Info Security

Subscribe to Info Security  feed
Updated: 2 hours 42 min ago

Iranian Threat Group Targets Universities

Fri, 08/24/2018 - 16:08
Iranian Threat Group Targets Universities

On the heels of Iran driving a disinformation campaign on Facebook, researchers have discovered a spoofed university login page that appears to be part of a larger credentials theft campaign believed to be the work of COBALT DICKENS, a threat group associate with the Iranian government. 

According to the Counter Threat Unit (CTU) research team at Secureworks, 16 domains contained more than 300 spoofed websites and 76 university login pages across 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

Unsuspecting victims who entered their login credentials to the spoofed pages were then redirected. Once on the legitimate website, users were either automatically logged into a valid session or asked to re-enter their credentials. "Numerous spoofed domains referenced the targeted universities' online library systems, indicating the threat actors' intent to gain access to these resources,” researchers wrote.

On 23 March 2018, the Department of Justice issued indictment charges against nine Iranians alleged to be associated with the Iran-based company, Mabna Institute, that reportedly conducted cyber-intrusion campaigns into the computer systems of universities around the globe between 2013 and 2017.

“These nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries,” said Deputy Attorney General Rod Rosenstein.

Despite indictments in March 2018, the Iranian threat group is believed to still be targeting global universities to compromise credentials through the same spoofing tactics as previous attacks.

“Universities are attractive targets for threat actors interested in obtaining intellectual property. In addition to being more difficult to secure than heavily regulated finance or healthcare organizations, universities are known to develop cutting-edge research and can attract global researchers and students. CTU researchers have contacted various global partners to address this threat,” researchers wrote.

Categories: Cyber Risk News

No Financial Data Compromised in T-Mobile Breach

Fri, 08/24/2018 - 15:28
No Financial Data Compromised in T-Mobile Breach

The cybersecurity team at T-Mobile discovered and halted an attack after a malicious actor had gained unauthorized access to the personal information of some customers during an ongoing security breach that the company disclosed on 20 August.

While no financial data, passwords or social security numbers were compromised, T-Mobile wrote, “You should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”

The company also affirmed that it has security measures in place to protect customer information from unauthorized access, though they provided no specifics on the details of those safeguards.

“This security incident favorably stands out among many others by prompt detection and transparent disclosure,” said Ilia Kolochenko, CEO, High-Tech Bridge.

“Many of the recent data breaches, including the most disastrous ones, were discovered weeks ago but then announced months after the occurrence. T-Mobile serves as a laudable example of prompt incident response. This, however, does not absolve them from accountability for the breach and further cybersecurity enhancement to prevent similar incidents in the future.”

Cell phones being compromised puts both individuals and enterprises at risk of all types of exploitation. Despite the prompt detection and response, the information compromised during the security breach could be used for nefarious purposes, according to Amit Sethi, security consultant at Synopsys.

“Hackers stole customer names, ZIP codes, phone numbers, email addresses, account numbers and account types. This information can potentially be used in targeted attacks where attackers can impersonate customers to T-Mobile’s customer service representatives," Sethi said.

“Attackers may also be able to impersonate the customers to other wireless carriers and attempt to port the numbers in order to hijack the phone numbers. People who are impacted should ensure that they have set up a PIN with T-Mobile that they use to authenticate to customer service representatives and that is required to port their phone numbers to another carrier.”

Categories: Cyber Risk News

99% of Texas Voter Records Exposed

Fri, 08/24/2018 - 14:55
99% of Texas Voter Records Exposed

Election security has again been called into question after millions of Texas voter records were left exposed. A file discovered by Flash Gordon, a New Zealand-based data breach hunter, was left on an unsecured server without a password, according to TechCrunch. Of the 15.2 million total registered Texas voters, an astounding 14.8 million records were left exposed on a single file.

The data in the file was reportedly compiled by a conservative-focused data firm, The Data Trust, and contained personal information such as voter’s name, address, gender and several years’ worth of voting history, including primaries and presidential elections.

“The data also included gauges on voters’ views regarding immigration, abortion and the Second Amendment. The file also held data assessing if voters trusted Hillary Clinton,” The Hill reported.

The news comes at a time when trust in data protection and privacy with regard to voting is low. Confirmation of Russian meddling has set off alarms across the aisle as candidates move toward midterm elections. That 14.8 million personal records of Texas voters were found on an unprotected server, without even the basic security measure of a password, does little to boost confidence in election systems, said Bill Evans, a vice president at One Identity.

“The idea of having a database like this sitting with no password is such an incredible lapse in judgment today. While we all know that keeping up with password best practices can be somewhat annoying – forgetting and resetting them in a broken cycle – it is inexcusable and maybe illegal to leave data that contains personal information like this completely unprotected,” Evans said.

