Half of the top one million sites in the world are now using HTTPS, in a boost for global web security, according to a leading researcher.
Scott Helme revealed that growth had slowed at the start of the year, but picked up again in recent months so that 51.8% of Alexa Top 1 Million sites were redirecting to the secure protocol as of August.
“Looking at the history we've made serious progress in the last couple of years and again we're continuing to see maintained growth which is exactly what we need,” he said. “The web is now well on its way to being 100% encrypted and long may it continue.”
Part of this growth is thanks to Let’s Encrypt, a free, automated certificate authority which claimed a fortnight ago that it added six million HTTPS domains in just five days and now serves 124 million.
Another factor is that in July Chrome started warning visitors when they encounter non-HTTPS sites, a move which will certainly see more webmasters get proactive with adoption. Helme himself and fellow security researcher Troy Hunt have also been raising publicity via their whynohttps.com site.
Elsewhere, Helme observed a fall in the use of public key pinning (PKP) following Google’s decision to deprecate the security mechanism. Although it was originally intended to help prevent man-in-the-middle attacks, researchers have over recent years claimed that attackers could actually manipulate PKP to their own ends, for example by installing malicious pins.
Helme welcomed the increase in use of some security headers: specifically a 40% increase in CSP and a 23% increase in HSTS.
“Whilst we did see a slight reduction in the use of CSPRO, we saw a considerably larger increase in the use of CSP,” he explained. “My guess on what's most likely happening is that sites are moving from a report only version of a policy to an enforced version, which shows progress in deployments of CSP.”
However, it wasn’t all good news: Extended Validation (EV) certificate use doesn’t seem to have seen much growth, despite the growing popularity of HTTPS.
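An added example (not from the article or from Helme's own crawler) of how the categories in such a survey are told apart: it classifies constructed sample responses as redirecting to HTTPS, carrying a usable HSTS policy (a valid, positive max-age), serving CSP in enforced or report-only mode, and still serving the deprecated PKP header, then aggregates the profiles into percentages. The site names and headers are constructed sample data.

```python
"""Classify a site's HTTP response headers into the categories counted in
HTTPS/security-header surveys: HTTPS redirect, HSTS, CSP (enforced vs
report-only) and the deprecated Public-Key-Pins header.

Added example; the header sets below are constructed, not captured from real sites."""
from __future__ import annotations

import re
from dataclasses import dataclass, asdict
from typing import Mapping
from urllib.parse import urlparse


@dataclass
class HeaderProfile:
    https_redirect: bool   # a plain-http request ended on an https:// URL
    hsts: bool             # Strict-Transport-Security present with a positive max-age
    hsts_max_age: int      # parsed max-age (0 when absent or malformed)
    hsts_subdomains: bool  # includeSubDomains directive present
    csp_enforced: bool     # Content-Security-Policy present
    csp_report_only: bool  # Content-Security-Policy-Report-Only present
    pkp: bool              # Public-Key-Pins present (deprecated; should be removed)


def _lower_keys(headers: Mapping[str, str]) -> dict[str, str]:
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def parse_hsts(value: str) -> tuple[int, bool]:
    """Return (max_age, include_subdomains) from an HSTS header value.
    A missing or non-numeric max-age yields 0; the caller treats that as
    'no HSTS', since browsers ignore a policy without a valid max-age."""
    max_age = 0
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def classify(final_url: str, headers: Mapping[str, str]) -> HeaderProfile:
    """Classify one site from the URL a plain-http request finally landed on
    and the response headers served there."""
    h = _lower_keys(headers)
    max_age, include_sub = parse_hsts(h.get("strict-transport-security", ""))
    return HeaderProfile(
        https_redirect=urlparse(final_url).scheme == "https",
        hsts=max_age > 0,
        hsts_max_age=max_age,
        hsts_subdomains=include_sub,
        csp_enforced="content-security-policy" in h,
        csp_report_only="content-security-policy-report-only" in h,
        pkp="public-key-pins" in h,
    )


def survey(sites: Mapping[str, tuple[str, Mapping[str, str]]]) -> dict[str, float]:
    """Aggregate per-site profiles into the percentages a survey reports."""
    profiles = [classify(url, hdrs) for url, hdrs in sites.values()]
    n = len(profiles)
    keys = ["https_redirect", "hsts", "csp_enforced", "csp_report_only", "pkp"]
    return {k: round(100.0 * sum(asdict(p)[k] for p in profiles) / n, 1) for k in keys}


# Constructed sample data: (URL reached after following redirects, response headers).
SAMPLE_SITES = {
    "a.example": ("https://a.example/", {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'",
    }),
    "b.example": ("https://b.example/", {
        # Still in report-only mode: violations are reported, not blocked.
        "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp",
        "Strict-Transport-Security": "max-age=0",  # max-age=0 clears HSTS; not counted
    }),
    "c.example": ("http://c.example/", {}),  # never redirected to HTTPS
    "d.example": ("https://d.example/", {
        # Deprecated PKP still served; the pin value is a constructed placeholder.
        "Public-Key-Pins": 'pin-sha256="PLACEHOLDERPIN="; max-age=5184000',
        "strict-transport-security": "max-age=15768000",
    }),
}

if __name__ == "__main__":
    for name, (url, hdrs) in SAMPLE_SITES.items():
        print(name, asdict(classify(url, hdrs)))
    print(survey(SAMPLE_SITES))
```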
Crypto-mining malware detections jumped 96% in the first half of 2018 versus the whole of last year as cyber-criminals increasingly looked to more covert ways of making money, according to Trend Micro.
The security vendor claimed in its latest Midyear Security Roundup that it blocked over 20 billion threats in the first six months of this year.
However, fewer of these are standard “spray and pray” ransomware attacks and breaches, it claimed. In fact, 1H 2018 is the first time since the advent of ransomware in 2005 that there has been a decrease in new families discovered.
Instead, attackers are looking to crypto-jacking along with fileless, macro and small file malware techniques to fly under the radar.
There was a 956% increase in cryptocurrency malware detections versus 1H 2017, and a 250% increase in detections of small file malware, TinyPOS, compared to 2H 2017.
The findings chime with other research into the threat landscape. Check Point, for example, warned last month that the number of global organizations affected by cryptojacking rose from just under 21% in the second half of 2017 to 42% in 1H 2018, with cyber-criminals making an estimated $2.5bn over the past six months.
“The recent change in the threat landscape mirrors what we’ve seen for years — cyber-criminals will constantly shift their tools, tactics and procedures (TTPs) to improve their infection rates,” said Bharat Mistry, principal security strategist for Trend Micro.
“This means once again, business leaders must evaluate their defenses to ensure sufficient protection is in place to stop the latest and most pressing threats.”
On the plus side, data breach reporting remained pretty consistent during the period despite the advent of the GDPR, but the number of SCADA vulnerabilities reported by Trend Micro’s Zero Day Initiative doubled from 1H 2017.
The firm warned operators of Human Machine Interface (HMI) systems to be on the lookout for bugs as threat actors ramp up attacks from mere reconnaissance and testing to destructive raids.
In total, the ZDI published over 600 advisories in the first six months of 2018.
In a distributed-denial-of-service (DDoS) attack that began on Sunday, 26 August, and extended into today, Spain's central bank was knocked offline. While Banco de Espana struggled to fight off the attack, business operations were not disrupted, according to Reuters.
"We suffered a denial-of-service attack that intermittently affected access to our website, but it had no effect on the normal functioning of the entity," a spokeswoman for Banco de Espana wrote in an email.
DDoS attacks interrupt services by overwhelming network resources. Spain’s central bank is a noncommercial bank, which means that it does not offer banking services online or on site, and communications with the European Central Bank were not impacted.
“Worryingly, as of Tuesday afternoon their website remained offline despite the attack having started on Sunday. Whether this was as a result of an ongoing attack, recovering from any resulting damage or as a precaution pending a forensic investigation is not clear,” said Andrew Lloyd, president, Corero Network Security.
“The recent guidance from the Bank of England (BoE) requires banks to have the cyber-resilience to 'resist and recover' with a heavy emphasis on 'resist.' The BoE guidance is a modern take on the old adage that 'prevention is better than cure.' Whatever protection the Bank of Spain had in place to resist a DDoS attack has clearly proven to be insufficient to prevent this outage."
To help mitigate the risk of a DDoS attack, banks and other financial institutions can invest in real-time protection that can detect attacks before they compromise systems and impact customer service.
As of the time of writing this, the bank's website appears to be back online.
Six days after researchers discovered and publicly disclosed a vulnerability that affects the Ghostscript suite of software, a CERT alert was issued for a vulnerability found in the Microsoft Windows Task Scheduler that allows hackers to gain elevated system privileges.
The latest Microsoft Windows Task Scheduler contains a local privilege escalation vulnerability. “With the latest Windows OS vulnerability made public, IT professionals need to be extra vigilant regarding their network users’ behaviors,” said Justin Jett, director of audit and compliance for Plixer.
“The PoC released by researcher SandboxEscaper on Twitter gives malicious actors leverage needed to break into organizations to steal valuable information. Network traffic analytics should continue to be used to detect anomalous traffic going across the network and to spot where users are behaving in a way that they historically don’t,” Jett continued.
“We’ll have to wait for Microsoft to respond, but if nothing is released until the scheduled September 11 Patch Tuesday, hackers will have a two-week window to take advantage of this vulnerability.”
A second Ghostscript vulnerability, disclosed by the eSentire Threat Intelligence team, allows the -dSAFER sandbox, which is intended to validate content, to be circumvented so that malicious content gets through. By sending a malformed file (PDF, PostScript, XPS or EPS), a malicious actor is able to carry out the attack: when the file reaches the Ghostscript interpreter, it executes automatically and infects the host machine.
“If exploited the vulnerability could allow a remote, unauthenticated threat actor to run commands, create files and delete or extract data. The exploitation of this vulnerability has not been seen in the wild at this time, but proof of concept code has been released. It is likely that more widespread exploitation attempts will be seen in the near future,” researchers wrote in a post today.
A patch has not yet been released; however, researchers wrote, “a potential short term fix for this vulnerability is to disable PS, EPS, PDF, and XPS coders. This is not recommended due to the high potential for business disruption. Due to the wide range of programs that rely on Ghostscript this vulnerability should be taken seriously and patches should be applied as soon as vendors make them available.”
Systems known to be affected include those of Artifex Software Inc., CentOS, LinkUs, Ubuntu, SUSE Linux and Red Hat Inc. There is potential that Apple, Arch Linux, Arista Networks Inc. and ASP Linux are also affected. eSentire advised that patches should be applied as quickly as possible once they are released.
Poland's National Cybersecurity System Act, which aims to ensure an appropriate level of security of ICT systems, today enters into full effect. Originally adopted on 5 July 2018 by the Sejm, the lower house of the Parliament of Poland, the system covers a wide range of entities from operators of essential services to digital service providers and a cybersecurity council.
Along with its executive regulations, the act will fully implement the EU NIS Directive into Poland's legal order and create a single point of contact for cybersecurity matters.
Earlier this month, Poland was one of 17 countries to receive a warning from the European Commission for missing the 9 May 2018 deadline “to adopt an EU Directive that is designed to ensure the security of digital networks and information systems across the EU,” according to CISO Mag.
Concerns over the security of critical infrastructure have continued to grow as “the number of reported vulnerabilities related to supervisory control and data acquisition (SCADA) systems increased since the second half of 2017, and many of these vulnerabilities were found in human-machine interface (HMI) software,” according to a post from Trend Micro today.
The act distinguishes three different computer security incident response teams (CSIRTs). The teams will each be responsible for handling incident response in three particular realms of Poland’s cyberspace. CSIRT GOV will respond to governmental and subordinate unit infrastructures, including the NBP and BGK banks.
The CSIRT NASK team will be responsible for handling citizen and company incidents, including self-governmental organizations and state universities.
Finally, the CSIRT MON will handle the computer security incident response for entities supervised by the Ministry of Defense, which will include companies with economic and military significance.
In categorizing the responses, the teams will identify incidents as either critical, serious or significant.
There has been a huge annual rise in data breach complaints to the Information Commissioner’s Office (ICO) following the start of the General Data Protection Regulation (GDPR) regime, according to a leading law firm.
An FOI request issued by London-headquartered EMW revealed that the watchdog received 6281 complaints between May 25 and July 3 this year: a 160% increase on the same period in 2017.
It’s believed that the increased publicity and extra powers it gives to consumers on managing and accessing details about their personal data could have driven the rise.
To cope with the extra burden, the ICO itself is on a recruiting drive and hopes to increase the number of full-time staff from the current 530 up to 720, the report also revealed.
Its annual funding of £24m will also shoot up to £38m in 2018-19.
Mark Adams, regional vice-president of UK & Ireland at Veeam, claimed the figures should be a wake-up call for UK businesses.
“If this significant rise of GDPR-fuelled complaints tells us anything, it’s that how businesses handle data is now fully immersed within the public consciousness,” he added. “Businesses must therefore now become far more proactive in managing that data, because the cost of failure exceeds the now infamously heavy penalties. It could also cause a long tail of damage for a company’s brand and reputation.”
Adams recommended firms deliver company-wide training for employees on data handling and how to spot phishing attacks, to improve awareness, alongside intelligent data management tools and effective incident response processes.
The latter could be in trouble with the ICO after grossly underestimating the size of the breach, which is now said to affect as many as 10 million customers.
The volume of Business Email Compromise (BEC) attacks caught by a leading security provider jumped by 80% over the past quarter.
Mimecast’s latest Email Security Risk Assessment (ESRA) report revealed the provider blocked over 41,000 impersonation attempts over the latest three-month period which were missed by other vendors. This could indicate its detection is getting better, rival vendors are getting worse and/or BEC attacks are becoming more popular.
Business Email Compromise typically occurs when members of the finance team are socially engineered into making massive fund transfers from the corporate bank account to third parties. Attackers do this either by spoofing the email of the CEO or CFO, or even by phishing and hacking their email account first.
There was a 136% increase in BEC losses between December 2016 and May 2018, with over $12.5bn lost globally between October 2013 and May 2018, according to the FBI.
Mimecast’s ESRA also revealed that the vendor caught over 19 million pieces of spam, 200,000 malicious links, 13,176 emails containing dangerous file types and 15,656 malware attachments.
“Targeted malware, heavily socially-engineered impersonation attacks, and phishing threats are still reaching employee inboxes. This leaves organizations at risk of a data breach and financial loss,” said Matthew Gardiner, cybersecurity strategist at Mimecast.
The findings highlight email as the enduring threat vector of choice for cyber-attackers.
Trend Micro’s annual round-up report, The Paradox of Cyberthreats, revealed that of the 66.4 billion threats blocked by the security vendor in 2017, over 85% were in emails containing malicious content.
It also recorded a doubling of BEC attack volumes in the second half of 2017 versus the first half of the year.
A security researcher has discovered yet another misconfigured MongoDB installation online, this time exposing over 200,000 highly sensitive corporate documents.
The 142GB MongoDB account was hosted on Amazon Web Services (AWS) infrastructure in the US and belonged to global document recognition and content capture software developer ABBYY, according to former Kromtech man Bob Diachenko.
Unfortunately, the account was left totally unprotected, with no password or log-in, meaning anyone with internet access could theoretically have gained entry.
“The biggest concern was the fact MongoDB in question also contained a large chunk of scanned documents (more than 200,000 contracts, NDAs, memos, letters and other internal documentation, properly OCR'd and stored) which apparently were stored by ABBYY partners using their administration console,” he explained.
The firm’s head of information security replied to Diachenko’s email requesting more info.
“Database access was disabled soon after I sent him the IP address (two days after my initial notification), but questions still remain as to how long it had been left without password/login, who else got access to it and whether they would notify their customers of the incident,” he added.
A statement sent to the researcher following the incident claimed the “temporary data breach” affected just one of the developer’s customers, and that a “full corrective security review of our infrastructure, processes and procedures” has been undertaken.
ABBYY lists major global companies and governments among its customer base, including Deloitte, McDonald’s, Volkswagen and the Reserve Bank of Australia.
The firm is fortunate Diachenko found the trove of documents rather than online attackers who last year twice ran major campaigns in which data was stolen from exposed servers before being ransomed. It’s believed tens of thousands of victims were involved.
Unfortunately for small-to-medium-sized businesses (SMBs), many employees remain ignorant to the reality of cyber threats, making decisions that continue to put the company at risk, according to a new study from Switchfast Technologies.
The study found that one in three business owners do not have safeguards in place to combat cyber breaches and that 60% of small businesses that suffer a breach go out of business within six months. With legislation like the National Institute of Standards and Technology Small Business Cybersecurity Act being put in place, it’s clear that cybersecurity has become a weakness for SMBs.
In large part, employees remain unaware of the cybersecurity threats they face both in and out of the office, in part because the businesses themselves are not taking cybersecurity seriously. The study found that 35% of employees haven’t changed their work email password in the last year. The risk to businesses from weak password policy is compounded by the number of employees (19%) who share their passwords with colleagues. The same proportion of employees reported that they use personally identifiable numbers (birthday, anniversary, Social Security number) in their work email password.
In addition, 26% do not know what the dark web is, which means that they are also unaware that their personal data may be on it. All the while, few organizations are reportedly providing cybersecurity guidance to their employees. Nearly 21% of those surveyed said their company has never provided cybersecurity training and 65% said their company has never run a phishing email test.
“Today’s cybercriminals employ a variety of complex attack methods to exploit business weaknesses and target employees with bad cyber hygiene, whether it’s the CEO or an intern, bypassing the basic security measures most companies have in place,” according to the report.
“Until they recognize they are prime targets for hackers and adjust their security strategies, small businesses will continue to fall victim to rampant cyberattacks.”
Nation-state threats continue to pose risks to national security. In an effort to mitigate those attacks, Google continues to improve its security tools to better detect and respond to state-sponsored threats, particularly with regard to protecting political campaigns and local, state and national elections.
In “An Update of State-Sponsored Activity” published 23 August, Kent Walker, SVP of Google’s global affairs, wrote that its threat analysis group has been working with its partners at Jigsaw and the Google Trust & Safety team to identify bad actors, disable their accounts, warn users and share intelligence – both with other companies and law enforcement officials.
Three specific areas of work that Google has focused on include “state-sponsored phishing attacks, technical attribution of a recently reported influence campaign from Iran and detection and termination of activity on Google properties.” To that end, Gmail users recently received a notification from Google alerting them to take immediate action against government-backed attackers who may have been attempting to steal passwords.
“Google’s efforts to track and terminate deceptive campaigns of influence run by inauthentic nation-state actors is a step in the right direction. Deception is one of the most effective and pernicious cyber-threats facing Americans and democracy today,” said Rick Moy, chief marketing officer at Acalvio.
“This coordinated action with other security organizations should be welcomed. While some may characterize this as censorship, the evidence presented in the reports is transparent and open to vetting and analysis by the broader community.”
Yet not all experts in the security industry welcome these types of coordinated efforts. “Everyone appreciates any action taken to prevent any interference with the US political process. However, we must be careful that private actions done outside of the appropriate legal framework don't result in exactly the opposite results that those actions were trying to protect against,” said Joseph Kucic, chief security officer at Cavirin.
“There should be a governmental process implemented, similar to a FISA court, where appropriate oversight is in place prior to private companies taking actions against perceived bad actors (individuals and/or companies).”
In an effort to reduce online fraud, the National Cybersecurity Center of Excellence (NCCoE), a subdivision of the National Institute of Standards and Technology (NIST), announced it is now accepting feedback on its draft exploring the ways in which multi-factor authentication can help to mitigate fraudulent online purchases.
As was the case in Europe after retailers adopted chip-and-pin technologies, retailers in the US have seen a spike in ecommerce fraud. In fact, the US saw a 30% increase in online fraud and credit card theft during 2017.
After chip-and-signature and chip-and-PIN security measures were adopted, cyber-criminals shifted their fraudulent activity to the ecommerce space. Ironically, the increased point-of-sale security has given rise to greater fraud with online card-not-present transactions.
The technology partners that collaborated on the project signed a cooperative research-and-development agreement and worked in a consortium with NIST to build the draft, NIST Special Publication 1800-17, Multifactor Authentication for E-Commerce. With the draft, retailers will be able to implement the example solutions by following the step-by-step guide.
Collaborating with stakeholders in the retail sector, NCCoE has developed a draft that explores the use of multifactor authentication in a variety of risk-based scenarios. “In the project’s example implementations, if certain risk elements (contextual data related to the transaction) are exceeded that could indicate an increased likelihood of fraudulent activity during the online shopping session, the purchaser will be prompted to present another distinct authentication factor – something the purchaser has – in addition to the username and password,” NIST wrote.
The practice guide is intended to help organizations reduce fraudulent online purchases, including those that use credential stuffing to take over accounts. The guide also aims to protect the ecommerce systems of participating organizations, which will in turn demonstrate to customers that security is a priority for the organization. By providing greater situational awareness, the guide will allow retailers to avoid system-administrator-account takeover through phishing.
The guide has been divided into three volumes for greater ease of use. Comments are currently open and can be submitted to NIST by 22 October 2018 by using this online form.
On the heels of Iran driving a disinformation campaign on Facebook, researchers have discovered a spoofed university login page that appears to be part of a larger credential theft campaign believed to be the work of COBALT DICKENS, a threat group associated with the Iranian government.
According to the Counter Threat Unit (CTU) research team at Secureworks, 16 domains contained more than 300 spoofed websites and 76 university login pages across 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.
Unsuspecting victims who entered their login credentials into the spoofed pages were then redirected to the legitimate website, where they were either automatically logged into a valid session or asked to re-enter their credentials. “Numerous spoofed domains referenced the targeted universities' online library systems, indicating the threat actors' intent to gain access to these resources,” researchers wrote.
On 23 March 2018, the Department of Justice issued indictment charges against nine Iranians alleged to be associated with the Iran-based company, Mabna Institute, that reportedly conducted cyber-intrusion campaigns into the computer systems of universities around the globe between 2013 and 2017.
“These nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries,” said Deputy Attorney General Rod Rosenstein.
Despite indictments in March 2018, the Iranian threat group is believed to still be targeting global universities to compromise credentials through the same spoofing tactics as previous attacks.
“Universities are attractive targets for threat actors interested in obtaining intellectual property. In addition to being more difficult to secure than heavily regulated finance or healthcare organizations, universities are known to develop cutting-edge research and can attract global researchers and students. CTU researchers have contacted various global partners to address this threat,” researchers wrote.
The cybersecurity team at T-Mobile discovered and halted an attack after a malicious actor had gained unauthorized access to the personal information of some customers during an ongoing security breach that the company disclosed on 20 August.
While no financial data, passwords or Social Security numbers were compromised, T-Mobile wrote, “You should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”
The company also affirmed that it has security measures in place to protect customer information from unauthorized access, though they provided no specifics on the details of those safeguards.
“This security incident favorably stands out among many others by prompt detection and transparent disclosure,” said Ilia Kolochenko, CEO, High-Tech Bridge.
“Many of the recent data breaches, including the most disastrous ones, were discovered weeks ago but then announced months after the occurrence. T-Mobile serves as a laudable example of prompt incident response. This, however, does not absolve them from accountability for the breach and further cybersecurity enhancement to prevent similar incidents in the future.”
Cell phones being compromised puts both individuals and enterprises at risk of all types of exploitation. Despite the prompt detection and response, the information compromised during the security breach could be used for nefarious purposes, according to Amit Sethi, security consultant at Synopsys.
“Hackers stole customer names, ZIP codes, phone numbers, email addresses, account numbers and account types. This information can potentially be used in targeted attacks where attackers can impersonate customers to T-Mobile’s customer service representatives," Sethi said.
“Attackers may also be able to impersonate the customers to other wireless carriers and attempt to port the numbers in order to hijack the phone numbers. People who are impacted should ensure that they have set up a PIN with T-Mobile that they use to authenticate to customer service representatives and that is required to port their phone numbers to another carrier.”
Election security has again been called into question after millions of Texas voter records were left exposed. A file discovered by Flash Gordon, a New Zealand-based data breach hunter, was left on an unsecured server without a password, according to TechCrunch. Of the 15.2 million total registered Texas voters, an astounding 14.8 million records were left exposed on a single file.
The data in the file was reportedly compiled by a conservative-focused data firm, The Data Trust, and contained personal information such as voters’ names, addresses, gender and several years’ worth of voting history, including primaries and presidential elections.
“The data also included gauges on voters’ views regarding immigration, abortion and the Second Amendment. The file also held data assessing if voters trusted Hillary Clinton,” The Hill reported.
The news comes at a time when trust in data protection and privacy with regard to voting is low. Confirmation of Russian meddling has set off alarms across the aisle as candidates move toward midterm elections. That 14.8 million personal records of Texas voters were found on an unprotected server, without even the basic security measure of a password, does little to boost confidence in election systems, said Bill Evans, a vice president at One Identity.
“The idea of having a database like this sitting with no password is such an incredible lapse in judgment today. While we all know that keeping up with password best practices can be somewhat annoying – forgetting and resetting them in a broken cycle – it is inexcusable and maybe illegal to leave data that contains personal information like this completely unprotected,” Evans said.
“It is a good reminder, however, and call to action for any organization that is storing sensitive data, that it is their responsibility to ensure security, as well as authentication to access it. There are four basic security measures that should be part and parcel of doing business today. Those include end-user education, multi-factor authentication, privileged-access management, and access governance to ensure only the right people have the right access to the right things at the right time.”
Former NSA contractor-turned-whistleblower Reality Winner has been sentenced to over five years in prison after leaking details on Russian efforts to target the 2016 presidential election.
The 63-month sentence was expected but her supporters have always argued that she acted out of frustration that the truth of Kremlin targeting of voting infrastructure was not being outed, and of misinformation in the right-wing broadcast media.
In fact, the subsequent report from The Intercept provided local election officials with information that had up to that point been withheld from them by the intelligence agencies.
However, it was that report that was to be her downfall, after a copy of the top secret intelligence document she printed and smuggled out in her underwear was shared by the publication with the authorities in order to prove its veracity.
Unfortunately, tiny microdots on the paper identified the printer that had been used along with the date and time, leading investigators to Winner.
The information blew the lid on the true scale of Russian attempts to impact the 2016 election, detailing how Kremlin hackers had spear-phished at least 100 state and local voting officials in the week prior to election day, by targeting a US voting software supplier.
A statement from The Intercept stopped short of an apology and instead focused on Winner’s selflessness.
“After an internal review, we acknowledged shortcomings in our handling of the document. However, it soon became clear that the government had at its disposal, and had aggressively used, multiple methods to quickly hunt down Winner,” it read.
“Reality Winner’s courage and sacrifice for the good of her country should be honored, not punished. Selective and politically motivated prosecutions of leakers and whistleblowers under the Espionage Act — which dramatically escalated under Barack Obama, opening the door for the Trump Justice Department’s abuses — are an attack on the First Amendment that will one day be judged harshly by history.”
The sentence could be viewed as particularly harsh given that no US personnel were put in any danger, nor information disclosed that foreign agents wouldn’t already have access to.
Over half a million customers of US restaurant chain Cheddar’s Scratch Kitchen have had their payment card information compromised after an unauthorized intrusion at the company.
Parent company Darden Restaurants said it was notified by the “federal authorities” that attackers are likely to have swiped 567,000 payment card numbers after compromising a legacy POS system.
Guests who visited restaurants in 23 states between November 3, 2017 and January 2, 2018 could be affected.
“Upon being notified of this incident, we activated our response plan and we engaged a third-party forensic cybersecurity firm to investigate,” the company said. “Our current systems and networks were not impacted by this incident. In fact, this incident occurred on a legacy Cheddar's system that was permanently disabled and replaced by April 10, 2018, as part of our integration process.”
Identity protection services from ID Experts are being provided free of charge to those users affected.
Ryan Wilk, VP at NuData Security, argued that the breach risk has now effectively spread to “payment card providers and any other organizations with whom the victims hold accounts.”
“Once personal and financial information such as this is accessible to criminals, it feeds the pipeline of future cybercrime for years to come,” he argued.
“What companies can do at this point is to implement a different method of account protection to stop the damage after breaches. This is why businesses operating online are applying multi-layered security strategies with passive biometrics and behavioral analytics.”
The affected states are: Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin.
Security experts are warning of another critical CVSS 10.0 vulnerability in Apache Struts, the framework that resulted in a major breach at Equifax last year.
Remote code execution vulnerability CVE-2018-11776 already has a working exploit published for it, meaning organizations should prioritize a fix.
Vendor Risk Based Security gave a “full stop, all hands on deck” warning to administrators to patch ASAP.
“Even though this issue has just been disclosed, VulnDB has already rated the ‘Social Risk Score’ as High,” it added. “This means that based on the already strong social media presence discussing the vulnerability, the odds of active exploitation will be higher than average.”
Last year, credit agency Equifax was breached to the tune of over 140 million customers, nearly half the population of the US, after failing to patch a known Apache Struts vulnerability for several months.
However, the pressure to patch never relents: already this year there have been 1426 vulnerabilities disclosed with a CVSS rating of 10.0, according to Risk Based Security.
“For organizations who may say ‘well we don’t use Apache Struts, we’re safe!’, we want to remind you that Apache Struts is a third-party library of sorts and can be found in numerous high-profile products,” it added.
These include products from Cisco, Hitachi, IBM, MicroFocus, Oracle and VMware.
The bad news is that organizations appear overwhelmed with the patch load, according to new research from Kollective.
Its State of Software Delivery research revealed that 37% of US and UK IT managers believe “a failure to install updates” is their biggest security threat of 2018.
Yet over a quarter (27%) of respondents said it takes at least a month before they can install updates, a figure rising to 45% for businesses with over 100,000 endpoints.
“While it’s obviously important for IT teams to spend time testing new software and updates before rolling them out, our research has found that many of the delays in software distribution aren’t because of testing, but rather a lack of infrastructure,” explained Kollective CEO, Dan Vetras.
“Poorly constructed networks mean that even those companies that have made a significant investment in security software are still leaving their organizations vulnerable to attack. With a growing number of applications being left out of date, today’s businesses are creating their own backdoors for hackers, botnets and malware to attack.”
Two recent ransomware campaigns have earned attackers over $1m.
According to Bleeping Computer, those behind the Ryuk ransomware earned over $640,000, while those operating a scam tactic to convince people there was a compromising video of the victim made $500,000 according to Motherboard.
While the sextortion phishing scam was widespread, it did ask for $1400 in Bitcoin, and according to research by Banbreach of around 770 Bitcoin wallets, 230 had over 1000 transactions, receiving a total of around 70.8 BTC.
The Ryuk ransomware asked victims to pay either 15-35 Bitcoin or 50 Bitcoin, depending on which ransom note was received. Raj Samani, chief scientist and fellow at McAfee, told Infosecurity that the ransom demanded for Ryuk is very high when compared to other ransomware variants.
“This suggests this is a straightforward extortion campaign as opposed to a case of pseudo ransomware,” he said. “It also suggests a very targeted campaign aimed at organizations – part of a growing trend of enterprise-targeted campaigns.”
Andy Norton, director of threat intelligence at Lastline, said: “SamSam, Bitpaymer and now Ryuk have targeted corporate environments with fast spreading lateral infection behaviors. This is proving to be a successful model for them, as the disruption of business processes or services is the first cost the victim considers, then the time and money it takes to perform an actual investigation, backup and restore affected machines.
“As a rule of thumb, this is roughly double the cost of paying the ransom, so judging by the three transactions into one of the Ryuk bitcoin wallets, it looks like some victims have chosen to pay the ransom as the lesser evil.”
On the sextortion scam, Norton said that this was “very convincing” as it highlights bad password practices “so if you don’t change your passwords after a breach or reuse passwords across different portals, then the chances are the password they send you will still be accurate and therefore be very believable.”
Researchers have discovered the advanced persistent threat group Lazarus using AppleJeus, a new malicious operation. While assisting with incident response efforts in previous attacks from the group, researchers unexpectedly identified an attacker penetrating the network of a cryptocurrency exchange in Asia. The attacker used Trojanized cryptocurrency trading software, with the reported goal of stealing cryptocurrency from victims.
A previously unidentified version of a Windows-based malware was targeting the macOS platform, according to today's press release. The group was able to compromise the stock exchange's infrastructure by bamboozling an unsuspecting employee into downloading a third-party application from a specious website.
"The application’s code is not suspicious, with the exception of one component – an updater. In legitimate software, such components are used to download new versions of programs," Kaspersky wrote in the press release.
"In the case of AppleJeus, it acts like a reconnaissance module: first it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update."
Though the operation looks similar to a supply-chain attack, it is reportedly not, because the vendor of the cryptocurrency trading software holds a valid certificate for signing its software and legitimate registration records for the domain.
“We noticed a growing interest of the Lazarus group in cryptocurrency markets at the beginning of 2017, when Monero mining software was installed on one of their servers by a Lazarus operator. Since then, they have been spotted several times targeting cryptocurrency exchanges alongside regular financial organizations,” noted Vitaly Kamluk, head of GReAT APAC, Kaspersky Lab.
“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future," Kamluk said. "For macOS users this case is a wake-up call, especially if they use their Macs to perform operations with cryptocurrencies.”
The primary security concern with regard to internet-of-things (IoT) devices has largely been focused on individual security and privacy, but researchers at Princeton University found another substantial way an attacker could compromise IoT devices and use them to disrupt the power grid.
At last week’s 27th USENIX Security Symposium in Baltimore, Maryland, researchers presented their findings that high-wattage IoT devices, dubbed BlackIoT, pose significant risks to power grids.
This new type of attack on the actual power grid is distinctly different from threats to SCADA systems, according to the recently released white paper, BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid. Researchers proposed that an attack could happen if a malicious actor exploited high-wattage IoT devices to manipulate demand via IoT attacks, resulting in local power outages and large-scale blackouts.
“An Internet of Things (IoT) botnet of high wattage devices – such as air conditioners and heaters – gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid,” researchers wrote.
“In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid,” they wrote.
Attacks could result in frequency instability, line failures and cascading failures, all of which could increase operating costs.
“Overall, our work sheds light upon the interdependency between the vulnerability of the IoT and that of other networks such as the power grid whose security requires attention from both the systems security and the power engineering communities. We hope that our work serves to protect the grid against future threats from insecure IoT devices,” they wrote.
The scenario presented in their findings is alarming yet not surprising to some industry experts. “This is directly analogous to an internet DOS [denial-of-service] attack, where an army of poorly protected computers flood a website with traffic,” said Ray DeMeo, co-founder and COO, Virsec.
“While we might hope IoT devices are built with adequate security, we should assume they are vulnerable. Smart grid technology will have to become smarter in a hurry to detect this new type of abuse."