Info Security


Global Enterprises Suffer 30 Security Breaches Per Year

Tue, 04/17/2018 - 10:55

Organizations are getting much better at stopping cyber-attacks, but still suffered on average 30 security breaches last year, causing damage or data loss, according to Accenture.

The global consultancy polled 4600 cybersecurity practitioners in companies with revenues over $1bn across 15 countries, to compile its 2018 State of Cyber Resilience Executive Summary.

It found that 87% are now preventing "focused" attacks, up from 70% last year, but that still leaves 13% of online raids penetrating defenses.

The report also claimed that over half (55%) of global enterprises took one week or less to detect a breach, compared to just 10% last year, while 89% detected within a month.

FireEye estimated a global median dwell time of 101 days in its most recent M-Trends report.

Accenture respondents ranked cyber-threat analytics (46%) and security monitoring (46%) joint first among the technologies most needed to fill existing gaps. A further 83% agreed that AI, machine/deep learning, user behavior analytics and blockchain are “essential to securing the future of organizations.”

“While the findings of this study demonstrate that organisations are performing better at mitigating the impact of cyber-attacks, they still have more work to do. Building investment capacity for wise security investments must be a priority for those organizations who want to close the gap on successful attacks even further,” said Kelly Bissell, managing director of Accenture Security.

“For business leaders who continue to invest in and embrace new technologies, reaching a sustainable level of cyber-resilience could become a reality for many organizations in the next two to three years. That’s an encouraging projection.”

Global organizations breached a record 2.6 billion documents last year, up 88% on 2016, according to Gemalto.

Like Verizon’s Data Breach Investigations Report, the firm’s study last week highlighted the importance of mitigating insider risk.

Accidental loss, including improper disposal of records, misconfigured databases and other issues, caused the exposure of 1.9 billion records – a 580% increase from 2016.

Facebook Fail as 100+ Cybercrime Groups are Found on Site

Tue, 04/17/2018 - 09:58

Facebook has deleted over 100 private discussion groups revealed to have been facilitating identity fraud and cybercrime for years on the platform.

Journalist Brian Krebs claimed to have found the groups after searching for just a couple of hours last week. He said they covered a broad range of illicit activity including DDoS-for-hire, carding, 419 scams and botnet creation tools — with over 300,000 members signed up.

Most were easily identifiable by group names such as “botnet helpdesk” and “tax refund fraud” and had been active on the social network for an average of two years — with 10% having lasted for over four years without being discovered, reported, or shut down.

Krebs claimed that he only sought out groups operating in English and with over 25 members.

“As such, there may well be hundreds or thousands of other groups who openly promote fraud as their purpose of membership but which achieve greater stealth by masking their intent with variations on or misspellings of different cyber fraud slang terms,” he argued.

Although the groups blatantly abused Facebook’s community standards policy regarding the promotion of illegal goods and services, the social network appears to have had no automated way to check and investigate such activity, relying primarily on users to report violations.

A statement sent to Krebs claimed that the firm would look at “other ways to use automation” in the future.

“We investigated these groups as soon as we were aware of the report, and once we confirmed that they violated our Community Standards, we disabled them and removed the group admins,” it added. “We encourage our community to report anything they see that they don’t think should be in Facebook, so we can take swift action.”

The existence of such forums on the dark web is well known, although the buying and selling of hacking tools and online account credentials on a legitimate platform like Facebook will come as a surprise to many.

NCSC: Chinese Telecoms Firm ZTE is National Security Risk

Tue, 04/17/2018 - 08:54

The UK’s National Cyber Security Centre (NCSC) has warned that one of China’s biggest telecoms infrastructure and smartphone firms is a national security risk.

The GCHQ body released a short statement on Monday penned by technical director, Ian Levy, and relating to the use of ZTE “equipment and services” in UK telecoms infrastructure.

“It is entirely appropriate and part of NCSC’s duty to highlight potential risks to the UK’s national security and provide advice based on our technical expertise,” it stated.

“NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated."

Unlike the US, which de facto banned Huawei and ZTE from competing to provide telco infrastructure back in 2012, UK firms have embraced partnerships with the former, with the blessing of government.

It appears as if GCHQ does not have the resources to monitor the equipment of two Chinese firms in its critical infrastructure.

"The UK telecommunications network already contains a significant amount of equipment supplied by Huawei, also a Chinese equipment manufacturer," Levy wrote in a letter to the telecoms sector, according to the FT.

"Adding in new equipment and services from another Chinese supplier would render our existing mitigations ineffective."

The warning from the NCSC coincides with new US sanctions levied against ZTE which will prevent US firms like chipmaker Qualcomm from selling to the company for the next seven years. That’s because it’s said to have broken the agreement signed with Washington after pleading guilty to breaking different sanctions by selling equipment to North Korea and Iran.

It’s believed that BT has an R&D partnership with the Chinese firm, and has distributed routers made by the company, but is playing down its relationship.

A spokeswoman told the BBC that BT has a “robust testing regime in place” to keep its network secure.

“Such [R&D] projects focus on the future uses of networks and technologies and do not necessarily result in the commercial deployment of the research partner's kit in our network,” she added.

#RSAC: Security Considerations Around Digital Business Transformation

Tue, 04/17/2018 - 01:25

At the CIO/CISO Interchange event in San Francisco on April 16 2018, Forrester VP Principal Analyst Julie A. Ask considered the key trends in digital business transformation and the impact they are having on security.

She summarized the key trends in customer digital experiences:

  1. Mobile will persist as the most important digital platform and will become an orchestrator of experiences. The role of the smartphone will continue to evolve and it will sit at the center of the ecosystem of all digital experiences
  2. Smart experiences will shift the cognitive load away from the consumer. Currently the cognitive load sits on the consumer, but smartphones will start to order and organize these experiences. Consumers will expect technology to anticipate what they want
  3. Immersive experiences built with augmented-, mixed- and virtual reality are evolving but nascent
  4. Conversations are a key element of future digital experiences, but one of many channel choices. Smart speakers are currently mainly used for basic things like turning on music and setting alarms. Consumers don’t actually want conversations, they want peace of mind and they want to get stuff done. They want the least path of resistance
  5. The future of digital experiences will be an orchestration of dynamically assembled experience components based on real-time context

Forrester’s Ask said that “whenever we think about security or risk professionals, we think of them as inhibiting what we do. They need to be part of the conversation from the beginning.” She continued: “Customer expectations are moving very quickly. Your customer experience, marketing and digital business teams are quickly assembling relationships with third parties that involve the sharing or transfer of customer data to serve customers on many touchpoints. Security professionals must get involved in these conversations early.”

“What’s worrying security and risk professionals the most is that people that don’t understand security and risk are using tools to build automatic work-flows without considering the security and privacy implications, let alone the liability associated with it.”

Ask recommended that security professionals need to ensure they can handle the collection of consumer data in real-time to “enable these experiences on a host of connected devices and the deletion per customer requests and GDPR requirements at all points of presence.

“New digital business models will force you to collect and use data in real time to conquest and set prices,” she continued. “But how will you think through the ethics of these tactics and the long term implications on risk without slowing down business?”

With machine learning, she concluded, you need to ensure the integrity of the data and algorithms.

#BSidesSF: Managing Secrets in Your Cloud Environment

Mon, 04/16/2018 - 21:20

Speaking at BSides San Francisco today Evan Johnson, security engineer at Segment, and Maya Kaczorowski, product manager, Security & Privacy at Google, explored the topic of cloud ‘secrets’, highlighting common mistakes in secret management and solutions to the problem.

A cloud secret is “anything an application needs at build or run time,” said Kaczorowski, citing examples such as credentials, API keys, usernames and passwords.

Johnson added that “secret management was a very big thing that blasted onto the scene in 2015/16 – but people are still coming up to me saying ‘we’re still working on that and need a solution for it’.”

Kaczorowski said that secrets are typically either managed in a decentralized manner adjacent to code (which is undesirable) or with a centralized, purpose-built solution, with more and more people opting for the latter. “There’s really no point at this time in keeping things decentralized,” she claimed.

In terms of common mistakes made in secret management, Kaczorowski highlighted the following:

  • Putting secrets in code
  • Not rotating secrets
  • Not backing up secrets
  • Not having a concept of identity
  • Protecting secrets the same way you protect everything else

Conversely, Johnson and Kaczorowski then pointed out the good properties of secret management:

  • Identity: requires strong identities and least privilege
  • Auditing: verify the use of individual secrets
  • Encryption: always encrypt before writing to disk
  • Rotation: change a secret regularly in case of compromise
  • Isolation: separate where secrets are used vs managed

What organizations need to consider when selecting the best secret management option for them is whether they run mostly in containers or mostly in the cloud, they both added.

To conclude, Johnson and Kaczorowski highlighted the issues that make, and will continue to make, secret management difficult:

  • Usability: it’s great to have these tools, but now figure them out without messing up
  • Root secret: how do you protect the secret to all secrets?
  • Secret rotation: some tools do it, some don’t; but it’s still highly manual in most cases
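
The mistakes and good properties listed above (identity with least privilege, auditing, encrypt before writing to disk, rotation, isolation of use from management) and the root-secret problem can be seen together in one small file-backed store. This is an added example written for this page, not code from the talk, Segment or Google: the store, the identity strings (billing-svc, ops-admin, web-frontend) and the secret values are constructed. The root key that unlocks everything is held only in memory and is the one thing this code cannot protect; in practice it comes from a KMS or HSM, which is exactly the "secret to all secrets" question the speakers raise.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// secretVersion is one rotated value as written to disk: nonce plus AES-GCM ciphertext, never plaintext.
type secretVersion struct {
	Nonce, Ciphertext []byte
}

// AuditEvent records who did what to which secret and whether it was allowed.
type AuditEvent struct {
	Who, Action, Name string
	Allowed           bool
}

// Store is a hypothetical file-backed secret store (constructed for this example):
// the root key lives only in memory, the ACL is keyed by caller identity, every access is logged.
type Store struct {
	dir   string
	aead  cipher.AEAD
	acl   map[string]bool // "identity\x00name" -> may read
	Audit []AuditEvent
}

// NewStore wraps the root key (16, 24 or 32 bytes) in AES-GCM; in production the
// key comes from a KMS or HSM, never from the same disk as the secrets.
func NewStore(dir string, rootKey []byte) (*Store, error) {
	block, err := aes.NewCipher(rootKey)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Store{dir: dir, aead: aead, acl: map[string]bool{}}, nil
}

// Grant gives one identity read access to one named secret (least privilege).
func (s *Store) Grant(identity, name string) { s.acl[identity+"\x00"+name] = true }

func (s *Store) load(name string) ([]secretVersion, error) {
	data, err := os.ReadFile(filepath.Join(s.dir, name+".json"))
	if os.IsNotExist(err) {
		return nil, nil // first version of a new secret
	}
	if err != nil {
		return nil, err
	}
	var versions []secretVersion
	return versions, json.Unmarshal(data, &versions)
}

// Put encrypts and appends a new version; calling it again rotates the secret
// while older versions remain on file for consumers still holding them.
func (s *Store) Put(actor, name string, plaintext []byte) (int, error) {
	versions, err := s.load(name)
	if err != nil {
		return 0, err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return 0, err
	}
	// The name is bound as additional data, so a ciphertext moved between two
	// secrets' files fails authentication on decrypt.
	ct := s.aead.Seal(nil, nonce, plaintext, []byte(name))
	data, _ := json.Marshal(append(versions, secretVersion{nonce, ct}))
	if err := os.WriteFile(filepath.Join(s.dir, name+".json"), data, 0o600); err != nil {
		return 0, err
	}
	s.Audit = append(s.Audit, AuditEvent{actor, "put", name, true})
	return len(versions) + 1, nil
}

// Get decrypts the latest version for a granted identity; denied reads are
// logged too, since those are the events worth alerting on.
func (s *Store) Get(identity, name string) ([]byte, int, error) {
	if !s.acl[identity+"\x00"+name] {
		s.Audit = append(s.Audit, AuditEvent{identity, "get", name, false})
		return nil, 0, fmt.Errorf("identity %q may not read %q", identity, name)
	}
	versions, err := s.load(name)
	if err != nil || len(versions) == 0 {
		return nil, 0, fmt.Errorf("no usable secret %q: %v", name, err)
	}
	latest := versions[len(versions)-1]
	pt, err := s.aead.Open(nil, latest.Nonce, latest.Ciphertext, []byte(name))
	if err != nil {
		return nil, 0, err
	}
	s.Audit = append(s.Audit, AuditEvent{identity, "get", name, true})
	return pt, len(versions), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "secrets")
	defer os.RemoveAll(dir)
	root := make([]byte, 32) // demo only: a real root key comes from a KMS/HSM
	rand.Read(root)
	st, _ := NewStore(dir, root)
	st.Grant("billing-svc", "db-password")
	st.Put("ops-admin", "db-password", []byte("hunter2")) // constructed sample value
	fmt.Println(st.Get("billing-svc", "db-password"))   // plaintext, version 1, nil
	fmt.Println(st.Get("web-frontend", "db-password"))  // denied: no grant for that identity
}
```

Running it prints the decrypted value and its version for the granted identity, then a denial for the identity that was never granted; the JSON file on disk holds only nonce and ciphertext, and a second Put on the same name yields version 2 while version 1 stays readable until the caller moves on. Isolation is the split the code enforces by construction: the process that calls Put or Get never sees the root key, only the store does.
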
#BSidesSF: How to Solve Infosec Problems with Creative Solutions

Mon, 04/16/2018 - 20:18

Speaking at BSides San Francisco today Katie Ledoux, manager of trust and security governance at Rapid7, presented a session exploring some creative solutions to infosec problems.

Ledoux said that when fixing problems “managing little fires without losing sight of long-term goals is an issue that anyone who has a job needs to deal with” but in infosec it is particularly challenging as “much of our work is reactive and time-sensitive.”

In her experience, fixing information security problems and building environments in which problem-solvers thrive comes down to managing two categories of factors: individual and environmental.

The first individual factor is an ability to define a problem, Ledoux said, explaining that “we often fail to articulate the problem we need to solve before we jump into action.

“A better problem statement invites you to consider all of your options.”

The second individual factor is an ability to stack small victories, Ledoux continued. “When we’re trying to fix something in our organization or industry, there’s nothing wrong with starting small. Not only does every improvement count, but these experiences are also valuable lessons that we will use for larger issues down the road.”

The third individual factor is the ability to leverage diversity of thought, Ledoux said. “The more diverse backgrounds we leverage the more associations we get, and the more paths we have towards solving a hard problem.”

As for the environmental factors, the first to consider is how to most-effectively manage resources to generate meaningful outcomes. “More resources alone won’t solve all of our problems,” Ledoux argued, so “we need to be strategic about how we direct them”. To do that, Ledoux advised using “crafty” metrics to:

  • Set boundaries on time spent on operational tasks
  • Use clear, visible KPIs to drive attention to priorities

The final factor to manage is the environmental one of encouraging problem-solvers to challenge the status quo, Ledoux concluded.

A Pair of Mobile Apps in Google Play Target Mideast Victims

Mon, 04/16/2018 - 19:19

Two separate incidents of surveillance-ware were found in the Google Play Store, targeting Middle East organizations.

Google has removed the offending apps, ViperRAT 2.0 and Desert Scorpion, but they both represent a rare instance of a malicious mobile APT (mAPT) in an official app marketplace.

According to Lookout Security, ViperRAT 2.0 represented the resurgence of a mAPT that originally targeted individuals in the Israeli Defense Force (IDF).

Early last year, Lookout researchers reported on the discovery of ViperRAT, which compromised IDF personnel through social engineering. They were prompted to download third-party chat apps by attackers posing as attractive young women. The “young women” would send a link to a target and persuade the mark into clicking on it and installing a Trojanized app.

ViperRAT 2.0 was packaged inside of custom mobile chat apps.

“The first, VokaChat, had received between 500 and 1,000 downloads, while the second, Chattak, listed the number of downloads as between 50 and 100,” Lookout said. “It is interesting that in these new samples, the chat functionality was fully implemented, something that is different from the previous samples. Furthermore, command and control infrastructure for the two samples remained active…and even included the privacy statement that Google requires from developers who publish to the Play Store.”

Meanwhile Desert Scorpion, related to APT-C-23 and the FrozenCell spyware family, targeted individuals in Palestine and was also packaged inside mobile messaging apps. Lookout has seen this actor rely heavily on phishing campaigns to trick victims into downloading their malicious apps, specifically on Facebook. The firm was able to tie the malware to a long-running Facebook profile that it observed promoting the first stage of this family, a malicious chat application called Dardesh, via links to Google Play.

“Even sophisticated actors are using lower-cost, less technologically impressive means like phishing to spread their malware because it's cheap and very effective, especially on mobile devices where there are more ways to interact with a victim (messaging apps, social media apps, etc.), and less screen real estate for victims to identify potential indicators of a threat,” Lookout explained.

Most Web Apps Contain High-Severity Vulnerabilities

Mon, 04/16/2018 - 18:59

An analysis of web applications shows that 94% of applications tested had at least one high-severity vulnerability.

According to Positive Technologies’ Web Application Vulnerabilities in 2017 report, compiled from the firm’s automated source code analysis with its PT Application Inspector tool, most detected vulnerabilities (65%) were of medium severity, with much of the remainder (27%) being high-severity.

“Web applications practically have a target painted on their back,” said Leigh-Anne Galloway, Cyber Security Resilience Lead at PT. “A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”

The most common vulnerability across the board was cross-site scripting (affecting 82% of tested web applications), which allows attackers to perform phishing attacks against web application users or infect their computers with malware.
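
The cross-site scripting figure above comes down to one source-code pattern: untrusted input spliced into HTML without escaping. As an added example, not code from Positive Technologies or from the report, the following Go program renders the same greeting two ways, once by string formatting and once through html/template's contextual escaper, and applies the check a code review or test would make on the output. The display name is a constructed sample value; the function names are this example's own.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// sampleName is a constructed value standing in for a user-controlled display
// name that reaches the page (profile field, query parameter, form input).
const sampleName = `<script>alert("xss")</script>`

// renderUnsafe splices the untrusted value into the page with string
// formatting, so any markup the value carries is emitted as markup.
func renderUnsafe(name string) string {
	return fmt.Sprintf("<p>Welcome back, %s</p>", name)
}

// renderSafe renders the same fragment through html/template, whose contextual
// escaper encodes the value for an HTML text node, so the browser displays the
// characters instead of interpreting them.
func renderSafe(name string) (string, error) {
	tmpl, err := template.New("greet").Parse("<p>Welcome back, {{.}}</p>")
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := tmpl.Execute(&sb, name); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// leaksMarkup is the check a reviewer or a test suite makes on rendered output:
// does the raw input, tags included, appear verbatim in the HTML?
func leaksMarkup(rendered, input string) bool {
	return strings.Contains(rendered, input)
}

func main() {
	unsafe := renderUnsafe(sampleName)
	safe, _ := renderSafe(sampleName)
	fmt.Printf("unsafe: %s  leaks=%v\n", unsafe, leaksMarkup(unsafe, sampleName))
	fmt.Printf("safe:   %s  leaks=%v\n", safe, leaksMarkup(safe, sampleName))
}
```

The point a source-code analyser keys on is the renderUnsafe shape (formatting or concatenating request data into HTML), and the fix is to route every such value through a renderer that escapes by context, as html/template does; a plain name such as "Alice" passes through the safe path unchanged, so correctness costs nothing for ordinary input.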

Other critical vulnerabilities also find their way into government web applications. For example, security assessment of a web application for a Russian local government revealed SQL Injection, a critical vulnerability that could allow attackers to obtain sensitive information from a database.

Financial services are at greatest risk. The analysis found that 46% of all tested web applications in this sector were at the greatest risk, with high-severity vulnerabilities found in 100% of tested banking and finance web applications.

PT also assessed the potential impact of every detected web application vulnerability and compiled a list of the most common security threats. The No. 1 threat is attacks that target web application users. Alarmingly, 87% of banking web applications and all government web applications tested were susceptible to these kinds of attacks. Users of government web applications in particular tend to not be security savvy, which makes them easy victims for attackers.

The firm also concluded that denial of service is especially threatening for e-commerce web applications, because any downtime means missed business and lost customers. High-profile e-commerce web applications receive large amounts of daily visits, increasing the motivation for attackers to find vulnerabilities to turn against users.

University of Virginia Nabs Top Honors in Collegiate Cyber Contest

Mon, 04/16/2018 - 18:52

The University of Virginia (UVA) took home top honors in this year’s National Collegiate Cyber Defense Competition (NCCDC), which took place April 13–15.

Ten cyber-defense teams faced off in Orlando, competing as white-hat hackers to protect a fictional biotech company called Volitech, which specializes in vaccine research, materials research, pharmaceuticals, and biomechanical organ development. The students were challenged to operate and manage a network infrastructure similar to that of networks found in the commercial sector and were scored based on their ability to minimize system infiltration, keep critical services in operation and prevent exfiltration of sensitive data.

The UVA team was formed just three months ago and had never competed in a large-scale cyber competition before. Half of the team (four members) are freshmen. The win is particularly notable given that more than 230 colleges and universities competed to take 10 finalist positions in the national round.

UVA team captain Mariah Kenny, the only female on the team, led them to victory. Kenny stands out in a field dominated by men. In fact, women currently comprise just 11% of the global cybersecurity workforce.

NCCDC gives students an opportunity to develop and apply real cybersecurity skills, which is a critical need. In the US alone, there are 750,000 unfilled cybersecurity positions. By 2020, more than 2 million cybersecurity jobs will be needed worldwide.

"NCCDC's systematic, professional approach to this competition and the use of real-world business scenarios will contribute to filling the projected cyber-job vacancies," said John DeSimone, vice president of Cybersecurity and Special Missions at Raytheon Intelligence, Information and Services. "We want to congratulate University of Virginia and encourage them to continue their pursuit of cybersecurity excellence through internships and throughout their careers post-graduation."

Raytheon will bring the winning team to Washington, D.C., this summer to tour some of the nation's top research and national cybersecurity sites.

"The NCCDC program brings academia, government and industry together in a unique way," said Dwayne Williams, director of the NCCDC. "Everyone recognizes we need to find and train more cyber professionals and these competitions are critical in helping meet that need."

In addition to University of Virginia's top finish, University of Central Florida placed second and Dakota State University placed third.

US and UK Cyber Agencies Issue Russian Attack Warning

Mon, 04/16/2018 - 17:18

State-sponsored Russian attackers have conducted a sustained campaign targeting routers and network infrastructure devices.

According to a joint investigation and technical alert by the US Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC), global network infrastructure devices such as routers, switches, firewalls and network intrusion detection systems have been targeted with a view to conducting espionage and intellectual property theft.

There is also evidence of attackers maintaining persistent access to victim networks and potentially laying a foundation for future offensive operations.

Specifically, network device vendors, internet service providers (ISPs), public sector organizations, private sector corporations and small office home office customers have been targeted with a view to getting access to connected customers.

The FBI, DHS and NCSC have released the report to inform those affected so that they can remediate the issues; the activity has been reported by “multiple sources including private and public-sector cybersecurity research organizations and allies.”

White House cybersecurity coordinator Rob Joyce said on a conference call that once an attacker is on a router “they own all the traffic” and an infected router is “a tremendous weapon in the hands of an adversary.”

Joyce was keen to dismiss any reference to Syria in regard to the weekend’s military action. However, he did say that the White House was “intending to give it the gravitas of the whole US government,” and that the attackers’ aim was not to steal, “but to facilitate other actors.”

Ciaran Martin, CEO of the National Cyber Security Centre said: “This is the first time that in attributing a cyber-attack to Russia the US and the UK have, at the same time, issued joint advice to industry about how to manage the risks from attacks. It marks an important step in our fight back against state-sponsored aggression in cyberspace.”

He went on to claim that many of the techniques being used by Russia exploit basic weaknesses in network systems.

“The NCSC is leading the way globally to issue advice and automate defenses at scale to remove those basic attacks, thereby allowing us to focus on the most potent threats,” he said.

Martin also confirmed that the sustained targeting had continued for months and millions of machines were being targeted.

Asked if there were plans to “hit back,” Martin said that the UK response was about mitigations, and the intention of the advisory was to tell owners of networks how to tackle it, but the NCSC was not discussing offensive capabilities.

Developers Outnumber Security Pros 100:1 as Breaches Grow

Mon, 04/16/2018 - 10:35

Breaches related to open source components have soared by 50% since 2017, according to a new study from Sonatype urging developers to adopt DevSecOps practices.

The security vendor polled over 2000 IT professionals to compile its 2018 DevSecOps Community Survey.

The findings chime with a Sonatype study in March which found that one in eight open source components downloaded in the UK last year contained known security vulnerabilities — a 120% year-on-year increase.

It also echoes a new CA Veracode report, which claimed last week that only 52% of global developers update open source components when a new vulnerability is announced.

Overall, one in three respondents to the Sonatype study had or suspected a breach due to web app vulnerabilities in the past 12 months.

The report revealed a need for automated application security testing to tackle cybersecurity issues and improve business productivity.

For example, developers outnumber security professionals by 100:1, while 48% of respondents claimed they don’t have enough time to spend on application security.

The good news is that DevOps seems to be a pathway to DevSecOps: those with mature DevOps practices are 24% more likely to have deployed automated security practices throughout their development lifecycle.

What’s more, 59% of DevOps companies are building more security automation into their development process as awareness around GDPR compliance grows.

Overall, the use of DevSecOps practices grew 15% among respondents.

“As more software is layered into an ecosystem, more automation will make management less challenging,” explained SJ Technologies senior DevOps advocate, Chris Short. “Automating security tooling into container-based workflows will become a critical piece of every major organization's security posture. Remember, always be shifting left.” 

Telegram App Banned in Russia

Mon, 04/16/2018 - 09:36

As expected, messaging app Telegram has been formally blocked in Russia after its owner refused to hand the authorities encryption keys to help with investigations.

The popular app is used by many around the world to communicate without the fear of being monitored by repressive governments.

A recent demand by Russian security agency the FSB to help Telegram decrypt messages linked to six phone numbers went unanswered by the firm.

As a result, a Russian court has now backed the telecoms watchdog Roskomnadzor in issuing the order on Friday to block the app in the country with immediate effect.

The authorities had claimed that Telegram was used by the terrorists who planned the St Petersburg metro attack in April 2017, which killed 15 people, according to news agency TASS.

The company’s owner Pavel Durov — born in St Petersburg but now living in the West — released a statement via the app on Friday, claiming that “the power that local governments have over IT corporations is based on money.”

“At any given moment, a government can crash their stocks by threatening to block revenue streams from its markets and thus force these companies to do strange things (remember how last year Apple moved iCloud servers to China),” he added.

“At Telegram, we have the luxury of not caring about revenue streams or ad sales. Privacy is not for sale, and human rights should not be compromised out of fear or greed.”

Telegram has also consistently argued that the FSB’s requests for encryption keys are unconstitutional and cannot be met from a technical perspective without diminishing security for all users.

It’s the same argument that Apple has used time and again when requested by the FBI for it to provide de facto backdoor access to devices for law enforcers.

Russia’s latest move can be seen in the context of an increasing crackdown on online freedoms by the Putin regime, which has also seen the state ban the use of VPNs.

Lords: UK Could be World Leader in "Ethical" AI

Mon, 04/16/2018 - 09:03

The UK could be a world-leader in artificial intelligence (AI) if it puts ethics first, according to a new House of Lords report — with experts claiming the technology could also help combat cybersecurity challenges.

The Lords select committee’s report, AI in the UK: ready, willing and able?, argued that by taking a proactive role in the development of the new technology, the UK could boost its economy and help to mitigate any associated risks and “misuse.”

The committee recommended AI tech be developed on five principles. It said it should be designed “for the common good and benefit of humanity” and that “the autonomous power to hurt, destroy or deceive human beings should never be vested in artificial intelligence.”

To that end, Cyber Security Challenge CEO Colin Lobley argued that AI could help combat endemic industry skills shortages.

“A lot has been made of a skills gap in cybersecurity and a lack of resources to process, analyse and protect the vast amounts of data being created and processed across virtually every industry. With AI and machine learning, a lot of tasks can be automated, allowing analysts and security professionals to focus on the tasks that require the human touch — assessing flaws, mitigating damage caused by breaches and the like,” he explained.

“As cyber-attacks become more sophisticated, it’s the critical thought brought by people which will be the key to combatting breaches. This will mean a shift from cybersecurity being the reserve of the ‘techie’ to encompass people with skills in areas as varied as behavioral and forensic psychology or even creative disciplines.”

However, a vigorous debate is underway in cybersecurity circles about whether AI will ultimately be a more useful tool for IT security teams or cyber-criminals and state-sponsored hackers.

A Webroot survey from December 2017 found that although 87% of US IT security professionals are using AI and 99% believe it could improve their organization’s cybersecurity posture, 91% of cybersecurity professionals globally said they’re concerned about hackers using the same tech against them.

NTT Security EMEA SVP, Kai Grunwitz, argued recently that AI presents cyber-criminals with several opportunities, including automating the process of discovering new vulnerabilities.

“AI could also be used by the black hats to model, baseline and then imitate ‘normal’ user behavior to craft highly convincing phishing emails,” he added.

“AI might start off the preserve of a select few cyber-crime gangs and nation states, who have the resources to invest in it. But just as with previous tools and techniques before it, the trickle-down effect will see the technology eventually democratized via dark web forums to the majority.”

Early Bird Code Injection Gets the Obfuscation Worm

Fri, 04/13/2018 - 18:29

A new code injection technique dubbed “Early Bird” has been uncovered, allowing the execution of malicious code before the entry point of the main thread of a process, bypassing security product hooks.

The technique appeared in malware samples at the Cyberbit malware research lab. Researchers said in an analysis that they observed the technique used by various malware, including a variant of the notorious Carberp banking malware, the DorkBot malware and the TurnedUp backdoor written by the APT33 Iranian hacker group.

On a technical front, Early Bird starts with a .NET sample deobfuscating itself, then performing process hollowing and filling the hollowed process with a native Windows image.

“The native Windows image injects into the explorer.exe process,” researchers explained. “The payload inside explorer.exe creates a suspended process – svchost.exe – and injects into it.”

In and of themselves, these steps are nothing new: common legitimate Windows processes are among malware’s favorite injection targets (svchost.exe, for instance, is a Windows process designated to host services).

But the technique becomes interesting in the next step: after creating the process, researchers observed the malware allocating memory within it and writing code into the allocated memory region.

“The thread has not even started its execution since the process was created in a suspended state,” researchers said. “It loads the malicious code in a very early stage of thread initialization, before many security products place their hooks – which allows the malware to perform its malicious actions without being detected,” they added.

Early Bird allows malware to be very stealthy indeed: as of March 20, this payload was detected by only 29 out of 62 anti-malware vendors. The original sample, which dates back to 2014, was detected by 47 out of 62 vendors.

Categories: Cyber Risk News

Scammers Bank on Cryptocurrency with Fake Apps

Fri, 04/13/2018 - 18:26

Scammers are taking advantage of the cryptocurrency craze with a bevy of fake apps designed to fool people out of money.

In the mobile app ecosystem, RiskIQ has detected and blacklisted dozens of fake cryptocurrency apps that exploit the names of well-known exchanges and mixers, as well as hundreds of sites that falsely promise to make users money in other ways.

“With cryptocurrency mania in full swing, investors must now navigate an entirely new, rapidly expanding threat landscape,” said Jordan Herman, RiskIQ researcher, in a blog. “Coins, alt-coins, tokens, exchanges and other cryptocurrency apps – both legitimate and malicious – pop up in the marketplace every day, many of which leverage the massive popularity and 'get-rich-quick' promise of cryptocurrency to attract new users. Some of these apps are stood up to target users, while many become the target of hackers themselves.”

One such site, for instance, resembles a common advance-fee scheme. Users can purchase phony coins marketed as various cryptocurrencies with real money (rubles) via PAYEER, with the goal of being able to exchange them for a return on investment later. They can also earn them through bonuses rewarded for taking actions such as clicking on ads, visiting web pages, and recruiting new users. However, the exchange rates for these coins to rubles are intentionally confusing and absurdly steep.

This is only one of a network of sites that seem to be operated by a single individual or group, all sharing the cryptocurrency theme.

“A single IP address…hosts several domains using cryptocurrency themes and falsely promising their users profits,” explained Herman. “Pivoting in RiskIQ PassiveTotal, we see a handful of domains resolving to this address, ranging from sites masquerading as digital currency exchanges, sites offering ways of earning free cryptocurrency, and ‘economic simulators’ that promise users to renew in-game profits for real-world money.”

Users can, however, protect themselves by being vigilant about spotting typosquatting domains and fraudulent branding (domains or subdomains that appear to belong to major brands) and by carefully evaluating exchange services before placing their money with them. If it seems like a get-rich-quick scheme, then it’s likely a scam.

Categories: Cyber Risk News

Cybercriminals Earn Millions, And Spend It Wildly

Fri, 04/13/2018 - 18:23

While cybercriminals don’t pay taxes on their income, if they did, their annual earnings might push them into one of the higher tax brackets. Some spend their money like legitimate earners typically do – but others tend to blow it on fast cars, hookers and drugs.

According to a Bromium analysis of how much money cybercriminals earn and what they spend it on, high earners make up to $2 million per year. Mid-level criminals make up to $900,000, or more than double the US presidential salary. And entry-level hackers make $42,000 – significantly more than the average UK graduate.

“Every time someone pays a ransom, they are participating in the web of profit,” said Gregory Webb, CEO of Bromium. “Cybercrime is a lucrative business, with relatively low risks compared to other forms of crime. Cybercriminals are rarely caught and convicted because they are virtually invisible. As criminals further monetize their businesses by allowing anyone to buy prepackaged malware or hire hackers on demand, the ability to catch the kingpins becomes even more challenging. The cybersecurity industry, business and law enforcement agencies need to come together to disrupt hackers and cut off their revenue streams. By focusing on new methods of cybersecurity that protect rather than detect, we believe we can make cybercrime a lot harder.”

Data gathered through firsthand interviews with 100 convicted or currently engaged cybercriminals, combined with dark web investigations, revealed that 15% of cybercriminals, like the rest of us, spend most of their money on immediate needs, such as buying diapers and paying bills. About 30% of cybercriminals convert some of their revenues into investments, such as property or financial instruments, and other items that hold value, such as art or wine.

They reinvest in their businesses, too: About 20% of cybercriminals spend at least some of their revenue on further criminal activities, such as buying IT equipment.

About 15% of cybercriminals spend to attain status or to impress romantic interests and other criminals, like buying expensive jewelry. Bromium found that there is a growing market catering to cybercriminals by allowing them to buy things with virtual currency. Sites such as The White Company, Bitcoin Real Estate and De Louvois offer luxury products priced in Bitcoin, which is becoming a concern for financial analysts.

Additionally, 20% focus their spending on bad habits – like buying drugs or paying prostitutes.

One individual in the UK, who made around £1.2 million per year, spent huge amounts of money on a trip to Las Vegas, where he claimed to have gambled $40,000 and spent $6,000 hiring sports cars so that they could “arrive in style” to casinos and hotels. Another UK cybercriminal funneled his proceeds into gold, drugs and expensive watches and spent £2,000 a week on prostitutes.

“The range of spending habits among cybercriminals was fascinating,” said Mike McGuire, the researcher behind the report. “It’s alarming how easily cybercriminals are able to spend their illicit gains. There is an ever-growing market that is almost tailor-made for cybercriminals to make these ostentatious purchases with little to no regulation or oversight.”

Categories: Cyber Risk News

GWR Resets Passwords After Accounts Are Accessed

Fri, 04/13/2018 - 10:00

Great Western Railway (GWR) has been forced to reset in the region of a million user accounts after revealing that a small percentage have been compromised by attackers.

The UK train company, which runs services from London to Cornwall, said around 1000 accounts had been accessed by unauthorized outsiders.

It’s thought the credentials used to access these accounts may have been harvested from another source. The practice of “credential stuffing” — automatically trying breached password and username pairs in an attempt to access other online accounts — is increasingly common and a reason why experts urge the use of unique passwords for each account.

GWR reset all passwords as a precautionary measure but said its own systems had not been hacked.

RSA Security EMEA field CTO, Rashmi Knowles, praised GWR’s transparency and speed in reacting to the incident, but said security could be further enhanced via two-factor authentication on accounts.

“This is why everyone should practice good cyber-hygiene. If you know that one of your accounts has been compromised, and use the same username and password elsewhere, then update your other accounts immediately,” she said.

“More generally, with consumer breaches of this kind on the rise, you should never be using the same passwords for business and personal use. Targeting consumers is often a gateway into their place of work for hackers. By having separate passwords, you can minimize the chances of your employer being affected.”

Mike Viscuso, CTO of Carbon Black, argued that adding extra characters to your password can make it harder to crack.

“While there’s more than just brute-force guessing as a method to stealing passwords, the sentiment remains the same — the more complex a password is, the harder it may be for a hacker to steal and leverage,” he added. “And, beyond creating complex passwords, using a password manager, never reusing old or existing passwords, and using two-factor authentication, are all good tips to ensure better cybersecurity hygiene.”

Categories: Cyber Risk News

Q1 Cyber-Attacks on UK Firms Jump 27%

Fri, 04/13/2018 - 09:17

Online attacks on UK businesses jumped by over a quarter (27%) year-on-year in the first three months of the year, according to Beaming.

The business ISP claimed each UK firm experienced on average 600 attempts per day to breach its firewall between January and March 2018, compared to 474 attempts in the same period last year.

As per previous months, Internet of Things (IoT) endpoints were targeted the most, accounting for 54% of attacks, followed by attempts to compromise corporate databases (11%).

Beaming claimed the idea here is not necessarily to use the IoT endpoints as a stepping stone into corporate networks but to hijack them for use in DDoS botnets.

Security researchers discovered a new version of the infamous Mirai IoT botnet last month which has already been used to launch DDoS attacks on financial services firms.

The volume of attacks on UK businesses originating from Europe more than doubled during Q1 2018, from 3365 per business in January to 8983 attacks per business in March, as the region overtook Asia as number one attack source, accounting for 44%.

In addition, over a third (35%) of attacks came from the Czech Republic and 12% were from Russian IP addresses, although in all cases defining the true source of an attack is difficult as hackers can route their raids through multiple countries.

“Company firewalls and IT security systems have been under constant pressure from malicious computer scripts and we’ve had to constantly update our network-level protections to keep up with new and evolving threats,” said Beaming managing director, Sonia Blizzard.

“It is important that businesses of all sizes regularly review their cybersecurity measures, monitor their IT systems and communication networks for unusual activity and take all the help they can get to stay ahead of the criminals.”

A report from Gemalto out this week claimed that the UK suffered the second highest number of publicly reported data breaches in the world last year: 80. Although the number of compromised records fell from 54.5 million in 2016 to 33.1 million last year, it’s thought that the introduction of the GDPR will drive the number up significantly over the coming years.

Categories: Cyber Risk News

Uber Hit with New FTC Breach Settlement

Fri, 04/13/2018 - 08:48

Uber has agreed to an expanded settlement with the Federal Trade Commission (FTC) over its massive 2016 data breach, and now faces civil penalties if it fails to notify the regulator of future incidents.

The under-fire ride-sharing company struck its original deal with the FTC before revelations emerged that the firm had suffered a damaging breach of 57 million global riders and drivers, then tried to hush it up by paying the hackers $100,000.

The new settlement confirms details of that incident, well understood by now, in which hackers accessed an Amazon Web Services account “access key” stored on code sharing site GitHub, allowing them to download unencrypted files containing the sensitive personal data.

By failing to use multi-factor authentication for its GitHub account, Uber had exposed the credential to malicious third parties able to brute-force or guess the account password.

The new settlement compels Uber to disclose “future incidents” involving consumer data and submit all reports from third-party audits of its privacy program, rather than the originally requested initial report. It also has to retain certain bug bounty report records of vulnerabilities that relate to “potential or actual unauthorized access to consumer data.”

“After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the commission that it suffered another data breach in 2016 while the commission was investigating the company’s strikingly similar 2014 breach,” said acting FTC chairman Maureen Ohlhausen. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.”

The original settlement, now consigned to the bin, charged that Uber failed to live up to claims that it closely monitored employee access to rider and driver data and that it had deployed “reasonable measures” to secure personal data stored on a cloud provider’s servers.

If Uber fails to disclose a future breach, and it involves data on European citizens, it will also face the possibility of severe GDPR fines, up to €20m ($24.7m) or 4% of global annual turnover.

Categories: Cyber Risk News

Nation-State Attacks Take 500% Longer to Find

Thu, 04/12/2018 - 19:25

When it comes to threats that put your business at risk, gaining visibility into attacks remains a challenge. New research shows that in 50% of cases over the past 12 months, organizations had insufficient endpoint or network visibility to respond successfully.

According to cybersecurity specialist Secureworks’ Incident Response Insights Report, which is based on the analysis of real-world attacks, there has been increasing complexity when it comes to nation-state efforts. As a result, these take 500% longer to find.

Meanwhile, the top three industries most impacted by targeted cyber-threats were manufacturing, technology and government. On average, these targeted threats remained undetected in an organization’s IT networks for 380 days. In fact, incident responders frequently encountered threat actors who had access to compromised environments for months, sometimes even years.

Meanwhile, financially motivated criminal activity far outweighs government-sponsored threat actors and insider threats, with 83% of attacks being financially motivated.

Phishing continues to be hackers’ favorite method for gaining access into organizations. About 40% of the incidents Secureworks investigated began with a phishing email.

On the defensive front, patching remains an issue, and lapses were a consistent theme in 2017 response engagements. While patching guidance and best practices are plentiful, the practicalities of applying patches to all affected assets, as soon as they become available, is rarely a straightforward exercise. Patching is often de-prioritized due to concerns about business continuity, for example. However, there is compelling evidence for getting it done.

“In almost every case where software vulnerabilities were exploited by an adversary to gain access to a network or system, the vendor had released security patches for those vulnerabilities months beforehand,” said Don Smith, senior director, Cyber Intel Cell and EMEA Lead, for the Secureworks Counter Threat Unit (CTU).

Categories: Cyber Risk News