“It is a good reminder, however, and call to action for any organization that is storing sensitive data, that it is their responsibility to ensure security, as well as authentication to access it. There are four basic security measures that should be part and parcel of doing business today. Those include end-user education, multi-factor authentication, privileged-access management, and access governance to ensure only the right people have the right access to the right things at the right time.”

Categories: Cyber Risk News

US Election Hack Whistleblower Gets Five Years

Fri, 08/24/2018 - 09:42
US Election Hack Whistleblower Gets Five Years

Former NSA contractor-turned-whistleblower Reality Winner has been sentenced to over five years in prison after leaking details on Russian efforts to target the 2016 presidential election.

The 63-month sentence was expected but her supporters have always argued that she acted out of frustration that the truth of Kremlin targeting of voting infrastructure was not being outed, and of misinformation in the right-wing broadcast media.

In fact, the subsequent report from The Intercept provided local election officials with information that had up to that point been withheld from them by the intelligence agencies.

However, it was that report that was to be her downfall, after a copy of the top secret intelligence document she printed and smuggled out in her underwear was shared by the publication with the authorities in order to prove its veracity.

Unfortunately, tiny microdots on the paper identified the printer that had been used along with the date and time, leading investigators to Winner.

The information blew the lid on the true scale of Russian attempts to impact the 2016 election, detailing how Kremlin hackers had spear-phished at least 100 state and local voting officials in the week prior to election day, by targeting a US voting software supplier.

A statement from The Intercept stopped short of an apology and instead focused on Winner’s selflessness.

“After an internal review, we acknowledged shortcomings in our handling of the document. However, it soon became clear that the government had at its disposal, and had aggressively used, multiple methods to quickly hunt down Winner,” it read.

“Reality Winner’s courage and sacrifice for the good of her country should be honored, not punished. Selective and politically motivated prosecutions of leakers and whistleblowers under the Espionage Act — which dramatically escalated under Barack Obama, opening the door for the Trump Justice Department’s abuses — are an attack on the First Amendment that will one day be judged harshly by history.”

The sentence could be viewed as particularly harsh given that no US personnel were put in any danger, nor information disclosed that foreign agents wouldn’t already have access to.

Categories: Cyber Risk News

Cheddar’s Scratch Kitchen Breach Hits 500K Cards

Fri, 08/24/2018 - 09:09
Cheddar’s Scratch Kitchen Breach Hits 500K Cards

Over half a million customers of US restaurant chain Cheddar’s Scratch Kitchen have had their payment card information compromised after an unauthorized intrusion at the company.

Parent company Darden Restaurants said it was notified by the “federal authorities” that attackers are likely to have swiped 567,000 payment card numbers after compromising a legacy POS system.

Guests who visited restaurants in 23 states between November 3 2017 and January 2 2018 could be affected.

“Upon being notified of this incident, we activated our response plan and we engaged a third-party forensic cybersecurity firm to investigate,” the company said. “Our current systems and networks were not impacted by this incident. In fact, this incident occurred on a legacy Cheddar's system that was permanently disabled and replaced by April 10, 2018, as part of our integration process.”

Identity protection services from ID Experts are being provided free of charge to those users affected.

Ryan Wilk, VP at NuData Security, argued that the breach risk has now effectively spread to “payment card providers and any other organizations with whom the victims hold accounts.”

“Once personal and financial information such as this is accessible to criminals, it feeds the pipeline of future cybercrime for years to come,” he argued.

“What companies can do at this point is to implement a different method of account protection to stop the damage after breaches. This is why businesses operating online are applying multi-layered security strategies with passive biometrics and behavioral analytics.”

The affected states are: Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin.

Categories: Cyber Risk News

Admins Urged: Stop Everything and Patch New Apache Struts Flaw

Fri, 08/24/2018 - 08:52
Admins Urged: Stop Everything and Patch New Apache Struts Flaw

Security experts are warning of another critical CVSS 10.0 vulnerability in Apache Struts, the framework that resulted in a major breach at Equifax last year.

Remote code execution vulnerability CVE 2018-11776 already has a working exploit published for it, meaning organizations should prioritize a fix.

Vendor Risk Based Security gave a “full stop, all hands on deck” warning to administrators to patch ASAP.

“Even though this issue has just been disclosed, VulnDB already has rated the ‘Social Risk Score’ is as High,” it added. “This means that based on the already strong social media presence discussing the vulnerability, the odds of active exploitation will be higher than average.”

Last year, credit agency Equifax was breached to the tune of over 140 million customers, nearly half the population of the US, after failing to patch a known Apache Struts vulnerability for several months.

However, the pressure to patch never relents: already this year there have been 1426 vulnerabilities disclosed with a CVSS rating of 10.0, according to Risk Based Security.

“For organizations who may say ‘well we don’t use Apache Struts, we’re safe!’, we want to remind you that Apache Struts is a third-party library of sorts and can be found in numerous high-profile products,” it added.

