After the previously announced keynote speaker Will Hurd was withdrawn amid criticism from the security community over his voting record, Dino Dai Zovi took the opportunity to focus on the “shift left” concept and on how he had worked his way through events like Pwn2Own and security jobs where he had seen differing security cultures.
He said that starting his job at Square in 2014, he was able to overcome some of the collaboration problems he had seen in other jobs, and especially where there was a culture of collaboration and empathy, “as security engineers wrote code like everyone else.”
“A software team member said 'hello, security friends' and asked a question, and someone voluntarily talked to security. It took me a while to figure out what the ingredients were, and that was the transformative change for me.”
He said that when he saw this firsthand he was critical, and went on to demonstrate his capabilities, because “we are not insiders anymore” and we need opportunities to demonstrate what we have learned.
To be better at security, he recommended three transformative lessons:
- Work backwards from the job
- Seek and apply leverage
- Culture is hard, and it shapes strategy and tactics
The first lesson is about “what customers hire us for,” as agility “is important as threats change, and it is important to keep up.”
The second lesson should be about the fact that “we are still a small community and problems we tackle are huge,” Zovi said. If we have better feedback loops, he said, we can measure attacking and succeeding and consequently develop better software.
The third lesson is that culture is hard, and “ops and devs jobs are hard and to allow change, we need to allow change to happen.” He also said that it is about cultivating a culture of empathy. Instead of saying no, “say yes and how we can help” and move away from a culture of blame.
“If we do this better, it will shape our strategy and shape our tactics and have an impact on results. And that is why we should focus on generating generative cultures,” he said. “Security teams are afraid and there are good reasons to be afraid, as there is a lot of bad activity going on out there, a lot of breaches, a lot of scary things and new stuff every day. But fear misguides us, as it is irrational, and if we are afraid of tail risks we could have a deprioritization of our resources. We may focus completely on targeted zero-day attacks and completely ignore credential stuffing attacks, which are far more common and way more likely to affect most people.”
He concluded by encouraging the world “to start with yes” as it keeps the conversation going and is collaborative and constructive. “That is how we have real change and have real impact.”
The LokiBot malware continues to evolve and is now using steganography to cloak its malicious files, according to a report from Trend Micro this week.
Recently highlighted as one of the top three malware strains of 2018, LokiBot started out as a password- and cryptocurrency wallet–stealing malware on hacker forums as early as 2015, but it has evolved, according to Trend Micro. It has taken to abusing the Windows installer and updating the methods that it uses to stay on the victim's system.
Now, Trend Micro has identified a new variant of the malware that uses steganography to help hide its malicious intent. It installed itself as a .exe file, along with a separate .jpg image file. The image file opens, but it also contains data that LokiBot uses when unpacking itself.
This LokiBot variant drops the image and the .exe file into a directory that it creates, along with a Visual Basic script file that runs the LokiBot file. Its unpacking program uses a custom decryption algorithm to extract the encrypted binary from the image.
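The variant described above keeps its encrypted payload inside an image that still opens as a picture. The following is an added example of my own, not LokiBot's loader or Trend Micro's analysis tooling: a check for the simplest form of that trick, data appended after the JPEG end-of-image marker. It walks the marker segments rather than searching for the first FF D9, because EXIF thumbnails carry their own end-of-image marker. The sample image, the payload and the entropy thresholds are constructed and chosen here, not taken from the reported sample.

```python
"""Added example (not LokiBot's or Trend Micro's code): report data that sits after a
JPEG's end-of-image marker. Sample image and payload are constructed below."""
from __future__ import annotations

import hashlib
import math
import struct
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def find_eoi(data: bytes) -> int:
    """Offset of the real EOI, found by walking marker segments.

    Searching for the first FF D9 is wrong: EXIF APP1 segments often embed a thumbnail
    JPEG with its own SOI/EOI. Segments are skipped by their declared length; only
    entropy-coded scan data is scanned byte by byte, and there FF is always followed
    by 00 (stuffing) or D0-D7 (restart markers), so any other marker is real."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte
            pos += 1
            continue
        if marker == 0xD9:
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += 2 + length
        if marker == 0xDA:                                   # SOS: scan data follows
            while True:
                idx = data.find(b"\xff", pos)
                if idx < 0 or idx + 1 >= len(data):
                    raise ValueError("truncated scan data")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = idx + 2                            # still inside scan data
                    continue
                pos = idx                                    # real marker: resume walk
                break
    raise ValueError("no EOI marker found")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def inspect_jpeg(data: bytes) -> dict:
    """Describe the trailer. Thresholds are my own heuristics: editors sometimes leave
    a few low-entropy bytes after EOI, so only a sizeable high-entropy trailer, or one
    starting with an executable/archive magic, is flagged."""
    eoi = find_eoi(data)
    trailing = data[eoi + 2:]
    entropy = shannon_entropy(trailing)
    return {
        "eoi_offset": eoi,
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(entropy, 2),
        "trailing_magic": trailing[:2].hex(),
        "suspicious": trailing[:2] in (b"MZ", b"PK") or (len(trailing) >= 256 and entropy > 7.0),
    }


def _segment(marker: int, body: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body


def build_sample_jpeg(payload: bytes = b"") -> bytes:
    """Constructed JPEG skeleton (valid marker structure, not a real picture) with an
    APP1 block holding an embedded thumbnail, so a naive first-FF-D9 search fails."""
    thumb = SOI + _segment(0xDB, b"\x00" + bytes(64)) + EOI
    return (SOI
            + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(0xE1, b"Exif\x00\x00" + thumb)
            + _segment(0xDB, b"\x00" + bytes(64))
            + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
            + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\xff\x00\x56"                        # scan data; FF stuffed as FF 00
            + EOI + payload)


def fake_encrypted_payload(n: int = 4096) -> bytes:
    """Constructed stand-in for an encrypted binary: a SHA-256 chain, deterministic
    but statistically near-random (entropy close to 8 bits/byte)."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


if __name__ == "__main__":
    for label, img in (("clean", build_sample_jpeg()),
                       ("stego", build_sample_jpeg(fake_encrypted_payload()))):
        print(label, inspect_jpeg(img))
```

A trailer is only one hiding place; a payload can also sit inside an APP segment or in the pixel data itself, which this check does not cover. It is still a cheap first filter for mail and web gateways that already parse images.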
Trend Micro has seen LokiBot hiding inside image files before. In April, it reported a variant of the malware that hid a .zipx attachment inside a .png file.
Steganography has two benefits for malware authors, warned the researchers. First, it provides another layer of obfuscation, helping the malware to slip past some email security systems. Second, it provides the malware authors with more flexibility. This variant used the VBScript file interpreter to execute the malware rather than relying on the malware to execute itself. This means that the authors can change the script to alter the technique that LokiBot uses to install itself.
Steganography is becoming an increasingly common form of obfuscation for malware authors. Other notable uses of the technique include the Stegoloader backdoor Trojan and the Vawtrak malware, which hid update files in favicons. The 2019 VeryMal campaign also used the technique to hide malware in advertising images.
You've heard about wardriving, but what about warshipping? Researchers at IBM X-Force Red have detailed a new tactic that they say can break into victims' Wi-Fi networks from afar.
The company calls the technique warshipping, and it is a more efficient evolution of wardriving, a popular technique among hackers seeking access to any wireless network they can find. Whereas wardrivers drive around a wide area with an antenna looking for wireless networks to crack, IBM's researchers took a more targeted approach.
Speaking at Black Hat USA, IBM researchers explained how they used off-the-shelf components costing under $100 to create a single-board computer with Wi-Fi and 3G capability. This enables it to connect to a Wi-Fi network to harvest data locally and then send it to a remote location using its cellular connection. The small device runs on a cell phone battery and easily fits into a small package.
Attackers can then send the device to a company via regular mail, where it will probably languish in a mail room for a while. During this time, it can connect to any Wi-Fi networks it finds in the building and harvest data – typically the hashed form of the network's pre-shared key captured from the Wi-Fi handshake, which can be cracked offline. It sends this back to the attacker, who can then use their own resources (or a cloud-based cracking service) to recover the original passphrase. At this point, they have access to the company's Wi-Fi network.
The warshipping device could then join the Wi-Fi network and mount a man-in-the-middle attack, impersonating a legitimate access point and coaxing company employees to connect to it. It would then be able to harvest their credentials and other secrets, IBM explained.
The device could be programmed to wake up periodically and use its 3G network to check a command and control server for instructions on whether to begin its attack or go back to sleep. This would help preserve its battery, IBM said.
The concept works in practice, warned the company, which said: "In this warshipping project, we were, unfortunately, able to establish a persistent network connection and gain full access to the target’s systems."
Chris Henderson, global head of IBM X-Force Red, has written up the attack at SecurityIntelligence.
Researchers at the Black Hat security conference this week have revealed vulnerabilities in LeapFrog's LeapPad, a leading children's tablet.
The flaws revolved around Pet Chat, an app that lets children talk to each other in a virtual room using pet avatars and predefined phrases. The app creates a peer-to-peer Wi-Fi connection (also known as Ad Hoc mode) that broadcasts the tablet's presence to similar devices using the SSID Pet Chat.
Checkmarx researchers used WiGLE, a wireless network mapping website, to track the location of LeapPads running Pet Chat. Because the app broadcasts a fixed SSID, anyone online could find the location of a LeapPad using Pet Chat by searching for that network name or by tracking the device's MAC address.
Because Pet Chat didn't require authentication between devices, anyone near a LeapPad running the app could send an unsolicited message to the child with it, potentially using the preset phrases to lure the child into danger.
The LeapPad's outgoing traffic was also unencrypted, using plain HTTP rather than TLS-protected HTTPS, the researchers warned.
They disclosed the Pet Chat vulnerability to LeapFrog in December 2018, although the company didn't remove it until June 2019.
This isn't the first time that children have been exposed by technology that purports to help them. In February, security consulting firm Pen Test Partners discovered that cybersecurity in children's smart watches had failed to improve following a report from the Norwegian Consumer Council in early 2018. The European Commission issued a recall order for one smartwatch, called Safe-KID-One, from German company ENOX, which sent information including location history and phone numbers in the clear. Malicious users could send commands to any watch making it call another number of their choosing.
LeapFrog didn't return our request for comment by press time.
In a panel at Black Hat USA, cryptographer Bruce Schneier; Camille Francois, research and analysis director at Graphika and fellow at Harvard Law School Berkman Center; and Eva Galperin, director of cybersecurity at the EFF, talked about the benefits of technologists to society.
In a panel titled “Hacking for the Greater Good: Empowering Technologists to Strengthen Digital Society,” Francois said that the concept of the technologist is not new “and not tied to the nature of Black Hat and DEFCON.” Meanwhile, Galperin said that the EFF’s need for technologists grew in the 1990s, as people “who explained things to lawyers or take on large challenges like securing endpoints,” but that the role of the technologist requires a different set of skills and day-to-day work from what most companies were doing.
This is because the “notion of adversarial research is an act of public interest technology,” Schneier said, and that it is "not new to me, or new to the community.”
Schneier said that the practice of testing systems that are sold and relied on, without the permission of the company or government behind them, should be welcome, as "they are evaluated and determine whether they should they be used."
“When we do this as academics or in a threat lab, we are engaging in the public interest,” Schneier said.
Francois asked about when the Edward Snowden leaks were disclosed, saying that there was a reliance on technologists to help journalists with stories. “I was called by Glenn Greenwald to look at the documents, and journalists needed associate technologists to figure out what was going on,” Schneier said.
Francois said that there is a need to better prove the capabilities of technologists who serve the public interest. Schneier said: “We are seeing a lot more groups trying to bridge technology and policy and especially our area of tech security. Some is for fame and glory, some is for funding. Technologists want to do collaboration.”
Galperin said that the EFF’s niche of human rights in technology is “now touching everyone’s lives” and as technologists become more mainstream and important, “the opportunity for misunderstanding is higher.” She said that she is finding that battles that were thought to have been won, such as backdoors in end-to-end encryption, are being re-fought.
Moss said that a lot of the talks over the past 20+ years at Black Hat had been about wanting the attention of management, political leaders and the board. Now that they are listening, he questioned what the industry is going to do with that.
“How we communicate really determines our outcomes, so for example now that the spotlight is on us, if we communicate well to the board you might get more budget, and if you communicate poorly to the board, you might get fired,” he said.
He asked how you communicate what “cyber” or “security” is and the language we use causes us to think of problems in a certain way and “leads in a direction we may not want to go in.”
Moss used the example of cyber being seen as the fifth domain by the military, but said that does not mean it is equal “and we are using language in a way that doesn’t fit.”
Moss said that, despite these being the early days of the internet, there are going to be several defining trends, including “centralized versus decentralized”; he said he believes in the latter, “but there are efficiency gains in centralized.”
Moss said that we’re in a “centralization phase” and that will enable law enforcement and regulation and if the trend continues, he speculated, none of us will be surprised that we are more regulated.
“I’m a big believer that most of our problems are communications problems,” he said, adding that in DEF CON post-mortems, 80% of the problems are communications related and “totally fixable communications problems.”
Moss concluded by saying: “This gives me a lot of hope because we can fix communications problems. We are not inventing a new kind of maths, but what we have to do is reorder the way we think about things and reorder the way in which we communicate things and once we do that, you’ll see we will get completely different outcomes. Whether it is outcomes from our boss, or politicians or regulation. It is a bit of a soft skill that leads to better outcomes.”
A Pakistani man has been charged with multiple offenses after allegedly bribing AT&T staff to the tune of hundreds of thousands of dollars to help him fraudulently unlock two million customer mobile phones.
Muhammad Fahd, 34, was arrested in Hong Kong in February 2018 and extradited to the US last Friday. He’s charged with conspiracy to commit wire fraud and violate the Travel Act and the Computer Fraud and Abuse Act, four counts of wire fraud, two counts of accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act.
He is alleged to have bribed staff at the US telco giant over a five-year period ending in 2017, paying one individual as much as $428,500. Three have so far pleaded guilty to their involvement.
“Initially, Fahd allegedly would send the employees batches of international mobile equipment identity (IMEI) numbers for cell phones that were not eligible to be removed from AT&T’s network. The employees would then unlock the phones,” explained a DoJ news statement.
“After some of the co-conspirators were terminated by AT&T, the remaining co-conspirator employees aided Fahd in developing and installing additional tools that would allow Fahd to use the AT&T computers to unlock cell phones from a remote location.”
This effectively meant installing malware and unauthorized hardware on AT&T’s network so he could sell phone unlocking services to the general public, depriving the telco “of the stream of payments that were due under the service contracts and instalment plans,” according to the indictment.
Another co-conspirator, Ghulam Jiwani, was also arrested in Hong Kong but died before he could be extradited to the US. Fahd is facing a maximum of 20 years behind bars if found guilty.
“This defendant thought he could safely run his bribery and hacking scheme from overseas, making millions of dollars while he induced young workers to choose greed over ethical conduct,” said US attorney Brian Moran. “Now he will be held accountable for the fraud and the lives he has derailed.”
Over half of organizations are struggling to protect their workloads, claiming the maturity of their security posture can’t keep up with the rapid pace of cloud adoption, according to Symantec.
The security giant polled 1250 IT decision-makers in 11 countries worldwide to compile its 2019 Cloud Security Threat Report.
It revealed that while 53% of enterprise workloads have now been migrated to the cloud, a similar percentage of organizations (54%) are struggling to keep pace with the expansion of cloud apps.
Most (93%) said they are having trouble keeping track of workloads and estimated that more than a third of files in the cloud shouldn’t be there.
Some 83% claimed they don’t have the right processes in place to effectively manage security incidents, meaning a quarter of alerts go unaddressed.
Nearly three-quarters (73%) said they’ve experienced an incident because their cloud security isn’t mature enough – i.e. they lack controls like encryption and multi-factor authentication (MFA) and are poorly configured. Some 65% of organizations failed to implement MFA in IaaS environments and 80% don’t use encryption, according to the report.
As a result, they face an increased risk of insider threats – ranked by respondents as the third biggest threat to cloud infrastructure.
Nico Popp, Symantec’s senior vice-president of cloud & information protection, explained that 69% of responding organizations believe their data is already on the dark web for sale and fear an increased risk of data breaches because of their cloud migration.
“The adoption of new technology has almost always led to gaps in security, but we’ve found the gap created by cloud computing poses a greater risk than we realize, given the troves of sensitive and business-critical data stored in the cloud,” he added.
“Data breaches can have a clear impact on enterprises’ bottom line, and security teams are desperate to prevent them. However, it’s not the underlying cloud technology that has exacerbated the data breach problem – it’s the immature security practices, overtaxed IT staff and risky end-user behavior surrounding cloud adoption.”
Security researchers are warning of a new speculative execution vulnerability affecting all modern Intel processors which could allow attackers to access sensitive data stored in the kernel.
The CVE-2019-1125 flaw bypasses all mitigations put in place after the discovery of Spectre and Meltdown in early 2018, according to Bitdefender. It’s said to affect all processors built since 2012, running on Windows, Linux or FreeBSD laptops and servers – meaning consumers and enterprises are at risk.
It could enable a side-channel attack that abuses a little-known system instruction called SWAPGS, exposing data held in privileged kernel memory such as passwords, tokens, private conversations, encryption keys and more.
“This attack exposes sensitive information from the OS kernel by abusing speculative execution of SWAPGS instruction. An attacker can force arbitrary memory dereferences in kernel, which leaves traces within the data caches,” explained Bitdefender.
“These signals can be picked-up by the attacker to infer the value located at the given kernel address. Consequently, attackers can exploit this vulnerability to search values in kernel memory (check if a given value is located at a given kernel address) or leak values from arbitrary kernel addresses.”
Bitdefender has been working with Intel for over a year on this research and claims its Hypervisor Introspection (HVI) tool will provide protection until patches are available, instrumenting each vulnerable SWAPGS instruction to ensure it will not execute speculatively.
Patches are apparently being readied by ecosystem partners like Microsoft and users are urged to implement them as soon as they're available.
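Once the operating-system fix is installed, an administrator wants to confirm it took effect. The following is an added example of my own, not Bitdefender's or any vendor's tooling, for Linux hosts: it reads the kernel's /sys/devices/system/cpu/vulnerabilities files and checks whether the SWAPGS fix is reported. Mainline Linux reports that fix under spectre_v1 as "Mitigation: usercopy/swapgs barriers and __user pointer sanitization"; a kernel without it reads "Mitigation: __user pointer sanitization". The two sample directories below are constructed to show both states, and the other status strings in them are illustrative.

```python
"""Added example (not Bitdefender's code): check the Linux sysfs mitigation status
for the SWAPGS fix. SAMPLE_* dictionaries are constructed; read_sysfs() reads live values."""
from __future__ import annotations

from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")
SWAPGS_MARKER = "swapgs"   # appears in spectre_v1 once the barriers are compiled in


def read_sysfs(path: Path = SYSFS) -> dict[str, str]:
    """One entry per file, e.g. {"spectre_v1": "Mitigation: ..."}; empty if unsupported."""
    if not path.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(path.iterdir())}


def classify(status: str) -> str:
    """Collapse the free-text status into one of four states."""
    s = status.lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def swapgs_mitigated(files: dict[str, str]) -> bool:
    """The SWAPGS barrier is a kernel-only change (no microcode is involved), so the
    sysfs text is the authoritative signal for this particular fix."""
    return SWAPGS_MARKER in files.get("spectre_v1", "").lower()


def findings(files: dict[str, str]) -> list[str]:
    """Human-readable problems: anything still Vulnerable, plus a missing SWAPGS fix."""
    out = [f"{name}: {status}" for name, status in files.items()
           if classify(status) == "vulnerable"]
    v1 = files.get("spectre_v1")
    if v1 is not None and classify(v1) != "not_affected" and not swapgs_mitigated(files):
        out.append("spectre_v1: no SWAPGS barriers reported (CVE-2019-1125); update the kernel")
    return out


# Constructed samples: the spectre_v1 strings are the real before/after texts,
# the other entries are illustrative of what such a directory contains.
SAMPLE_UNPATCHED = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
}
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
}

if __name__ == "__main__":
    live = read_sysfs()
    for label, files in (("unpatched sample", SAMPLE_UNPATCHED),
                         ("patched sample", SAMPLE_PATCHED),
                         ("this host", live)):
        print(label, "->", findings(files) or "no findings")
```

On a host where the directory is absent (very old kernels, or a non-Linux system) read_sysfs() returns an empty map and findings() reports nothing, so treat "no findings" on an empty map as "unknown", not "safe".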
“Criminals with knowledge of these attacks would have the power to uncover the most vital, best-protected information of both companies and private individuals around the world, and the corresponding power to steal, blackmail, sabotage and spy,” said Gavin Hill, vice-president, datacenter and network security products at Bitdefender.
“Research into these attacks is on the cutting edge as it gets to the very roots of how modern CPUs operate and requires a thorough understanding of CPU internals, OS internals, and speculative-execution side-channel attacks in-general.”
Lord, who also served as CISO of Yahoo, Netscape and Rapid7, talked about stories such as the Yahoo attack and breach, and how the lessons learned “should be talked about,” but there are too many cases where we “talk technology but have forgotten how to tell stories to executives.”
He said that this problem of communication is “repeated breach after breach” and that the industry often fails to tell a story and be heard.
Pointing to his current work at the DNC, Lord said that this involves working with state parties and campaigns, which have separate funding and separate charters, and are separate legal entities with different levels of maturity.
This led to a suggestion to kill the checklist of security best practice, which Lord called “a roadmap of our failure to build usable security in products”. The only way to resolve it, he offered, is to sit down one-on-one to get it done. That, he countered, doesn’t scale.
He said: “We realize doing the basics is hard and time consuming,” and if we have to do it one-on-one we have “failed users,” so we need to take a more active role and move to “secure by design.” This includes making updates painless, automatic and transparent, and enabling encryption on laptops that doesn’t have to be paid for and is not hard to install.
Lord also called for better security standardization, especially in authentication. Instructing someone how to use a password manager, he said, “is a real struggle to help someone under the best circumstances.”
He pointed at the case of 2FA. If a user has to search for how to enable 2FA, he said, then “something is not quite right.” He also advised against connecting to “sketchy wifi,” but conceded that it is hard to determine what a “sketchy wifi” network looks like.
“You shouldn’t have to pay more to be good at security,” Lord said. “Don’t treat it as a luxury item.”
He concluded by saying that things should be more “secure by default for average folks, in all devices and services, with no action required by users” and praised the work of the FIDO Alliance, which he said is “a real game changer in making things secure for the average person.”
Marking the sixth birthday of the 'I Am the Cavalry' concept of driving better security standards, co-founder Josh Corman spoke at BSides Las Vegas on what the initiative had achieved so far, and what more had to be done.
Corman said that over the past year, he had looked at what the movement had achieved, and what the milestones were and he determined that “we are sort of there for cars and part there for medical” and if there were an attack on medical devices, “we would probably be safe.”
However he felt that whilst a lot had been done for medical to make it “trustworthy and safe”, he believes the movement was “stuck” and needs to get back to its first principles. Corman said that there is a theme of “getting our asses kicked over and over” and whilst he still had a lot of fight in him, “someday we will fight our last fight.”
Looking at the concept of the cyber kill chain, Corman said that if we are being kicked again and again, we need to determine that “if we disrupt one link, the breach doesn’t happen.” We need to know, he said, what steps to take “so there are no mass casualties in hospitals” and so we can build trust in regulators.
Corman said that steps need to be taken to “start workshopping how to define a lifeline”. We need to determine how long it is and how many links are in the rope, he said. Further, we need to know “how many have to die first” and still catch it and accept it.
He said that by building trust with the founding principles of empathy, focusing on future success and not on past failures and using better language, the founders “didn’t know if it would work but it did.”
Despite this, Corman said that “we are one noise away from mass casualty,” and that is a sobering shot of reality, as there is a lot more work to do. “Every time we got a new team mate, we solved the next step of the puzzle,” he said.
Corman concluded by saying that the movement needs to “lead by example” and that the next step is to consider who else to bring into the fold and what aptitudes to bring in.
Microsoft has doubled the top bounty reward for vulnerabilities in its Azure cloud software to $40,000. It also introduced a hacker environment called the Azure Security Lab, which is a cloud infrastructure dedicated to letting cybersecurity researchers test out their skills in an IaaS environment.
Hackers don't get to color outside the lines. Instead, the Lab includes a series of scenario-based challenges that they can follow to try and exploit the system. They can earn up to $300,000 if they succeed, according to Microsoft's blog post announcing the Lab.
Hackers wanting access to the Azure Security Lab must request a Windows or Linux VM.
Apple is also reportedly fleshing out its existing bounty program in two ways. Forbes reports that the company will announce plans to give security researchers developer versions of its iPhone, featuring access to the underlying software and hardware that normal users don't get. These phones, which will be available only to existing participants in Apple's invitation-only bug bounty program, will let them inspect system memory, for example.
Apple will also unveil a bug bounty program for its macOS operating system, according to the report. This could mean that researchers like Linus Henze, who discovered a bug in the Mac operating system's keychain password manager earlier this year, will finally get paid. The teenager had originally planned not to privately disclose the bug to Apple because it hadn't been paying for macOS bugs.
An announcement at Black Hat 2019 this week would mark the third anniversary of Apple's original bug bounty program, in which it promised to pay up to $200,000 for the best reported security flaws.
The Cloud Security Alliance has unveiled its Top Threats to Cloud Computing: Egregious Eleven report, which lists the top 11 cybersecurity problems facing cloud computing users. It is the first major update to the list since 2016, when the Alliance released the Treacherous 12, although it has released reports taking a deep dive into the threats with case studies in the interim.
Data breaches still top the list, unmoved since 2016. Other perennial threats remaining on the list from last time are poor identity management, insecure APIs, account hijacking, insider threats and the abuse and nefarious use of cloud services.
That leaves room for five new threats.
Weak control plane
In this scenario, the user doesn't understand how data flows in the cloud and might not have processes for securing and verifying it.
Metastructure and applistructure failures
This risk revolves around the application programming interfaces that allow customers to extract information about security protections and operations in the cloud. Examples include logging and audit information. Cloud service providers (CSPs) must understand what to provide and customers must use this wisely, the report warns.
Misconfiguration and inadequate change control
It's no wonder that this threat appeared on the list. It concerns the misconfiguration of cloud resources that could then expose sensitive information. Every accidentally exposed S3 bucket or Elasticsearch database falls into this category.
Lack of cloud security architecture and strategy
The big problem here is a misunderstanding of the shared-responsibility model. Customers lift and shift their operations into the cloud assuming that the CSP will take care of all the security, without understanding their own responsibilities.
Limited cloud usage visibility
This is the culprit behind shadow IT, when users buy cloud applications without informing IT and then use them insecurely.
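The misconfiguration item above names the exposed S3 bucket as its textbook case. The following is an added example of my own, not from the CSA report: a static check of an S3 bucket policy document for statements that grant access to everyone, graded by how much a stranger could do with them. The three policies are constructed for illustration (the account ID and role name are made up). It inspects the policy document only; bucket ACLs and the account-level Block Public Access settings, which can override a public policy, are separate controls and are not evaluated here.

```python
"""Added example (not the CSA's code): flag S3 bucket policy statements that grant
access to anonymous callers. Sample policies below are constructed."""
from __future__ import annotations

import json


def _as_list(value) -> list:
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal) -> bool:
    """'*' or {'AWS': '*'} means anyone, including unauthenticated requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _severity(actions: list[str]) -> str:
    acts = [a.lower() for a in actions]
    if any(a in ("*", "s3:*") or a.startswith(("s3:put", "s3:delete")) for a in acts):
        return "critical"   # anyone can write or destroy data
    if any(a.startswith("s3:list") for a in acts):
        return "high"       # anyone can enumerate every key
    return "medium"         # anyone can read objects they know the name of


def public_statements(policy: dict) -> list[dict]:
    """Return one finding per Allow statement whose principal is everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid", ""),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            # a Condition (e.g. aws:SourceVpce, aws:SourceIp) may narrow "everyone";
            # still reported, but review it rather than assuming it is safe
            "conditioned": bool(stmt.get("Condition")),
            "severity": _severity(actions),
        })
    return findings


def audit_policy_json(text: str) -> list[dict]:
    """Convenience wrapper for a policy document as exported from the console/CLI."""
    return public_statements(json.loads(text))


# Constructed sample policies (account ID and role name are invented).
WEBSITE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
  "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::marketing-site/*"}]}"""
WILDCARD_POLICY = """{"Version": "2012-10-17", "Statement": {"Sid": "Oops",
  "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:*"],
  "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]}}"""
SCOPED_POLICY = """{"Version": "2012-10-17", "Statement": [{"Sid": "AppRoleOnly",
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]}]}"""

if __name__ == "__main__":
    for name, text in (("website", WEBSITE_POLICY), ("wildcard", WILDCARD_POLICY),
                       ("scoped", SCOPED_POLICY)):
        print(name, "->", audit_policy_json(text) or "no public statements")
```

The "medium" grade for public GetObject is deliberate: it is the intended configuration for a static website bucket, so the finding needs a human to confirm that the bucket really holds only public content.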
What's interesting about this release is its increasing focus on administrator mistakes rather than purely on external bad actors and more traditional security issues. In short, the security challenges are becoming more nuanced, according to the Alliance, which suggests a gradual maturing of the cloud security landscape.
As A-Level results day rolls around, UK universities are sorely lacking in cybersecurity protections, according to security company Proofpoint.
The company tested the UK's top universities, as ranked by the Complete University Guide, and found 65% of them were not using Domain-based Message Authentication, Reporting & Conformance (DMARC) records.
DMARC is a protocol that lets a domain owner publish a DNS record telling receiving mail servers what to do with messages that claim to come from that domain but fail SPF or DKIM checks, and where to send reports about them, making it a useful weapon against phishers. Without it, a receiver has no instruction to reject mail from a phisher spoofing the domain, so recipients can't be sure an email came from a legitimate sender.
Adenike Cosgrove, cybersecurity strategist at Proofpoint, said that the lack of a published DMARC record leaves universities open to impersonation attacks, which could be a problem next week when students start getting their A-Level results.
“In this particular example, cyber-criminals would spoof the university’s domain and send emails to would-be students’ consumer mailboxes (Gmail, Hotmail, etc.)," she explained. "Without DMARC, criminals can use the exact email address of the university in question. With DMARC, the university can block (with a ‘reject’ policy) any unauthorized use of its domain, communicating to receivers (i.e., the consumer ISPs in this case) that any unauthorized senders using its domains should be blocked. In essence, DMARC works to protect consumers (outbound), employees (inbound) and business partners from email fraud.”
Although 35% of the top 20 universities in the UK had published a DMARC record, only 5% of them were using the strictest setting, a ‘reject’ policy, which is the one that would block fake emails from reaching students, Proofpoint warned.
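The distinction Proofpoint draws between having a record and enforcing one is mechanical, so it can be checked. The following is an added example of my own, not Proofpoint's tooling: it parses a DMARC TXT record and classifies it as missing, invalid, monitor-only (p=none), partial (an enforcing policy with pct below 100) or enforcing, and flags a subdomain policy (sp=) weaker than the organisational one. The records are constructed for the reserved name uni.example; the live lookup helper needs the third-party dnspython package and is not exercised by the samples.

```python
"""Added example (not Proofpoint's code): parse and grade a DMARC record.
SAMPLE_RECORDS are constructed; lookup_dmarc() performs a live DNS query."""
from __future__ import annotations

STRICT = ("quarantine", "reject")


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag map."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str | None) -> dict:
    """Grade a record: missing / invalid / monitor / partial / enforcing."""
    if txt is None:
        return {"level": "missing", "policy": None, "pct": 0, "subdomain_gap": False, "reporting": False}
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"level": "invalid", "policy": None, "pct": 0, "subdomain_gap": False, "reporting": False}
    policy = tags["p"].lower()
    subpolicy = tags.get("sp", policy).lower()      # sp defaults to p (RFC 7489)
    try:
        pct = int(tags.get("pct", "100"))           # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    if policy not in STRICT:
        level = "monitor"                           # p=none: reports only, nothing blocked
    elif pct < 100:
        level = "partial"                           # e.g. p=reject; pct=20 rejects 1 in 5
    else:
        level = "enforcing"
    return {
        "level": level,
        "policy": policy,
        "pct": pct,
        "subdomain_gap": policy in STRICT and subpolicy not in STRICT,
        "reporting": "rua" in tags,
    }


def lookup_dmarc(domain: str) -> str | None:
    """Live lookup of _dmarc.<domain> TXT; requires dnspython (import kept local so
    the rest of the module works offline)."""
    import dns.resolver
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None
    for rdata in answers:
        record = b"".join(rdata.strings).decode()
        if record.upper().startswith("V=DMARC1"):
            return record
    return None


# Constructed records for the reserved domain uni.example.
SAMPLE_RECORDS = {
    "no record published": None,
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@uni.example",
    "partial rollout": "v=DMARC1; p=reject; pct=20; rua=mailto:dmarc@uni.example",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@uni.example",
    "subdomains left open": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@uni.example",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        print(f"{label:22} -> {assess_dmarc(record)}")
```

A published record also only helps if the domain's SPF and DKIM are aligned for every legitimate sender; a p=reject record rolled out before that work is done blocks the university's own bulk mailers, which is why many organisations sit at p=none for long periods.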
Students should be extra diligent when receiving email from universities, the company warned, especially if they request log-in credentials or threaten to suspend an account if they don't click on a link. They should use strong passwords that are individual to each account, it concluded.
Losses from romance scams soared by over 71% from 2017 to 2018, with victims increasingly recruited as money mules, according to a new public service announcement from the FBI.
The bureau’s Internet Crime Complaint Center (IC3) claimed that 15,000 victims reported romance and confidence scams in 2017, at a cost of $211m. By the following year there were 18,000 victims reporting losses of over $362m.
These figures propelled the cybercrime category to the seventh most widely reported scam and second costliest to victims last year after BEC.
The IC3 said elderly widows are particularly vulnerable to such scams. Once trust has been established, the scammer — who often masquerades as a US/European citizen living abroad — will ask for money so they can buy a plane ticket to visit the victim.
Sometimes they claim that wired funds did not reach them and request another transfer. Often when they don’t arrive they’ll claim they were arrested and ask for bail money, the notice warned.
Often the victim is persuaded to open bank accounts and/or register a limited company in their name in order to send or receive funds – sometimes to facilitate a lucrative ‘business opportunity.’
Money mules are a key link in the cybercrime chain, enabling criminals to launder money from their online schemes.
The recruitment of victims via romance scams is just one method of tricking users into handing over their bank details. Often youngsters are approached on social media or WhatsApp with ads promising them an opportunity to make some quick cash.
Despite a potential jail sentence in the UK of up to 14 years, there was a 26% rise in reports of money mules aged 21 and under between 2017 and October 2018, according to anti-fraud non-profit Cifas.
In fact, it has become such a problem that Scottish police wrote to every secondary school in the country earlier this year warning parents and guardians that pupils are increasingly being recruited by cybercrime gangs as money mules.
A new version of Matrix-themed ransomware MegaCortex is targeting organizations with demands of up to $5.8m to regain access to their encrypted data, according to Accenture researchers.
In version two, the authors have improved automation and usability and made it harder to stop, according to Leo Fernandes, senior manager of the firm’s iDefense Malware Analysis and Countermeasures (MAC) team.
One major change is the removal of a password requirement for installation. It is now hard-coded into the binary.
“The original version of MegaCortex had its main payload protected by a custom password that was only available during a live infection. As a result, this feature made the malware difficult for security vendors to analyze,” he explained.
“However, the password requirement also prevented the malware from being widely distributed worldwide and required the attackers to install the ransomware mostly through a sequence of manual steps on each targeted network.”
The ransomware has also been redesigned to self-execute, and there are some new anti-analysis features in the main module, as well as a more streamlined way to “stop and kill a wide range of security products and services.” These no longer need to be manually executed as batch script files on each host.
“The changes in version two suggest that the malware authors traded some security for ease of use and automation. With a hard-coded password and the addition of an anti-analysis component, third parties or affiliated actors could, in theory, distribute the ransomware without the need for an actor-supplied password for the installation,” Fernandes explained.
“Indeed, potentially there could be an increase in the number of MegaCortex incidents if the actors decide to start delivering it through e-mail campaigns or dropped as secondary stage by other malware families.”
This would be bad news for businesses given the current demand for ransom money is anywhere between two and 600 Bitcoins: around $20,000-$5.8m.
First revealed in May this year, the MegaCortex ransom note contained various references to the cult '90s film The Matrix, while the name itself echoes that of the company (MetaCortex) where the hero Neo works.
The number of DDoS attacks detected by Kaspersky jumped 18% year-on-year in the second quarter, according to the latest figures from the Russian AV vendor.
Although the number of detected attacks was down 44% from Q1, the vendor claimed that this seasonal change is normal as activity often dips in late spring and summer. However, the spike was even bigger when compared to the same period in 2017: an increase of 25%.
Application attacks, which the firm said are harder to defend against, increased by a third (32%) in Q2 2019 and now constitute nearly half (46%) of all detected attacks. The latter figure is up 9% from Q1 2019, and 15% from Q2 2018.
Crucially, the seasonal drop in attacks has barely touched targeting of the application layer, which fell just 4% from the previous quarter.
These attacks are difficult to detect and stop as they typically include legitimate requests, the firm said.
“Traditionally, troublemakers who conduct DDoS attacks for fun go on holiday during the summer and give up their activity until September. However, the statistics for this quarter show that professional attackers, who perform complex DDoS attacks, are working hard even over the summer months,” explained Alexey Kiselev, business development manager for the Kaspersky DDoS Protection team.
“This trend is rather worrying for businesses. Many are well protected against high volumes of junk traffic, but DDoS attacks on the application layer require them to identify illegitimate activity even if its volume is low. We therefore recommend that businesses ensure their DDoS protection solutions are ready to withstand these complex attacks.”
Kaspersky also recorded the longest DDoS attack since it started monitoring botnet activity in 2015. Analysis of commands received by bots from command and control (C&C) servers revealed one in Q2 2019 lasting 509 hours, which is nearly 21 days. The previous longest attack, observed in Q4 2018, lasted 329 hours.
A BEC scammer has pleaded guilty to his part in an operation in which he and co-conspirators tricked two US universities into sending over $872,000 to their accounts.
In July 2018, the University of California San Diego (UCSD) was sent an email spoofed to come from a Dell account, demanding that the institution redirect its payments to the firm to a new bank account in Minnesota.
The bank account belonged to Amil Hassan Raage, who pleaded guilty to fraudulently receiving nearly $750,000 in 28 payments from the university, from August 8 to September 12, 2018.
Raage apparently withdrew the money each time it was wired and transferred it to another account.
His unnamed co-conspirators played a major part in the operation by creating the spoofed Dell email account from a base in Kenya.
They went through the same modus operandi to defraud a second US university, this time based in Pennsylvania.
According to the Department of Justice (DoJ), the group again used the fake Dell email to trick university officials into wiring funds to a different account.
In total, it sent six payments of over $123,000.
After the Wells Fargo bank in Minnesota froze Raage’s account, he fled the country in September to Kenya, only to be tracked down by local law enforcers working with the FBI’s legal attaché in the African country.
He was finally arrested in May 2019 and extradited a couple of weeks after.
“Modern criminals like Raage have ditched the ski mask and getaway vehicle and opted for a computer as their weapon of choice. As this defendant has learned, we are matching wits with new-age thieves and successfully tracking them down and putting an end to their high-tech deception,” said US attorney Robert Brewer.
BEC attacks cost businesses nearly $1.3bn last year, nearly half of the total cybercrime losses recorded by the FBI.
A Mexican bookstore that exposed millions of records through a publicly accessible database has had the data stolen and ransomed by hackers.
Libreria Porrua left the 2.1 million customer records online in a MongoDB database at two separate IP addresses, according to Comparitech, who collaborated with security researcher Bob Diachenko on the case.
The company, a bookseller and publisher with a history going back over 100 years, failed to respond to Diachenko when he notified it of the discovery on July 15. Three days later, the data had been wiped and replaced with a ransom note demanding around $500 in Bitcoin.
Public access to the database was disabled the next day, but it’s unclear whether the company paid the ransom or not.
Two sets of records were included in the trove: the first featuring names, addresses, phone numbers, emails, shipping numbers, invoice details and hashed payment card info. The second featured full names, dates of birth, phone numbers, discount card activation codes and more.
“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration makes it possible for cyber-criminals to manage the whole system with full administrative privileges,” Diachenko is quoted as saying.
“Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”
Customers of the bookstore are potentially at risk from follow-on phishing attacks if the hackers decide to monetize their efforts further.
MongoDB has been a favorite target for hackers looking to capture and hold customer data to ransom over the past few years.
The volume of destructive malware attacks has risen by 200% year-on-year in the first half of 2019, according to new data from IBM X-Force.
Once the preserve of sophisticated nation state actors, it appears as if financially motivated cyber-criminals are now getting in on the act, which is bad news for a range of organizations, according to the Incident Response and Intelligence Services (IRIS) report.
Analyzing incident response data from the first six months of the year, the report claimed that such attacks now cost multi-nationals on average $239m — 61 times more than the industry average of around $3.9m.
They also take a long time to respond to and remediate — on average 512 hours — with many victim organizations using multiple companies to assist them, further increasing the time taken.
Most concerning for organizations caught out by a destructive attack: on average a single blitz destroys 12,000 machines per company.
Destructive attacks have most commonly been associated with sophisticated malware such as Stuxnet, DarkSeoul and Shamoon, as nation states go after geopolitical rivals, explained IBM X-Force in a blog post introducing the research.
“Since 2018, however, we have observed the profile of these attacks expanding beyond nation-states as cyber-criminals increasingly incorporate destructive components, such as wiper malware, into their attacks,” it added.
“This is especially true for cyber-criminals who use ransomware, including strains such as LockerGoga and MegaCortex. Financially motivated attackers may be adopting these destructive elements to add pressure to their victims to pay the ransom, or to lash out at victims if they feel wronged.”
Half of these attacks — centered around the US, Middle East and Europe — targeted manufacturing during the reporting period, with oil and gas and education sectors also hit hard.
Hackers are often inside networks for weeks or months before launching their attacks, IBM said.
“Destructive malware adversaries often gain initial entry into systems through phishing emails, password guessing, third-party connections and watering hole attacks,” it added.
“We observe them taking care to covertly preserve access to privileged accounts or critical devices for the destructive phase of their attack, using them alongside legitimate remote command services within the targeted environment, such as PowerShell scripts, to move laterally through the victim’s network.”
Defense-in-depth is the answer, with MFA, well-tested incident response plans, network monitoring, threat intelligence and regular offline back-ups essential, IBM recommended.