that cybersecurity professionals have been assigning to IT asset management in recent years.

“Security teams recognize that ITAM is a foundational aspect of a security program,” Zeltser said. “We need to know what devices, systems, users and applications we have, so we can implement the appropriate safeguards for them. Industry frameworks such as ISO 27001, CIS Critical Controls and NIST Cybersecurity Frameworks have included the need for ITAM for years. In recent years I've seen security professionals pay much closer attention to this requirement.”

Zeltser also noted that more and more enterprises are recognizing that they don't need yet another source of asset data, and instead look for ways to gather information about IT assets from the various IT data silos, such as the CMDB, network scanners, cloud instrumentation tools, Active Directory and so on. “Each of these sources of data has partial visibility into the organization's assets. By combining this data, organizations are able to get a comprehensive view into their ITAM posture.” 

The ITAM Forum also announced a longer term objective to create a new certification program for ITAM, based on the global ISO standard for the ITAM industry – ISO19770 – which was first published in 2006. 

“By certifying organizations against the ISO standard, the ITAM Forum will look to provide the highest measure of quality to demonstrate the competence of an ITAM department in the face of increasing board level scrutiny,” Thompson said.

“By benchmarking an ITAM department output against recognized ISO standards, stakeholders in the ITAM lifecycle (in particular those not fully versed in the complexity of IT assets) will be assured of quality. While our current priority is to establish the ITAM Forum as the credible voice of the ITAM industry, we look forward to eventually establishing the ITAM Forum certification as the globally-recognized ‘Kitemark’ for ITAM quality.”

Categories: Cyber Risk News

Home Chef Breach May Affect Millions of Customers

Thu, 05/21/2020 - 09:30
Home Chef Breach May Affect Millions of Customers

Home Chef has confirmed a major breach of customers’ personal information, potentially affecting millions of users.

The Chicago-headquartered meal delivery service revealed in a notice on its website that email addresses, encrypted passwords, last four digits of credit card numbers and “other account information such as frequency of deliveries and mailing address” were among the compromised details.

“We are taking action to investigate this situation and to strengthen our information security defenses to prevent similar incidents from happening in the future,” it said.

Although passwords were scrambled, the firm urged customers to reset their credentials anyway. Its encryption of passwords and only partial storage of credit card details will limit the risk exposure to customers, but other personal details could be used to craft convincing phishing attacks spoofing the brand.

“You should also remain vigilant against phishing attacks and monitor your accounts for any suspicious activity,” said Home Chef. “Remember that we will never ask you to send sensitive information over email, and you can make any necessary changes to your accounts by logging into your account directly on our website.”

Although the firm claimed that only “select customer information” was taken, a dark web trader claims to have as many as eight million records up for sale.

Boris Cipot, senior security engineer at Synopsys, argued that even Home Chef’s efforts to minimize risk exposure may be undone.

"Passwords — even encrypted passwords — can be cracked. If a hacker succeeds in accessing password data, it could be a key element in carrying out additional attacks. When we add email addresses to those cracked passwords, attackers may now be able to enter other services such as bank accounts, e-commerce sites, among many others,” he argued.

“With regards to the last four digits of your credit card number, if you believe this is useless data without the full number, think again. Some services require you to only enter the last four numbers to confirm your identity. As such this data can be of use to attackers with the knowledge of how to make the most of such information."

Categories: Cyber Risk News

Pages