These include products from Cisco, Hitachi, IBM, MicroFocus, Oracle and VMware.

The bad news is that organizations appear overwhelmed with the patch load, according to new research from Kollective.

Its State of Software Delivery research revealed that 37% of US and UK IT managers believe “a failure to install updates” is their biggest security threat of 2018.

Yet over a quarter (27%) of respondents said it takes at least a month before they can install updates, a figure rising to 45% for businesses with over 100,000 endpoints.

“While it’s obviously important for IT teams to spend time testing new software and updates before rolling them out, our research has found that many of the delays in software distribution aren’t because of testing, but rather a lack of infrastructure,” explained Kollective CEO, Dan Vetras.

“Poorly constructed networks mean that, even those companies that have made a significant investment in security software, are still leaving their organizations vulnerable to attack. With a growing number of applications being left out of date, today’s businesses are creating their own backdoors for hackers, botnets and malware to attack.”

Categories: Cyber Risk News

Ryuk and Sextortion Ransomware Nets $1m

Thu, 08/23/2018 - 14:50
Ryuk and Sextortion Ransomware Nets $1m

Two recent ransomware campaigns have earned attackers over $1m.

According to Bleeping Computer, those behind the Ryuk ransomware earned over $640,000, while those operating a scam tactic to convince people there was a compromising video of the victim made $500,000 according to Motherboard.

While the sextortion phishing scam was widespread, it did ask for $1400 in Bitcoin and according to research by Banbreach of around Bitcoin 770 wallets, 230 had over 1000 transactions, receiving a total of around 70.8 BTC.

The Ryuk ransomware asked victims to pay either 15-35 Bitcoin or 50 Bitcoin, depending on which ransom note was received. Raj Samani, chief scientist and fellow at McAfee, told Infosecurity that the ransom demanded for Ryuk is very high when compared to other ransomware variants.

“This suggests this is a straightforward extortion campaign as opposed to a case of pseudo ransomware,” he said. “It also suggests a very targeted campaign aimed at organizations – part of a growing trend of enterprise-targeted campaigns.”

Andy Norton, director of threat intelligence at Lastline, said: “SamSam, Bitpaymer and now Ryuk have targeted corporate environments with fast spreading lateral infection behaviors. This is proving to be a successful model for them, as the disruption of business processes or services is the first cost the victim considers, then the time and money it takes to perform an actual investigation, backup and restore effected machines.

“As a rule of thumb, this is roughly double the cost of paying the ransom, so judging by the three transactions into one of the Ryuk bitcoin wallets, it looks like some victims have chosen to pay the ransom as the lesser evil.”

On the sextortion scam, Norton said that this was “very convincing” as it highlights bad password practices “so if you don’t change your passwords after a breach or reuse passwords across different portals, then the chances are the password they send you will still be accurate and therefore be very believable.”

Categories: Cyber Risk News

Bad News About AppleJeus

Thu, 08/23/2018 - 13:43
Bad News About AppleJeus

Unlike the apple juice enjoyed by many a youngster, the newly discovered AppleJeus looks pretty rotten, according to new research from Kaspersky Lab.

Researchers have discovered the advanced persistent threat group Lazarus using AppleJeus, a new malicious operation. While assisting with incident response efforts in previous attacks from the group, researchers unexpectedly identified an attacker penetrating the network of a cryptocurrency exchange in Asia. The attacker used Trojanized cryptocurrency trading software, with the reported goal of stealing cryptocurrency from victims.

A previously unidentified version of a Windows-based malware was targeting the macOS platform, according to today's press release. The group was able to compromise the stock exchange's infrastructure by bamboozling an unsuspecting employee into downloading a third-party application from a specious website.

"The application’s code is not suspicious, with the exception of one component – an updater. In legitimate software, such components are used to download new versions of programs," Kaspersky wrote in the press release.

"In the case of AppleJeus, it acts like a reconnaissance module: first it collects basic information about the computer it has been installed on, then it sends this information back to the command and control server and, if the attackers decide that the computer is worth attacking, the malicious code comes back in the form of a software update."

Though the operation looks similar to a supply-chain attack, it is reportedly not, because the vendor of the cryptocurrency trading software has a valid certification for signing its software and legitimate registration records for the domain.

“We noticed a growing interest of the Lazarus group in cryptocurrency markets at the beginning of 2017, when Monero mining software was installed on one of their servers by a Lazarus operator. Since then, they have been spotted several times targeting cryptocurrency exchanges alongside regular financial organizations,” noted Vitaly Kamluk, head of GReAT APAC, Kaspersky Lab.

