Info Security


WikiLeaks Editor Julian Assange Arrested & Removed from Ecuadorian Embassy

Thu, 04/11/2019 - 10:00

Julian Assange, editor of whistleblowing website WikiLeaks, has been arrested by the Metropolitan Police for failing to surrender to a court.

According to a statement by the Metropolitan Police, Assange was arrested at the Embassy of Ecuador in Knightsbridge where he has been resident since June 19 2012. The warrant was issued on June 29 2012.

A statement from the Home Office confirmed that Assange was “arrested in relation to a provisional extradition request from the United States of America”, where he is accused of computer-related offences.

He will remain in custody at a central London police station before being presented before Westminster Magistrates' Court as soon as it is possible. 

The Met Police said that it had a duty to execute the warrant, on behalf of Westminster Magistrates' Court, and was invited into the embassy by the Ambassador, following the Ecuadorian government's withdrawal of asylum.

Before 2012, WikiLeaks released classified cables which contained classified and confidential documents and conversations. It had also released footage from a Baghdad airstrike in 2007 when Iraqi journalists were killed, and later in 2016 it released emails and other documents from the Democratic National Committee and from Hillary Clinton's campaign manager.

In 2017, it began releasing the “Vault7 and Vault 8” CIA tools and later released source code for the tools.

The indictment, issued by the US District Court for the Eastern District of Alexandria, Virginia, alleged that Assange knew that Chelsea Manning “was providing WikiLeaks with classified records containing national defense information of the United States” and was “knowingly receiving such classified records from Manning for the purpose of publicly disclosing them on the Wikileaks website.” Manning, whose remaining sentence was commuted by President Obama in 2017, used a US DoD computer to download the cables that were later released.

The indictment alleges that in March 2010, Assange engaged with Manning to assist in cracking a password stored on US Department of Defense computers connected to the Secret Internet Protocol Network (SIPRNet), a US government network used for classified documents and communications. Manning, who had access to the computers in connection with her duties as an intelligence analyst, was using the computers to download classified records to transmit to WikiLeaks.

Cracking the password would have allowed Manning to log on to the computers under a username that did not belong to her.

The charges read that Assange “knowingly access[ed] a computer without authorization and exceeding authorized access, to obtain information that has been determined by the United States Government pursuant to an Executive Order and statute to require protection against unauthorized disclosure for reasons of national defense classified up to the ‘secret’ level, with reason to believe that such information so obtained could be used to the injury of the United States and the advantage of any foreign nation.” 

The “purpose and object of the conspiracy” was to “facilitate Manning’s acquisition and transmission of classified information related to the national defense of the United States so that WikiLeaks could publicly disseminate the information on its website.”

Speaking on Twitter, WikiLeaks claimed that Ecuador has illegally “terminated Assange's political asylum in violation of international law” and that Assange was arrested inside the Ecuadorian embassy.

“Julian Assange did not 'walk out of the embassy'. The Ecuadorian ambassador invited British police into the embassy and he was immediately arrested.”

According to BBC News, Ecuador's president Lenin Moreno said the country withdrew Mr Assange's asylum after his repeated violations of international conventions.

Home Secretary Sajid Javid said: “Nearly seven years after entering the Ecuadorean Embassy, I can confirm Julian Assange is now in police custody and rightly facing justice in the UK. I would like to thank Ecuador for its cooperation and the Metropolitan Police for its professionalism. No one is above the law.”

Categories: Cyber Risk News

Triton Group Found Inside Second CNI Facility

Thu, 04/11/2019 - 09:53

A sophisticated Russian hacking group linked to an attempt to blow up a Saudi oil plant has been discovered inside a second critical national infrastructure (CNI) facility, security researchers have warned.

The Triton group has been active since 2014, and uses dozens of custom and commodity tools to gain access to and maintain persistence inside IT and OT networks of CNI firms, according to FireEye.

The security vendor didn’t elaborate on the location or even the type of CNI firm targeted in this second attack, although it emphasized that such campaigns can require months or even years of careful planning to install malware like Triton, hide it and maintain persistence until the time is right to strike.

“This attack was no exception. The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Throughout that period, they appeared to prioritize operational security,” FireEye explained.

“After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.”

Obfuscation techniques used by the gang included: renaming files to look legitimate; using regular admin tools like RDP and PsExec/WinRM; using encrypted “SSH-based tunnels” to transfer tools and remote execution; and routine deletion of attack tools, execution logs, files staged for exfiltration, and so on.

The aim was to deliver the Triton malware on the SIS workstation, although it’s not clear if the ultimate goal was destruction or sabotage, as per the last major reported incident involving the group.

FireEye urged ICS managers to use the detection rules and other information in its report to hunt for presence of the group inside their facilities.

It’s claimed that the only thing preventing a major explosion at the Saudi petrochemical plant was a bug in the attackers’ code.

Categories: Cyber Risk News

US Government Warns of New North Korean Malware

Thu, 04/11/2019 - 09:23

Officials at the US Department of Homeland Security (DHS) have issued another warning about North Korean malware, this time a new variant dubbed “Hoplight.”

The backdoor trojan malware is linked to the notorious Hidden Cobra group, also known as the Lazarus Group.

“This artifact is a malicious PE32 executable. When executed the malware will collect system information about the victim machine including OS version, volume information, and system time, as well as enumerate the system drives and partitions,” the alert warned.

“The malware is capable of the following functions: Read, Write, and Move Files; Enumerate System Drives; Create and Terminate Processes; Inject into Running Processes; Create, Start and Stop Services; Modify Registry Settings; Connect to a Remote Host; Upload and Download Files.”

The malware uses a public SSL certificate for secure communications from South Korean web giant Naver, and employs proxies to obfuscate its activity.

“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors,” the report claimed.

This is the latest in a long line of alerts warning of new North Korean malware, now in the double-digits.

The alert urges IT teams to follow cybersecurity best practices, including keeping systems and AV tools up-to-date and patched, disabling file and printer sharing, enforcing strong passwords, restricting user permissions, scanning for suspicious email attachments and more.

Experts welcomed the latest report.

“This is the 16th report compiled by the DHS and FBI over the past two years on malicious activity associated with Hidden Cobra. Hoplight primarily consists of proxy applications used by Hidden Cobra to disguise its efforts to ‘phone home,’ which is the traffic sent by the malware back to its command and control (C&C) server,” explained Satnam Narang, senior research engineer at Tenable.

“The continued analysis and reporting by these agencies helps provide organizations key indicators of compromise to identify infected systems as well as guidance to thwart attempts by Hidden Cobra to infiltrate more organizations.”

Categories: Cyber Risk News

Two-Thirds of Hotel Sites Leak User Data

Thu, 04/11/2019 - 09:00

Two-thirds of hotel booking sites are leaking customers’ booking reference codes to third parties, potentially exposing their personal data to malicious insiders, according to Norton.

The Symantec company’s principal threat researcher, Candid Wueest, claimed 67% of the more than 1,500 hotel sites in 54 countries he tested were affected by this issue, putting data such as name, email and postal address, mobile phone number and passport number at risk.

In over half of the cases (57%) it would be even easier for a third-party to access this information as the sites sent a confirmation email to the guest with a direct link to their booking — no log-in required.

Hotels shared the booking reference code with as many as 30 third parties on average, including social networks, search engines and ad and analytics firms.

“There are other scenarios in which the booking data may also be leaked. Some sites pass on the information during the booking process, while others leak it when the customer manually logs into the website. Others generate an access token, which is then passed in the URL instead of the credentials, which is not good practice either,” Wueest explained.

“In most cases, I found that the booking data remains visible, even if the reservation has been cancelled, granting an attacker a large window of opportunity to steal personal information.”

Other security errors included 29% of the sites studied failing to encrypt the booking reference link, meaning an attacker could intercept user credentials to view details or amend the booking, if they’re on public Wi-Fi or similar.

Wueest also claimed “multiple sites” had no protections in place against brute forcing of the booking reference or enumeration attacks.

Stolen data could be used to commit identity theft, launch convincing phishing or extortion attacks, or even to monitor high profile business and government employees, he warned.

Disappointingly, a quarter of data protection officers contacted about the privacy snafu failed to respond within six weeks, despite the threat of GDPR fines.

Categories: Cyber Risk News

#ISCWest2019: DHS Asks for Collaboration

Wed, 04/10/2019 - 19:49

Advances in machine learning and artificial intelligence (AI) are driving investments from the Department of Homeland Security (DHS) science and technology directorate (S&T) with the goal of enhancing security and resiliency in public safety, transportation and communications, according to William N. Bryan, acting under secretary of S&T, who delivered the opening-day keynote speech at the 2019 ISC West conference in Las Vegas.

Before talking risk management and security in the digital age, Bryan took a moment to address what he called the elephant in the room. “What’s going on at the department? We are all actors. We have more actors in the DHS right now than Hollywood does, but rest assured that with the outgoing or incoming leadership, the country is in good hands. Trust me when I tell you the nation is in good hands.”

Recognizing that technology continues to fuel risks, Bryan applauded the efforts of all the risk managers in the room and talked about the need for collaboration between government and industry if we are to advance security in the digital age.

“On my desk in my office right now, there is a coffee cup that is web enabled so that I can set the temperature of my coffee from my phone. How did I live without that for 60 years?” Bryan joked.

All kidding aside, more and more people are embracing the interconnected world, which has the potential for both good and harm.

“How does one sort out truth from reality? There is a lot of the turmoil inside our country that is being generated from outside of the US,” Bryan said, noting that fewer people are taking the time to figure out what is fact and what is fiction.

As a result, rapid innovation, threat changes and the need to respond immediately are the challenges that have driven change at the department. Whether it’s drones or security cameras, technology has the potential for good, but “if you can see it, someone else can tap into your system. Things like communications and transportation are driven by AI, but other people are not looking at it for the good of mankind. They are looking to take it over,” Bryan said.

“Security mitigations should be developed with technology. And we are seeing the consequences of when security becomes an afterthought, it is difficult to retrofit, and we have got to do a better job. Rapid innovation and security is a shared responsibility.”

In closing, Bryan recognized that the paradigm has shifted. “Government needs to tap into industry, and we need to create an environment that entices industry to work with us.”

Categories: Cyber Risk News

#ISCWest2019: Harden Devices with Defense in Depth

Wed, 04/10/2019 - 19:10

As the physical and cyber worlds continue to converge, those who have historically only focused on physical security are now challenged with the risks posed from connected internet of things (IoT) devices, a topic of interest at this year’s ISC West 2019 conference in Las Vegas.

In his SIA Education sessions, Aaron Saks, product and technical manager at Hanwha Techwin America, shared best practices for applying defense in depth as a security model to secure video surveillance devices.

Because the devices are connected, securing surveillance cameras demands that they are looked at through the lens of an IoT device. In order to add the necessary layers to fortify the devices, it’s first critical to know where the vulnerabilities and issues come from.

To ensure the device is hardened, you can’t rely solely on a firewall. “The idea of defense in depth is a strategy where you have multiple concentric rings of security that build on each other, whereby a breach or vulnerability in one layer does not leave you defenseless,” Saks said.

Multiple levels of security provide multiple protections to fall back on. “What if something happens to the firewall? What happens if something is already in my network? What is stopping them from going out? From infecting my device on the network?”

“Breaking in is easy,” Saks continued. “Crossing the moat might be easy, which is why we need other layers to protect us. Firewalls are important, critical when it comes to layers of defense, but there have to be additional layers to stop an intruder if they get through a hole.”

Beyond firewalls, you need network segmentation, a strong password policy, antivirus protections and consistent upgrades of firmware and software.

IP filtering is an easy way to add an extra layer of defense that doesn’t need to happen on the network side. It can be configured on the camera side as well. “You can set rules that say you are only allowed to talk to the VMS server. That’s the allow side. There’s also a deny side so you can say you are not allowed to talk to those devices.”

If a network does get hacked, the intruder can’t talk to the camera.  

In addition, it’s important to remember that a device may function, but out of the box, it’s not always set up the right way. Also spending isn’t synonymous with security. “Spending doesn’t mean it’s going to stop everything,” Saks said.

At the end of the day, defense in depth helps integrators and end users make it as difficult as possible for an attacker to gain access. “You want to make it so annoying that they find someone else to attack and leave you alone.”

Categories: Cyber Risk News

#ISCWest2019: From SOC to Fusion Center and Beyond

Wed, 04/10/2019 - 18:11

Those who have embarked on the process of convergence shared their experiences and challenges at ISC West 2019 in Las Vegas, during an SIA Education panel, “Next Generation Security: The Truths, the Myths, the Future of Fusion Centers and Security Operations.”

Digital transformation has been driven by convenience and efficiency, but as more companies continue along through the process, they find the convergence of the digital and physical worlds has caused disruptions in physical security, leaving organizations not only rethinking but also retooling their physical and cyber security operations.

Panel participant Todd Vigneault, director, corporate security and safety, GEICO, talked about the successes of the fusion center, one of which was the result of cutting out the silos. Bringing everything together helped avoid situations that had commonly occurred, where one team responding to a ticket then has to send the alert over to a different team. 

As companies move forward in digital transformation, one common thread related to convergence, particularly with a fusion center, is that the focus needs to be about outcomes.

When building and adopting a fusion center, what is most important to its success is that “you don’t make it about you, you make it about the outcome,” said Jason Veiock, senior manager, global employee safety and security at GoDaddy. “It’s not process, not technology, but what outcome are we looking for? That’s just good IT practice, it’s not about IT security.”

The cloud is the future of security, and panel moderator Guy Morgante, president of managed services, Northland Controls, said, “If you are not thinking about cloud, you better figure it out. In five to 10 years, that’s all there will be. You’re not going to have servers anymore.”

Whether talking about physical or cyber security, the overall security strategy has to consider people, process and technology. The factor that can be most challenging in talking about the future is people, but Philip Halplin, senior vice president, global security at Brown Brothers Harriman & Co., said people play an important role in the value of fusion centers.

“Whether you have a SOC or a NOC, a fusion center isn’t about eliminating the jobs of people. It’s an opportunity for cross-training, giving people more meaningful work.”

Categories: Cyber Risk News

Yahoo Offers New $117m Breach Settlement

Wed, 04/10/2019 - 10:01

Yahoo has proposed a new $117.5m offer to its customers to settle a class action lawsuit following a devastating 2013 breach.

All eyes will now be on US district judge Lucy Koh, a veteran of tech cases, who still has to approve the new offer.

She rejected the original back in January after expressing concerns that it might not be “fundamentally fair, adequate and reasonable,” as it didn’t specify how much victims could expect to recover.

She also argued that the $35m set aside for the plaintiff’s lawyers was excessive, given that the case, in legal terms at least, was “not particularly novel.”

The new settlement includes at least $55m for victims, $24m for two years of credit monitoring, up to $30m for legal fees, and up to $8.5m for other expenses, according to Reuters.

It reportedly covers 194 million users in the US and Israel with around 896 million accounts. Some three billion accounts were compromised back in 2013, Yahoo finally admitted in 2017.

High-Tech Bridge CEO, Ilia Kolochenko, argued that the pay-out of around $25 per compromised account amounted to an “embarrassingly modest compensation,” although it was not unusual in offering more to the attorneys than to the victims.

“Otherwise, the settlement conveys an illusory message of relatively modest penalties for negligent data protection,” he added.

“In 2019, even a less severe breach is capable of exposing your company to incomparably severe and harsh sanctions in different jurisdictions. We have to take cybersecurity seriously or pay a considerable price.”

More interestingly, new owner Verizon has agreed to spend $306 million over the next four years on cybersecurity, which is reportedly five times what Yahoo spent in the period 2013-2016. It is said to have also committed to quadrupling staff in the IT security department.

The key will be how wisely the funds are spent. Gartner estimated last year that global cybersecurity spending in 2019 would exceed $124bn, with GDPR compliance and risk management within digital transformation programs driving much of the investment.

Categories: Cyber Risk News

Microsoft Fixes Another Two Zero Days in Patch Avalanche

Wed, 04/10/2019 - 09:12

Microsoft maintained the pressure on system administrators this month by releasing fixes for over 70 vulnerabilities in its products, two of which are classed as zero-day flaws.

The 15 updates released by Redmond cover 74 unique CVEs in Windows, Internet Explorer, Edge, Office, SharePoint and Exchange.

Just like last month, two of them are being actively exploited in the wild and should be prioritized.

“Elevation of privilege vulnerabilities are important to address because they are often part of the second phase of an attack where the attacker attempts to gain control of the victim’s machine,” explained Recorded Future senior solutions architect, Allan Liska.

“Two of these vulnerabilities, CVE-2019-0803 and CVE-2019-0859, are both being exploited in the wild. Both of these privilege escalation vulnerabilities reside in the Win32k component, which exists on all versions of Windows.”

He added that the risk for IT teams is to only focus on the most severe vulnerabilities, leaving systems exposed via others which fall down the priority list.

These include MSXML remote code execution vulnerabilities CVE-2019-0790 to CVE-2019-0794, which affect Windows 7, 8 and 10 and Windows Server 2008, 2012, 2016 and 2019.

“Proof of Concept exploit code for a similar vulnerability, CVE-2018-8420, was released earlier this year on a Russian underground forum,” explained Liska.

“While we have not seen evidence that this code was used in active exploits, it being shared shows current interest in this type of exploit among criminals, elevating the chance that attackers will want to exploit these vulnerabilities quickly; this also means that patching these should be a high priority, especially given the wide range of Windows systems they impact.”

As if that weren’t enough, there was also plenty from Adobe for sysadmins to digest on Tuesday.

The firm released seven updates fixing 43 CVEs in products such as Adobe Reader, Acrobat, AIR, Flash and Shockwave.

The latter has reached end-of-life so there are no updates for its seven critical flaws, according to Ivanti director of product management, security, Chris Goettl.

“Remove Shockwave from your environment. Its seven vulnerabilities are going to leave the majority of Shockwave installs exposed. You can bet an exploit is imminent there,” he argued.

“Wireshark also released three updates resolving 10 CVEs. Wireshark is one of those overlooked IT tools that can pose a significant risk to your environment. Ensure it gets updated or removed where it is no longer needed.”

Categories: Cyber Risk News

UK Man Jailed for Porn Site Ransomware Scheme

Wed, 04/10/2019 - 08:48

An Essex man has been jailed for over six years for his part in a global, multimillion-pound ransomware conspiracy.

Zain Qaiser, 24, from Barking, was part of a Russian-speaking organized crime group believed to be linked to the Lurk Group that is thought to have created infamous exploit kit Angler.

Under the online moniker K!NG he is said to have posed as legitimate online advertising agencies in order to buy ad space for pornographic websites.

These ads were then seeded with malware, infecting users who clicked with Angler and other threats designed to exploit vulnerabilities on their machine.

One of the payloads delivered to victims was notorious ransomware Reveton. This typically locks a user’s screen before displaying a message from the ‘police’ or ‘government’ claiming an offence has been committed and the victim must pay a fine of $300-$1000 to unlock their device.

Payment was made by victims in cryptocurrency and the funds would then be laundered internationally — highlighting the global reach of the gang and its sophistication. One member in the US transferred ransom funds onto pre-loaded credit cards in fake identities then withdrew the cash, changed it back to crypto-currency and transferred to Qaiser, according to the National Crime Agency (NCA).

The Essex man is said to have used a variety of fake identities and documents, including fake passports, to buy new ad space. When some of the online ad agencies suspected wrongdoing, he DDoS-ed them, threatening “child porn spam abuses.”

Qaiser operated from 2012 until he was arrested in December 2018, making as much as £700,000 and costing the companies he defrauded half a million pounds in lost revenue and mitigation.

He admitted 11 offences, including blackmail, fraud, money laundering and computer misuse, and was jailed at Kingston Crown Court.

NCA senior investigating officer, Nigel Leary, described Qaiser’s accomplices as “one of the most sophisticated, serious and organised cybercrime groups” the NCA has ever investigated.

“Zain Qaiser was an integral part of this organised crime group generating millions of pounds in ransom payments by blackmailing countless victims and threatening them with bogus police investigations,” he added.

“In addition, when Qaiser’s criminal enterprise was frustrated by diligent members of the online advertising community, he retaliated causing misery and hundreds of thousands of pounds in financial losses.”

Categories: Cyber Risk News

New Grab-and-Go Stealer Is Making Waves

Tue, 04/09/2019 - 16:40

Researchers suspect that a new stealer malware dubbed Baldr, first detected in January, has incorporated three known threat actors, according to Malwarebytes.

In today's blog post, researchers said that Baldr has earned positive reviews on Russian hacking forums and is backed by three threat actors: Agressor for distribution, Overdot for sales and promotion, and LordOdin for development. However, it’s not only among Russian hackers that the new malware is making waves.

“In our analysis of Baldr, we collected a few different versions, indicating that the malware has short development cycles. The latest version analyzed for this post is version 2.2, announced March 20,” wrote researchers William Tsing, Vasilios Hioureas, and Jérôme Segura.

Traditional banking Trojans typically need the user to log into their bank’s website before they can act. Grab-and-go stealers are different: they can collect and steal information largely without the victims realizing they’ve been compromised.

“This means that upon infection, the malware will collect all the data it needs and exfiltrate it right away. Because such stealers are often non-resident (meaning they have no persistence mechanism), unless they are detected at the time of the attack, victims will be none the wiser that they have been compromised,” researchers wrote.

Analysis suggests that the new malware is not the work of a script kiddie. “There is nothing groundbreaking as far as what it’s trying to do on the user’s computer; however, where this threat differentiates itself is in its extremely complicated implementation of that logic.”

The new stealer has reportedly been distributed through fake YouTube videos that promise programs that will generate free Bitcoins. Researchers suspect that the actors believe they are on to something good, as the stealer has evolved through multiple versions in only a few short months. It is expected that this threat will continue to evolve and grow more popular with additional features.

"Baldr is a solid stealer that is being distributed in the wild. Its author and distributor are active in various forums to promote and defend their product against critics," the authors wrote.

Categories: Cyber Risk News

Crooks Appear Legitimate Using Stolen Digital IDs

Tue, 04/09/2019 - 15:40

Cyber-criminals have been trading stolen identities in Genesis, an underground marketplace, and then using them to bypass anti-fraud protections, according to Kaspersky Lab.

At the 2019 Security Analyst Summit (SAS), researchers announced the findings of their Genesis investigation. According to the research, criminals are able to bypass advanced anti-fraud measures and make transactions appear to be legitimate user activity, though they are really the work of digital doppelgangers using over 60,000 stolen identities.

The identities, when paired with stolen logins and passwords, allow an attacker to access online accounts where they can make new, trusted transactions in the victim’s name.

“To identify fraudsters and separate them from legitimate buyers the anti-fraud system uses various mechanisms designed to verify the user’s digital identity mask, and if it knows this mask to be legitimate or the mask is a new and unique one, it will not throw the 'red flag'. As a result, the user behind the mask is recognized to be a legitimate one, and his query, such as an attempt to make a purchase using the provided bank card details, will be approved,” researchers wrote.

The Genesis dark web marketplace has been selling stolen digital masks for anywhere from $5 to $200, according to the Kaspersky Lab researchers who discovered the underground e-store in February 2019.

“We see a clear trend of carding fraud increasing around the world,” said Sergey Lozhkin, security researcher, Kaspersky Lab, in a press release. “While the industry invests heavily in anti-fraud measures, digital doppelgangers are hard to catch. An alternative way to prevent the spread of this malicious activity is to shut down the fraudsters’ infrastructure. That is why we urge law enforcement agencies across the world to pay extra attention to this issue and join the fight.”

Trading stolen identities in marketplaces is not the only way for cyber-criminals to become digital doppelgangers, though. According to researchers, other tools, such as a special Tenebris browser with an embedded configuration generator for developing unique fingerprints, enable malicious actors to craft their own unique digital masks that won’t trigger anti-fraud solutions.

“Once created, the carder can simply launch the mask through a browser and proxy connection and conduct any operations online.”

Categories: Cyber Risk News

Verizon Issues Fix for Home Router Bugs

Tue, 04/09/2019 - 15:10

Customers using the Verizon FiOS Quantum Gateway as their home router are advised to update to the latest firmware – version 02.02.00.13 – which fixes multiple vulnerabilities discovered by Chris Lyne, researcher at Tenable Research.

According to an advisory published today, a new vulnerability (CVE-2019-3914) concerns the administrator password, not the password users enter to log in. Lyne discovered that the vulnerability would allow an attacker to perform authenticated remote command injection. His tinkering led him to discover additional vulnerabilities, including login replay (CVE-2019-3915) and password salt disclosure (CVE-2019-3916).

Lyne proposed several different scenarios in which a malicious actor could tamper with the security settings of the device, but in CVE-2019-3914, the attacker “must be authenticated to the device's administrative web application in order to perform the command injection. In most cases, the vulnerability can only be exploited by attackers with local network access. However, an internet-based attack is feasible if remote administration is enabled; it is disabled by default.”

While the first vulnerability requires that an attacker be authenticated, in the login replay flaw, the web administration interface does not enforce HTTPS. As a result, “an attacker on the local network segment can intercept login requests using a packet sniffer. These requests can be replayed to give the attacker admin access to the web interface. From here, the attacker could exploit CVE-2019-3914.”

In his blog post, Lyne noted that Verizon has released a patch.
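The login replay flaw described above comes down to one property: when a login request carries the same secret every time, a copy of that request is as good as the password. The following added example is not code from the Tenable advisory or the Verizon firmware; it is a simulation with constructed placeholder credentials and a hypothetical digest-based login scheme. It contrasts a static login check, where a captured request replays successfully, with a single-use server nonce (challenge-response) design, where the same captured request is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed placeholders for the simulation; not values from any real device.
ADMIN_USER = "admin"
ADMIN_PASSWORD = "example-admin-password"


class StaticLoginServer:
    """Weak pattern (hypothetical): the client sends a fixed digest of the
    password, so every login request is byte-for-byte identical and any
    copy captured on the wire can be submitted again."""

    def __init__(self, user, password):
        self._user = user
        self._pw_digest = hashlib.sha256(password.encode()).hexdigest()
        self.sessions = set()

    def login(self, request):
        digest = request.get("digest", "")
        if request.get("user") == self._user and hmac.compare_digest(digest, self._pw_digest):
            token = secrets.token_hex(8)
            self.sessions.add(token)
            return token
        return None


def static_client_request(user, password):
    return {"user": user, "digest": hashlib.sha256(password.encode()).hexdigest()}


class NonceLoginServer:
    """Hardened pattern: each login must answer a fresh, single-use nonce issued
    by the server. The request proves knowledge of the password only for that
    nonce; once the nonce is consumed, a replayed copy is rejected."""

    def __init__(self, user, password):
        self._user = user
        self._key = password.encode()   # a real design would derive a key rather than use the password directly
        self._outstanding = set()
        self.sessions = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, request):
        nonce = request.get("nonce")
        if nonce not in self._outstanding:
            return None                      # unknown or already-used nonce: this is the replay check
        self._outstanding.discard(nonce)     # single use, consumed before verifying the proof
        expected = hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()
        proof = request.get("proof", "")
        if request.get("user") == self._user and hmac.compare_digest(proof, expected):
            token = secrets.token_hex(8)
            self.sessions.add(token)
            return token
        return None


def nonce_client_request(user, password, nonce):
    proof = hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return {"user": user, "nonce": nonce, "proof": proof}


def demo_static():
    """Legitimate login, then replay of a captured copy of the same request.
    Returns (legit_login_ok, replay_ok)."""
    server = StaticLoginServer(ADMIN_USER, ADMIN_PASSWORD)
    request = static_client_request(ADMIN_USER, ADMIN_PASSWORD)
    captured = dict(request)                 # what a passive observer on plain HTTP would see
    return server.login(request) is not None, server.login(captured) is not None


def demo_nonce():
    """Same scenario against the nonce-bound server. Returns (legit_login_ok, replay_ok)."""
    server = NonceLoginServer(ADMIN_USER, ADMIN_PASSWORD)
    request = nonce_client_request(ADMIN_USER, ADMIN_PASSWORD, server.challenge())
    captured = dict(request)
    return server.login(request) is not None, server.login(captured) is not None


if __name__ == "__main__":
    print("static scheme  (legit, replay):", demo_static())   # (True, True)
    print("nonce scheme   (legit, replay):", demo_nonce())    # (True, False)
```

The nonce only closes the replay path. Over cleartext HTTP a passive observer still sees the proof and can attempt offline guessing of the password, and an active attacker on the segment can tamper with the exchange, so serving the administrative interface over HTTPS remains the primary fix; the nonce is defence in depth on top of it.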

“Routers are the central hub of every smart home today. They keep us connected to the corners of the internet, secure our homes, and even remotely unlock doors,” said Renaud Deraison, co-founder and chief technology officer, Tenable, in a press release. “However, they also act as a virtual entry point into the very heart of the modern home, controlling not just what goes out but also who comes in.”

Categories: Cyber Risk News

EU Launches GDPR Probe into Microsoft Contracts

Tue, 04/09/2019 - 10:24

The EU has launched an investigation into contracts Microsoft holds with its institutions to ensure data processing is conducted in compliance with the GDPR.

The regulator, the European Data Protection Supervisor (EDPS), revealed yesterday that it was undertaking the investigation into contractual arrangements with the US tech giant after a Data Protection Impact Assessment report in the Netherlands last November highlighted issues.

That audit found that: “Microsoft collects and stores personal data about the behavior of individual employees on a large scale, without any public documentation.”

Microsoft Office ProPlus was singled out for attention in that report.

Now the EDPS is warning of “increased risks to the rights and freedoms of individuals” for any EU institutions using the same apps detailed in the audit.

“The EU institutions rely on Microsoft services and products to carry out their daily activities. This includes the processing of large amounts of personal data. Considering the nature, scope, context and purposes of this data processing, it is vitally important that appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the new regulation,” said the EDPS.

“The EDPS investigation will therefore assess which Microsoft products and services are currently being used by the EU institutions, and whether the contractual arrangements concluded between Microsoft and the EU institutions are fully compliant with data protection rules.”

The regulation it is auditing against is Regulation 2018/1725, which is designed to bring the data protection rules governing EU institutions in line with the GDPR.

For its part, Microsoft has already committed to helping its customers comply with the GDPR and Regulation 2018/1725.

“We stand ready to help our customers answer any questions the European Data Protection Supervisor may have,” it added in a statement.

Categories: Cyber Risk News

Coin Mining Attack Cripples Production at Japanese Firm

Tue, 04/09/2019 - 09:55

A Japanese manufacturer has seen output plummet for several days after being hit by the first stage in an attempted crypto-mining cyber-attack, according to reports.

Optical equipment maker Hoya, which operates in over 30 countries worldwide, is said to have suffered the attack at the end of February.

In late February, around 100 machines were infected with malware designed to steal log-ins from users, as the first stage in a suspected crypto-jacking campaign, according to Kyodo.

Although the second stage infection was reportedly repelled, the effect of dealing with the initial attack was to slow a key server down, hitting production and back-office processes.

A key manufacturing plant in Thailand was particularly badly affected, with Hoya’s lens production line partially shut down for three days. It is claimed that workers were no longer able to use software to manage orders and production, with output slumping to around 40% of normal levels at two facilities.

However, the malware also found its way into machines at the firm’s offices in Japan, interfering with the distribution of invoices, according to the Japanese newswire.

The firm itself has been tight-lipped on the situation, with no official statements on its website. However, although Hoya had reportedly not been able to recover from the production delay by the end of March, an official told Kyodo that the attack will have “little” impact on its overall business.

Nevertheless, the raid is another sign of the potential for crypto-mining to disrupt operations, despite its reputation as a cyber-threat which operates covertly without the knowledge of victim organizations.

Back in November last year, a Canadian university also suffered major disruption from a crypto-mining campaign.

St Francis Xavier was forced to shut its entire network following an automated coin mining attack.

Categories: Cyber Risk News

Home Office Error to Blame for Windrush Privacy Snafu

Tue, 04/09/2019 - 09:10

The Home Office has apologized after an “administrative error” led to the personal details of hundreds of historic migrants to the UK being exposed.

Around 500 private email addresses were accidentally shared with other applicants of a government compensation scheme for the so-called “Windrush” generation.

Although around half a million migrants came to the UK between 1948 and 1971, many children did not have travel documents as they were travelling on parents’ passports.

That became a problem when then home secretary Theresa May brought in a “hostile environment” immigration policy, which led to some of these individuals being deported or held in detention centers, despite having lived in the UK for decades.

The government has now admitted it broke data protection laws after sending out an email to those enrolled in the compensation scheme — individuals and organizations — containing the emails of those who had registered an interest.

“Regrettably, in promoting the scheme via email to interested parties, an administrative error was made which has meant data protection requirements have not been met, for which the Home Office apologizes unreservedly,” said Home Office minister, Caroline Nokes, in a written statement.

No other personal data was included, meaning it’s unlikely the ICO will fine the government under the rules of the GDPR, although the department’s data protection officer is said to have been informed.

"Misdirected emails are consistently one of the main forms of data security incident reported to the ICO,” claimed Tessian CEO, Tim Sadler.

“This incident highlights the importance of cybersecurity and data protection policies that focus on protecting people in order to prevent breaches caused by human error — if not only to protect the sensitive data organizations hold but also to prevent the headlines that cause reputational damage."

Egress Software CEO, Tony Pepper, added that the accidental insider threat is often underestimated.

“With intelligently applied machine learning and big data analysis combined with a people-centric approach to technology and awareness programs, it is possible to mitigate against such human errors and enhance organizations’ cybersecurity,” he argued.

Categories: Cyber Risk News

Fake Malware Tricks Radiologists Diagnosing Cancer

Mon, 04/08/2019 - 16:06

With the use of deep learning, researchers Yisroel Mirsky, Tom Mahler, Ilan Shelef and Yuval Elovici at Cyber Security Labs at Ben-Gurion University demonstrated in a video proof of concept (PoC) that an attacker could fool three expert radiologists by falsifying CT scans, inserting or removing lung cancer, the Washington Post reported. 

“In 2018, clinics and hospitals were hit with numerous cyber attacks leading to significant data breaches and interruptions in medical services,” the researchers wrote. “Attackers can alter 3D medical scans to remove existing, or inject non-existing medical conditions. An attacker may do this to remove a political candidate/leader, sabotage/falsify research, perform murder/terrorism, or hold data ransom for money.”

Using a test dummy to highlight the vulnerabilities in picture archiving and communication systems (PACS), researchers demonstrated that 98% of the times they injected or removed solid pulmonary nodules, they were able to fool radiologists and state-of-the-art artificial intelligence (AI).

“I was quite shocked,” Nancy Boniel, a radiologist in Canada who participated in the study, told the Washington Post. “I felt like the carpet was pulled out from under me, and I was left without the tools necessary to move forward.”

According to the PoC, the researchers built a man-in-the-middle device and used the method of attack that penetration testers have demonstrated in a hospital. The researchers gained access to the radiologist’s workstation and the CT scanner room after the cleaning staff opened the door for them. In a matter of 30 seconds, they installed a device running fake malware designed to inject or remove images.

Once installed, the attackers returned to the waiting room, where they had remote wireless access and were able to intercept and manipulate CT scans, which were not encrypted.

“We note that although TLSv1.2 encryption is denoted, the payload is in cleartext. In other cases, TLS is not used at all.”

Infosecurity reported on a vulnerability in ultrasound technology last month, yet another example of the cyber-threats in connected medical devices. While the healthcare sector is highly concerned about privacy and sharing medical data, the industry lags in ensuring the security of the medical devices collecting that data.

Categories: Cyber Risk News
