Security researchers revealed today that it took them just hours to access over 100,000 personal records and credentials belonging to United Nations employees.
A team from Sakura Samurai had decided to look for bugs to report to the UN under its vulnerability disclosure program, first probing multiple endpoints that were in scope.
It initially found an exposed subdomain belonging to the International Labour Organization (ILO), a UN body, according to Sakura Samurai founder John Jackson. This gave them access to Git credentials, which they used to take over a legacy MySQL database and a survey management platform. The credentials were exfiltrated with the git-dumper tool.
Although these assets contained “hardly anything of use,” the researchers then discovered an exposed subdomain related to the United Nations Environment Programme (UNEP), which was a much bigger privacy risk. The domain was also leaking Git credentials.
“Ultimately, once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects and within the projects we found multiple sets of database and application credentials for the UNEP production environment,” Jackson explained.
“In total, we found seven additional credential pairs which could have resulted in unauthorized access of multiple databases. We decided to stop and report this vulnerability once we were able to access PII that was exposed via database backups that were in the private projects.”
In total, the team discovered over 100,000 employee records including names, ID numbers, gender, pay grade, records of travel details, work sub-areas and departments, evaluation reports and funding source records.
The UN is a frequent target for nation-state attackers, and its cybersecurity has often been found wanting in the past.
A year ago it emerged that hundreds of gigabytes of internal data, potentially including highly sensitive information on human rights activists, had been stolen in 2019 by attackers.
Controversially, the organization itself appeared to use its diplomatic immunity to keep the incident a secret.
Fortunately, this time around the UN is believed to have quickly patched the vulnerabilities in question and secured the exposed data.
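An added defender-side audit (not code from Sakura Samurai, the UN or the original report) for the two conditions that made the chain above possible: version-control metadata left under a web document root, where tools like git-dumper can fetch it unless the server denies the path, and credential-like strings committed to the repository it exposes. The directory layout, file contents and regex patterns are constructed assumptions.

```python
"""Defender-side audit: find VCS metadata under a web document root and
credential-like strings in the files (metadata included) beneath it.
Sample tree is constructed; patterns are illustrative, not a full secret scanner."""
import os
import re
import tempfile
from pathlib import Path

VCS_DIRS = (".git", ".svn", ".hg")

# Illustrative credential patterns (assumptions, not from the original report).
SECRET_PATTERNS = {
    # user:password embedded in a clone or connection URL, e.g. https://user:pw@host/repo.git
    "url-with-credentials": re.compile(
        r"\b(?:https?|mysql|postgres(?:ql)?|mongodb)://[^\s:/@]+:[^\s@/]+@", re.I),
    # password = "..." style assignments in config or source files
    "password-assignment": re.compile(
        r"\b(?:password|passwd|db_pass)\s*[=:]\s*['\"]?[^\s'\"]{6,}", re.I),
    # GitHub personal access token format (ghp_ followed by 36 alphanumerics)
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def find_exposed_vcs_dirs(webroot: Path) -> list[Path]:
    """Return VCS metadata directories anywhere under a document root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(webroot):
        for name in list(dirnames):
            if name in VCS_DIRS:
                hits.append(Path(dirpath) / name)
                dirnames.remove(name)  # no need to descend into the metadata itself
    return sorted(hits)


def find_committed_secrets(root: Path) -> list[tuple[str, str, int]]:
    """Return (relative path, pattern name, line number) for every credential-like
    line in text files under root. VCS metadata is deliberately included, since
    .git/config may carry a remote URL with embedded credentials."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # compressed objects, packfiles and other binaries are skipped
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern_name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path.relative_to(root).as_posix(), pattern_name, lineno))
    return findings


def build_sample_webroot(base: Path) -> Path:
    """Constructed site: a git checkout deployed straight into the document root."""
    site = base / "www"
    (site / ".git").mkdir(parents=True)
    (site / "config").mkdir()
    (site / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    (site / ".git" / "config").write_text(
        '[remote "origin"]\n'
        '\turl = https://deploy:CONSTRUCTED-pw@git.example/org/site.git\n')
    (site / "config" / "db.php").write_text(
        '<?php\n$db_host = "db.internal";\n$db_pass = "CONSTRUCTED-S3cret!";\n')
    (site / "index.html").write_text("<html><body>hello</body></html>\n")
    return site


def run_audit() -> dict:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_webroot(Path(tmp))
        return {
            "exposed_vcs": [p.relative_to(site).as_posix() for p in find_exposed_vcs_dirs(site)],
            "secrets": find_committed_secrets(site),
        }


if __name__ == "__main__":
    print(run_audit())
```

If a checkout has to live under the document root, the web server must deny the metadata path (for nginx, a `location ~ /\.git` block returning 404); deploying build artefacts rather than the repository itself avoids the exposure entirely.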
Privacy experts are celebrating after the High Court ruled against the intelligence agencies’ use of bulk hacking for domestic targets.
In 2014, Edward Snowden first revealed the use of hacking techniques to target large numbers of users simultaneously. The government relied on the issuing of “general warrants” under section 5 of the Intelligence Services Act 1994 to do so.
Non-profit Privacy International challenged the practice in the Investigatory Powers Tribunal (IPT), a secretive court set up to handle cases involving the intelligence agencies. However, the IPT ruled in the latter’s favor, back in 2016.
Although the government then tried to block a High Court challenge to the ruling, by claiming the tribunal’s decisions can’t be subject to judicial review, it lost, and the case went ahead.
On Friday, the High Court agreed with Privacy International, quashing the IPT decision.
It cited 250 years of common law precedent whereby individuals have a right not to have their property searched without lawful authority, even in cases of national security. As general warrants don’t apply to individuals, the authorities are wrong to take this approach, it found.
“The aversion to general warrants is one of the basic principles on which the law of the United Kingdom is founded,” the court noted. “As such, it may not be overridden by statute unless the wording of the statute makes clear that parliament intended to do so.”
Privacy International legal director, Caroline Wilson Palow, argued the ruling brought legal precedent into the modern age, where searching “property” could mean remotely spying on users’ digital lives.
“General warrants are no more permissible today than they were in the 18th century. The government had been getting away with using them for too long. We welcome the High Court's affirmation of these fundamental constitutional principles,” she said.
However, some government hacking powers are now governed by a newer law, the controversial Snooper’s Charter, or Investigatory Powers Act.
There are also various legal challenges underway to this legislation. In October last year, campaigners received a boost when the Court of Justice of the European Union (CJEU) ruled that bulk collection and retention of citizens’ data must be brought into line with EU privacy law, even in cases of national security.
The UK has a vested interest in rowing back from its position on bulk surveillance, as it seeks an “adequacy decision” from the EU on data handling that is vital to seamless cross-border data flows in the new post-Brexit era.
A Russian hacker who was instrumental in one of the largest thefts of US customer data from a single financial institution in history has been sentenced to prison.
Moscow resident Andrei Tyurin, also known as Andrei Tiurin, was part of an international hacking campaign that compromised the computer systems of major financial institutions, brokerage firms, news agencies, and other companies to steal data.
Tyurin's illegal activities were committed with the help of partner Gery Shalon, along with Joshua Samuel Aaron, Ziv Orenstein, and other co-conspirators in furtherance of securities market manipulation, illegal online gambling, and payment processing fraud schemes.
According to the allegations contained in the indictments to which Tyurin pled guilty, the 37-year-old Muscovite hacked into companies between 2012 and mid-2015 and stole the personal information of over 100 million customers.
Among the companies targeted were E*Trade, Scottrade, the Wall Street Journal, and JPMorgan Chase and Co., from which Tyurin stole personal data belonging to more than 80 million of the bank's customers.
On top of the hacks, from around 2007 to mid-2015, Tyurin carried out cyber-attacks against numerous American and foreign companies for the benefit of various criminal enterprises operated by Shalon and his co-conspirators, including unlawful internet gambling businesses and international payment processors.
Through these various criminal schemes, Tyurin, Shalon, and their co-conspirators obtained hundreds of millions of dollars in illicit proceeds, with Tyurin personally amassing $19m in profits from his hacking activity alone.
In one scheme, Tyurin, Shalon, and his co-conspirators misleadingly marketed certain stocks, publicly traded in the US, to customers of the victim companies whose contact information Tyurin had stolen, in an attempt to artificially inflate the stocks' prices.
To carry out his nefarious activities, Tyurin used computer infrastructure located across five continents, which he controlled from his home.
Tyurin was extradited to the United States from the country of Georgia in September 2018. On January 7, in Manhattan Federal Court, US District Judge Laura Taylor Swain sentenced Tyurin to 144 months in prison for computer intrusion, wire fraud, bank fraud, and illegal online gambling offenses in connection with his involvement in the hacking campaign.
In addition to the prison term, Judge Swain ordered Tyurin to pay forfeiture in the amount of $19,214,956.
A cyber-attack on a Vermont healthcare provider has delayed the rollout of an electronic health record (EHR) system and cost millions of dollars in lost revenue.
The University of Vermont Health Network, which is based in Burlington, was hit by ransomware in October 2020, and is yet to make a full recovery. Most computer systems have been brought back online; however, some applications are still down, causing delays in various departments, including radiology.
The network serves much of Vermont and parts of upstate New York. When attackers struck at six of the network's hospitals, Vermont's governor, Phil Scott, deemed the situation serious enough to merit the deployment of the Vermont Army National Guard’s Combined Cyber Response Team 1 to aid in the recovery effort.
In December, UVM Health Network CEO Dr. Stephen Leffler said that the cyber-attack was costing the network about $1.5m a day in lost revenue and recovery costs.
The UVM Health Network completed the first phase of implementation of the Epic EHR system in November 2019, launching additional clinical and administrative capabilities for inpatient and outpatient settings that included clinical care, billing, registration, and scheduling.
Phases two and three were scheduled to take place in March 2021 and November 2021. However, the combined effects of the ransomware attack and the impact of the coronavirus outbreak have now pushed those dates back to November 2021 and April 2022, pending approval from the Green Mountain Care Board.
“In 2020, our Network, like those across the world, experienced tremendous challenges due to the COVID-19 pandemic, only to be further encumbered by a ransomware attack,” John Brumsted, M.D., president and CEO of the UVM Health Network, said in a statement published Tuesday.
“An electronic health record is one of the most significant things we can do to ensure high quality care and create a seamless experience for our patients. That is why it is absolutely critical to our patients, our people, and our communities that we get the implementation of this system right.
“Given the obstacles we faced over the last year, modifying our timeline for installation of the EHR is the right thing to do.”
By bringing StackRox’s Kubernetes-native security capabilities to Red Hat OpenShift, Red Hat said it hopes to take one step closer to creating a single platform that will enable users to "build, deploy and securely run nearly any application across the entirety of the hybrid cloud."
In addition to Red Hat OpenShift, StackRox will carry on supporting multiple Kubernetes platforms, including Microsoft Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE).
StackRox was founded in 2014 with the goal of reinventing enterprise security. The company is headquartered in Mountain View, California, and employs around 60 people.
For StackRox CEO Kamal Shah, the planned acquisition is confirmation of StackRox's originality when it comes to Kubernetes security, which over the past two years has evolved to be the company's focus.
"We're thrilled to join forces with Red Hat, coupling the industry’s first Kubernetes-native security platform with the leading Kubernetes platform for hybrid cloud, multicloud, and edge deployments," said Shah.
"This is a tremendous validation of our innovative approach to container and Kubernetes security. Red Hat is an ideal partner to accelerate our vision of enabling organizations to securely build, deploy and run their cloud-native applications anywhere."
Red Hat revealed plans to open source StackRox’s technology post-acquisition in an action that's consistent with Red Hat's open source heritage. Red Hat has pledged to continue to support the KubeLinter community as well as new communities as the company works to open source StackRox’s tech treasures.
The transaction is scheduled to close in the first quarter of 2021, subject to the usual closing conditions.
"Securing Kubernetes workloads and infrastructure cannot be done in a piecemeal manner; security must be an integrated part of every deployment, not an afterthought," said Red Hat CEO and president Paul Cormier.
"Red Hat adds StackRox's Kubernetes-native capabilities to OpenShift's layered security approach, furthering our mission to bring product-ready open innovation to every organization across the open hybrid cloud across IT footprints."
The notorious Emotet Trojan is back at the top of the malware charts, having had a makeover designed to make it more effective at escaping detection.
Check Point’s newly released Global Threat Index for December 2020 revealed that the malware variant bounced back from fifth place in November.
It now accounts for 7% of malware infections globally after a spam campaign targeted more than 100,000 users per day over the holiday period, the security vendor claimed. Emotet is closely followed by fellow modular Trojan Trickbot and info-stealer Formbook, both on 4%.
“It has now been updated with new malicious payloads and improved detection evasion capabilities: the latest version creates a dialogue box, which helps it evade detection from users,” explained Check Point.
“The new malicious spam campaign uses different delivery techniques to spread Emotet, including embedded links, document attachments, or password-protected Zip files.”
Emotet and Trickbot are often used in combination by ransomware groups to gain an initial foothold into networks. Attackers can then pick and choose which victims to go after with “hands-on-keyboard” multi-staged attacks.
In fact, a new report detailing the activities of the Ryuk variant recommended one of the best ways for organizations to mitigate the threat is to prevent initial infection by malware like Emotet.
The focus therefore should be on email security with anti-phishing capabilities and enhanced end user awareness training, although defense-in-depth is always preferable, including two-factor authentication and prompt patching to reduce the attack surface further.
“Emotet was originally developed as banking malware which sneaked on to users’ computers to steal private and sensitive information. However, it has evolved over time and is now seen as one of the most costly and destructive malware variants,” said Maya Horowitz, director of threat intelligence & research, products at Check Point.
“It’s imperative that organizations are aware of the threat Emotet poses and that they have robust security systems in place to prevent a significant breach of their data. They should also provide comprehensive training for employees, so they are able to identify the types of malicious emails which spread Emotet.”
Ping Identity has announced the appointment of Hall of Fame CIO Paul Martin to its board of directors.
Martin will help the security firm enhance its leadership strategy and IT innovation. He joins with a strong track record as an IT leader, having received a number of accolades. This includes being named to the CIO Hall of Fame by CIO Magazine in 2017 and being awarded the 2020 Chicago CIO of the Year Leadership ORBIE Award.
His most recent position was as CIO and senior vice-president for healthcare company Baxter International Inc., where he was responsible for its global IT strategy, operations, security and processes. He has also held IT leadership roles at Rexam PLC, CIT Group, BNSF Railway and Frito-Lay Inc.
Commenting on the appointment, Andre Durand, CEO of Ping Identity, said: “Few CIOs can match Paul’s proven track record of innovating IT solutions that generate bottom-line profitability and stakeholder value. His extensive experience in the CIO community will bring greater insight to Ping Technology’s leadership, and further champion our customers throughout all business operations.”
Martin is also a board member for Unisys Corporation and Baxter Credit Union as well as being a trustee at Rush University Medical Center and Ravinia Festival.
The appointment of Martin is the latest step taken by Ping Identity to expand its business during recent months. In October, it appointed Emma Maslen as its vice-president and general manager for EMEA and APAC to grow its international operations, and in November announced the acquisition of dynamic authorization company Symphonic Software.
The infamous operators of the Ryuk ransomware have amassed a fortune of at least $150m, according to researchers who studied the flow of Bitcoin to the group.
A new report from US threat prevention firm AdvIntel and UK-based threat intelligence vendor Hyas is based on analysis of 61 cryptocurrency deposit addresses linked to Ryuk.
Most of the digital currency the group collects is sent to Asia-based exchanges Huobi or Binance, which may help them to escape scrutiny, the report authors argued.
“Huobi and Binance are interesting choices because they claim to comply with international financial laws and are willing to participate in legal requests but are also structured in a way that probably wouldn’t obligate them to comply. In addition, both Huobi and Binance are companies that were founded by Chinese nationals but moved their business to other countries that are more friendly to cryptocurrency exchanges,” the researchers explained.
“Both exchanges require identity documents in order to exchange crypto-currencies for fiat or to make transfers to banks, however it isn’t clear if the documents they accept are scrutinized in any meaningful way.”
The team were also able to observe “significant flows” of Bitcoin to smaller entities. These are likely to be criminal enterprises set up to help launder funds into local currencies or other types of digital money.
As a further step to obfuscate their true identity, the Ryuk attackers get victims to pay a well-known broker, who in turn makes payments to the group, sometimes in the millions but more likely in the hundreds of thousands of dollars.
Any money not cashed out at the two Asian exchanges is used to pay for goods and services on cybercrime markets, the report claimed.
Two unique Protonmail addresses are prepared to communicate with each victim. Victim organizations are selected according to a scoring system in precursor malware used by the attackers, which apparently assesses their likelihood of paying.
“With the limited visibility available to analysts, it is painfully clear that the criminals behind Ryuk are very business-like and have zero sympathy for the status, purpose or ability of the victims to pay,” the researchers continued.
“Sometimes the victims will attempt to negotiate with Ryuk and their significant offers are denied with a one-word response. Ryuk did not respond or acknowledge one organization that claimed to be involved in poverty relief and lacked the means to pay.”
The report recommended organizations develop counter-measures to prevent initial infection by precursor malware like Emotet or Zloader. All remote access points should require multi-factor authentication (MFA), and Office macros and remote access tools should be restricted, it added.
The Russian CEO of a software provider has hit back at reports that one of the firm’s products may have been exploited by Russian hackers in the recent SolarWinds campaign.
Czech-headquartered JetBrains provides tools for software developers including TeamCity, a continuous integration and deployment system at the center of the reports.
The New York Times and others claimed that unspecified US intelligence agencies and cybersecurity investigators are looking into whether Russian state attackers managed to compromise the software. They’re unsure whether it may have been used to gain a foothold into the SolarWinds developer environment, or as a direct attack vector into US government systems, it said.
According to the report, JetBrains is used at 300,000 businesses globally including 79 of the Fortune 100 and has research labs in Russia.
However, in two posts following the reports, St Petersburg-based CEO Maxim Shafirov rejected any allegations that the firm may have played an unwitting role in the audacious cyber-espionage campaign, and added that no government officials had yet been in contact.
“To date we have no knowledge of TeamCity or JetBrains having been compromised in any way that would lead to such a situation. In addition, we not only run regular scheduled audits of our software, but we are now organizing a further independent security audit of TeamCity,” he explained.
“If we are to find any vulnerability in the product that may have led to this, we will be fully transparent on the matter and inform our customers under our security and privacy policies. It’s also worth mentioning that we ourselves do not use SolarWinds Orion or any of their other software.”
Shafirov essentially argued that if JetBrains is under investigation, it is merely because TeamCity is used by SolarWinds during its build process.
However, in a separate post, he did explain a hypothetical situation in which the product may have been abused.
“It’s important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability,” Shafirov said.
This week, the Department of Justice became the first US government entity to shed some light on the scope of the compromise, claiming attackers managed to access 3% of its Office 365 inboxes, which means more than 3,000 users were affected.
Cyber-attackers are disguising malware as a video file depicting a fake sex scandal involving United States President Donald Trump.
The email-based attack was discovered by cybersecurity researchers at Trustwave who were reviewing their spam traps.
Targets are sent an email with the attachment “TRUMP_SEX_SCANDAL_VIDEO.jar”. Those who click on the malicious Java Archive (JAR) file unwittingly install the Qnode Remote Access Trojan (RAT) onto their computer.
Unusually, the title of the malicious file bore no resemblance to the subject of the email to which it was attached.
When the researchers opened the email “GOOD LOAN OFFER!!,” they expected to discover nothing more than an investment scam. However, attached to the email was an archive containing the malicious JAR file.
"We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is totally unrelated to the email’s theme," wrote researchers.
An investigation into the attack revealed that the JAR file is a variant of a QRAT downloader researchers brought to the public's attention in August. Similarities between the new and old variants include the use of Allatori Obfuscator to obfuscate the JAR file and the retrieval of the Node.js installer from the official website nodejs.org.
As is the case with the old variants, researchers found that the new downloader supports Windows platforms only.
Researchers noted that while the Trump sex scandal email campaign used to deliver the malware "was rather amateurish," the new QRAT was more sophisticated than prior variants.
"This threat has been significantly enhanced over the past few months since we first examined it. To achieve the same end goal, which is to infect the system with a QNode RAT, the JAR file downloader characteristics and behavior were improved," wrote researchers.
The attackers ditched the string “qnodejs,” which can distinguish the files related to this threat. And, to avoid detection, they split up the malicious code of the downloader into different buffers inside the JAR.
Researchers advised email administrators to "take a hard line" against inbound JARs and to use their email security gateways to block them.
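As an added example (not code from Trustwave or the original report), a Python attachment check of the kind the recommendation above calls for: it flags JARs by content as well as by extension, follows a JAR nested inside a plain ZIP, and treats a password-protected ZIP (the Emotet delivery method noted earlier on this page) as uninspectable and therefore blocked. The sample message, archives and filenames are constructed assumptions.

```python
"""Attachment policy check: flag Java archives (by extension or content, even
when nested inside a ZIP) and password-protected ZIPs, whose contents a gateway
cannot inspect.  All sample data is constructed; nothing here runs attachment
contents."""
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local-header / empty-archive signatures
ENCRYPTED_BIT = 0x1                          # general-purpose flag bit 0 = encrypted entry
BLOCKED = {"jar-extension", "jar-content", "encrypted-zip"}


def classify_blob(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return policy flags for one attachment body, recursing into plain ZIPs."""
    flags = []
    if filename.lower().endswith(".jar"):
        flags.append("jar-extension")
    if data[:4] not in ZIP_MAGIC:
        return flags
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()
            names = {e.filename.upper() for e in entries}
            # A JAR is just a ZIP with a manifest and/or class files; its name is irrelevant.
            if "META-INF/MANIFEST.MF" in names or any(n.endswith(".CLASS") for n in names):
                flags.append("jar-content")
            if any(e.flag_bits & ENCRYPTED_BIT for e in entries):
                flags.append("encrypted-zip")
            if depth < 2:  # bounded recursion into nested archives
                for e in entries:
                    if e.is_dir() or e.flag_bits & ENCRYPTED_BIT:
                        continue
                    inner = zf.read(e)
                    if inner[:4] in ZIP_MAGIC or e.filename.lower().endswith(".jar"):
                        flags.extend("nested:" + f for f in classify_blob(e.filename, inner, depth + 1))
    except zipfile.BadZipFile:
        flags.append("corrupt-zip")
    return flags


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename in an RFC 5322 message to its policy flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report[name] = classify_blob(name, part.get_payload(decode=True) or b"")
    return report


def should_quarantine(report: dict[str, list[str]]) -> bool:
    """Quarantine when any attachment, at any nesting depth, hits a blocked class."""
    return any(flag.rsplit("nested:", 1)[-1] in BLOCKED
               for flags in report.values() for flag in flags)


def make_zip(entries: dict[str, bytes], mark_encrypted: bool = False) -> bytes:
    """Build a ZIP; optionally set the 'encrypted' flag on the first entry the way a
    password-protected archive does (data is left in clear: constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        raw[6:8] = struct.pack("<H", ENCRYPTED_BIT)               # local file header flags
        cd = raw.find(b"PK\x01\x02")
        raw[cd + 8:cd + 10] = struct.pack("<H", ENCRYPTED_BIT)    # central directory entry flags
    return bytes(raw)


def build_message(subject: str, attachments: dict[str, bytes]) -> bytes:
    """Constructed sample e-mail carrying the given attachments."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "sender@example.invalid", "user@example.invalid"
    msg.set_content("Constructed sample body.")
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Minimal JAR-shaped archive: manifest plus a class-file stub (magic bytes only, not real code).
JAR_SAMPLE = make_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: Loader\n",
    "Loader.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,
})

# Mirrors the campaign above: unrelated subject, a ZIP wrapping a JAR whose name has nothing
# to do with the mail, plus a password-protected ZIP of the kind the Emotet campaign used.
SAMPLE_EMAIL = build_message("GOOD LOAN OFFER!!", {
    "offer.zip": make_zip({"VIDEO.jar": JAR_SAMPLE}),
    "invoice.zip": make_zip({"invoice.doc": b"constructed"}, mark_encrypted=True),
    "notes.txt": b"plain text attachment, should pass",
})

if __name__ == "__main__":
    report = scan_message(SAMPLE_EMAIL)
    print(report, "quarantine:", should_quarantine(report))
```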
The United States Army has promoted the first Army Reserve cyber officer to the rank of brigadier general.
Colonel Robert Powell Jr. was promoted in a December ceremony held at Signal Theater at Fort Gordon in Georgia. Having pinned the one-star rank to his Army Green Service Uniform, Powell will serve as the deputy commanding general of the 335th Signal Command (Theater).
Powell was born in Tennessee and graduated from Middle Tennessee State University in 1991. He was commissioned through the Reserve Officer Training Corps (ROTC) and started his military career as an armor officer with the 1st Cavalry Division at Fort Hood, Texas.
In 2004, Powell joined the Army Reserve as a military intelligence officer. He commanded the US Army Reserve Cyber Protection Brigade from 2016 to 2019 and recently mobilized to support the Cyber National Mission Force, US Cyber Command at Fort Meade in Maryland.
Powell's promotion ceremony was hosted by Maj. Gen. Stephen J. Hager, deputy commander of operations, Cyber National Mission Force, US Cyber Command, whom Powell met during a deployment in Kuwait. Hager recruited Powell to the Cyber National Mission Force after being tasked with finding talented senior officers for US Army Cyber Command.
"Out of over 200,000 people in the Army Reserve, there are less than 130 general officers," said Hager. "The jump from colonel to flag officer is a very competitive endeavor."
Hager added that with his acceptance of the new role, Powell's allegiance to the Army had entered new territory.
"This is a major event," said Hager. "This appointment and promotion come with a very large commitment. I often tell leaders that when you are a colonel with 25 to 30 years you are 'seriously dating the Army. When you become a general, you are married to the Army.'"
Hager told Powell's wife, daughter, and son, who were present at the ceremony, that they should be proud of Powell's promotion.
"Rob is the first United States Army Reserve General Officer to come from the cyber branch. That is significant since it demonstrates to our younger troops that there is a path to general officership," said Hager.
The United States has imprisoned the leader and several members of a cyber-gang that stole $5m in a skimming attack on gas pumps in the Eastern District of Virginia.
According to court documents, the six conspirators placed skimming devices on gas pumps located in Northampton County. The devices recorded the credit and debit card numbers, along with their PINs, of customers who used their card at the pump to pay for gas.
In April and May 2018, the crew traveled to various branches of the supermarket Harris Teeter, among other destinations, and used the stolen card information to withdraw money from the victims’ bank accounts. The illicitly obtained financial data was also exploited to purchase prepaid gift cards.
The all-male crew, all Cuban nationals residing in Florida, was sentenced on January 5 to a combined total of more than 28 years in prison. Four of the men were convicted of aggravated ID theft, while all six were convicted of conspiracy to commit bank fraud.
Several other conspirators involved in the attack remain at large and are thought to be living in Mexico.
The Department of Justice said that many of the conspirators "had significant criminal histories involving the same conduct and were known to travel the country perpetrating this scheme." Over the course of several years, the gang caused victims to suffer aggregate losses of over $5m.
Crew leader Yasmani Granja Quijada used his email account to deal in stolen data. The 33-year-old was found to be trading over 9,800 additional stolen credit card numbers.
Quijada received the largest sentence of 120 months in prison. Twenty-nine-year-old Luis Miguel Fernandez Cardente received 64 months; 31-year-old Jorge Bello Fuentes, 60 months; 34-year-old Guillermo Bello Fuentes, 47 months; 40-year-old Pedro Emilio Duran, 30 months; and 29-year-old Yariel Monsibaez Ruiz, 19 months.
The FBI and US Marshals Service seized numerous vehicles and other items that were purchased by the criminals with stolen funds, including a 2006 Triton 2895CC Boat and trailer, a 2017 Ford F250 Super Cab truck, a 2016 Cruise Radiance Travel Trailer RV, a 2017 Ford Escape SUV, a 2017 Maserati Ghibli, and a 2013 Porsche Panamera.
Sensitive data stolen from Hackney Council in the UK has allegedly been published online, three months after the ransomware attack on the local authority that took place last year.
A cyber-criminal group called Pysa/Mespinoza has claimed it has published a range of information resulting from the incident on the dark web. This includes sensitive personal data of staff and residents, such as passport documents.
In October 2020, London’s Hackney Council revealed it had been victim of a serious cyber-attack which affected many of its services and IT systems.
In a new statement on its website, the council said it was working with the NCSC, the National Crime Agency, the Information Commissioner's Office, the Metropolitan Police and other experts to investigate what has been published and the next steps to take.
It noted that experts believe the data has not been published on a widely available public forum and is not visible through internet search engines, adding that “at this stage, it appears that the vast majority of the sensitive or personal information held by the council is unaffected, but the council and its partners are reviewing the data carefully and will support any directly affected people.”
Mayor of Hackney, Philip Glanville, stated: “I fully understand and share the concern of residents and staff about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected.
“While we believe this publication will not directly affect the vast majority of Hackney’s residents and businesses, that can feel like cold comfort, and we are sorry for the worry and upset this will cause them.
“We are already working closely with the police and other partners to assess any immediate actions we need to take, and will share further information about the additional action we will be taking as soon as we can.”
Commenting on the story, Matt Aldridge, principal solutions architect, Carbonite & Webroot, said: “Once a data breach has occurred, and the data has been exfiltrated, no amount of ransom payment can guarantee that all copies of the data will be securely destroyed. For this reason, it is critical that all organizations invest appropriately in their cyber-defenses and, wherever possible, that they have their approach validated by trusted independent third parties.
“Understanding the criticality and sensitivity of all organizational data is key, and different data types, locations and classifications should be protected appropriately, with more investment and protection being put in place to protect the most sensitive data within the organization. Regular reviews need to be made to keep on top of this situation, as data locations, types and flows are constantly changing in any modern organization.”
Enterprise security firm Panaseer has announced the appointment of Jonathan Gill as its new CEO.
Gill succeeds Panaseer founder Nik Whitfield in the role, with Whitfield becoming chairman and chief seer of the organization.
Gill brings a proven record of accomplishment in both leadership and sales, with previous roles including VP EMEA at RSA Security, EVP of global sales for Veracode and GM EMEA for Talend. He will focus on the international growth of Panaseer.
The security firm specializes in continuous controls monitoring (CCM) with its platform monitoring over four million entities for enterprise clients across two continents – Europe and North America.
Gill, CEO, said: “Throughout my career, the most fulfilling roles have been those where I have had scope to significantly scale a business to meet a global challenge. Panaseer offers the most exciting opportunity to date. Its platform is a game-changer for the security industry. It solves a major problem; the security landscape is increasingly complex, the rate of change is only accelerating.
“I am looking forward to working with the team to fulfil our vision of ensuring all enterprises have the proper safeguards to manage risk.”
Whitfield, chairman, added: “Our mission for our clients has always been to make sure their cybersecurity safeguards are switched on and working effectively at all times. Having established Panaseer as the first-choice platform to do this, the focus needed to shift to scaling the business.
“My decision to bring in a new CEO supports this growth objective, and the board and I are convinced that Jonathan is absolutely the right person to deliver on our ambitions and values.”
Deepfake video and audio technologies could become a major threat to businesses over the next two years, leading to substantial financial losses, according to a report by CyberCube entitled Social Engineering: Blurring reality and fake.
The cyber insurance analytics firm said that cyber-criminals have become increasingly adept at creating realistic audio and video fakes using AI and machine learning technology in recent years. Advancements in this field have accelerated further as a result of the shift to remote working during the COVID-19 pandemic, as organizations become more reliant on video and audio-based methods of communication.
The study observed that the growing number of video and audio samples of business people available online provides further opportunities to simulate individuals in order to influence and manipulate others. This includes building photo-realistic representations of influential people, and the use of mouth mapping technology, which enables the movement of the human mouth during speech to be mimicked with high accuracy.
These methods can put organizations at risk of severe financial losses. For instance, the report highlighted a case where cyber-criminals used AI-based software to impersonate a chief executive’s voice to demand the fraudulent transfer of $243,000.
The analysis also highlighted how traditional social engineering techniques have been ramped up since the start of COVID-19. This includes gathering information available online or from stolen physical records to create a fake identity for a particular target, a practice known as social profiling. Methods such as this have become easier for cyber-criminals because of the greater use of online platforms and the blurring of domestic and business IT systems during the pandemic.
The report’s author Darren Thomson, head of cybersecurity strategy at CyberCube, commented: “As the availability of personal information increases online, criminals are investing in technology to exploit this trend. New and emerging social engineering techniques like deepfake video and audio will fundamentally change the cyber-threat landscape and are becoming both technically feasible and economically viable for criminal organizations of all sizes.
“Imagine a scenario in which a video of Elon Musk giving insider trading tips goes viral – only it’s not the real Elon Musk. Or a politician announces a new policy in a video clip, but once again, it’s not real. We’ve already seen these deepfake videos used in political campaigns; it’s only a matter of time before criminals apply the same technique to businesses and wealthy private individuals. It could be as simple as a faked voicemail from a senior manager instructing staff to make a fraudulent payment or move funds to an account set up by a hacker.”
Global security giant Kaspersky and robot cybersecurity firm Alias Robotics have announced a partnership that will seek to enhance protection for robots used in operational technology (OT) infrastructure.
Used in many industrial operations, robots – a key component of Industry 4.0 – represent yet another type of endpoint in OT settings that must be secured. However, as robots are separate, complex and connected systems with specific protocols and tools, protecting them requires a unique approach.
According to a case study from Kaspersky and Alias Robotics, the solutions offered by each company can effectively work together to prevent attacks on OT networks with robots, harden control stations and protect robot endpoints from being compromised.
“Robots have their own networks, technologies, safety requirements and business priorities, all of which must be uniquely addressed,” said Víctor Mayoral Vilches, CTO and founder at Alias Robotics. “These systems demand specialized cybersecurity measures that need to happen at the endpoint to guarantee no-human-harm. By integrating [our] robot immune system (RIS) into Kaspersky Industrial CyberSecurity, our clients can now protect their robots with RIS and manage the security of their ICS infrastructure seamlessly via Kaspersky’s solution.”
Anton Shipulin, solution business lead, Kaspersky Industrial CyberSecurity, Kaspersky, added that as OT infrastructure becomes more complex, it is important to add security for all of its various parts and layers.
“Protection measures and tools should also work smoothly with each other to cover the entire environment without any gaps. Considering the growing implementation of industrial robots, this partnership with Alias Robotics allows our customers with robots in their infrastructure to meet the demand for reliable protection.”
Thousands of Department of Justice (DoJ) email accounts were accessed by SolarWinds attackers last year, the department has confirmed.
The DoJ issued a brief statement yesterday to shed more light on the impact of the attacks, which the government has so far acknowledged and blamed on Russia, but done little else to clarify.
“On December 24 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the department’s Microsoft Office 365 email environment,” it explained.
“After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the Office 365 email environment. At this point, the number of potentially accessed Office 365 mailboxes appears limited to around 3% and we have no indication that any classified systems were impacted.”
With around 113,000 employees thought to work at the DoJ, 3% equates to more than 3300 mailboxes that could have been accessed by the attackers.
Even if no “classified systems” were impacted, this represents a major security breach that could have given attackers access to strategically useful information and provided a staging post for convincing phishing attacks on other government users.
In fact, the DoJ admitted that the activity it detected constitutes a “major incident” under the Federal Information Security Modernization Act, and said it “is taking the steps consistent with that determination.”
In an update earlier this week, the authorities claimed that fewer than 10 government departments and agencies were affected by the campaign. Others thought to have been infiltrated by the state-backed Russian operatives are the Treasury, State, Homeland Security and Energy departments and the Cybersecurity and Infrastructure Security Agency (CISA).
Social media companies have moved swiftly to block posts by Donald Trump in the wake of extraordinary scenes in the US capital that have left four people dead.
Twitter and Facebook both blocked the outgoing President’s accounts following policy violations, removing posts which repeated baseless allegations of election fraud and praised his followers – men and women who at the time were storming Capitol Hill.
Although Twitter has been flagging Trump’s repeated claims of fraud, which he says cost him victory last November, this marks an escalation in its actions.
“As a result of the unprecedented and ongoing violent situation in Washington, D.C., we have required the removal of three @realDonaldTrump Tweets that were posted earlier today for repeated and severe violations of our Civic Integrity policy,” it said in a statement on the platform.
“This means that the account of @realDonaldTrump will be locked for 12 hours following the removal of these Tweets. If the Tweets are not removed, the account will remain locked.”
More worrying for the former reality TV star is that Twitter said it will permanently suspend Trump’s account if he violates Twitter rules in the future.
He currently has 88.7 million followers on the social media platform, which has been a key tool over the past four years for a President who prefers one-way communication with his fanbase to difficult media interviews.
Elsewhere, Facebook and Instagram both locked Trump’s accounts for 24 hours and the former removed a video in which he praised the protesters as ‘patriots.’ YouTube also removed the video.
Facebook has said it is also looking to remove any other content on the platform that may have incited the violence and has banned the #StormtheCapitol hashtag, although some reports suggest that “Stop The Steal” Facebook events and groups remain live.
As events have proven, social media companies still struggle to take down offensive and dangerous content in time, as they must balance the right to free speech with their other commitments to the rule of law and the safety of users.
In the meantime, lawmakers have since returned to Congress to confirm Joe Biden’s victory last November, with some calling for Trump’s impeachment over the incident.
Over a third of technology and media companies in the UK suffered a serious cyber-incident last year, according to new data from insurer Hiscox.
The firm claimed that 34% of firms in the technology, media and telecoms (TMT) sector were caught out by a cyber-incident or breach in 2020, leading to a median loss of nearly $40,000.
Phishing accounted for the majority (53%) of incidents, followed by web-based attacks (42%) such as those exploiting web app vulnerabilities.
Nearly a quarter (23%) suffered a ransomware attack where they were able to recover data from backup.
The Hiscox Cyber Readiness Report 2020 ranked the global TMT sector as one of the most frequently targeted by attackers, alongside financial services. It said 44% of firms in each vertical were hit by at least one incident or breach in the previous year.
TMT also ranked as one of the best prepared industries in terms of “cyber-readiness,” although the report clarified that “firms are often forced into becoming experts when they are heavily targeted industries.”
That chimes with the latest UK findings, which revealed that 67% of respondents in TMT are confident in their cyber-readiness, and 85% have a dedicated team or leader in cybersecurity.
“Research shows that the UK tech sector is far from exempt when it comes to major cybersecurity threats – proving that even for those sectors most equipped to deal with threats, vulnerabilities should never be overlooked,” said Stephen Ridley, Hiscox UK cyber-underwriting manager.
“The industry is, however, following best practice and building resilience through spending priorities and dedicated cyber-roles. The findings are a reminder that firms should always look to shift cyber-strategies and improve resilience capabilities.”
In fact, the UK’s TMT firms added £1m on average to their cybersecurity budgets in 2019 versus the previous year, the insurer claimed.
Security spending priorities over the coming year include endpoint malware detection, compliance, supply chain security, customer-facing services/applications and existing vulnerabilities.
The Defense Digital Service (DDS) and HackerOne have announced the launch of a new bug bounty program, in which participants will attempt to uncover vulnerabilities in the US Army’s digital systems.
This will be the 11th bug bounty program to take place between the DDS and HackerOne, and the third with the US Department of the Army, offering the chance for military and civilian participants to discover vulnerabilities in exchange for monetary rewards. It will run from January 6 to February 17 2021, and is named Hack the Army 3.0.
Participation is invitation-only and open to civilian hackers and members of the US military; bounties are paid only to civilian participants who submit valid security vulnerabilities in accordance with the program policy.
The purpose of the program is to surface security vulnerabilities in the US Army’s digital assets so they can be fixed before malicious actors exploit them.
Brig. Gen. Adam C. Volant, US Army cyber-command director of operations commented: “Bug bounty programs are a unique and effective ‘force multiplier’ for safeguarding critical Army networks, systems and data, and build on the efforts of our Army and DoD security professionals.
“By ‘crowdsourcing’ solutions with the help of the world’s best military and civilian ethical hackers, we complement our existing security measures and provide an additional means to identify and fix vulnerabilities. Hack the Army 3.0 builds upon the successes and lessons of our prior bug bounty programs.”
Marten Mickos, CEO of HackerOne, said: “We are living in a different world today than even just a year ago. Amid disinformation and a global health crisis, citizens are increasingly wary of how, when and where their information is used. For years, the US Department of Defense and respective military branches have successfully strengthened their cybersecurity posture and protected precious data by enlisting the help of ethical hackers on HackerOne. Years later, hacker-powered security is not only a best practice in the US military, but it is now a mandated requirement among civilian federal agencies. There is only one way to secure our connected society, together, and the US Army is leading the charge with this latest challenge.”
DDS has made extensive use of bug bounty challenges of this nature to improve security systems of US government departments. Since Hack the Pentagon was launched back in 2016, it has executed 14 public bounties on external-facing websites and applications in addition to 10 private bounties on sensitive internal systems in the US Department of Defense. These include Hack the Pentagon, Hack the Defense Travel System and Hack the Air Force.