“The fact that they developed malware to infect macOS users in addition to Windows users and – most likely – even created an entirely fake software company and software product in order to be able to deliver this malware undetected by security solutions, means that they see potentially big profits in the whole operation, and we should definitely expect more such cases in the near future," Kamluk said. "For macOS users this case is a wake-up call, especially if they use their Macs to perform operations with cryptocurrencies.”

Categories: Cyber Risk News

BlackIoT Aims to Disrupt the Power Grid

Thu, 08/23/2018 - 11:56
BlackIoT Aims to Disrupt the Power Grid

The primary security concern with regard to internet-of-things (IoT) devices has largely been focused on individual security and privacy, but researchers at Princeton University found another substantial way an attacker could compromise IoT devices and use them to disrupt the power grid.

At last week’s 27th USENIX Security Symposium in Baltimore, Maryland, researchers presented their findings that high-wattage IoT devices, dubbed BlackIoT, pose a significant risks to power grids.

This new type of attack on the actual power grid is distinctly different from threats to SCADA systems, according to the recently released white paper, BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power GridResearchers proposed that an attack could happen if an malicious actor exploited high-wattage IoT devices for manipulation of demand via IoT attacks, resulting in local power outages and large-scale blackouts.

“An Internet of Things (IoT) botnet of high wattage devices – such as air conditioners and heaters – gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid,” researchers wrote.

“In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid,” they wrote.

Attacks could result in frequency instability, line failures and cascading failures, all of which could increase operating costs.

“Overall, our work sheds light upon the interdependency between the vulnerability of the IoT and that of other networks such as the power grid whose security requires attention from both the systems security and the power engineering communities. We hope that our work serves to protect the grid against future threats from insecure IoT devices,” they wrote.

The scenario presented in their findings is alarming yet not surprising to some industry experts. “This is directly analogous to an internet DOS [denial-of-service] attack, where an army of poorly protected computers flood a website with traffic,” said Ray DeMeo, co-founder and COO, Virsec.

“While we might hope IoT devices are built with adequate security, we should assume they are vulnerable. Smart grid technology will have to become smarter in a hurry to detect this new type of abuse."

Categories: Cyber Risk News

Cyber Scholarship to Build Multicultural Workforce

Thu, 08/23/2018 - 11:47
Cyber Scholarship to Build Multicultural Workforce

Select candidates from diverse backgrounds pursuing a career in cybersecurity could receive academic scholarships that pay half of their tuition, according to an announcement from NYU Tandon School of Engineering and Bridgewater Associates.

On 31 August the school will award an initial round of five scholarships to students from underrepresented minority groups enrolled in its Cyber Fellows online master’s degree program. This year five chosen members of the program will receive the new minority scholarship, funded by Bridgewater Associates, but the number of recipients will jump to 25 for next year.

“We will welcome our partners – the first Cyber Fellows, industry advisors and New York City – in this unique initiative to quickly scale up the number of technical experts capable of protecting our personal lives, critical infrastructure and national security,” Nasir Memon, NYU professor and associate dean for online learning, said in a press release.

During a welcome event for the inaugural cohort of 109 New York Cyber Fellows enrolled in NYU Tandon’s online cyber security master’s degree, Bridgewater Associates will present the recipients with their financial awards. Of those 109 students, 40% were reportedly identified as members of underrepresented groups, including women.

“The under-participation by large segments of our society represents a loss of opportunity for individuals, a loss of talent in the workforce and a loss of creativity in shaping the future of cybersecurity,” said International Consortium of Minority Cybersecurity Professionals president Aric K. Perminter.

“Not only is it a basic equity issue, but it threatens our global economic viability as a nation. The Bridgewater Scholarship underscores the importance of our mission to provide innovative, effective and timely solutions to the cybersecurity demands of employers.”

Building a diverse workforce remains both a challenge and an opportunity, which the scholarship intends to leverage in order to to address the growing shortage of highly trained technical security professionals.

“The Bridgewater Scholarship represents a meaningful alliance between Bridgewater Associates and the NYU Tandon School of Engineering with the shared goal of advancing the knowledge and careers of underrepresented minority students in cybersecurity,” said Bridgewater chief security officer Richard Falkenrath. “We are delighted to be involved in this significant program and to present the scholarship to this year’s winners.

Categories: Cyber Risk News

Cybercrime Pulls in $1m Every Minute

Thu, 08/23/2018 - 10:30
Cybercrime Pulls in $1m Every Minute

More than $1m is lost every minute to cybercrime, while 1861 people fall victim to scams.

According to research by RiskIQ of proprietary and third-party research, despite businesses spending $171,233 every minute on cybersecurity, $1,138,888 is lost to cybercrime. 

Its research found that every 60 seconds:

  • 1.5 organizations fell victim to ransomware attacks, with an average cost to businesses of $15,221
  • A new site appeared running the CoinHive cryptocurrency mining script
  • Four potentially vulnerable web components were discovered

It also found that a new phishing domain appears every five minutes, and a new site running the CoinHive cryptocurrency mining script was detected every 10 minutes.

