Info Security


UK Mid-Sized Firms Lost £30bn to Attacks in 2018

Tue, 07/16/2019 - 08:57

Cybersecurity incidents have cost UK mid-market firms a combined £30bn over the past year as automated attacks become the norm, according to Grant Thornton.

The accounting and consulting giant interviewed 500 UK business leaders from firms with revenue of between £15m and £1bn to compile its latest study, Cyber security: the board report.

It revealed that more than half of those polled had reported losses of between 3% and 10% of revenue following a cybersecurity breach. For those hit hardest, losses were up to 25% of revenue.

Reputational loss (58%) was the most commonly reported impact of a cyber-attack, followed by clean-up costs (45%), management time (44%), loss of turnover (39%), and customer churn/behavior change (35%).

Part of the problem is that many mid-market firms still believe they are able to avoid the scrutiny of cyber-criminals, and therefore pay less attention to security best practice.

Less than a third (31%) claimed to follow minimum cybersecurity standards, versus 46% of large companies; just half (48%) conduct risk assessments versus 69% in larger enterprises; and 55% do cyber health checks compared to 64%.

Risks will only increase as automated attack techniques grow in popularity – enabling vulnerability identification, credential stuffing, and open source information scraping en masse.

“It’s the equivalent of thieves driving down a street to see who’s left their door open. Criminals exploit the vulnerable networks they identify or sell the list of promising targets on to others eager to exploit the opportunity. If your defenses are not up to scratch, you could already be on a list,” argued Grant Thornton head of cybersecurity, James Arthur.

“The reality is that it’s not the size or profile of a business that attracts the interest of cyber-criminals. They have increasingly sophisticated targeting tools and are using these to launch an increasing volume of attacks against anyone who looks like they have weak defenses. It’s not personal – it’s just business.”

Putting cyber risk on the board agenda is one of the best ways to regain the initiative and minimize the chances of a successful attack, but challenges persist, the consultancy claimed.

Only two-fifths (41%) of respondents claimed to have an incident response plan in place, and even fewer (37%) said their board formally reviews cybersecurity, or that there’s a security-specific role on the board (37%). Just 36% said they had provided all staff with security training over the past year.

In most cases the board member with responsibility for cyber is the CIO (31%), CTO (23%), CEO (16%) or CFO (15%). Chief security officer doesn’t feature at all.

Categories: Cyber Risk News

Oracle to Release Critical Patch Update

Mon, 07/15/2019 - 16:50

Oracle will release its Critical Patch Update on July 16, 2019, which will include seven new fixes for the Oracle database server, according to a pre-release announcement.   

“While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory,” Oracle wrote.

The Critical Patch Update is a collection of patches for multiple security vulnerabilities, and the July 16 update contains 322 new fixes. Six of the security vulnerabilities were reportedly discovered by the Onapsis Research Labs team.

"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the announcement stated.

Two of the six different patches that were originally reported by the Onapsis Research Lab team addressed "critical vulnerabilities in the Oracle E-Business Suite (EBS), which has been deeply researched by Onapsis in the last few years,” researchers wrote. “Successfully exploiting these vulnerabilities may allow an attacker three critical scenarios compromising the integrity and availability of EBS: remote code execution in the server, remote code execution in the client and a Denial of Service.”

The two vulnerabilities reported by Onapsis are an unrestricted file upload, which was originally reported in November 2018 and leads to remote code execution (CVSS 9.1), and a reflected server-side request forgery, which was originally reported in April 2019 and can lead to a denial of service (DoS) and a client-side remote code execution (CVSS 9.6).

If left unpatched, these vulnerabilities have the potential to allow remote code execution and DoS. Disrupting a critical service such as an ERP system makes this a critical attack, since it affects the availability, confidentiality and integrity of the data.

“Both vulnerabilities allow remote command execution, one in any EBS client and the other one directly on the server side. Even though all the announced CPUs should be applied, these critical vulnerabilities must be immediately addressed, and customers should prioritize implementation of the patches in order to avoid malicious exploitation,” the blog stated.

Categories: Cyber Risk News

Monroe College Campuses Downed by Ransomware

Mon, 07/15/2019 - 15:13

Multiple campuses of Monroe College have had their systems downed after a ransomware attack reportedly struck the for-profit institution on July 11. 

The attack reportedly affected each of Monroe’s campuses in Manhattan and New Rochelle, New York, and St. Lucia, and emails have been compromised. Infosecurity contacted Monroe College via the email listed on its website, but the message was returned as undeliverable, indicating that systems are still downed.

The college took to Twitter to share the news with its online students.

In a statement, Marc Jerome, president of Monroe College, said, “Our team is working feverishly to bring everything back online, and we are working with the appropriate authorities to resolve the situation as quickly as possible,” according to Insider Higher Ed.

“In the meantime, Monroe continues to operate. We’re simply doing it the way colleges did before email and the internet, which results in more personal interactions. As we have done throughout our 86-year history, we are coming together to assure that our students, faculty and staff are well served."

An attacker demanded the college pay $2 million to have its files decrypted. Jackie Ruegger, executive director of public affairs at the college, reportedly told Inside Higher Ed that the college knows who conducted the attack. Infosecurity attempted to call the numbers listed on the Twitter message, but the recipient disconnected the calls. 

The attack follows a number of university cyber-attacks, including the recent OSU, Graceland University and Missouri Southern State University email-based breaches in the last few months. According to recent data from Mimecast’s State of Email Security report, 56% of organizations in the education sector saw an increase in phishing with malicious links or attachments in the last year. It took 31% two to three days to get back to a recovered state after suffering an email-based attack. Over two-fifths (42%) of organizations say ransomware has impacted their business operations in the last 12 months, and 73% have experienced two to five days of downtime as a result of the ransomware attack.

Categories: Cyber Risk News

Nearly 20% of Organizations Still Run Windows 7

Mon, 07/15/2019 - 14:18

Despite the awareness that in six months Microsoft will officially end its support for its nearly 10-year-old operating system, Windows 7, 18% of large enterprises have not yet migrated to Windows 10, according to new research from Kollective.

At the start of 2019, researchers found that 43% of companies were still running Windows 7. Of those, 17% didn’t even know about the end of support. In its most recent analysis of 200 US and UK IT decision makers, the report revealed that organizations have a long way to go to prepare for the much anticipated end of Windows 7 support.

Six months later, 96% of IT departments have started their migration, and 77% have completed the move. However, given that the migration from Windows XP to Windows 7 reportedly took some firms more than three years to complete, companies that have not started migration are at risk of missing the final deadline.

In order to aid organizations in deploying a new OS to all endpoints, Microsoft has provided different options for companies still running Windows 7, one of which includes an extended support package at an annual cost of up to $500,000 for a company with 10,000-plus endpoints, the research said.

“The combined versions of Microsoft Windows operating systems equal more than 50 percent of global operating system usage. Windows 10 has the lion’s share of the market, which bodes well for security since Microsoft’s support for Windows 7 will end in January 2020,” wrote the Center for Internet Security (CIS), which released the CIS Controls Microsoft Windows 10 Cyber Hygiene Guide on July 11.

“Though many businesses are better prepared now than they were for the end of Windows XP, the move to Windows 10 comes with its own set of challenges,” said Dan Vetras, CEO of Kollective. “The migration itself is only the first step. IT managers moving to Windows 10 now have to prepare their networks for increasingly frequent ‘as a service’ updates to the OS. They will need to ensure their networks are ready for more testing, more roll outs and more network congestion to keep up to date.”

Categories: Cyber Risk News

Chinese Software Engineer Accused of US IP Theft

Mon, 07/15/2019 - 09:50

A Chinese software engineer is still on the run after being accused of stealing intellectual property for his new employer.

Xudong (“William”) Yao, 57, worked at a Chicago-based manufacturer of equipment for train engines from August 2014, according to a December 2017 indictment unsealed last week.

Yet after just two weeks in his role, Yao had downloaded 3000 files containing proprietary and trade secret information relating to the system that operates the manufacturer’s locomotives, the Department of Justice (DoJ) claimed.

Other information, including technical documents and source code, was also downloaded by Yao over the next six months. At the same time, he apparently reached out to and accepted a place at a Chinese firm that provides automotive telematics service systems.

After Yao’s employment was terminated for unrelated reasons in February 2015, he made copies of all the stolen trade secret info and traveled home to China to start his employment at the company there.

Flying from Chicago O’Hare airport in November that year, he is alleged to have had in his possession the stolen trade secrets, including nine copies of control system source code and system specs explaining how the code worked, according to the indictment.

Yao faces a maximum of 10 years behind bars if found guilty of the nine counts of theft of trade secrets. But it’s unlikely he will be caught, unless he makes the mistake of setting foot back in the US or an allied country.

China has long been considered a prodigious stealer of intellectual property, whether it’s state-backed cyber-espionage designed to give domestic companies an advantage, or the behavior of individuals looking to abuse their insider positions at Western companies.

In June, a Chinese engineer was found guilty of conspiring to illegally export US semiconductors with military applications back home.

Categories: Cyber Risk News

Japanese Exchange Bitpoint Hit By $32m Cyber-Attack

Mon, 07/15/2019 - 08:56

Japan-based cryptocurrency exchange Bitpoint has become the latest to lose tens of millions of dollars in a cyber-attack.

The firm said it was forced on Friday to stop all services — including withdrawals, deposits, payments, and new account openings — while it investigated the incident. It has also notified the relevant authorities in Japan.

Hackers managed to steal funds not only from the firm’s hot wallets, but also from its offline cold wallets. After first detecting an error in Ripple remittances, Bitpoint said it realized it had been the victim of a cyber-attack. It then took another three hours before the firm realized the attack had also compromised funds stored in Bitcoin, Bitcoin Cash, Litecoin, and Ethereum.

A total of around 3.5 billion yen ($32 million) had been stolen, most ($23m) of which were customer-owned funds. The remainder belonged to Bitpoint, but it’s not clear at this stage whether the firm is planning to reimburse its customers.

The firm is the latest in a long line of cryptocurrency exchanges to come under the scrutiny of cyber-criminals. Last year, two Japanese exchanges were hit: Zaif lost 6.7bn yen ($60m) after hackers stole it from a hot wallet, while Coincheck lost 500m NEM tokens worth $530m at the time.

Just last month, Singaporean cryptocurrency exchange Bitrue was estimated to have lost around $4.5m in funds after hackers breached a hot wallet and moved the funds to other exchanges. A month previous, hackers stole in the region of $41m from Binance in a single hot wallet transaction.

In most incidents, at least the majority of stolen money is returned to customers.

Last month, Europol convened a meeting of cryptocurrency experts at its HQ in the Hague in a bid to share best practice and build partnerships to improve policing of digital crimes.

Categories: Cyber Risk News

Facebook Set For Record $5bn FTC Fine

Mon, 07/15/2019 - 08:01

Facebook is reportedly set to be handed a record $5bn fine by a US regulator over privacy violations leading to the Cambridge Analytica scandal.

The Federal Trade Commission (FTC) is said to have made the decision following an investigation begun in March last year after sensational reports emerged of improper use of users’ personal data.

It turned out that the shadowy consultancy had managed to obtain data collected by a third-party app on 87m Facebook users and their friends and use it to profile and target wavering voters ahead of the 2016 Presidential election.

When it levied a maximum £500,000 fine under the pre-GDPR data protection regime last October, the UK’s Information Commissioner’s Office (ICO) argued that Facebook had processed user information “unfairly” by allowing developers to access this data without adequate “clear and informed consent.” It also criticized the social network for allowing developers to access the personal data of users who had not even downloaded the app but were friends of those who had.

The $5bn fine is unlikely to trouble a firm that made over $15bn in the first three months of 2019 alone, but it is believed to be the largest ever levied by the FTC against a tech firm and for privacy violations.

It is also around the amount Facebook predicted it would be fined a few months ago, according to Dan Goldstein, former attorney and owner of digital marketing agency, Page 1 Solutions.

"The real ‘teeth’ of this announcement will come not from the $5 billion settlement. Facebook is worth hundreds of billions of dollars, so this amount is practically a drop in the bucket. I am more curious about the regulations expected to accompany the terms of the settlement," he argued.

"If the financial losses don't paint a clear enough picture for the tech industry as a whole, perhaps new regulations for one of its key players will finally convince these companies to begin protecting users instead of exploiting them.”

Regulators outside the US are already coming down hard on data protection and privacy violations. Last week the ICO issued two huge fines, to BA and Marriott International, for cybersecurity failings that led to massive data breaches at their respective organizations.

Categories: Cyber Risk News

Attacks in Turkey Used Excel Formula Injection

Fri, 07/12/2019 - 16:41

Having tracked the activities of threat actors suspected of being involved in a large number of malicious spam attacks targeting organizations based in Turkey, Sophos researchers determined that the attackers flew under the radar using Excel formula injections to deliver the payload. 

“The threat actor predominantly targets victims based in Turkey using malspam email messages written in the Turkish language. The spam author’s grasp of Turkish grammar, among other indicators, lends credibility to the hypothesis that both the origin and targets of this campaign are in Turkey,” wrote Sophos’s Gabor Szappanos in a July 12 blog post.

Researchers suspect that the method of attack may soon extend beyond the borders of the Türkiye Cumhuriyeti. “Successful ideas eventually infiltrate the entire crimeware ecosystem, and while this may not be the most effective tool for criminals, they can still use it like any other tool in the toolbox.”

While the attack itself wasn’t highly sophisticated, it used a novel means of delivering malware: simple email messages with Excel file attachments that carry out the attack. It is yet another example of the many ways attackers are evolving their methods to go unnoticed.

Several samples of phishing emails revealed the attackers followed the same structure in crafting the lures. “Later analysis revealed that the emails were generated by a builder that randomly selected from predefined sentence components, which explains the similarities,” Szappanos wrote.

As the email messages evolved, they grew more cryptic, which researchers suspect was due to the threat actor’s attempt to make the messages appear less mechanical.

During analysis, researchers found Windows programs hosted on additional servers that were hosting the payload malware.

“These files were not downloaded by the Excel files, but they must have been placed on the servers by the threat actor. We see no reason for storing them on the servers. The executables in question turned out to be builder programs that generate both the malicious attachment files and the randomized malspam message. These tools also have SMTP mailer functionality to send out the malspam with the attachment."

Categories: Cyber Risk News

Hacked Hair Straightener Could Set a Fire

Fri, 07/12/2019 - 16:19

Security researchers have hacked hair straighteners from Glamoriser, according to Pen Test Partners. The UK firm bills itself as the maker of the “world’s first Bluetooth hair straighteners,” devices that users can link to an app so that the owner can set the heat and style settings and switch the straighteners off from within Bluetooth range. 

Researchers found it relatively easy to send malicious Bluetooth commands within range, allowing them to remotely control the hair straighteners. The researchers demonstrated that they could send one of several commands over Bluetooth, lowering the temperature to 122°F and raising it as high as 455°F – higher than paper’s burning point. An attacker could remotely alter and override the temperature of the straighteners and how long they stay on. 

“Hair straighteners can cause house fires and skin burns if not used safely. We’ve shown that we can tamper with the temperature, so even if used safely by the user, a hacker can make them less safe,” the researchers wrote.

“It would have been so easy for the manufacturer to include a pairing/bonding function to prevent this. Something as simple as a button to push to put the straighteners in pairing mode would have solved it. Instead, we now have a method to set fire to houses.”

As the straightener is a Bluetooth device, a malicious actor intending to start a fire would need to be in range to exploit this vulnerability. Lamar Bailey, senior director of security research at Tripwire, said, “the probability of exploration from a hacker is very low, unless you make a sibling or neighbor (if you live in an apartment) mad at you. If you have this device, remember to be nice to anyone who could be within 33 feet of you straightening your hair.”

In order to mitigate the risks of these connected devices being compromised, Ben Goodman, CISSP, senior vice president of global business and corporate development at ForgeRock, said Glamoriser must hold themselves accountable for securely establishing and maintaining the full lifecycle of IoT devices. 

“IoT projects often prioritize connectivity and data consumption and look to security and privacy as afterthoughts. IoT is here to stay and the identities of connected devices, services and users and their associated credentials must be trusted and usable across numerous connected ecosystems to prevent man-in-the-middle as well as other types of attacks.”

Categories: Cyber Risk News

Healthcare Organizations Too Confident in Cybersecurity

Fri, 07/12/2019 - 15:46

According to a survey of 100 healthcare professionals from hospitals to physician group practices, more than half of respondents are highly confident in the cybersecurity of their patient portals. 

The State of Patient Identity Management report, published by LexisNexis® Risk Solutions, revealed that healthcare organizations (HCOs) have great confidence in their cybersecurity preparedness. While confidence in their cybersecurity is high, the survey also found that most organizations are only using basic authentication methods despite the growing number of data breaches in which patient identity has been compromised. 

The survey found that 93% of HCOs rely on username and password authentication for patient portals, yet only 65% deploy multi-factor authentication. The results continued to dwindle when respondents were asked about additional authentication methods, according to a press release.

Only 39% of HCOs reported using knowledge-based Q&A for verification and only 38% use email verification. Just 13% deploy device identification.

Respondents are confident in the strength of their cybersecurity, yet 65% reported that their individual state budgets for patient identity management will not increase in 2019, according to the press release.

"There are some surprises in the results, particularly the higher than expected confidence that organizations have in regards to the security of their patient portal and telemedicine platforms given that only 65% deploy multi-factor authentication," said Erin Benson, director of market planning for LexisNexis Health Care.

"Multi-factor authentication is considered a baseline recommendation by key cybersecurity guidelines. Every access point should have several layers of defense in case one of them doesn't catch an instance of fraud. At the same time, the security framework should have low-friction options up front to maintain ease of access by legitimate users."

The report findings suggest that traditional authentication methods are insufficient, multi-factor authentication should be considered a baseline best practice and the balance between optimizing the user experience and protecting the data must be achieved in an effective cybersecurity strategy, the press release said.

Categories: Cyber Risk News

ZTE Aims to Win Over EU Lawmakers With New Lab

Fri, 07/12/2019 - 09:45

ZTE has launched a cybersecurity testing lab in Brussels in an attempt to improve transparency.

The firm’s new Cybersecurity Lab Europe is designed to alleviate lawmakers’ concerns over the security of its 5G equipment.

The lab, which joins similar facilities in Nanjing and Rome, will allow regulators to review source code and documents, and conduct black box and penetration testing.

“ZTE’s original intention of the Cybersecurity Lab Europe is to provide global customers, regulators and other stakeholders with great transparency by means of verification and communication,” said ZTE chief security officer, Zhong Hong. "The security for the ICT industry cannot be guarded by one sole vendor, or by one sole telecoms operator. ZTE is willing to play an important role in contributing to the industry's security along with its customers and all other stakeholders.”

The move can be seen in the context of escalating Sino-US tension over the potential for Chinese tech firms to introduce backdoors to new 5G networks, which could be seen as a national security risk.

Although ZTE and larger Shenzhen rival Huawei have both professed their innocence, US hawks warn that they would be powerless to resist an order from Beijing to provide access to such networks if one was issued.

While the US and Australia have banned Chinese companies from bidding for 5G network projects, the UK has yet to formally choose a provider, and many European countries are more willing to use Chinese equipment to build 5G.

However, ZTE has something of a chequered past, having been found guilty of breaching a US embargo on Iran by selling equipment to the Islamic Republic containing US components, and then lying to try and cover its tracks.

After Washington responded by banning US firms from selling the firm components, it faced virtual collapse before Donald Trump decided to relax the moratorium as part of his ‘deal’ making.

The UK’s National Cyber Security Centre (NCSC) issued a damning report on ZTE last year, claiming that the national security risks of using its equipment in telecoms infrastructure “cannot be mitigated.”

Categories: Cyber Risk News

Sea Turtle DNS Hijackers Go After More Victims

Fri, 07/12/2019 - 09:15

A notorious state-sponsored cyber-espionage campaign has expanded its operations with new victims and DNS hijacking techniques, according to Cisco Talos.

The security vendor claimed in a new blog post that the actors behind the Sea Turtle attacks - first revealed in April - have not been deterred by their new-found infamy.

The campaign has mainly been targeting military organizations and governments in the Middle East. Attackers obtain DNS server credentials via phishing or vulnerability exploitation, then modify the records to point users to malicious servers in classic man-in-the-middle attacks. These servers harvest credentials, enabling the attackers to log in to prized accounts and steal sensitive data.

The new technique in question has been spotted just twice in the wild, hitting targets in 2018.

“In this case, the actor-controlled name server and the hijacked hostnames would both resolve to the same IP address for a short period of time, typically less than 24 hours. In both observed cases, one of the hijacked hostnames would reference an email service and the threat actors would presumably harvest user credentials,” Cisco explained.

“One aspect of this technique that makes it extremely difficult to track is that the actor-controlled name servers were not used across multiple targets — meaning that every entity hijacked with this technique had its own dedicated name server hostname and its own dedicated IP address. Whereas previously reported name server domains such as ns1[.]intersecdns[.]com were used to target multiple organizations.”

Cisco Talos also observed continuing activity against the ccTLD for Greece, enabling the attackers to perform DNS hijacking against three government entities.

Although most primary target organizations are based in the Middle East, new Sea Turtle victims have been spotted in the US and Sudan. Energy companies, think tanks, NGOs and even an airport have been hit.
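The two indicators Cisco describes above, a change to a zone's delegated name servers and a hijacked hostname resolving to the same IP as an actor-controlled name server, are both things a domain owner can check for from their own side. The following is an added example, not code from Cisco Talos or from the original article: a monitoring check that compares an observed DNS snapshot against a known-good baseline. The zone names, name servers and IP addresses are constructed sample data (RFC 5737 documentation ranges), and the `ZoneSnapshot` shape is an assumption; in practice the observed snapshot would be filled from live lookups of the zone's NS and A records.

```python
"""
DNS hijack indicators: compare an observed snapshot of a zone against a
recorded baseline and flag (1) changes to the NS delegation, (2) hostnames
that now resolve elsewhere, and (3) the Sea Turtle style pattern in which a
zone hostname and the name server serving it resolve to the same IP.

All names and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class ZoneSnapshot:
    # Name servers the zone is delegated to (as seen at the parent / registrar).
    nameservers: Set[str]
    # hostname -> IPv4 address, covering both the name servers and the zone's hosts.
    a_records: Dict[str, str]


def check_zone(zone: str, baseline: ZoneSnapshot, observed: ZoneSnapshot) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []

    # 1. Delegation change: the NS set differs from what the owner recorded.
    added = observed.nameservers - baseline.nameservers
    removed = baseline.nameservers - observed.nameservers
    if added or removed:
        findings.append(
            f"{zone}: NS delegation changed (added={sorted(added)}, removed={sorted(removed)})"
        )

    # 2. A zone hostname now resolves somewhere other than the baseline address.
    for host, ip in observed.a_records.items():
        if host in observed.nameservers:
            continue
        expected = baseline.a_records.get(host)
        if expected is not None and expected != ip:
            findings.append(f"{host}: A record changed {expected} -> {ip}")

    # 3. Hostname / name-server co-location: a zone host shares an IP with an NS.
    ns_ips = {observed.a_records[ns] for ns in observed.nameservers if ns in observed.a_records}
    for host, ip in observed.a_records.items():
        if host not in observed.nameservers and ip in ns_ips:
            findings.append(f"{host}: resolves to name server IP {ip} (hostname/NS co-location)")

    return findings


def run_demo() -> List[str]:
    """Constructed scenario: the mail host is redirected to an attacker-run NS."""
    baseline = ZoneSnapshot(
        nameservers={"ns1.example.test", "ns2.example.test"},
        a_records={
            "ns1.example.test": "192.0.2.1",
            "ns2.example.test": "192.0.2.2",
            "mail.example.test": "192.0.2.10",
            "www.example.test": "192.0.2.20",
        },
    )
    observed = ZoneSnapshot(
        # ns2 was replaced by a name server under a constructed, unrelated domain.
        nameservers={"ns1.example.test", "ns1.rogue-dns.test"},
        a_records={
            "ns1.example.test": "192.0.2.1",
            "ns1.rogue-dns.test": "198.51.100.7",
            "mail.example.test": "198.51.100.7",  # now points at the rogue NS itself
            "www.example.test": "192.0.2.20",
        },
    )
    return check_zone("example.test", baseline, observed)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run against the constructed scenario, the check reports three findings: the changed NS delegation, the changed A record for the mail host, and the mail host sharing an address with the new name server. The third check is the one specific to the behaviour described above, and it is cheap to run alongside an ordinary "did my NS records change" alert.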

Categories: Cyber Risk News

Apple Disables Walkie-Talkie App Over Privacy Concerns

Fri, 07/12/2019 - 08:55

Apple has disabled a popular comms app on its watchOS after concerns were raised over users being able to eavesdrop on each other.

Available on the Apple Watch Series 1 or later with watchOS 5, the Walkie-Talkie app allows users “to get in touch with just one tap,” according to Apple.

However, the tech giant has been forced to switch the function off while it “quickly” fixes an emerging vulnerability.

“Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously,” it said in a statement. “We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.”

The function will be restored “as soon as possible,” Apple continued.

The news comes just a day after Cupertino issued a silent update for its Mac app to fix a widely reported privacy issue in conferencing service Zoom.

The vulnerability meant that any website could automatically open up a conference call on a user’s machine, switching on the webcam in the process. Even if users deleted their Zoom app, the service would keep a localhost web server running covertly on their Mac, so that if a link is clicked, the client would restart again without any user interaction.

Although Zoom finally patched the issue this week after dragging its heels for months, removing the localhost server, Apple seems to have been concerned that a large number of users may not apply the patch – potentially because they thought they’d already uninstalled Zoom.

Categories: Cyber Risk News

Kiosk Vulnerability Puts Customer Data at Risk

Thu, 07/11/2019 - 14:00

Researchers have discovered a vulnerability impacting a leading manufacturer of managed kiosks found in hotels, businesses, retail and other industries that could allow a malicious actor access to the cloud database, according to Trustwave.

Uniguest outsources secure, fully managed customer-facing technology solutions, but researchers reported that “based on the way their infrastructure is set up, it appears Uniguest actually manages the machines and not the hotel or whatever other business employs Uniguest software.”

Uniguest’s cloud database contains kiosk credentials, including admin, router, BIOS passwords and product keys for all of its customers. Armed with this information, an attacker could implant keyloggers and remote-access trojans to capture kiosk visitor activity such as printing boarding passes, hotel check-ins and online banking, according to the research.

Using a Google search, researchers discovered the publicly exposed website that contained the necessary tools a technician would use to deploy or manage a kiosk location.

“There was no authentication required, and among the pre-packaged kiosk software and manuals, SystemSleuth stood out. SystemSleuth is written in C# and is therefore trivially decompiled back to source code using something like dnSpy,” the researchers wrote.

The SystemSleuth application deployed to Uniguest’s legacy kiosks reportedly is used to collect information such as product keys, asset tags, passwords and various other data. “The data is sent up to a Salesforce API and of course, with the C# decompiler, it didn't take long to find the API credentials, hardcoded within the application,” the report said.

If an adversary were able to discover this information, the attacker could “deploy keyloggers, remote access trojans and various other forms of malware, attacking hotel guests or business patrons just passing through,” the report said.

Researchers contacted Uniguest and the company has placed the site behind an authentication portal, yet the researchers point out that “SystemSleuth and the API credentials (albeit disabled) may still be found on their managed systems, until Uniguest can go and reimage them all.”
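The root cause in the report above is an API credential compiled into a C# application, which any decompiler recovers. The usual defensive control is to scan source (or decompiled output of one's own builds) for credential-looking assignments before release. The following is an added example, not code from Trustwave, Uniguest or the original article: a small scanner that flags string literals assigned to identifiers with credential-like names and reports their Shannon entropy. The C# fragment it scans is constructed sample input, not the SystemSleuth code, and it includes one value loaded from the environment at runtime to show the pattern that does not get flagged.

```python
"""
Hardcoded-credential scanner for source or decompiled text.

Flags assignments of string literals to identifiers whose names suggest a
secret (password, token, API key, consumer key, ...). Reading the value from
the environment or a secret store at runtime is not matched, because no
literal follows the '='.

SAMPLE_SOURCE is constructed sample input, not code from any real product.
"""
import math
import re
from typing import Dict, List

SAMPLE_SOURCE = '''
namespace KioskTools {
  class InventoryUploader {
    private const string SalesApiUser = "svc-kiosk";
    private const string SalesApiPassword = "Sup3rS3cretP@ss!";
    private static readonly string ConsumerSecret = "a91f4c2e7b0d4e8f9c1a2b3d4e5f6a7b";
    // Hardened form: the value is injected at runtime rather than compiled in.
    private static readonly string RouterPassword = Environment.GetEnvironmentVariable("KIOSK_ROUTER_PW");
  }
}
'''

# identifier containing a credential keyword, '=', then a double-quoted literal
CREDENTIAL_ASSIGNMENT = re.compile(
    r'(?i)\b(\w*(?:password|passwd|pwd|secret|token|api_?key|consumer_?key|client_?secret)\w*)'
    r'\s*=\s*"([^"\n]+)"'
)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking keys score high."""
    if not text:
        return 0.0
    length = len(text)
    return -sum(
        (text.count(ch) / length) * math.log2(text.count(ch) / length)
        for ch in set(text)
    )


def find_hardcoded_credentials(source: str) -> List[Dict]:
    """Return one finding per credential-like literal, with the value masked."""
    findings: List[Dict] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in CREDENTIAL_ASSIGNMENT.finditer(line):
            name, literal = match.group(1), match.group(2)
            findings.append({
                "line": lineno,
                "name": name,
                "length": len(literal),
                "entropy": round(shannon_entropy(literal), 2),
                # Never echo the secret itself into scanner output or logs.
                "masked": literal[:2] + "*" * (len(literal) - 2),
            })
    return findings


if __name__ == "__main__":
    for hit in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {hit['line']}: {hit['name']} = {hit['masked']} "
              f"(len={hit['length']}, entropy={hit['entropy']} bits/char)")
```

On the constructed input the scanner reports the two compiled-in values (the password and the consumer secret) and stays silent on the username and on the value read from the environment. Entropy is reported rather than used as a hard threshold: a memorable password scores lower than a hex key, and both are still findings when assigned to a name like `ApiPassword`. The same regex runs just as well over decompiler output, which is the artefact an attacker would work from and therefore the one worth reviewing before shipping a build.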

Categories: Cyber Risk News

Buhtrap Group Using Zero-Day Attack in Windows

Thu, 07/11/2019 - 13:34

Microsoft has issued a patch for a zero-day vulnerability in Windows that was being exploited in a highly targeted attack in Eastern Europe, according to ESET researchers. ESET reported the exploit to the Microsoft Security Response Center, which fixed the vulnerability and released a patch.

“An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft wrote in the vulnerability announcement.

An attacker would first need to log on to the system in order to exploit this vulnerability (CVE-2019-1132). If successful, “an attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory.”

Researchers witnessed, for the first time, the cyber-criminal group using a zero-day attack as part of a campaign. They have attributed the activity to the Buhtrap advanced persistent threat (APT) and cyber-criminal group who have been conducting espionage operations in Eastern Europe and Central Asia for several years. 

Known for targeting financial institutions and businesses in Russia, the Buhtrap group has been active since late 2015, though researchers detected a notable change to the profile of the group’s traditional targets. 

“It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in target occurred before the source code leaked, we assessed with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in the targeting of governmental institutions,” says Jean-Ian Boutin, head of threat research at ESET.

“It is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward,” he added.

Categories: Cyber Risk News

Flaw in GE Anesthesia and Respiratory Devices

Thu, 07/11/2019 - 13:07

Researchers have discovered a vulnerability in the protocol used by the in-hospital anesthesia devices GE Aestiva and GE Aespire (models 7100 and 7900) that could allow an attacker to send remote commands interfering with a device’s normal operation, according to the US Department of Homeland Security's Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT).

Discovered by CyberMDX, the vulnerability was given a moderate-severity CVSS score of 5.3 because an attacker could “impair respirator functionality, changing the composition of aspirated gases — silencing alarms and altering time/date.”

In a statement, GE Healthcare said it was aware of the vulnerability and had conducted a formal internal risk investigation.

Based on the findings of the investigation, GE Healthcare concluded, “the potential ability to remotely modify GE Healthcare anesthesia device parameters is an effect resulting from a configuration exposure through certain insufficiently secured terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks; while the anesthesia device is in use, the potential gas composition parameter changes, potential device time change, or potential remote alarm silencing actions will not interfere in any way with the delivery of therapy to a patient at the point of delivery, and do not pose any direct clinical harm; and the potential ability to modify GE Healthcare anesthesia device parameters or silence alarms does not demonstrate a vulnerability of the GE Healthcare anesthesia device functionality itself.”

However, GE’s response of “testing maximum variation in parameter modification” doesn’t sit well with Deral Heiland, Internet of Things research lead at Rapid7.

“It makes me wonder what level of control can be conducted over the network against the anesthesia and respiratory machines,” Heiland said. “My first thought is, if the device can accept commands over the network without authentication, then that would be a critical risk. Either way medical facilities should always maintain segmentation of their critical care networks from exposure and this may help mitigate many known and unknown risks.”

Categories: Cyber Risk News

Magecart Hackers Scan for Misconfigured S3 Buckets

Thu, 07/11/2019 - 09:59

Magecart hackers have compromised thousands of websites with digital skimming code by scanning for misconfigured Amazon S3 buckets, researchers have warned.

First discovered in May, the campaign is far more extensive than originally thought thanks to the automated scanning and exploitation of unsecured cloud storage accounts, explained RiskIQ’s Yonathan Klijnsma.

“These actors automatically scan for buckets which are misconfigured to allow anyone to view and edit the files it contains. Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js),” he explained.

“They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket. This technique is possible because of the misconfigured permissions on the S3 bucket, which grants the write permission to anyone.”

The attacks, which started in April, have managed to compromise a “vast collection of S3 buckets” related to over 17,000 domains, including some of the top 2000 Alexa-ranked websites in the world, Klijnsma said.

However, given the “spray-and-pay” nature of these attacks, the skimming code will not always load on a payment page.

Klijnsma urged organizations to improve security controls over S3 environments. This should include a whitelisting approach which details only the small number of users who should have access to buckets, reviewed periodically.

Write permissions should also be limited.

“The cause of the thousands of Magecart compromises we are now observing from S3 buckets is administrators setting the access control to allow anyone to write content to buckets,” explained Klijnsma. “Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content.”

Finally, administrators can block public access to prevent anyone in their account from opening a bucket to the public, regardless of S3 bucket policy.
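The three controls Klijnsma describes (restrict who can write, keep public read separate from public write, and turn on Block Public Access) and the tampering he describes (skimmer code appended to existing `.js` objects) can both be checked mechanically. The following is an added example written for this page, not RiskIQ's or Amazon's code. It audits bucket access settings and compares JavaScript objects against a deploy-time hash manifest. The dictionaries mirror the shape of the S3 API responses that boto3's `get_bucket_acl`, `get_bucket_policy` (after `json.loads` on its `Policy` string) and `get_public_access_block` return, but every value below, including the bucket name, owner ID and script contents, is constructed so the audit runs offline.

```python
"""Offline audit for the two S3 weaknesses behind the Magecart campaign:
public write access on a bucket, and JavaScript objects that no longer match
what was deployed. All sample data here is constructed for the example."""
import hashlib

# AWS predefined groups that make an ACL grant world- or any-AWS-account-wide.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}
# Policy actions that permit overwriting objects (compared case-insensitively).
WRITE_ACTIONS = {"s3:putobject", "s3:*", "*"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_write(acl):
    """True if any ACL grant gives WRITE or FULL_CONTROL to a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        public = grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES
        if public and grant.get("Permission") in WRITE_PERMISSIONS:
            return True
    return False


def policy_public_write(policy):
    """True if an Allow statement lets an anonymous principal write objects."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if not anonymous:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in WRITE_ACTIONS for a in actions):
            return True
    return False


def audit_bucket(acl, policy, pab):
    """Return a list of findings; an empty list means no public write path was found."""
    findings = []
    if acl_public_write(acl):
        findings.append("ACL grants write access to a public group")
    if policy_public_write(policy):
        findings.append("bucket policy allows anonymous object writes")
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append("Block Public Access is not fully enabled")
    return findings


def find_tampered_scripts(objects, manifest):
    """Return sorted .js keys whose SHA-256 differs from the deploy-time manifest.
    objects: {key: bytes} read back from the bucket; manifest: {key: hex digest}.
    A script missing from the manifest is reported too: an unexpected .js object
    is as suspicious as a modified one."""
    tampered = []
    for key, body in objects.items():
        if key.endswith(".js") and manifest.get(key) != hashlib.sha256(body).hexdigest():
            tampered.append(key)
    return sorted(tampered)


# --- constructed sample data (not from any real account) ---------------------
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}

# Weak: readable by anyone (intended) but also writable by anyone (the skimmer's entry point).
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": ALL_USERS, "Permission": "READ"},
    {"Grantee": ALL_USERS, "Permission": "WRITE"},
]}
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
# Hardened: only the owner holds ACL rights and all four Block Public Access flags are on.
HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {k: True for k in PAB_KEYS}
# A read-only public policy grants no write action, so it is acceptable by itself.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}

CHECKOUT_JS = b"function checkout() { return fetch('/api/pay'); }\n"
VENDOR_JS = b"window.vendor = {};\n"
MANIFEST = {"static/checkout.js": hashlib.sha256(CHECKOUT_JS).hexdigest(),
            "static/vendor.js": hashlib.sha256(VENDOR_JS).hexdigest()}
# What a later read of the bucket returns: checkout.js has had content appended.
BUCKET_OBJECTS = {
    "static/checkout.js": CHECKOUT_JS + b"// constructed stand-in for appended content\n",
    "static/vendor.js": VENDOR_JS,
    "index.html": b"<html></html>\n",
}
```

Run against the constructed data, `audit_bucket` flags the weak bucket on the ACL and Block Public Access checks but passes the read-only policy, which is the distinction Klijnsma draws between content anyone may read and content anyone may modify; `find_tampered_scripts` reports only `static/checkout.js`. The hash manifest should be written by the deployment pipeline and stored outside the bucket being audited, otherwise an attacker with write access could update it along with the scripts.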

The impact of Magecart on the bottom line and corporate reputation was highlighted this week when the ICO fined BA a massive £183m for a digital skimming attack last year that compromised data on 500,000 customers.

Categories: Cyber Risk News

Experts Raise Privacy Concerns Over NHS Alexa Tie-Up

Thu, 07/11/2019 - 09:44

Legal and security experts have raised concerns over a new NHS deal with Amazon which will allow patients to access health information through voice-assistant technology.

Announced on Wednesday, the tie-up is designed to help those who otherwise would find accessing the NHS website difficult, such as the elderly or blind.

In doing so, it could help to reduce the workload for GPs and pharmacists who have to take time out to field simple questions on common illnesses, the NHS argued.

“The public need to be able to get reliable information about their health easily and in ways they actually use,” claimed Matthew Gould, CEO of the new digital transformation unit NHSX. “By working closely with Amazon and other tech companies, big and small, we can ensure that the millions of users looking for health information every day can get simple, validated advice at the touch of a button or voice command.”

Marcus Vass, co-head of digital health at international law firm, Osborne Clarke, argued that the NHS website is already a popular source of info for patients, and enabling Alexa search is an extension of that.

Yet he added that patients and doctors will be keen to know whether any personal health data is being collected or used, and where it is stored.

“Details of any specific protections in place have not yet been disclosed – and in particular whether the NHS has agreed with Amazon any terms including enhanced security provisions over and beyond the obligations under GDPR and the Data Protection Act legislation,” he said.

“Any lack of clarity as to the use by Amazon of the personal data and health data would of course be subject to the valid consents of patients. Any concern from patients about the use of their health data would be corrosive to the trust in using voice assisted technology or other algorithms to access the NHS website.”

Kaspersky principal security researcher, David Emm, called for greater transparency from Amazon on the deal.

“We know that people are relying on these devices more and more, and their popularity is growing. They do have their benefits, and they are convenient, however, they are, at their core, smart listeners and have made headlines in recent times because of this – leaving a scepticism around them,” he argued.

“We also know that Amazon is storing and analyzing data that these devices collect, which also raises cybersecurity alarms when it comes to how this data will be used. They will be privy to sensitive health data, and so it must be made clear to the public how our data will be protected.”

Synopsys senior security engineer, Boris Cipot, warned that internet-connected services should always be treated with caution by users.

“If an insurance provider gains access to the user-specific data, they could potentially categorize users into risk categories based on the advice they sought which could also lead to increased insurance rates for those deemed high risk,” he added.

“Doctor-patient privacy could also be circumvented through this method of data collection since a doctor isn’t actually involved; therefore, nullifying patient privacy protection policies.”

Categories: Cyber Risk News

Agent Smith Android Malware Downloaded 25m+ Times

Thu, 07/11/2019 - 08:58

Researchers are warning of a new Android malware campaign that has already compromised a staggering 25 million devices via a popular third-party app store.

Dubbed “Agent Smith” by Check Point, the threat spreads by disguising itself as a legitimate Google application made available on the 9Apps marketplace run by Alibaba’s UCWeb.

If downloaded, it replaces legitimate apps on the phone with malicious versions which display fraudulent pop-up ads to generate illicit profits for the malware authors.

The vast majority (15m+) of infected devices are located in India, followed by Bangladesh (2.5m) and Pakistan (1.7m), although over 300,000 are located in the US and a large number of UK users are also affected.

Those behind the threat have worked hard to circumvent Android security controls, weaponizing multiple loopholes in a three-stage infection chain similar to malware like CopyCat, Hummingbad and Gooligan, according to Check Point.

The first stage involves a dropper app designed to lure the victim into downloading – usually a “barely functioning” photo utility, game or sex-related application.

Once downloaded, this app will decrypt and install a core malicious APK which carries out the updates to legitimate apps on the user’s phone. This malware is disguised as a Google Update app or similar.

“The core malware extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent from C&C server), it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update,” Check Point continued.

“Agent Smith repacks its prey apps at smali/baksmali code level. During the final update installation process, it relies on the Janus vulnerability to bypass Android’s APK integrity checks. Upon kill chain completion, Agent Smith will then hijack compromised user apps to show ads.”

Although first detected as simple adware back in 2016, the threat evolved into something far more sophisticated a couple of years later. It has been traced back to a Chinese company which Check Point claimed has a legitimate front-end business promoting local Android developers on overseas platforms.

Tellingly, the Guangzhou-based firm is said to have advertised for Android reverse engineers in 2018.

Although the current version of the threat monetizes infection through ads, things could get worse, Check Point warned.

“With the ability to hide its icon from the launcher and hijack popular existing apps on a device, there are endless possibilities to harm a user’s digital [and] even physical security,” the vendor argued. “Today this malware shows unwanted ads, tomorrow it could steal sensitive information; from private messages to banking credentials and much more.”

Various elements of Agent Smith have also been discovered in apps on Google Play, indicating the malware authors are looking to spread their campaign even further. Check Point notified Google of 11 such apps, including two Jaguar Kill Switch infected apps which had already garnered 10 million downloads.

These have all now been removed, but the researchers urged greater use of on-device threat prevention and “attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time.”

Categories: Cyber Risk News

New Version of FinSpy Steals Info on iOS, Android

Wed, 07/10/2019 - 16:07

A new version of the advanced malicious surveillance tool, FinSpy, has been observed stealing information from global governments, law enforcement and NGOs, according to new research from Kaspersky.

“The new implants work on both iOS and Android devices and can monitor activity on almost all popular messaging services, including encrypted ones, and hide their traces better than before,” the July 10 press release said.

The implants are able to hide signs of jailbreak on iOS and gain root privileges on an unrooted Android device. “The Android implant has similar functionality to the iOS version, but it is also capable of gaining root privileges on an unrooted device by abusing the DirtyCow exploit, which is contained in the malware. FinSpy Android samples have been known for a few years now. Based on the certificate data of the last version found, the sample was deployed in June 2018,” researchers wrote.

A highly effective software tool used for targeted surveillance, FinSpy is being used by operators who tailor the behavior of each malicious implant to a specific target or group of targets, allowing attackers to steal information from devices the world over. Several dozen devices have reportedly been infected over the past year.

“The developers behind FinSpy constantly monitor security updates for mobile platforms and tend to quickly change their malicious programs to avoid their operation being blocked by fixes,” said Alexey Firsh, security researcher at Kaspersky, in the press release. 

“Moreover, they follow trends and implement functionality to exfiltrate data from applications that are currently popular. We observe victims of the FinSpy implants on a daily basis, so it’s worth keeping an eye on the latest platform updates and installing them as soon as they are released. Regardless of how secure the apps you use might be, and how protected your data, once the phone is rooted or jailbroken, it is wide open to spying.”

Categories: Cyber Risk News