Info Security

Ex-NSA Contractor Gets Nine Years for Stealing Secret Docs

Mon, 07/22/2019 - 10:20

A former government contractor has been sentenced to nine years behind bars after stealing as much as 50TB of sensitive information over two decades.

Harold Martin III, 54, of Glen Burnie, Maryland, pleaded guilty to all charges in March, having previously denied them.

From December 1993 to August 27, 2016, he was employed by at least seven different defense contractors including Edward Snowden’s former employer, Booz Allen Hamilton.

He worked at the NSA and a number of other government agencies, holding security clearances up to Top Secret and Sensitive Compartmented Information (SCI) at various times.

Martin admitted that over a period of more than 20 years he stole and kept documents relating to national defense, both hard copies and digital files, including Top Secret and SCI material.

“As detailed in his plea agreement, Martin retained the stolen documents and other classified information at his residence and in his vehicle. Martin knew that the hard copy and digital documents stolen from his workplace contained classified information that related to the national defense and that he was never authorized to retain these documents at his residence or in his vehicle,” a DoJ statement noted.

“Martin admitted that he also knew that the unauthorized removal of these materials risked their disclosure, which would be damaging to the national security of the United States and highly useful to its adversaries.”

The big question is why Martin stole the documents. His defense team claimed it was only so that he could bone up on work at home to get better at his job. He was linked in some news reports to major leaks of sensitive government information by WikiLeaks and Shadow Brokers, although never charged.

Martin’s nine-year sentence will be followed by three years of supervised release.

Categories: Cyber Risk News

Over 60 US Colleges Compromised by ERP Exploit

Mon, 07/22/2019 - 08:36

Scores of US colleges and universities have been compromised after hackers exploited a vulnerability in popular ERP software, according to the Department of Education.

The government revealed the campaign in an alert last week, explaining that the flaw in question exists in the Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9, and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4.

The former is a module of the Ellucian Banner ERP platform which allows organizations to customize their web apps. The latter is employed to manage user accounts.

The vulnerability in question, CVE-2019-8978, is an “improper authentication” flaw which has a CVSS 3.0 score of 8.1 (high) and could allow attackers to remotely access user accounts.

“This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID,” noted a NIST advisory. “During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.”

The Education Department has now identified 62 colleges affected by the flaw, after revealing that it had spotted cyber-criminals actively scanning for organizations that had yet to patch.

“Victimized institutions have indicated that the attackers exploit the vulnerability and then leverage scripts in the admissions or enrolment section of the affected Banner system to create multiple student accounts,” the notice explained.

“It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days resulting in the creation of thousands of fake student accounts. Some of these accounts appear to be leveraged almost immediately for criminal activity.”
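Both behaviours the notice describes leave traces in ordinary web-server access logs: one source hammering the Web Tailor entry page with an IDMSESSID cookie pinned to a victim's ID, and one source creating accounts far faster than a human applicant would. The script below is an added example written for this page, not code from Ellucian, NIST or the Department of Education. The log format and the /banner/main and /banner/admissions/create_account paths are assumptions standing in for the real Banner URLs, the thresholds are starting points to tune, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _sample_log():
    """Constructed access-log lines: timestamp, client IP, method, path, IDMSESSID cookie or '-'.
    The paths are placeholders for the Banner Web Tailor entry page and the
    self-service admissions sign-up, not Ellucian's real URLs."""
    lines = []
    # Attacker: 120 loads of the entry page in 12 seconds with the victim's ID pinned as IDMSESSID.
    for i in range(120):
        lines.append(f"2019-07-15T08:00:{i // 10:02d} 203.0.113.5 GET /banner/main IDMSESSID=900123456")
    # Victim: a few page loads and a login; the cookie is only set after login.
    lines += [
        "2019-07-15T08:00:02 198.51.100.7 GET /banner/main -",
        "2019-07-15T08:00:05 198.51.100.7 POST /banner/login -",
        "2019-07-15T08:00:06 198.51.100.7 GET /banner/main IDMSESSID=900123456",
    ]
    # Scripted sign-ups: 40 account creations from one host inside 20 minutes.
    for i in range(40):
        lines.append(f"2019-07-15T09:{i // 2:02d}:{(i % 2) * 30:02d} 203.0.113.9 POST /banner/admissions/create_account -")
    # One genuine applicant.
    lines.append("2019-07-15T09:05:00 192.0.2.44 POST /banner/admissions/create_account -")
    return lines


SAMPLE_LOG = _sample_log()


def parse(line):
    """Split one constructed log line into its fields; IDMSESSID is None when no cookie was sent."""
    ts, ip, method, path, cookie = line.split()
    sessid = cookie.split("=", 1)[1] if cookie.startswith("IDMSESSID=") else None
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method, "path": path, "idmsessid": sessid}


def peak_in_window(times, window):
    """Largest number of events inside any span of length `window` (sliding window over sorted times)."""
    q = deque()
    peak = 0
    for t in sorted(times):
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def find_session_races(lines, entry_path="/banner/main", window=timedelta(seconds=60), threshold=20):
    """Sources that repeatedly load the entry page with a pinned IDMSESSID, keyed by (ip, cookie value)."""
    by_key = defaultdict(list)
    for ev in map(parse, lines):
        if ev["path"] == entry_path and ev["idmsessid"]:
            by_key[(ev["ip"], ev["idmsessid"])].append(ev["ts"])
    peaks = {key: peak_in_window(ts, window) for key, ts in by_key.items()}
    return {key: n for key, n in peaks.items() if n >= threshold}


def find_signup_bursts(lines, signup_path="/banner/admissions/create_account", window=timedelta(hours=1), threshold=10):
    """Sources creating accounts faster than a human applicant plausibly would."""
    by_ip = defaultdict(list)
    for ev in map(parse, lines):
        if ev["method"] == "POST" and ev["path"] == signup_path:
            by_ip[ev["ip"]].append(ev["ts"])
    peaks = {ip: peak_in_window(ts, window) for ip, ts in by_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for key, n in find_session_races(SAMPLE_LOG).items():
        print(f"session race setup: {key[0]} pinned IDMSESSID={key[1]} ({n} hits in a minute)")
    for ip, n in find_signup_bursts(SAMPLE_LOG).items():
        print(f"sign-up burst: {ip} created {n} accounts within an hour")
```

Run against a real export, the first detector keys on the cookie value as well as the IP, since the race can be driven from several hosts against one victim; the second should be calibrated against the admissions team's normal sign-up rate so that it does not fire during enrolment deadlines.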

It's unclear exactly what criminal activity was afoot, although the notice warned that because Banner “affects or influences all aspects of academic administration,” the vulnerability could put financial aid data at risk.

Categories: Cyber Risk News

Russian FSB Contractor Breach Reveals 7.5TB of Data

Mon, 07/22/2019 - 08:10

Russia’s fearsome intelligence agency the FSB has been trying to decrypt Tor traffic since 2012, according to new reports stemming from a major breach of a Russian defense contractor.

The firm in question, SyTech, was revealed to be working on several projects. It was breached by a group known as 0v1ru$, which defaced its website and stole 7.5TB of data from its servers, making this one of the largest breaches of its kind in Russia.

The information, which includes details on several projects and the managers in charge of each, was passed on to another hacking group, Digital Revolution, who in turn passed it to reporters. Digital Revolution is said previously to have hacked the Kvant Research Institute, also run by the FSB.

Although no state secrets are said to have been exposed, the revelations are highly embarrassing for the Kremlin, and President Putin.

One project, Nautilus-S, describes an attempted de-anonymization of the Tor network, which began back in 2012.

Another version of the Nautilus project details an attempt to collect information on social media users, while one known as “Mentor” targets email communications sent by Russian enterprises.

Two more projects, Hope and Tax-3, are related to attempts by the Putin regime to split the internet in the country from the global web.

The plan was approved by the Russian parliament in April. Although it was billed as an attempt to reduce national security risk by pre-empting an online attack by foreign powers, it could also lay the foundations for a China-style great firewall, some have argued.

The latest revelations from SyTech show those plans are well along. Tax-3 will create an intranet for the storage of information on important state figures, while Hope is all about mapping the Russian internet and its connections to other countries.

Other projects revealed in the raid include ones targeting IM, file transfer services and P2P networks. They have apparently been ongoing since 2009 and linked to the FSB unit 71330.

Categories: Cyber Risk News

Slack Resets 1% of Passwords After 2015 Data Breach

Fri, 07/19/2019 - 16:09

New information discovered in the aftermath of Slack’s security breach from March 2015 has prompted the company to reset the passwords of some of its users, according to a July 18 blog post.

Slack explained that it reset account passwords for 1% of its users. Any users who created their account before March 2015 and haven't since changed their passwords and do not use single sign-on (SSO) will likely have their passwords reset by the company.

“We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password reuse between services, which we believed to be the case here,” Slack wrote.

Recognizing – and apologizing for – the potential inconvenience, Slack explained, “Today we are resetting passwords for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015. We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause.”

The announcement highlights the continued need to educate consumers about proper security hygiene, according to Terence Jackson, chief information security officer at Thycotic.

“We cannot control the situation in which our data will be breached, but what we can do is limit the fallout when it happens. These credentials that were exposed in 2015 are still surfacing. Once the data is out there, it’s out there. Using a password manager to prevent password reuse and enabling multi-factor authentication on all accounts that support it are good first steps to protect your digital identities.”

Because data breaches are so frequent, Shahrokh Shahidzadeh, CEO at Acceptto, said we must all operate on the assumption that our credentials and personal information are already compromised.

For that reason, “The reliance on binary authentication methods, such as passwords independent of their length, or even mixing it with two-factor and multi-factor authentication solutions that are susceptible to phishing attacks, is a recipe for failure and a matter of when, not if. In light of recent developments, the only safe credential is one that is immutable and that can only be bio-behavioral-based,” Shahidzadeh said.

Categories: Cyber Risk News

FinServ Fears Cert-Related Outages Will Hurt Brand

Fri, 07/19/2019 - 15:49

More than one-third of financial services chief information officers (CIOs) acknowledge that their organizations experienced a certificate-related outage in the last six months, according to a new study from Venafi, a machine identity protection vendor.

The study queried more than 100 CIOs in the financial services industry from the U.S., U.K., France, Germany and Australia and found that financial services organizations are more likely to have digital certificate-related outages than other industries.

Since January 2019, 36% of financial organizations suffered an outage that had some degree of impact on critical business applications or services. Despite the impact to business, participating CIOs reported that they are more concerned about the impact to customers from certificate-related outages, with 50% of CIOs admitting they fear damage to brand from an outage.

Survey participants also said these types of outages are only going to become more severe, according to the report. Approximately one-third (34%) said they are concerned about increasing interdependencies, which could make future outages even more painful. 

Meanwhile, certificate use continues to skyrocket in the financial services industry with 82% of respondents expecting to see certificate usage in their organizations grow by at least 25% in the next five years. In addition, 56% of respondents projected a minimum growth rate of greater than 50%. 

“Organizations from every sector struggle with certificate-related outages on critical infrastructure, but it’s clear that these issues are even more pronounced in the financial services industry,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, in the release. 

“The entire sector is focused on trust, performance and reliability, so they can’t afford service interruptions. At the same time, the industry has been transformed by open banking initiatives. As a result, financial services organizations rely on machine identities to secure and protect a wide range of business-critical, machine-to-machine communication. Unfortunately, these critical security assets are often unmanaged and unprotected, even though they protect mobile applications, containerization initiatives and cloud architectures.” 

Categories: Cyber Risk News

New Malware Framework Cashing in on Ad Fraud

Fri, 07/19/2019 - 15:43

A new malware framework has been discovered padding statistics on social sites and ad impressions, according to new research from Flashpoint.

Researchers explained that over the course of the past three months, the malware framework has been responsible for more than one billion fraudulent Google AdSense ad impressions.

The malware uses three separate stages of installation to deliver a malicious browser extension that performs fraudulent AdSense impressions and generates likes on YouTube videos. It also watches hidden Twitch streams. 

The initial stage of the framework executes the installer, which either sets up a new browser or downloads a module that does so. “The installer sets itself up as a task related to Windows Update by creating an XML file on the local disk and executing it as a scheduled task (schtasks),” the July 18 blog post explained. It then checks to make sure the installer was successful. 

The second component is the finder, “a module designed to steal browser logins and cookies, package them in .zip files, and send them to the attacker’s command-and-control infrastructure.” Finally, the patcher module sets up the browser extension. 
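The installer's disguise, a scheduled task dressed up as Windows Update, is straightforward to hunt for once task definitions are exported, because a genuine Windows Update task runs a binary under the Windows directory while this one runs something it dropped in a user-writable folder. The following is an added example for this page, not Flashpoint's tooling or the malware's own code: it parses the XML that `schtasks /query /tn <name> /xml` produces, and both task definitions, their names and their paths are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Directories a genuine Windows Update task is expected to run its binary from.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Minimal expansion of the environment variables Task Scheduler actions commonly use.
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}

# Constructed task definitions in the XML format `schtasks /query /tn <name> /xml` exports.
# FAKE_TASK claims to be a Windows Update check but launches from a user-writable folder.
FAKE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <Description>Windows Update Check</Description>
  </RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Users\\Public\\wuauserv\\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

# LEGIT_TASK mirrors the shape of a built-in Windows Update task: binary under System32.
LEGIT_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start</URI>
  </RegistrationInfo>
  <Actions Context="LocalSystem">
    <Exec><Command>%SystemRoot%\\system32\\usoclient.exe</Command></Exec>
  </Actions>
</Task>"""


def normalize_command(cmd):
    """Lower-case, strip quoting and expand the usual variables so paths compare cleanly."""
    cmd = cmd.strip().strip('"').lower()
    for var, value in ENV.items():
        cmd = cmd.replace(var, value)
    return cmd


def _text(root, tag):
    el = root.find(f".//{TASK_NS}{tag}")
    return (el.text or "") if el is not None else ""


def triage_task(xml_text, task_name):
    """Flag a task that presents itself as Windows Update but runs from outside the Windows directories."""
    # Exported task XML declares UTF-16; once decoded to str the declaration only gets in the way.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    label = " ".join([task_name, _text(root, "URI"), _text(root, "Description"), _text(root, "Author")]).lower()
    claims_update = "windows update" in label or "windowsupdate" in label
    commands = [normalize_command(c.text or "") for c in root.iter(f"{TASK_NS}Command")]
    untrusted = [c for c in commands if not c.startswith(TRUSTED_PREFIXES)]
    return {
        "task": task_name,
        "claims_windows_update": claims_update,
        "untrusted_commands": untrusted,
        "suspicious": claims_update and bool(untrusted),
    }


if __name__ == "__main__":
    for name, xml in (("\\WindowsUpdateCheck", FAKE_TASK),
                      ("\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start", LEGIT_TASK)):
        print(triage_task(xml, name))
```

On a live host, feed each exported task through triage_task with its task path. The check is deliberately narrow (name, URI, description or author claims Windows Update; action outside System32/SysWOW64), so it complements rather than replaces a full audit of task actions, triggers and the user context they run under.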

The malware is generating revenue for its operators, who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers such as Google Chrome, Mozilla Firefox and Yandex’s browser, according to the research.

“Flashpoint researchers found code, for example, that looks for YouTube referrers and then injects a new script tag to load code for YouTube. In this case, the injected JavaScript has an extensive amount of code that is designed to like videos, most of which are related to political topics in Russia. Separately, researchers also found code that injects an iframe into the browser designed to play a hidden Twitch stream, padding the viewer stats for the streamer on that page,” researchers wrote.

Categories: Cyber Risk News

Magecart Group Spotted Operating From War Zone

Fri, 07/19/2019 - 08:57

One of the Magecart groups stealing customer card data from e-commerce sites is operating out of a war zone in eastern Ukraine, security experts have revealed.

The Malwarebytes Threat Intelligence Team described in a blog post how the location of Luhansk near the border with Russia is an “ideal breeding ground where criminals can operate with total impunity from law enforcement or actions from the security community.”

The attacks detailed by the vendor target Magento e-commerce sites, and use JavaScript disguised as a Google Analytics domain previously associated with the VisionDirect breach of last year.

The researchers found usernames and passwords belonging to hundreds of e-commerce sites, indicating the scope of the campaign, as well as a PHP backdoor used in these attacks.

The so-called exfiltration gate, web servers set up to receive the stolen data, is also disguised as a Google domain. Along with the card details, the attackers are stealing names, addresses, emails, and phone numbers for possible use in follow-on phishing attacks, Malwarebytes claimed.

The hosting server is located in Luhansk, capital of an unrecognized state set up in 2014 by Russian-backed separatists and known as the Luhansk People's Republic. At the center of the war-torn Donbass region, bulletproof hosting services are “safe from the reach of European and American law enforcement,” according to the vendor.

“Choosing the ASN AS58271 ‘FOP Gubina Lubov Petrivna’ located in Luhansk is no coincidence for the Magecart group behind this skimmer. In fact, on the same ASN at 176.119.1[.]70 is also another skimmer (xn--google-analytcs-xpb[.]com) using an internationalized domain name (IDN) that ties back to that same exfiltration gate. In addition, that ASN is a hotspot for IDN-based phishing, in particular around cryptocurrency assets,” it explained.

“Due to the very nature of such hosts, takedown operations are difficult. It’s not simply a case of a provider turning a blind eye on shady operations, but rather it is the core of their business model.”
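The `xn--google-analytcs-xpb[.]com` domain in the quote is a punycode-encoded internationalized domain name: a browser renders it with an accented letter where the real domain has a plain "i", which is what makes it convincing among a page's script tags. The code below is an added example, not Malwarebytes' tooling: it extracts script sources from a checkout page, decodes any xn-- labels, strips accents and folds a few common confusables, and reports hosts that collapse onto a protected brand. The allow-list, the brand list and the sample page are constructed for the example, and the confusable table is deliberately small.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts this shop's checkout is expected to load scripts from (assumption for the example).
ALLOWED_HOSTS = {"www.google-analytics.com", "google-analytics.com", "www.googletagmanager.com", "shop.example"}
# Brands the skimmers in this campaign impersonate.
PROTECTED_BRANDS = {"google-analytics.com", "googletagmanager.com"}
# Single-character confusables that NFKD does not fold: dotless i, Greek omicron, Cyrillic a/e/c/p.
CONFUSABLES = str.maketrans({"\u0131": "i", "\u03bf": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c", "\u0440": "p"})

# Constructed checkout page: the real GA loader, a first-party script, and a skimmer pulled from
# the IDN domain the Malwarebytes report names (defanging brackets removed so it parses).
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/static/checkout.js"></script>
<script type="text/javascript" src="https://xn--google-analytcs-xpb.com/analytics.js"></script>
</head><body></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def decode_idn(host):
    """Show an xn-- host the way a browser would render it: punycode-decode each A-label."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def skeleton(host):
    """Crude confusable skeleton: drop accents and combining marks, then fold known look-alikes."""
    decomposed = unicodedata.normalize("NFKD", host)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.translate(CONFUSABLES)


def find_lookalike_script_hosts(html_text, allowed=ALLOWED_HOSTS, brands=PROTECTED_BRANDS):
    """Script sources whose host, once decoded and skeletonised, collapses onto a protected brand."""
    collector = ScriptSrcCollector()
    collector.feed(html_text)
    findings = []
    for src in collector.srcs:
        host = urlsplit(src).hostname
        if not host or host in allowed:
            continue
        displayed = decode_idn(host)
        skel = skeleton(displayed)
        for brand in brands:
            if skel == brand or skel.endswith("." + brand):
                findings.append({"src": src, "displayed_as": displayed, "impersonates": brand})
    return findings


if __name__ == "__main__":
    for f in find_lookalike_script_hosts(SAMPLE_HTML):
        print(f"{f['src']} renders as {f['displayed_as']} and impersonates {f['impersonates']}")
```

The same check is better run over the page's live network requests than its static HTML, since Magecart skimmers are frequently injected at runtime; the exfiltration gate the report describes, also a Google look-alike, is caught by applying decode_idn and skeleton to outbound request hosts in the same way.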

Categories: Cyber Risk News

Microsoft Alerts 10,000 Customers of Nation State Attacks

Fri, 07/19/2019 - 08:22

Microsoft has warned 10,000 customers that they’ve been targeted by nation state attacks over the past year, including hundreds of US political organizations, the firm revealed this week.

In a blog post to promote the firm’s new ElectionGuard secure voting system, corporate VP for customer security and trust, Tom Burt, revealed that the vast majority (84%) of state-sponsored attacks were targeted at Microsoft’s enterprise customers, with the remainder (16%) hitting consumers' personal email accounts.

The majority came from groups in Russia (Yttrium and Strontium), Iran (Holmium and Mercury) and North Korea (Thallium).

“While many of these attacks are unrelated to the democratic process, this data demonstrates the significant extent to which nation-states continue to rely on cyber-attacks as a tool to gain intelligence, influence geopolitics or achieve other objectives,” said Burt.

However, a significant minority of attacks have been focused on democratic organizations. Officially launched last August, Microsoft’s AccountGuard tool has since alerted on 781 nation state attacks against “political campaigns, parties, and democracy-focused non-governmental organizations (NGOs).”

Although the tool is only available in 26 countries so far, the vast majority (95%) of political organizations targeted were in the US, which amounts to around 742.

“Many of the democracy-focused attacks we’ve seen recently target NGOs and think tanks, and reflect a pattern that we also observed in the early stages of some previous elections. In this pattern, a spike in attacks on NGOs and think tanks that work closely with candidates and political parties, or work on issues central to their campaigns, serve as a precursor to direct attacks on campaigns and election systems themselves. We saw such attacks in the US presidential election in 2016 and in the last French presidential election,” explained Burt.

“As we head into the 2020 elections, given both the broad reliance on cyber-attacks by nation states and the use of cyber-attacks to specifically target democratic processes, we anticipate that we will see attacks targeting US election systems, political campaigns or NGOs that work closely with campaigns.”

Categories: Cyber Risk News

Over 800K Systems Remain Vulnerable to BlueKeep

Fri, 07/19/2019 - 08:03

Over 805,000 computers around the world are still vulnerable to the critical BlueKeep vulnerability, which experts have warned could be used to create a worm-like threat worse than WannaCry.

Security firm BitSight claimed that, as of July 2, 805,665 systems remained at risk, a decrease of just 17% from May 31.

“Assuming a simplistic average this represents an average decrease of 5,224 exposed vulnerable exposed systems per day. By consistently observing individual vulnerable systems that remain exposed to the Internet and then identifying when they’re patched, we can calculate that at minimum an average of 854 vulnerable systems per day are patched,” it explained.

“The difference between these two estimates may represent systems which no longer expose the service to the Internet today, or those that are changing IP addresses frequently.”

China and the US remain the countries with the largest number of exposed systems, despite both having reduced their exposure by the largest amount globally, 24% and 20% respectively.

The most responsive industries around the world have been Legal, which reduced affected systems by 33%, Non-profit/NGO (27%) and Aerospace/Defense (24%). However, the worst performers were Consumer Goods (5%), Utilities (10%), and Technology (12%).

BitSight also warned organizations to take a more proactive stance towards third parties that may be exposed via BlueKeep.

“There are multiple ways a system administrator may mitigate against this issue affecting an externally exposed system. The primary and most important of which is actually applying the patch to the affected system. In addition, the administrator or user may remove exposure of that system to the Internet by taking it offline or applying proper access control lists to those systems to limit access to them,” it added.

“It’s been two months since the patch has been made available by Microsoft and we’ve only observed a 17.18% decrease in the number of exposed vulnerable systems in the last month. It’s important for organizations to patch their systems to not only protect their own data and systems, but those of their third parties that they conduct business with.”

BlueKeep is an RCE flaw in Windows Remote Desktop Services (RDS) which could enable an attacker to take complete control of a machine. It affects Windows XP through Windows 7 and Windows Server 2003 through Server 2008 R2.

The vulnerability (CVE-2019-0708) is deemed particularly critical because it is exploitable before authentication and without any user interaction, so malware built on it could spread from machine to machine on its own. Working exploits have already been engineered by security researchers, and the concern is that hackers could use it as a mechanism to spread cryptomining malware, banking trojans or other types of malware.

Categories: Cyber Risk News

APT Targets Diplomats in Europe, Latin America

Thu, 07/18/2019 - 18:57

Evidence suggests that new versions of malware families are linked to the elusive Ke3chang group, along with a previously unreported backdoor, according to researchers at ESET.

The researchers have long been tracking the advanced persistent threat (APT) group and suspect that it operates out of China, according to today’s press release.

Named Okrum by ESET, the malware was first detected in late 2016 when it was used to target diplomatic missions and governmental institutions in Belgium, Slovakia, Brazil, Chile and Guatemala. However, researchers have seen multiple variations of the malware families and attributed the activity to the Ke3chang group.

“In research going back to 2015, ESET identified new suspicious activities in European countries. The group behind the attacks seemed to have particular interest in Slovakia, but Croatia, the Czech Republic and other countries were also affected. Analyzing the malware used in these attacks, ESET researchers found that it was linked to known malware families attributed to the Ke3chang group, and dubbed these new versions Ketrican,” the release stated.

“We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, compiled in 2017. On top of that, we found that some diplomatic entities that were affected by the Okrum malware and the 2015 Ketrican backdoors were also affected by 2017 Ketrican backdoors,” said Zuzana Hromcova, the ESET researcher who made the discoveries. 

The group has remained active in 2019. As recently as March, researchers “detected a new Ketrican sample that has evolved from the 2018 Ketrican backdoor. It affected the same targets as the backdoor from 2018,” according to the research.

“Okrum can impersonate a logged on user’s security context using a call to the ImpersonateLoggedOnUser API in order to gain administrator privileges.” It then automatically collects information about the infected computer, including computer name, user name, host IP address, primary DNS suffix value, OS version, build number, architecture, user agent string and locale info (language name, country name), the report added.

Categories: Cyber Risk News

Security Experts Warn Against Use of FaceApp

Thu, 07/18/2019 - 15:15

Security experts are warning the public not to partake in the FaceApp craze, which is being exacerbated by the #FaceAppChallenge that is going viral on social media, according to multiple reports. 

While security experts and privacy advocates are warning users to avoid the app, Senator Chuck Schumer has requested that the Federal Bureau of Investigation (FBI) and the Federal Trade Commission (FTC) investigate whether there are adequate safeguards in place to protect the privacy of the app’s users. 

"FaceApp's location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including foreign governments," wrote Schumer.

Created in 2017 by developers at Wireless Lab in St. Petersburg, Russia, FaceApp now has access to the face and images of over 150 million people, Forbes reported. Users’ photos are being uploaded to the cloud, yet the terms and conditions grant FaceApp the ability to do additional processing locally on their device.

“To make FaceApp actually work, you have to give it permissions to access your photos – ALL of them. But it also gains access to Siri and Search... Oh, and it has access to refreshing in the background – so even when you are not using it, it is using you,” tweeted technology author Rob La Gesse, who warned users who have installed the app to delete it. 

“FaceApp serves as an important reminder that free isn't free when it comes to apps. The user and his/her [photo are] the commodity, whether sold for purposes like marketing or more nefarious things like identity theft and creation of deep fakes. Don't use apps that need access to all your data and be sure to read the EULAs to ensure the app gives users some sort of control and protection based on where the data is stored and processed," said Rick McElroy, head of security strategy at Carbon Black.

Categories: Cyber Risk News

California State Auditors Say Government IT is Flawed

Thu, 07/18/2019 - 13:40

Weaknesses in the information security of some California state offices were brought to light after the state auditor called for additional oversight and regular assessments, according to the report Gaps in Oversight Contribute to Weaknesses in the State’s Information Security.

In the midst of ongoing conversations around the security of customer data and less than six months before the California Consumer Privacy Act (CCPA) is scheduled to go into effect, the report comes at a time when governments are grappling with the ever-growing threat of cyber-attacks. 

According to the report from state auditor Elaine Howle, the personal information of California residents may not be protected because of flaws in the government’s IT systems. “We surveyed 33 non-reporting entities from around the State and reviewed 10 of them in detail. Twenty-nine of the 33 obtained an information security assessment to evaluate their compliance with the specific security standards they selected, 24 learned that they were only partially compliant, and 21 identified high-risk deficiencies,” the report said.

Howle called for state agencies to do more in order to effectively safeguard the information that state government agencies collect, maintain and store. Additionally, Howle noted that “the non-reporting entities we surveyed may be unaware of additional information security weaknesses because many of them relied upon information security assessments that were limited in scope.”

Because California has usually been considered a trailblazer when it comes to information security and data privacy practices, Ben Sadeghipour, head of hacker operations at HackerOne, said the auditor’s report comes as a surprise. “When you are a large government agency like the State of California dealing with the data of almost 40 million residents, it is absolutely critical to have consistency across information security policies, especially among the numerous government entities who are tasked with handling, storing and safeguarding personal data,” said Sadeghipour.

“Cyber-criminals are constantly searching for ways to exploit vulnerabilities, especially in the government sector due to the notion that they are easy targets with a goldmine of data. Every government agency, regardless of budget, should at minimum implement a vulnerability disclosure policy (VDP) so that security researchers or ethical hackers can find those vulnerabilities before the bad guys do.”

Categories: Cyber Risk News

Security is Biggest Digital Transformation Concern

Thu, 07/18/2019 - 10:30

Cybersecurity is viewed as the biggest single risk to digital transformation projects, but most organizations aren’t involving CISOs early enough in projects, according to new research from Nominet.

The .uk registry and DNS security organization polled 274 CISOs, CIOs, CTOs and others with responsibility for security in US and UK organizations.

It found that the vast majority (93%) were implementing digital transformation projects, although of the small number who weren’t, more than a quarter (27%) said it is because of security concerns.

Cybersecurity was also far and away the biggest worry for those currently undertaking such projects, with 53% citing it as a top-three threat. Some 95% expressed some concern, with over two-fifths (41%) either “very” or “extremely” concerned.

Topping these concerns were exposure of customer data (60%), cyber-criminal sophistication (56%), an increased threat surface (53%), visibility blind spots (44%), and IoT devices (39%).

Although a third (34%) of respondents claimed security was considered during the development of the digital transformation strategy, many left it to the pre-implementation (28%) and implementation (28%) stages, or even post-implementation (9%). Some 2% said security wasn’t considered at all.

IT leaders may be over-confident in their ability to mitigate cyber-risk in digital transformation. Some 82% of respondents claimed it was considered early enough in their projects and 85% scored it near top marks for effectiveness, despite 86% having suffered a breach in the past 12 months.

What's more, a majority of partners (59%), customers (55%) and industry/regulatory bodies (54%) had queried the robustness of their approach.

“With digital transformation you have to be sure that when you’re bringing in new applications, security is considered from the outset," argued Nominet CISO, Cath Goulding. "More than this though, in a digital transformation project, the real trick is to manage the security considerations of legacy and new applications simultaneously.”

On the plus side, 31% of respondents reported that 11-25% of their digital transformation budget is allocated to cybersecurity, with over a fifth (23%) claiming that 26-50% is set aside.

Categories: Cyber Risk News

BEC Scams Cost US Firms $300m Each Month

Thu, 07/18/2019 - 09:25

Business Email Compromise (BEC) scams have rocketed in volume and value over the past two years, making cyber-criminals over $300m each month in 2018 from US victims alone, according to new data.

The findings were revealed by the Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury.

They note that the number of BEC reports has climbed rapidly, from around 500 per month in 2016 to more than 1,100 last year. The total value of related BEC thefts has also soared over the same period, from around $110m per month to an average of $301m.

Manufacturing and construction was the most targeted sector in both 2017 and 2018, accounting for around a fifth of reports in the former year and a quarter in the latter.

In 2018, this sector was followed by “commercial services” – which includes shopping centers, entertainment facilities, and lodging – and then real estate.

The former saw reported BEC attacks increase more than any other vertical, tripling from 6% in 2017 to 18% last year.

Interestingly, the vast majority (73%) of BEC attacks seen over the period involved scammers receiving funds into US accounts, rather than ones overseas, taking advantage of money mule networks nationwide, FinCEN claimed.

“Industries that are common in a particular state likely represent the most targeted companies in that state,” it added. “For example, financial firms are the most frequently targeted firms in New York, while manufacturing and construction firms are the most frequently targeted in Texas.”

In terms of attack methodology, CEO impersonation ranked high in 2017, accounting for a third (33%) of scams, but fell to 12% in 2018. Use of fraudulent vendor or client invoices, on the other hand, grew from 30% to 39% over the period. Impersonation of an outside entity accounted for 20% in 2018 but was not documented in 2017.

The FBI warned earlier this year that BEC losses hit $1.3bn in 2018, almost half of all losses associated with cybercrime in the year. These were linked to just 20,000 victims, highlighting the high potential ROI for the scammers.

The FBI figure is much lower than FinCEN's estimate of the cost of BEC; the gap could be down to under-reporting.

Categories: Cyber Risk News

Dutch Police Nab Macro Malware Suspect

Thu, 07/18/2019 - 08:38

Dutch police have arrested a man suspected of developing and selling toolkits designed to build malicious Office documents for use in attacks.

In a statement on Wednesday, the country’s high-tech crime team (THTC) revealed it had apprehended a 20-year-old Utrecht man after monitoring his participation in hacking forums, with help from McAfee.

He’s suspected of selling specialized off-the-shelf toolkits such as Rubella Macro Builder which effectively weaponize Office docs by enabling them to use obfuscated macro code to deliver a malicious payload, bypassing traditional security filters in the process.
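Builder-generated macros of the kind described above tend to share a few surface traits even when the payload itself is obfuscated: an auto-execution entry point, strings assembled from character codes or reversed, a scripting object created at runtime, and an encoded PowerShell command line. The following is an added example, not code from the page, from McAfee or from the Dutch police, of a heuristic scorer over extracted VBA source. Both VBA samples are constructed for illustration and are not Rubella output; the indicator weights and the threshold are assumptions. In practice the VBA source would be pulled from the .docm/.xlsm with a tool such as olevba from oletools before being scored.

```python
import re
from typing import Dict, List

# Constructed VBA samples for the example; neither is real builder output.
BENIGN_VBA = """
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1").Font.Bold = True
End Sub
"""

SUSPICIOUS_VBA = """
Sub AutoOpen()
    Dim a As String
    a = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Dim x
    Set x = CreateObject(StrReverse("llehS.tpircSW"))
    x.Run a & " -enc " & "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", 0
End Sub
"""

# (indicator name, pattern, weight). Weights and the threshold below are
# assumptions chosen for this example, not a published scoring scheme.
INDICATORS = [
    ("auto_exec", re.compile(r"\b(AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b", re.I), 3),
    ("create_object", re.compile(r"\bCreateObject\s*\(", re.I), 2),
    ("shell_exec", re.compile(r"(\bShell\s*\(|\.Run\b|\.Exec\b)", re.I), 2),
    # three or more Chr(n) & Chr(n) & ... pieces: a string built from character codes
    ("chr_concat", re.compile(r"(Chr\s*\(\s*\d+\s*\)\s*&\s*){3,}", re.I), 3),
    ("strreverse", re.compile(r"\bStrReverse\s*\(", re.I), 2),
    ("powershell_enc", re.compile(r"-enc(odedcommand)?\b", re.I), 3),
    # a long base64-looking literal, typical of an embedded encoded command
    ("long_b64_literal", re.compile(r'"[A-Za-z0-9+/]{32,}={0,2}"'), 2),
]


def score_macro(vba_source: str, threshold: int = 6) -> Dict[str, object]:
    """Return the matched indicators, their summed weight and a verdict."""
    hits: List[str] = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(vba_source):
            hits.append(name)
            score += weight
    return {"score": score, "hits": hits, "suspicious": score >= threshold}


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_VBA), ("suspicious", SUSPICIOUS_VBA)):
        print(label, score_macro(src))
```

A scorer like this is a triage aid, not a verdict: builders vary the obfuscation, so the indicator list needs maintaining, and a document that scores high still warrants detonation or manual review before being called malicious.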

However, in one of the man’s suspected posts to a hacking forum, investigators spotted use of a Dutch version of Microsoft Word. Given the relatively small global population that speaks the language, McAfee researchers went on the hunt for more clues.

“During our research we were able to link different nicknames used by the actor on several forums across a time span of many years,” the vendor said in a blog post. “Piecing it all together, Rubella showed a classic growth pattern of an aspiring cyber-criminal, started by gaining technical security knowledge on beginner forums with low op-sec and gradually moved to some of the bigger, exclusive forums to offer products and services.”

On arrest, the suspect was found with data on dozens of credit cards and manuals on carding, as well as access credentials for thousands of websites.

“The suspect has collected an amount of approx. €20,000 in cryptocurrency such as Bitcoins. These have been seized. The investigation into further amounts the young man may have (unlawfully) earned will continue. In due course, a confiscation order will be issued,” a police statement noted.

“The public prosecutor has meanwhile decided that the suspect will have to face trial. No court date has yet been set.”

Categories: Cyber Risk News

75% of Security Awareness Pros Are Part Time

Wed, 07/17/2019 - 16:38

The 2019 Security Awareness Report published by SANS Security Awareness, a division of SANS Institute, found that across many organizations, there is an increased emphasis on the need for awareness and training programs.

According to the report, more than 75% of those who are currently responsible for security awareness and training are spending less than half of their time on employee education programs. 

“The implication is that awareness is simply mounted on to their other job requirements. This is the largest single factor limiting the growth and maturity of programs,” the report said.

Awareness professionals often bring strong technical skills to the role, but the shortage of candidates who also have the communication and marketing skills the job demands hinders an organization's ability to build a program that truly engages employees.

Among the nearly 1,600 respondents who participated in the study, those who reported having programs that are effectively changing employee behavior have at least two full-time employees dedicated to awareness and training. 

“While there is a general tendency to isolate individual employees as the cause of security related issues, the data within the report demonstrates that addressing an organization’s human cyber risk is best handled by making consistent systemic training investments. This report examines the most effective steps to address them, enabling you to benchmark your awareness program against your peers and other organizations,” the report said. 

The report did find that the number of organizations with no program at all has decreased over the last two years, falling from 7.6% to 4.3% and indicating a slow but steady shift toward success.

“I’m absolutely thrilled about the release of the 2019 Security Awareness Report,” says SANS security awareness director Lance Spitzner. “Every year we are able to gain a better understanding of the most common challenges awareness professionals face and how to best address them, and after five years we are beginning to identify key trends.”

Categories: Cyber Risk News

93% of Orgs Worry About Cloud Security

Wed, 07/17/2019 - 16:20

Two reports published independently of each other found that the majority of organizations are moderately to extremely concerned about the state of cloud security.

In Guardians of the Cloud, the 2019 cloud report published annually by Bitglass, researchers found that 93% of organizations are at least moderately concerned about their ability to use the cloud securely. The same proportion of respondents in the 2019 Cloud Security Report from Synopsys said that they were either moderately or extremely concerned about cloud security.

According to Guardians of the Cloud, 75% of organizations leverage multiple cloud solutions, while a mere 20% actually have visibility over cross-app anomalous behavior. Additionally, only 20% of participating organizations said that they use cloud data loss prevention (DLP), despite storing highly sensitive information in the cloud, including customer and employee data and intellectual property. Not surprisingly, malware is the most concerning data leakage vector.

The majority (67%) of companies said they believe cloud apps are either as secure as or more secure than on-premises apps. Two of the most popular cloud security capabilities among respondents are access control (52%) and anti-malware (46%). 

“Data is now being stored in more cloud apps and accessed by more devices than ever before,” said Rich Campagna, chief marketing officer of Bitglass, in today’s press release. “This report found that...the adoption rates of basic cloud security tools and practices are still far too low. Many organizations need to rethink their approach to protecting data, as traditional tools for safeguarding data on premises are not capable of protecting data in the cloud.”

Synopsys’ latest cloud security report likewise found that organizations have a wide range of cloud security concerns. Most notably, organizations are worried about data loss and leakage (64%) and data privacy and confidentiality (62%).

For 43% of organizations, monitoring new vulnerabilities in cloud services is one of the most challenging aspects of cloud compliance. 

“As workloads continue to move to the cloud, cybersecurity professionals are realizing the complications of protecting these workloads. The top two security headaches SOCs are struggling with are compliance (34%) and lack of visibility into infrastructure security (33%). Setting consistent security policies across cloud and on-premises environments (31%) and the continuing lack of qualified security staff (31%) are tied for third place,” the report said. 

Categories: Cyber Risk News

New Malware Samples Resemble StrongPity

Wed, 07/17/2019 - 15:16

Researchers have said with high confidence that the publicly reported adversary dubbed StrongPity has been engaged in an unreported and ongoing malware campaign, according to research from AT&T Alien Labs.

Threat actors are using the new malware and infrastructure to control compromised machines and deploying malicious versions of the WinBox router management software, WinRAR, as well as other trusted software to compromise their targets, researchers said. 

“StrongPity was first publicly reported on in October 2016 with details on attacks against users in Belgium and Italy in mid-2016. In this campaign, StrongPity used watering holes to deliver malicious versions of WinRAR and TrueCrypt file encryption software,” researchers wrote in a blog post.

StrongPity was reported on again in 2017 and 2018. New samples that strongly resembled the work of StrongPity were again identified in early July 2019. 

These most recent samples of the malware have been, as of yet, unreported but mirror those created and deployed to targets following a toolset rebuild that came after public reporting of the malware during the fourth quarter of 2018, researchers said. 

“The malicious version of the software installs StrongPity malware without any obvious signs to the victim, and then operates as if it were a standard unaltered version of the trusted software.”

While researchers were unable to identify specific details about how the malicious installers are delivered, they noted, “It is likely that methods previously documented by the previous reports of StrongPity, such as regional download redirecting from ISPs, is still occurring. Based on the type of software used as the installer (WinRAR, WinBox, IDM, etc.), the type of targets may continue to be technically-oriented, again similar to past reports.”
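A trojanized copy of a trusted installer, whether served from a watering hole or substituted by an in-path download redirect, is caught by checking the artifact against a digest obtained out of band rather than trusting the download channel. The following is an added example, not AT&T Alien Labs' code or anything from the StrongPity report, of a pre-install check that refuses plaintext HTTP downloads, downloads from an unexpected host, and installers whose SHA-256 differs from a pinned release digest. The installer bytes, the host name and the manifest are constructed stand-ins; no real WinRAR or WinBox hashes are used.

```python
import hashlib
import hmac
from typing import Dict, NamedTuple
from urllib.parse import urlparse


class Verdict(NamedTuple):
    ok: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for installer bytes; not real WinRAR/WinBox binaries.
GENUINE_INSTALLER = b"MZ\x90\x00" + b"genuine installer body " * 16
# A trojanized copy keeps the original bytes and appends a dropper stub, so it
# still behaves like the real tool after planting the implant.
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x00dropper-stub"

# Constructed manifest. In practice the digest comes from the vendor's published
# checksum or release notes, fetched separately from the download itself.
MANIFEST: Dict[str, Dict[str, str]] = {
    "tool-setup.exe": {
        "host": "downloads.example-vendor.test",
        "sha256": sha256_hex(GENUINE_INSTALLER),
    },
}


def check_download(url: str, filename: str, data: bytes,
                   manifest: Dict[str, Dict[str, str]] = MANIFEST) -> Verdict:
    """Accept an installer only if it came over HTTPS from the pinned host
    and its SHA-256 matches the pinned release digest."""
    entry = manifest.get(filename)
    if entry is None:
        return Verdict(False, "no pinned entry for this artifact; refusing to install")
    parts = urlparse(url)
    if parts.scheme != "https":
        return Verdict(False, "plaintext download: an in-path redirect could substitute the file")
    if parts.hostname != entry["host"]:
        return Verdict(False, f"host {parts.hostname!r} is not the pinned vendor host")
    # compare_digest avoids leaking the mismatch position through timing.
    if not hmac.compare_digest(sha256_hex(data), entry["sha256"]):
        return Verdict(False, "sha256 mismatch: installer differs from the pinned release")
    return Verdict(True, "installer matches pinned release")


if __name__ == "__main__":
    base = "https://downloads.example-vendor.test/tool-setup.exe"
    print(check_download(base, "tool-setup.exe", GENUINE_INSTALLER))
    print(check_download(base.replace("https://", "http://"), "tool-setup.exe", GENUINE_INSTALLER))
    print(check_download(base, "tool-setup.exe", TROJANIZED_INSTALLER))
```

The scheme and host checks only defend against substitution in transit, the scenario the report raises with ISP-level redirection; they do nothing if the vendor's own site is serving the trojanized file. The pinned digest covers both cases, provided it was obtained through a channel other than the download itself, and where the vendor signs releases, verifying the code signature is the stronger complement.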

Categories: Cyber Risk News

CEOs’ Cyber Ignorance Costing Firms Dear

Wed, 07/17/2019 - 11:05

A lack of CEO awareness and engagement with cybersecurity could be placing their organizations at unnecessary risk of attack, according to new findings from RedSeal.

The security vendor polled over 500 IT professionals in the UK to better understand the cyber-risks posed by business leaders.

Over half (54%) said they don’t believe their CEO follows correct security procedure and in so doing is potentially exposing their organization to compromise. Over a third (38%) weren’t sure what technology their CEO used at home, with the majority (95%) claiming to be concerned that home smart devices could be hacked.

Over one in 10 (11%) respondents claimed that CEO or senior managers’ actions had put corporate security at risk, and three-quarters (75%) argued that their CEOs should pay more attention to cybersecurity in the future.

However, poor security policies and processes also seem to be to blame: 14% of UK CEOs still haven’t had any security training, while only 29% of respondents said they provide a daily cyber-report to their boss. A quarter (26%) said they only report major breaches to the CEO, perpetuating disengagement from cyber-related issues at the highest level.

In reality, cyber matters to CEOs as breaches could have a major impact on the bottom line and corporate reputation. Following a major incident, a third of respondents said they lost customers, 34% said it damaged reputation and over a fifth (23%) lost revenue.

“CEOs have wide access to their organization’s network resources, the authority to look into most areas, and frequently see themselves as exempt from the inconvenient rules applied to others. This makes them ideal targets,” argued RedSeal CTO, Mike Lloyd.

“The internet is a dangerous place where new security threats can evolve and rapidly mutate. Perfect defense is illusory; in a complex and interdependent world, some attacks are bound to succeed. Organizations must look to a strategy of resilience. They’ll survive only by planning in advance for how the inevitable successful attacks will be handled.”

Categories: Cyber Risk News

UK Government Staff Lost 500+ Devices Last Year

Wed, 07/17/2019 - 10:35

UK government workers have lost over 500 mobile devices and laptops over the past year, with just a small percentage ever recovered, according to new research from MobileIron.

The security vendor issued Freedom of Information (FOI) requests to nine government departments, all but one of which replied.

It found that public sector employees managed to lose 508 mobiles and laptops between January 2018 and April 2019.

It’s unclear whether these devices were password protected and/or if the data on them was encrypted, or if they had a remote wipe functionality to protect sensitive information. However, attackers could theoretically gain access to sensitive accounts if a device gets into the wrong hands without proper security controls in place.

“As the amount of business data that flows across devices, apps, networks, and cloud services continues to increase, it is essential that organizations have the right security protocols in place to minimize risk and prevent unauthorized access to sensitive data if a device is lost or stolen. Even one lost or stolen device provides a goldmine of readily accessible and highly critical data to potential fraudsters and hackers,” argued MobileIron UK and Ireland regional director, David Critchley.

The answer is to implement a zero-trust model, whereby users are forced to authenticate at all times, he said.

“This approach validates the device, establishes user context, checks app authorization, verifies the network, and detects and remediates threats before granting secure access to a device or user,” he added. “The zero-trust model allows organisations, including government departments, to significantly reduce risk by giving them complete control over their business data – even on lost or stolen devices.”

It’s not just the government that has been found wanting regarding the loss of devices. Last year, an FOI request revealed that the BBC had reported over 170 lost or stolen devices over the previous two years.

Categories: Cyber Risk News