In an email to Infosecurity, security author Raef Meeuwisse said that cybercrime continues to be a profitable industry, and cyber-criminals continually evolve their tactics to remain one step ahead of the average cybersecurity function.

He said: “Cybercrime and cybersecurity co-exist in a constant cycle of innovation. As one particular criminal trend towards a particular technique increases, so the security functions create or strengthen the required defenses.

“However, it is evident at both the level of personal and organizational cybersecurity that spending is usually too low. In fact, most of these cyber-criminals are not going after the hard targets with great defenses, they are targeting the low hanging fruit – and there is still far too much of it.”

He said that despite the examples cited by RiskIQ, he still has regular conversations where a person will talk about someone they know who has lost a fortune through an online scam, “yet they are still reluctant to consider paying £5 a month for home security software or even sparing the time to strip administration (installation) rights from their day-to-day account.”

RiskIQ CEO Elias Manousos said: “Leveraging the latest research as well as our own global threat intelligence, we're defining the sheer scale of attacks that take place across the internet to help businesses better understand what they’re up against on the open web.

“As companies innovate online to make more meaningful touchpoints with their customers, partners, and employees, attackers prey on their lack of visibility into their internet-facing attack surface to erode users’ trust and access credentials and sensitive data. Businesses must realize that they are vulnerable beyond the firewall, all the way across the open internet.”

Categories: Cyber Risk News

Half of English Councils Running Outdated Server Software

Thu, 08/23/2018 - 10:15
Half of English Councils Running Outdated Server Software

Nearly half of English local authorities are still running server software which is no longer supported by Microsoft, potentially leaving systems and sensitive data exposed to hackers, according to the results of a new Freedom of Information (FOI) request.

IT service provider, Comparex UK, submitted FOI requests to 95 councils including all London boroughs and received answers back from 81.

It revealed that 46% were still running one or more of: Windows Server 2000, Windows Server 2003 and Microsoft SQL Server 2005.

Although nearly all (94%) of those councils running Windows Server 2000 and Server 2003, and 88% of those running Microsoft SQL Server 2005, said they were upgrading within the next two years, they are exposed right now to attacks exploiting vulnerabilities no longer patched by Microsoft.

What’s more just 13% of the 94% of councils running Windows Server 2008 claimed they were paying for extended support, with the figure dropping to just 9% for Windows SQL Server 2008.

“By continuing to run out-of-date server software, many councils are exposing themselves to a host of security and compliance risks,” said Chris Bartlett, business unit director – public sector at Comparex UK.

“The FOI data suggests that matters are slowly improving, as separate FOI requests to London borough councils back in 2016 showed that 70% were running unsupported server software. However, with GDPR now in effect, councils need to be even more cognizant of vulnerabilities – especially considering the volume of citizen data they hold. With that in mind, it is important that risks are managed, and councils establish an upgrade strategy.”

The report is not the first to highlight the poor cybersecurity posture of many UK local authorities. Last year an FOI investigation from Barracuda Networks found that 27% had been infected with ransomware in the past.

Separate research from PwC found that only a third (35%) of council leaders are confident their organization can withstand a cyber-attack.

Categories: Cyber Risk News

Financial Watchdog Puts Pressure on Banks to Stop Fraud

Thu, 08/23/2018 - 09:41
Financial Watchdog Puts Pressure on Banks to Stop Fraud

A UK financial watchdog has put more pressure on banks to root out fraud, claiming they shouldn’t assume customer “gross negligence” is to blame.

Caroline Wayman, CEO of the Financial Ombudsman Service (FOS) said that in the disputes her organization is frequently called upon to settle, lenders often try to put the blame onto their customers.

However, unless they have the facts to back up their position, the FOS will usually rule that the financial institution has to pay up.

“Gross negligence is more than just being careless or negligent,” she wrote. “And as our case studies show, the evolution of criminals’ methods — in particular, their sophisticated use of technology and manipulative ‘social engineering’ — means it’s an increasingly difficult case to make.

Consumers in the UK lost £730m to scams last year, according to UK Finance. A third of these (£236m) were down to so-called “authorized push payment fraud” where the scammer tricks their victim into making payments to an account controlled by them.

According to Hannah Nixon, managing director of the Payment Systems Regulator, there were 43,875 reported cases of authorized push payment scams last year: 88% of victims were consumers, who lost an average of £2784 and the rest were businesses, who lost £24,355 on average per case.

The problem was exacerbated by the fact that banks had no measures in place to spot and block these fraud attempts, she said.

The regulator is now working on several initiatives to address the problem.

“These include guidelines to check the identity of people opening bank accounts to make it harder for fraudsters to open accounts that they use for scams; confirmation of payee, which will allow customers to verify that they are paying the person they want; and improved data sharing, which will mean banks can work together to respond to scams faster and more effectively,” said Nixon.

“We also tasked the industry to work with consumer representative groups to produce a code that the industry must adhere to when people report scams. This will give everybody greater protection against this type of fraud – and victims a much better chance of being reimbursed.”

Most security experts agreed with the FOS that banks should get better at tracking fraud.

“Banks should take more responsibility for defending against cyber-attacks and also assume the role of educator, as they possess the relevant knowledge of emerging threats, as well as the most effective defense,” said Webroot director of threat research, David Kennerley.

Trevor Reschke, head of threat intelligence at Trusted Knight, added that government also has a role to play.

“Banks must become more active in defending their systems and their customers, investigating instances to force proper attribution, and deployment programs to stop remote access and data theft from their systems,” he argued. “However, governments are often forgotten in this equation: as banks are critical national infrastructure, this should be an issue tackled at state level to stop the degradation of the financial sector as a whole.”

Categories: Cyber Risk News

DNC Spots Phishing Attempt to Access Voter Database

Thu, 08/23/2018 - 09:04
DNC Spots Phishing Attempt to Access Voter Database

The Democratic National Committee (DNC) has taken down a highly convincing phishing log-in page which appears to have been designed to give attackers access to the party’s voter database.

The page was discovered by Lookout Security’s AI-based phishing detection engine very early on in its lifecycle, most likely before attackers had a chance to send out related phishing messages to their targets.

It mimicked a log-in page for tech provider NGP VAN, used primarily by the DNC, which was hosted on DigitalOcean cloud infrastructure.

A DNC source told CNN that the site was intended to give the phishers access to a service called Votebuilder which hosts the party’s voter database.

Those involved co-ordinated a swift takedown of the page and informed the FBI.

“These threats are serious and that's why it's critical that we all work together, but we can't do this alone. We need the [Trump] administration to take more aggressive steps to protect our voting systems. It is their responsibility to protect our democracy from these types of attacks," said DNC chief security officer Bob Lord in a statement.

Although the timing of the attack could be a coincidence, it comes in the highly charged run up to the mid-term elections, where a Democratic Party majority in the lower house could pave the way for impeachment proceedings against President Trump.

While there’s no suggestion the Kremlin is behind this phishing attempt it certainly fits the modus operandi of state-sponsored groups like APT28, which famously spear-phished the DNC in the run-up to the 2016 presidential election, publishing sensitive emails in a bid to alienate Hillary Clinton voters.

Ross Rustici, senior director of intelligence services at Cybereason, argued that access to the DNC database would be useful for domestic partisan opposition and foreign intelligence and counterintelligence purposes.

“This type of prep work by hackers is likely to continue, and it is a good sign that these websites are being detected before they appear to be in use,” he added. “The efficacy of this type of credential theft is greatly mitigated by use of two-factor authentication and other identity management tools."

Lookout Security vice-president of security intelligence, Mike Murray, claimed that the new dynamics of running modern enterprises have created a “fertile ground” for more sophisticated phishing attacks.

“Where as organizations used to only have to protect against email-based phishing attacks, modern phishing attacks now occur through a variety of means: email, SMS, extended SMS messengers like Apple Messages, Google Hangouts, WhatsApp, WeChat, and social media sites like Facebook, LinkedIn, etc,” he argued.

“In many cases, mobile devices do not allow individuals to inspect links before clicking them. Additionally, these devices are constantly in motion from Wi-Fi to mobile networks, leaving the devices often unprotected and outside the organization’s security perimeter.”

The news comes after Microsoft this week claimed to have taken down six phishing domains said to have been run by the Russian APT28 group.

Categories: Cyber Risk News

AT&T Turns Acquired AlienVault into Cybersecurity Solutions Division

Wed, 08/22/2018 - 16:17
AT&T Turns Acquired AlienVault into Cybersecurity Solutions Division

Completing its acquisition of AlienVault, as revealed in July, AT&T will turn the threat intelligence vendor into its standalone Cybersecurity Solutions Division.

To be led by AlienVault CEO Barmak Meftah and AT&T Business CEO Thaddeus Arroyo, the division will combine AlienVault’s foundational unified security management platform and Open Threat Exchange with AT&T’s suite of managed cybersecurity services, solutions and network visibility to better protect businesses.

“Together we have the opportunity to simplify a complex problem and automate how customers tackle their cybersecurity needs,” Meftah said. “We will combine our phenomenal threat detection, incident response and compliance security platform with AT&T’s managed security capabilities, making near-real-time threat information actionable and achievable.”  

Said Arroyo, “AlienVault’s cybersecurity talent and threat intelligence capabilities, combined with our ability to deliver innovative threat detection and response solutions at scale, will help enable businesses of all sizes to better defend themselves.”

Christina Richmond, program vice president, worldwide security services at IDC, said that the combination of the companies was “an exciting combination” as “AT&T has significant telemetry and intelligence.”

“With AlienVault’s Open Threat Exchange, the new organization has the opportunity to deliver to customers leading threat insight and analytics," Richmond said. "In addition, AlienVault and AT&T’s SMB combined market presence will offer security services that are viewed via a single pane of glass, cost effective, easy to use and can be combined with other services.”

Categories: Cyber Risk News

New Major Ghostscript Vulnerability Discovered

Wed, 08/22/2018 - 15:05
New Major Ghostscript Vulnerability Discovered

Google Project Zero security researcher Tavis Ormandy has exposed a new vulnerability in Ghostscript, a widely used suite of software based on an interpreter for Adobe Systems’ PostScript and Portable Document Format page-description language.

According to Ormandy, the vulnerability, which was without a CVE identifier or fix at the time of writing, gives an attacker the means to take over applications and servers that use vulnerable versions of Ghostscript by sending victims a malformed PostScript, PDF, EPS or XPS file containing a malicious code. When the file reaches the Ghostscript interpreter, the code will execute on the victim’s machine.

“I really *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default,” Ormandy wrote. “I think this is the number one ‘unexpected ghostscript’ vector.”

Steve Giguere, lead EMEA engineer at Synopsys, said the exploit, with the potential for file system access, could lead to sensitive data leaks and more because it can be the beachhead opportunity for a more comprehensive attack.

“This Ghostscript exploit is a premium example of cascading dependencies on open source software packages, where the dependency of a core component may not be easily upgraded. Even when a CVE is associated with something like this, and a fix available, there will be a secondary delay whilst packages which incorporate this into their own software like ImageMagick release a version with a fix,” he added.

“In the short term, the advice to start disabling PS, EPS, PDF and XPS coders by default is the only defense,” until a fix is available, he concluded.

Categories: Cyber Risk News

Almost a Third of Orgs Still Not Completely Prepared for GDPR

Wed, 08/22/2018 - 14:30
Almost a Third of Orgs Still Not Completely Prepared for GDPR

New research has revealed that more than a quarter of organizations (28%) do not feel completely compliant with the General Data Protection Regulation (GDPR), despite now being passed the 25 May deadline.

Security firm Imperva based its findings on a survey of 185 attendees at Infosecurity Europe 2018, with IT professionals, managers and executives among those polled.

When asked whether they thought they would pass their first GDPR audit, less than half of the respondents said they were very confident they would, while over one-third were somewhat confident and less than one-fifth were not confident.

With regards to knowledge of where the personal data of users resides in their systems, more than a third felt that they knew the location of such information, while more than half admitted that it would take them three months to get their house in order. Interestingly, though, almost 90% felt they could easily deal with subject data requests, with 57% saying their company had already received one.

“The deadline has now come and gone, yet the study shows that many organizations aren’t sure they have achieved GDPR compliance,” said Terry Ray, CTO of Imperva. “Any company that put GDPR off until the last minute now realizes compliance cannot be achieved overnight.”

Speaking to Infosecurity Jonathan Armstrong, partner at Cordery, said that Imperva’s findings are not a surprise, “except for those who think they are very confident they would pass an audit."

“It seems that many GDPR projects ran out of steam at the end of May with work still to be done,” he added. “We’re already seeing organizations get caught out – whether with a security breach, former employees or customers asking tough questions or an audit. It’s important to remember that GDPR compliance isn’t optional like some projects are. The volume of complaints we are seeing and the pro-active investigations of some regulators, like in the Netherlands, show us that GDPR compliance is as important now as it ever was.”

Categories: Cyber Risk News

Rights Group: Government Must Act on Nuisance Calls

Wed, 08/22/2018 - 09:34
Rights Group: Government Must Act on Nuisance Calls

A leading consumer rights group is urging the government to come good on its promise to clamp down on the growing epidemic of nuisance calls.

Which? claimed that a massive 73% of consumers it polled earlier in August had received at least one unsolicited call over the previous month, with nearly 6% actually being scammed by a cold caller.

What’s more, over 80% view it as an “intrusive interruption” while over 70% claimed the calls discourage them from picking the phone up. Two-fifths said they feel distressed by cold calls.

The UK’s Privacy and Electronic Communications Regulations (PECR) mandate strict rules governing the use of marketing emails, calls, texts and faxes.

Privacy regulator the Information Commissioner’s Office (ICO) has slapped huge fines on companies like Keurboom Communications (£400K), Miss-Sold Products UK (£350K), Your Money Rights (£350K) and more over the past year.

However, too often the directors behind these companies escape punishment by declaring bankruptcy, only to set up new businesses.

According to Which? the government agreed two years ago that from spring 2017, directors of firms responsible for nuisance calls could each be fined up to £500,000 by the ICO if they breached the PECR.

So far, it has failed to introduce such measures.

“It’s time to stem the tide of this daily torment and properly hold to account company directors who are responsible for flouting the law. We must stop them from bombarding households with nuisance calls,” said Which? managing director of home products and services, Alex Neill.

“The government must seize this opportunity and act swiftly to deliver on its promise to stamp out dodgy practices and make sure that those responsible for making nuisance calls can no longer evade justice and skip fines.”

Colin Truran, principal technology evangelist at Quest, claimed that nuisance calls can “drive people to panic” if they think they may have had their data breached.

“It can also drive a tidal wave of Subject Access Requests and Right of Erasure requests between the victim and anyone they have passed their details to in the past,” he added.

“So, who’s to blame for this? The directors of the companies. The government needs to hold the directors personally accountable and by this I don’t mean a short-term suspension — this should include the banning of offenders from working in the industry to safeguard the public.” 

Categories: Cyber Risk News

Superdrug Held to Ransom After Breach

Wed, 08/22/2018 - 09:30
Superdrug Held to Ransom After Breach

Superdrug has become the latest big-name high street brand to have suffered a damaging breach of customer data, after hackers apparently tried to hold the firm to ransom.

The UK health and beauty retailer has been sending emails out to those affected after reports suggested hackers contacted the firm on Monday to say they had data on 20,000 customers.

“The hacker shared a number of details with us to try and ‘prove’ he had customer information — we were then able to verify they were Superdrug customers from their email and log-in,” a spokeswoman told ITV News.

The firm has apparently confirmed the validity of over 300 compromised accounts but appears to be trying to minimize the fall-out.

There’s no public statement as yet on the incident on its website and a cryptic tweet on Tuesday seemed to skirt around the issue, stating:

“To customers who have received an email from us today, this email is genuine. We recommend you follow the steps we outlined.”

Data stolen reportedly includes names, addresses, dates of birth and phone numbers as well as points balances, but not financial information. Superdrug is maintaining that its systems have not been compromised and instead that customer emails and passwords were obtained from breaches of other sites.

Superdrug claimed to have contacted the police and Action Fraud UK and has urged its customers to change the passwords on their accounts.

Jake Moore, security specialist at ESET, urged customers to be on the lookout for follow-on phishing attacks.

“These scams are increasingly sophisticated and difficult to spot, therefore, as a rule of thumb, do not click on any links or download any documents that you are not expecting,” he added. “Try and verify if and where you can on the origin of an email before acting upon any requests. "

Categories: Cyber Risk News

Microsoft Shuts Down Six APT28 Phishing Domains

Wed, 08/22/2018 - 08:35
Microsoft Shuts Down Six APT28 Phishing Domains

Microsoft claims to have shut down six phishing domains associated with an infamous Kremlin-sponsored group linked to 2016 presidential election interference, as tensions rise ahead of the mid-terms in November.

In a lengthy blog post, president Brad Smith said that Microsoft has increasingly been called upon to disrupt activity from the group, which was blamed by intelligence services for the theft and subsequent dissemination of sensitive Democratic Party data in the run up to the last presidential election.

“Microsoft’s Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six internet domains created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28,” he explained. “We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group.”

However, although Smith placed the shut down activity in the context of potential election interference ahead of the 2018 mid-terms, the domains themselves are non-partisan.

“One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate,” he continued. “Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the US Senate but are not specific to particular offices.”

To help repel the threat, Microsoft has announced a new initiative, AccountGuard, designed to provide “state-of-the-art” protection to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations.

The offering features threat notifications, user education and guidance and early adopter opportunities.

Experts welcomed the move but cautioned that it would do little to disrupt any Russian state-backed cyber-espionage.

“Though APT28 has leveraged data gathered from intrusions to carry out active measures, such as targeted leaks through false personas, incidents of this nature do not necessarily signify such an operation,” argued FireEye director of threat intelligence, John Hultquist. “In fact, the principal focus of APT28 has always been quiet intelligence collection for the decision advantage of its sponsors — the Russian military and policymakers.” 

F-Secure security advisor, Sean Sullivan, welcomed the new product offering, but said the discussion of the 2018 mid-terms threatens to overwhelm the bigger picture.

“The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage. In short: spies are going to spy,” he claimed. “That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an ‘attack’ on the elections that risks missing the complete threat model — and therefore the complete countermeasures that should be taken.”

Dtex Systems CEO, Christy Wyatt, added that the shut downs are a mere drop in the ocean.

“Assessments we conducted as part of our 2018 Insider Threat Intelligence Report revealed that 67% of organizations had instances of employees visiting high risk websites, which is exactly what the sites Microsoft identified are,” she said.

Categories: Cyber Risk News