Info Security


Poor Software Quality Costs US $2.08tn

Wed, 01/06/2021 - 18:43

Poor-quality software cost America over $2tn last year, according to a new report by the Consortium for Information & Software Quality (CISQ).

The "Cost of Poor Software Quality in the US: A 2020 Report," which was co-sponsored by American software company Synopsys, found that the cost of poor software quality (CPSQ) in the US in 2020 was approximately $2.08tn.

Researchers looked at poor software quality resulting from software failures, unsuccessful development projects, legacy system problems, technical debt, and cybercrime enabled by exploitable weaknesses and vulnerabilities in software.

Operational software failure was determined to be the leading driver of the total CPSQ. CISQ estimated the cost of operational software failure in the US in 2020 as $1.56tn, a figure that has increased 22% since 2018. 

The next largest growth area of the CPSQ, estimated at $260bn, was unsuccessful development projects, the cost of which has risen 46% since 2018.    

Unmitigated flaws in the software were reported as the primary underlying cause of operational software failure, while a lack of attention to quality was "a consistent theme" among the causes of unsuccessful development projects. 

"Software quality lags behind other objectives in most organizations," wrote CISQ. "That lack of primary attention to quality comes at a steep cost, which is revealed in this report. 

"While organizations can monetize the business value of speed, they rarely measure the offsetting cost of poor quality."

CISQ advised software shops to avoid unsuccessful projects by not creating arbitrary schedules. It further advised shops to "pay attention to defined quality objectives and measure against those objectives throughout a project's lifecycle."

Researchers put the CPSQ associated with operating and maintaining legacy software at $520bn, down from $635bn in 2018. 

"As poor software quality persists on an upward trajectory, the solution remains the same: prevention is still the best medicine," said Joe Jarzombek, director for government and critical infrastructure programs at Synopsys.  

"It's important to build secure, high-quality software that addresses weaknesses and vulnerabilities as close to the source as possible. This limits the potential damage and cost to resolve issues."

Categories: Cyber Risk News

British Airways Plans £3bn Breach Settlement

Wed, 01/06/2021 - 17:32

The UK's flag-carrier airline is planning to begin settlement discussions that could see customers who became the victims of a data breach receive a compensation payout of up to £3bn.  

British Airways customers were impacted by two data breaches in 2018. Between April and July 2018, some 185,000 British Airways reward-booking customers were notified that their personal information and financial details had been compromised, while a further 380,000 users of the airline’s app and website had their information exposed between August and September 2018.

Data compromised in the breaches included customer names, billing addresses, and email addresses. Payment card information, including card numbers, expiry dates, and—in tens of thousands of cases—the CVV security code, was also exposed. No passport details were stolen.

In July 2019, the Information Commissioner’s Office (ICO) issued a notice of intention to fine the airline a record £183m over the breach. However, this penalty was reduced drastically to a £20m fine in October 2020.

According to a statement released today by consumer action law firm Your Lawyers, British Airways has voiced its intention to kick off settlement discussions in the first quarter of 2021.

In 2019, Your Lawyers was appointed to the Steering Committee responsible for the overall conduct of the BA data breach litigation. The firm described the airline's plans to begin settlement discussions as an admission of culpability for the breach and an effort to avoid the burden of litigation.

“News that British Airways wants to settle compensation claims, with negotiations set to take place in the first quarter of 2021, is acknowledgement of its wrongdoing in failing to protect customer data," said Aman Johal, director at Your Lawyers.

“This is incredibly positive news for the victims of the breach and for consumer rights in general, but people must act fast to avoid missing out."

The deadline to join the Group Litigation Order (GLO) falls on March 19, 2021. Your Lawyers believes that affected customers could each potentially receive an average of £6,000 in compensation. Financial losses arising from the breach could also be claimed.

Categories: Cyber Risk News

ElectroRAT Drains Crypto Wallets

Wed, 01/06/2021 - 16:58

Thousands of cryptocurrency users have fallen victim to a sophisticated threat campaign that uses trojanized apps to drain funds from digital wallets.

The recently discovered campaign is a wide-ranging operation that encompasses fake companies, a marketing campaign, custom-built cryptocurrency applications, and a new Remote Access Tool (RAT) written from scratch to avoid antivirus detection.

Researchers at Intezer who unearthed the operation in December believe it was initiated in January 2020.

“The campaign includes domain registrations, websites, trojanized applications, fake social media accounts and a new undetected RAT that we have named ElectroRAT," wrote researchers. 

ElectroRAT is written in Go (Golang) and compiled for Windows, Linux, and macOS.

"It is rather common to see various information stealers trying to collect private keys to access victims’ wallets," wrote researchers. "However, it is rare to see tools written from scratch and used to target multiple operating systems for these purposes."

The author of the malicious campaign entices cryptocurrency users to download trojanized applications by promoting the apps on social media and in dedicated online forums. 

"We estimate this campaign has already infected thousands of victims based on the number of unique visitors to the pastebin pages used to locate the command and control servers," noted researchers.
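The dead-drop pattern described above (a trojanized app fetching a paste-site page to learn its command-and-control address) leaves a trace in web-proxy logs. The detection logic below is an added example, not Intezer's tooling or anything recovered from the campaign: the log line layout, host names, user names, process paths (including the jamm.exe path) and paste identifiers are all constructed, and the paste-host list and browser allowlist are assumptions to be tuned per environment.

```python
"""Hunt for paste-site dead-drop resolvers in web-proxy logs.

Added example, not Intezer's tooling. The log format, hosts, users, process
paths and paste IDs below are constructed; real proxy logs need their own parser.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Paste services seen used as dead-drop resolvers (assumption: extend per environment).
PASTE_HOSTS = {"pastebin.com", "paste.ee", "ghostbin.com"}
# Raw-view paths are what a resolver fetches: it wants the bare C2 string, not HTML.
RAW_PATH = re.compile(r"^/raw/[A-Za-z0-9]{6,}$")
# Processes for which fetching a paste is normal human behaviour (assumption: tune).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "safari", "firefox"}

# Constructed key=value proxy log line layout.
LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) uri=(?P<uri>\S+) status=(?P<status>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    proc: str
    url: str
    reason: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the layout."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def find_dead_drop_hits(lines, min_polls=3):
    """Two signals: a non-browser process fetching a raw paste, and any process
    polling the same raw paste at least min_polls times (resolver re-check)."""
    hits = []
    polls = defaultdict(list)  # (host, proc, url) -> timestamps
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["dst"] not in PASTE_HOSTS or not RAW_PATH.match(rec["uri"]):
            continue
        url = rec["dst"] + rec["uri"]
        polls[(rec["host"], rec["proc"], url)].append(rec["ts"])
        exe = re.split(r"[\\/]", rec["proc"].lower())[-1]
        if exe not in BROWSERS:
            hits.append(Hit(rec["ts"], rec["host"], rec["proc"], url,
                            "non-browser process fetched raw paste"))
    for (host, proc, url), stamps in polls.items():
        if len(stamps) >= min_polls:
            hits.append(Hit(stamps[-1], host, proc, url,
                            f"raw paste polled {len(stamps)} times"))
    return hits


# Constructed sample: one browser visit, one trojanized app polling its resolver,
# and two unrelated requests that must not fire.
SAMPLE_LOG = [
    "2021-01-06T10:00:01Z host=ws12 user=alice proc=chrome.exe dst=pastebin.com uri=/raw/AbCdEf12 status=200",
    "2021-01-06T10:05:00Z host=ws07 user=bob proc=C:\\Users\\bob\\AppData\\Local\\Jamm\\jamm.exe dst=pastebin.com uri=/raw/Qm9vbGVh status=200",
    "2021-01-06T10:10:00Z host=ws07 user=bob proc=C:\\Users\\bob\\AppData\\Local\\Jamm\\jamm.exe dst=pastebin.com uri=/raw/Qm9vbGVh status=200",
    "2021-01-06T10:15:00Z host=ws07 user=bob proc=C:\\Users\\bob\\AppData\\Local\\Jamm\\jamm.exe dst=pastebin.com uri=/raw/Qm9vbGVh status=200",
    "2021-01-06T10:16:00Z host=ws03 user=carol proc=firefox.exe dst=example.com uri=/index.html status=200",
    "2021-01-06T10:17:00Z host=ws03 user=carol proc=firefox.exe dst=pastebin.com uri=/AbCdEf12 status=200",
]

if __name__ == "__main__":
    for h in find_dead_drop_hits(SAMPLE_LOG):
        print(f"{h.ts} {h.host} {h.proc}: {h.reason} ({h.url})")
```

The two signals are deliberately separate: a non-browser process touching a raw paste at all is the cheap, high-signal check, while repeated polling of one raw paste is how a resolver behaves when the operator rotates C2 servers and catches the case where the malware hides behind a browser-like process name. Developer tooling and package managers can trip the first rule, so treat hits as hunting leads to pivot on (what else did that process connect to?) rather than as automatic blocks.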

Three different trojanized apps—Jamm, eTrade, and DaoPoker—have been created by the attacker, each with a Windows, Linux, and Mac version. The attacker then built websites specifically to host the binaries. 

The apps appear to offer easy-to-use tools that will help users trade and manage their cryptocurrency. 

"These applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan," wrote researchers. 

"The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were actually installing malware."

To make the DaoPoker app appear legitimate, the attacker created Twitter and Telegram accounts for it and paid a social media influencer with over 25,000 Twitter followers to advertise the app.

Among ElectroRAT's extremely intrusive capabilities are keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim’s console.

Categories: Cyber Risk News

Secure Chorus Transfers Ownership of Encrypted Messaging App Standards to ETSI

Wed, 01/06/2021 - 14:15

Secure Chorus, a not-for-profit membership organization for the development of strategies, standards and capabilities in the field of information security, has announced the transfer of ownership of its interoperability standards for enterprise-grade encrypted messaging apps to the European Telecommunications Standards Institute (ETSI).

ETSI produces globally applicable standards for ICT-enabled systems, applications and services deployed across all sectors of industry and society.

The standards, developed by Secure Chorus over a four-year project, specify end-to-end encryption based on the open cryptographic standard MIKEY-SAKKE and are intended to reduce vendor lock-in by letting enterprise users choose the service whose functionality best suits them.

The transfer to ETSI was fully achieved in December 2020 and will allow for the wide adoption of the standards along with the development of new features in the future.

Stephen Brown, Secure Chorus’ chairman, said: “Secure Chorus is very pleased that ETSI has agreed to the transfer of ownership of our interoperability standards. ETSI is a center of excellence for the development of globally applicable standards for ICT, so we are confident they will continue the good work we started.”

Categories: Cyber Risk News

BlueVoyant Enters Strategic Partnership with Third Party Risk Management Consultancy

Wed, 01/06/2021 - 13:01

Cybersecurity company BlueVoyant has announced a strategic partnership with third-party risk management consultancy DVV Solutions. The collaboration will enable BlueVoyant’s Cyber Risk Management (CRx) services to be delivered to DVV Solutions’ global customer base.

The firm said it can now offer actionable intelligence to this cohort of customers, helping them identify and address supply chain vulnerabilities. This will be primarily via BlueVoyant’s Vendor Risk Management (CR3) solution, which offers visibility and expertise to meet vendor risk management requirements as well as improve organizations’ own cyber-risk strategies.

This will add to DVV Solutions’ currently dedicated third-party risk management portfolio, which encompasses on-site/virtual visits, risk assessments, questionnaires, security ratings, continuous monitoring, cyber-risk maturity consultancy and regulatory compliance services.

In addition, BlueVoyant’s Cyber Risk Management for Investors (CRi) solution will also be available within DVV Solutions’ mergers and acquisitions (M&A) consultancy. This service showcases and mitigates the cyber-risks associated with potential transactions of this kind.

Commenting on the agreement, Robert Hannigan, chairman at BlueVoyant International, said: “The knock-on effect of COVID-19 has led to squeezed financial margins and a reduction in the resources available to tackle third-party risk in the supply chain, just as the pandemic widens the attack surface. Our CR3 solution will provide the desired level of risk analysis and remediation for DVV Solutions’ customers and their vendor ecosystems, enabling them to effectively quantify, manage and remediate third-party security risks.”

Sean O’Brien, managing director of DVV Solutions, stated: “Partnering with BlueVoyant is a natural extension of our third-party risk management and security monitoring services. As businesses and their vendor ecosystems have changed throughout an unprecedented 2020, we have seen a sharp uptick in the requirement for managed services, as supply chains become increasingly complex. Organizations therefore require a managed service-based third-party risk management solution to cut through the noise, helping them to prioritize the most pertinent supply chain risks.”

Categories: Cyber Risk News

Dark Web User Numbers Spiked During #COVID19 Lockdown

Wed, 01/06/2021 - 12:01

The volume of dark web forum members is on the rise, with visitor numbers surging 44% during the first COVID-19 lockdowns last year, according to new data from Sixgill.

The cyber-intelligence firm analyzed five popular English and Russian language forums to better understand their popularity over time and who is responsible for most activity.

Collating data from the launch of each forum through to the end of 2020, Sixgill found that all five sites had grown their membership exponentially without impacting each other’s popularity.

Although some grew faster than others, and some months were more successful, the overall trend points towards a continued rise in the number of users visiting dark web sites, the firm concluded.

This matters, because as the population of the dark web increases, so does criminal activity, according to Sixgill security research lead, Dov Lerner.

More interesting still, user numbers grew at double-digit rates from January to spring 2020, before reverting to pre-COVID levels.

“Prior Sixgill reports have noted a tremendous uptick in specific types of cybercrime on the underground during the COVID lockdowns. This includes gaming store accounts, compromised RDP credentials, money laundering services and narcotics. This research demonstrates that the number of participants in the cyber-underground spiked at the time as well,” explained Lerner.

“Why would coronavirus lockdowns lead to a massive increase in users of dark web forums? Some of these users were bored at home and decided to go exploring. Others may have been interested in turning to crime amid the economic shocks from the pandemic and the widely covered proliferation of cybercrime targeting remote workers, such as ransomware and phishing.”

The research also revealed that while user numbers are growing, only a small number seem to be responsible for the vast majority of posts. In fact, the top 20% of frequent posters generated 73% of posts.

This may be due to large numbers of inexperienced threat actors coming merely to observe but not participate in activity, or that experienced users are creating “burner” accounts to post from a new username each time, Lerner argued.

Categories: Cyber Risk News

Most Public Sector Victims Refuse to Pay Ransomware Gangs

Wed, 01/06/2021 - 10:30

The public sector is leading the way on ransomware resilience and refusing to pay its attackers, according to new research from Veritas.

The data management firm polled 2,690 IT executives at companies with over 1,000 employees to compile its 2020 Ransomware Resiliency Report.

It found that 86% of public sector respondents targeted with ransomware refused to pay, compared to an average of 43% across all verticals.

This is linked to the fact that these organizations were more likely to be able to bounce back quickly from an incident, recovering over 90% of their data versus an average of 69% across all sectors, the study revealed.

Veritas claimed that this enhanced resilience to ransomware can be partly explained by the relative simplicity of public sector cloud environments.

Organizations in this vertical use just 6.43 cloud services on average, the lowest of any vertical and almost half the global average of 11.73, the vendor argued. Only 5% of government organizations run more than 20 cloud services, versus a sector-wide average of 16%.

The backup specialist noted that 46% of public sector organizations have been hit by ransomware infection at least once in the past, with 9% facing three to five attacks. This chimes with findings from Coveware, which put the sector second overall in Q3 2020, accounting for 11.6% of total attacks and behind only professional services (25.2%).

However, the digital transformation push sparked by the COVID-19 crisis may yet increase the organizational attack surface and complexity for public sector bodies, as they ramp up cloud adoption.

“Importantly, this process hasn’t finished yet and the public sector remains one of the most attractive ransomware targets around. It’s almost inevitable that with time, the complexity of cloud within public sector organizations will grow,” argued Veritas UK&I director for public sector, Andy Warren.

“Now is the time for these IT departments to make sure they’ve got the full visibility and control over that data so they can remain as prepared in the future as they are now.”

Categories: Cyber Risk News

US: Fewer Than 10 Govt Agencies Hit by SolarWinds Attack

Wed, 01/06/2021 - 09:30

The US government has, for the first time, attributed the SolarWinds cyber-espionage attacks to Russia, and clarified that fewer agencies have been affected than some first thought.

A lengthy joint statement from the FBI, NSA, the Office of the Director of National Intelligence (ODNI) and the Cybersecurity and Infrastructure Security Agency (CISA) claimed the attack was primarily an intelligence-gathering operation, “likely Russian in origin.”

While those in the cybersecurity community have always been fairly certain that the attack was indeed one focused on data theft, this confirmation could be viewed as an attempt to silence conspiracy theorists who have tried to tie it to debunked accusations of election fraud in November.

It’s unclear why it has taken the US authorities this long to name Russia: a New York Times report published as the news first broke had insiders naming APT29, or Cozy Bear, as the culprit.

The APT group has been linked to the Russian Foreign Intelligence Service (SVR) and KGB successor the Federal Security Service (FSB), and has been blamed for previous attacks on the Democratic National Committee (DNC) in 2016 and COVID-19 vaccine stakeholders last year.

Interestingly, the Cyber Unified Coordination Group (UCG), a task force set up by the NSA, FBI, CISA and ODNI to manage the fall-out of the attacks, claimed that fewer than 10 US government agencies were caught in the campaign, a lower number than that previously reported by some media.

“This is a serious compromise that will require a sustained and dedicated effort to remediate. Since its initial discovery, the UCG, including hardworking professionals across the United States government, as well as our private sector partners, have been working non-stop,” the statement noted.

“These efforts did not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate and share information with our partners and the American people.”

Categories: Cyber Risk News

UK Jails Cyber-Voyeur

Tue, 01/05/2021 - 18:44

A former civil servant has been imprisoned in the United Kingdom for hacking into the computer accounts of nearly 600 women and girls to blackmail them into sharing sexually explicit images of themselves. 

Akash Sondhi, of Chafford Hundred, Essex, engaged in a cybercrime spree that lasted nearly three and a half years and impacted 573 victims located around the world in countries including Australia, Hong Kong, and the UK.

The 27-year-old, who was described by the Crown Prosecution Service as "an extremely manipulative man," was sentenced today in Basildon Crown Court to 11 years in prison for blackmail, voyeurism, and cybercrimes. 

Judge Samantha Cohen told Sondhi: "You were a source of pride to your family, but now you are a source of shame."

Between December 26, 2017, and March 17, 2020, Sondhi gained unauthorized access to hundreds of victims' social media accounts. Snapchat, a messaging app that lets users exchange pictures and video that are meant to disappear shortly after they're viewed, was his favored hunting ground. 

After gaining access to an account, Sondhi would trawl it for indecent images that he could use to threaten his victim. 

"Sondhi told them if they didn’t send him nude images of themselves, he would post intimate images of them to their friends and family," said the CPS. 

Some of the young women complied with Sondhi's requests, and in at least six cases, this serial sextortionist carried out his threats to expose their private images.

The CPS said that a number of Sondhi's victims reported experiencing serious emotional and psychological harm as a result of his actions. One victim even attempted to kill herself. 

“Akash Sondhi is an extremely manipulative man who inflicted emotional and psychological damage on young women while also getting gratification from their images and videos," said CPS senior crown prosecutor Joseph Stickings.

"Following a diligent and thorough investigation conducted by the Essex Police Cyber Crime Unit the CPS was able to build a comprehensive case of 65 counts reflecting the high level of his offending."

Stickings went on to thank all of the victims who came forward to report Sondhi's crimes, commending them for their bravery.

Categories: Cyber Risk News

iboss Raises $145m in Funding

Tue, 01/05/2021 - 18:09

American cloud security provider iboss today announced that it has raised $145m in new funding.

The fresh financing will be spent on supporting the company's "rapid growth" in a market it says is worth $25bn.

iboss is a privately held company founded in 2003 and headquartered in Boston, Massachusetts. The company is known for its cloud platform, which delivers network security as a complete SaaS offering.

According to the company's CEO, Paul Martini, the ongoing global health pandemic has accelerated the shift to cloud-based cybersecurity providers, giving iboss a boost.

“COVID-19 has exposed massive vulnerabilities with outdated, hardware-based cybersecurity solutions and accelerated the timeline of moving away from the old method of securing physical office perimeters,” said Martini. 

“Implementing modern architecture that provides network security in the cloud is the best way to ensure safety and productivity, even as remote workers rely more and more on fast connections for things like video meetings and online productivity apps.”

iboss uses a Secure Access Service Edge (SASE) model to protect dispersed workforces that increasingly connect to cloud applications such as Microsoft Office 365 and Zoom. 

“iboss has created the largest, most modern and comprehensive SASE security platform on the market and is the only platform that can fully transition organizations from on-prem security appliances to SaaS security delivered in the cloud,” said Dave DeWalt, founder of NightDragon and co-chairman of iboss. 

“What makes this stronger is that iboss is an open security platform that allows organizations to apply the security engines and log analytics platforms of their choosing compared to existing closed SASE solutions that lack this flexibility and restrict better security due to lack of collaboration with top cybersecurity intelligence vendors.”

The funding round was led by NightDragon and global investment firm Francisco Partners. 

“We are thrilled to partner with iboss and participate in this growth financing,” said Francisco Partners' head of credit, Scott Eisenberg.

“As the traditional enterprise perimeter dissolves, security solutions need to enable safe access to apps and services anytime, anywhere. iboss’ cloud-first solution was designed to address this transformational infrastructure shift.”

Categories: Cyber Risk News

FBI Warns of Swatting Attacks

Tue, 01/05/2021 - 17:42

A spate of swatting attacks waged against users of smart-home devices in America has prompted the Federal Bureau of Investigation to issue a public warning.

The term 'swatting' is used to describe a hoax call made to emergency services, typically reporting an immediate threat to human life, to trigger a response from law enforcement and the deployment of a S.W.A.T. team to a specific residence. 

The FBI said on December 29 that law enforcement agencies have received reports from smart-home device manufacturers that offenders have been gaining unauthorized access to devices using stolen passwords. The cyber-attackers have focused their malicious activity on owners of devices that have camera and voice capabilities. 

After gaining control of a device, the attackers take over the live-stream camera and device speakers. They then initiate contact with first responders, falsely informing them that a crime or emergency situation is unfolding at the victim's home address. 

As law enforcement responds to the residence, the attacker watches the swatting attack they have manufactured unfold via livestream footage, engaging with the responding police through the camera and speakers. 

In some cases, attackers have live-streamed the incidents they manufactured online via shared community platforms.

"Swatting may be motivated by revenge, used as a form of harassment, or used as a prank, but it is a serious crime that may have potentially deadly consequences," warned the FBI.

"Confusion on the part of homeowners or responding officers has resulted in health-related or violent consequences and pulls limited resources away from valid emergencies."

The FBI said that it is working with private-sector partners who design and build smart devices to advise customers about the swatting attacks and how to avoid being victimized. The Bureau is also taking steps to alert law enforcement first responders to this dangerous threat.

Users of smart-home devices with cameras and voice capabilities are advised to use complex, unique passwords and enable two-factor authentication to help protect against swatting attacks. 

"It is highly recommended that the user's second factor for two-factor or multi-factor authentication be a mobile device number and not a secondary e-mail account," said the FBI.

Categories: Cyber Risk News

Ericom Appoints First Ever Chief Strategy Officer

Tue, 01/05/2021 - 14:21

Cybersecurity firm Ericom Software has announced the appointment of Dr Chase Cunningham as its first chief strategy officer. Joining from market research company Forrester, Cunningham will be responsible for shaping Ericom’s strategic vision, roadmap and key partnerships.

Cunningham has over 19 years of experience in the cybersecurity sector, with particular expertise in the area of zero-trust. At Forrester, he helped develop its zero-trust certification program and was the principal driving force for its zero-trust eXtended (ZTX) framework.

Before working at Forrester, he held the position of director of cyber-threat intelligence at Armor, where he was responsible for designing and managing the cloud security and intelligence engine for enterprise customers. Prior to this, he worked for a number of US government agencies, including the NSA, CIA and FBI, in the areas of cyber-forensic and cyber-analytic operations. There, he worked with clients to enhance their security architecture, such as optimizing security operations command systems and centers and installing encryption and analytic systems. Cunningham is also a retired US Navy chief.

Ericom hopes the appointment will enable it to expand its zero-trust secure web and application access solution portfolio.

Commenting on the announcement, David Canellos, CEO of Ericom, said: “Chase’s zero-trust vision and drive have had a major impact on the global cybersecurity market, and his passion, real world expertise and candor are valued and appreciated by industry executives and as well as government leaders. We believe that his insights and hands-on security expertise will enable the digital transformation that is crucial for our customers’ secure growth and success.

“His guidance and direction of our strategic programs and technology innovation will help us rapidly deliver more impactful cloud cybersecurity solutions for our customers and partners.”

Cunningham commented: “Ericom has a strong history of helping its customers establish secure connectivity and network access, and it has evolved into a nimble and highly innovative zero-trust security player.

“I look forward to helping the company ramp up that evolution and build out its security portfolio, providing an unmatched set of capabilities to help secure businesses as they digitally transform in the future.”

Categories: Cyber Risk News

Ransomware Surge Drives 45% Increase in Healthcare Cyber-Attacks

Tue, 01/05/2021 - 12:15

Cyber-attacks on global healthcare organizations (HCOs) increased at more than double the rate of those targeting other sectors over the past two months, according to Check Point.

The security vendor’s latest data covers the period from the beginning of November to the end of 2020, and compares it with the previous two months (September-October), a spokesperson confirmed to Infosecurity.

It revealed a 45% increase in attacks on the healthcare sector, versus less than half this figure (22%) for all other verticals. November was particularly bad, with HCOs suffering 626 weekly attacks on average per organization, compared with 430 in the previous two months.

Although the attacks span a variety of categories — including ransomware, botnets, remote code execution and DDoS — perhaps unsurprisingly, it is ransomware that displayed the largest increase overall and poses the biggest threat to HCOs, according to Check Point.

Ryuk and Sodinokibi (REvil) were highlighted as the main culprits.

In fact, financially motivated cyber-criminals have been going after the healthcare sector since the start of the COVID-19 crisis, well aware that hospitals and clinics are distracted with the huge surge in cases coming through their doors.

Microsoft revealed in April how these groups are increasingly using APT-style tactics to gain a foothold in networks, perform lateral movement and credential theft, and exfiltrate data before deploying their ransomware payload.

Central Europe experienced the biggest rise in cyber-attacks on its HCOs during the period (145%), followed by East Asia (137%) and Latin America (112%).

Europe recorded a 67% increase, although Spain saw attacks double and Germany recorded a 220% surge. Although North America (37%) saw the smallest rise regionally, Canada experienced the biggest increase of any country, at 250%.

“This past year, a number of hospital networks across the globe were successfully hit with ransomware attacks, making cyber criminals hungry for more,” explained Check Point manager of data intelligence, Omer Dembinsky.

“Furthermore, the usage of Ryuk ransomware emphasizes the trend of having more targeted and tailored ransomware attacks rather than using a massive spam campaign. This allows the attackers to make sure they hit the most critical parts of the organization and have a higher chance of getting their ransom paid.”

Check Point urged organizations to look for the presence of Trickbot, Emotet, Dridex and Cobalt Strike, as these often presage ransomware, and to be on their guard on weekends, when attackers often strike.

Virtual patching, employee education and anti-ransomware solutions are also crucial tools in the CISO’s armory, it added.

Categories: Cyber Risk News

Chinese APT Group Linked to Ransomware Attacks

Tue, 01/05/2021 - 11:15

A well-known Chinese state-backed APT group is believed to have been responsible for multiple ransomware attacks against firms last year, according to new research.

A report from Security Joes and Pro reveals how the vendors uncovered the links after investigating an incident in which ransomware encrypted “several core servers” at an unidentified victim organization.

They found samples of malware linked to the DRBControl campaign which targeted major gaming companies and is associated with two well-known Chinese-backed groups, APT27 (aka Emissary Panda) and Winnti.

Specifically, they claimed to have detected an older version of the Clambling backdoor used in that campaign, an ASPXSpy webshell previously used by APT27, and the PlugX RAT which is often used in Chinese attacks.

Although Winnti is known for financially motivated attacks, APT27 is generally more focused on data theft. However, the latter has previously been linked to one ransomware attack, featuring the Polar variant.

“There are extremely strong links to APT27 in terms of code similarities and TTPs,” the report noted. “This incident occurred at a time when COVID-19 was rampant across China with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising.”

The attack itself does not seem to have been particularly sophisticated.

The initial vector was a third-party service provider that had itself been infected via another third party, and the attackers used Windows’ own BitLocker encryption tool, rather than custom ransomware, to lock down the targeted servers.

ASPXSpy was deployed for lateral movement, and PlugX and Clambling were loaded into memory using a legitimately signed Google Updater executable vulnerable to DLL side-loading. The popular open source tool Mimikatz was also used in the attack, and a publicly available exploit for CVE-2017-0213, a Windows COM elevation-of-privilege flaw, was used to escalate privileges.
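The signals in the two stories above (Check Point’s advice to hunt for Trickbot, Emotet, Dridex and Cobalt Strike and to watch weekends, and the APT27 tradecraft of BitLocker as the encryptor, Mimikatz and a signed updater executed from an unexpected path) can be turned into a small triage routine. The following is an added example and not code from Check Point, Security Joes or Profero: the pipe-separated log format, the sample lines, the rule names and the side-loading allow-list are all constructed for this illustration and would need to be mapped onto real EDR or Sysmon process-creation fields.

```python
"""Triage constructed process and AV telemetry for the signals named above:
ransomware-precursor malware, weekend activity, and the APT27 tradecraft
(BitLocker as the encryptor, Mimikatz, a signed updater run from an odd path).

Added example, not code from Check Point, Security Joes or Profero. The pipe-
separated log format, the rule names and the allow-list are constructed here;
map them onto your own EDR / Sysmon Event ID 1 fields before relying on them."""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime

# Families Check Point says often precede a ransomware deployment.
PRECURSOR_FAMILIES = {"trickbot", "emotet", "dridex", "cobalt strike", "cobaltstrike"}

# Mimikatz module syntax on a command line, e.g. sekurlsa::logonpasswords.
MIMIKATZ_RE = re.compile(r"\b(sekurlsa|lsadump|privilege|kerberos)::", re.IGNORECASE)

# BitLocker being switched on from the command line: manage-bde -on <volume>.
BITLOCKER_ON_RE = re.compile(r"manage-bde(\.exe)?\s+-on\b", re.IGNORECASE)

# Signed host binaries abused for DLL side-loading -> directory they normally
# run from (constructed allow-list; build yours from a golden image).
SIDELOAD_HOSTS = {"googleupdate.exe": r"c:\program files (x86)\google\update"}


@dataclass
class Finding:
    when: datetime
    host: str
    rule: str
    detail: str
    weekend: bool  # attackers often strike at weekends; escalate these


def parse_line(line):
    """Constructed format: <ISO time>|<host>|<source>|<detail>
    source 'av'   -> detail is the detected family name
    source 'proc' -> detail is <image path>|<command line>"""
    when, host, source, detail = line.split("|", 3)
    return datetime.fromisoformat(when), host, source, detail


def analyze(log_text):
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, host, source, detail = parse_line(raw)
        rules = []
        if source == "av":
            if detail.strip().lower() in PRECURSOR_FAMILIES:
                rules.append("ransomware-precursor")
        elif source == "proc":
            image, _, cmdline = detail.partition("|")
            directory, base = ntpath.split(image.lower())
            if MIMIKATZ_RE.search(cmdline):
                rules.append("credential-dumping-mimikatz")
            if BITLOCKER_ON_RE.search(cmdline):
                rules.append("bitlocker-encrypt-volume")
            expected_dir = SIDELOAD_HOSTS.get(base)
            if expected_dir is not None and directory != expected_dir:
                rules.append("dll-sideload-host-unexpected-path")
        for rule in rules:
            findings.append(Finding(when, host, rule, detail, when.weekday() >= 5))
    return findings


def escalate(findings):
    """Hosts where two or more distinct rules fired: treat as a likely
    hands-on-keyboard intrusion rather than isolated noise."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {host for host, rules in by_host.items() if len(rules) >= 2}


# Constructed sample telemetry (2020-12-05 is a Saturday).
SAMPLE_LOG = r"""
2020-12-03T09:15:00|WS-0142|proc|C:\Program Files (x86)\Google\Update\GoogleUpdate.exe|GoogleUpdate.exe /c
2020-12-04T16:42:11|WS-0142|av|Trickbot
2020-12-05T02:11:09|SRV-DB01|proc|C:\Users\Public\GoogleUpdate.exe|GoogleUpdate.exe /svc
2020-12-05T02:13:40|SRV-DB01|proc|C:\Windows\Temp\mk.exe|mk.exe privilege::debug sekurlsa::logonpasswords
2020-12-05T02:20:02|SRV-DB01|proc|C:\Windows\System32\manage-bde.exe|manage-bde -on D: -RecoveryPassword
2020-12-05T02:20:03|SRV-DB01|proc|C:\Windows\System32\manage-bde.exe|manage-bde -on E: -RecoveryPassword
"""

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        flag = "WEEKEND " if f.weekend else ""
        print(f"{f.when:%Y-%m-%d %H:%M} {f.host:8} {flag}{f.rule}: {f.detail}")
    print("escalate:", sorted(escalate(found)))
```

On the constructed input the workstation’s legitimate GoogleUpdate.exe run is ignored while its Trickbot detection is recorded as a precursor; the server accumulates three distinct rules (side-loading host in C:\Users\Public, Mimikatz syntax, manage-bde -on) on a Saturday morning, so it is the one host escalated. The point of the combination rule is that BitLocker activation or a Mimikatz hit alone may be an administrator or a pentest, but several of these on one host out of hours is the pre-encryption window in which a response still matters.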

Gaming firms are an increasingly popular target among financially motivated attackers, according to new research released yesterday by Kela. The threat intelligence firm claimed to have discovered one million compromised internal accounts from gaming companies on the dark web, and 500,000 breached credentials belonging to employees.

Categories: Cyber Risk News

HelpSystems Acquires FileCatalyst to Boost Data Transfer Portfolio

Tue, 01/05/2021 - 10:22
HelpSystems Acquires FileCatalyst to Boost Data Transfer Portfolio

Software firm HelpSystems has announced the acquisition of FileCatalyst to boost the speed and security of its file transfer offerings.

FileCatalyst specializes in moving extremely large files within organizations at speeds hundreds of times faster than the standard File Transfer Protocol (FTP) allows. Typical payloads include video and other media-rich files, big data sets and large databases, which are particularly important for industries such as broadcast media and live sports.

This enables businesses to work more efficiently by limiting the impact of latency and packet loss when moving large amounts of data across global networks.

This type of service has become increasingly important as a result of the shift to home working brought about by the COVID-19 pandemic, with file sharing often taking place across insecure channels, networks and devices. For instance, last year a study found that nearly half of SME businesses regularly share confidential files via email, including financial and employee data in spreadsheets.

Kate Bolseth, CEO of HelpSystems, commented: “Our customers and partners have expressed a growing need to move significant volumes of data more quickly than ever before, and FileCatalyst addresses this problem effectively for many well-known organizations.

“FileCatalyst is an excellent addition to our managed file transfer and robotic process automation offerings, and we are pleased to bring the FileCatalyst team and their strong file acceleration knowledge into the global HelpSystems family.”

Chris Bailey, CEO and co-founder of FileCatalyst, said: “We are thrilled to become part of a company with deep roots and expertise in both cybersecurity and automation. Our customers will find value in pairing our file transfer acceleration solutions with HelpSystems’ extensive solution suites.”

This announcement follows a number of other recent acquisitions by HelpSystems, including cloud-based data protection provider Vera last month and data classification companies Titus and Boldon James in June 2020.

Categories: Cyber Risk News

NYSE U-Turn Means Chinese Telcos Escape Delisting

Tue, 01/05/2021 - 09:30
NYSE U-Turn Means Chinese Telcos Escape Delisting

The world’s largest stock exchange has reversed its decision to ban three Chinese telecoms companies after a Presidential order was issued late last year.

The New York Stock Exchange (NYSE) had issued its original decision to delist the firms on December 31, following President Trump’s executive order the previous month.

In it, Trump claimed that ostensibly civilian businesses in China are actually part of a giant military-industrial complex, and that by listing on US exchanges they are effectively raising funds from unwitting investors in order to modernize China’s military.

“Through the national strategy of military-civil fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” it said. 

“Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence and security apparatuses and aid in their development and modernization.”

However, in a brief statement on Monday, the NYSE said it had reconsidered its decision regarding China Telecom, China Mobile and China Unicom.

“In light of further consultation with relevant regulatory authorities in connection with Office of Foreign Assets Control FAQ 857 … the New York Stock Exchange LLC announced today that NYSE Regulation no longer intends to move forward with the delisting action in relation to the three issuers enumerated below which was announced on December 31 2020,” it stated.

A link in the statement takes readers to a US Treasury FAQ page.

The move follows a tersely worded statement from the China Securities Regulatory Commission over the weekend, which claimed that the US continues to “groundlessly suppress foreign companies listed on the US markets.”

Last month, Congress passed a new law that will force Chinese firms to comply with Public Company Accounting Oversight Board (PCAOB) audits or be delisted. Companies from many other nations already do so in line with SEC rules, to provide maximum transparency to investors, although China has resisted for over a decade.

The NYSE ended its brief statement by admitting that it will continue to assess the applicability of the executive order to the Chinese telcos and their listing status.

Categories: Cyber Risk News

Cyber-Attack on US Laboratory

Mon, 01/04/2021 - 17:54
Cyber-Attack on US Laboratory

An American laboratory specializing in home phlebotomy has disclosed a cyber-attack that occurred five months ago after data stolen in the attack turned up online.

Apex Laboratory opened in 1997 and is based in Farmingdale, New York. The company has provided medical testing services to hundreds of home health agencies and thousands of physicians in New York and South Florida.

On July 25, 2020, Apex learned that it had become the victim of a cyber-attack that rendered certain files and systems inaccessible. Network access was restored along with the impacted data, and the company resumed normal operations on July 27. 

A third-party cyber forensic analyst was hired by Apex to investigate the attack. The investigation found no evidence of unauthorized access or acquisition of patient information, and Apex did not disclose the incident. 

However, Apex discovered last month that the cyber-criminals behind the attack had stolen "personal and health information for some patients" and posted it online on their blog. Information believed to have been taken includes patient names, dates of birth, test results, and, for some individuals, Social Security numbers and phone numbers.

Apex is yet to reveal how many patients were impacted by the incident, but the laboratory did say that the information stolen by the threat actors could have been pinched over a four-day period. 

"It is believed that this information may have been acquired from Apex’s systems between July 21, 2020 and July 25, 2020," stated Apex. 

From a notice of data event posted by Apex on December 31, the attack sounds like it might have involved ransomware.  

The notice states: "On July 25, 2020, Apex Laboratory of Farmingdale, NY ('Apex') discovered that it was the victim of a cyber-attack and that certain systems in its environment were encrypted and inaccessible."

Apex didn't say that it paid a ransom to the cyber-attackers; however, the speedy restoration of the impacted data and the removal of the stolen data from the hacker's blog might suggest some communication between the criminals and their victim has occurred. 

The company said that it is "unaware of any actual or attempted misuse of any information other than the extracting of this data as part of the cyber-attack."

Categories: Cyber Risk News

Netwrix and Stealthbits Announce Merger

Mon, 01/04/2021 - 17:07
Netwrix and Stealthbits Announce Merger

American cybersecurity companies Netwrix and Stealthbits Technologies, Inc. announced today that they will be merging. 

The combined entity will operate as Netwrix, with Steve Dickson continuing to serve as its chief executive officer and on the company’s Board of Directors. Steve Cochran, founder and chairman of Stealthbits, will be an investor in Netwrix and will also serve on the new entity's Board.

Terms of the transaction were not disclosed.

Netwrix has scooped up over 150 industry awards since it was founded in 2006. The new incarnation of the company will employ over 500 people and serve customers in more than 50 countries. 

“We couldn’t be more thrilled to be merging with the people and products of Stealthbits," said Dickson.

"Our combined organization can now offer data security solutions for any organization anywhere in the world."

The combined entity will continue to offer Netwrix's complete portfolio of over half a dozen security solutions aimed at identifying and detecting data security risk as well as protecting against, responding to, and recovering from cybersecurity attacks.

Cochran said that the merger will give Stealthbits' customers access to a one-stop shop for all their data protection and cybersecurity needs.

“Stealthbits has always been driven to work with our customers to solve their most challenging credential and data security requirements," said Cochran. 

"Combining our breadth of products and depth of expertise with that of Netwrix means our customers can quickly strengthen their security posture and address multiple projects and requirements through a single provider."

A press release announcing the merger said that it would speak to the problem of fragmented solutions in the data security market preventing organizations from building comprehensive security strategies to protect sensitive and regulated data.

"To address this challenge, Netwrix and Stealthbits are joining forces to leverage each other’s expertise to broaden product capabilities and improve user experience," stated the release.

Stealthbits was founded by Cochran in 2001. The cybersecurity software company's focus is on protecting an organization’s sensitive data and the credentials attackers use to steal that data. 

Last year the company won the Best Cybersecurity Company and Best Privileged Access Management Product categories in the Cybersecurity Excellence Gold Awards.

Categories: Cyber Risk News

UK Rejects Assange Extradition Request

Mon, 01/04/2021 - 16:34
UK Rejects Assange Extradition Request

A British court has ruled that WikiLeaks founder Julian Paul Assange should not be extradited to the United States to stand trial over the publication of thousands of classified diplomatic and military documents.

The US Department of Justice initially indicted Assange in April 2019 for conspiring with former US Army intelligence analyst Chelsea Manning to crack a password to a classified US government computer network, the Secret Internet Protocol Network (SIPRNet).

However, that charge was superseded in May 2019 by a new 18-count indictment alleging that beginning in late 2009, 49-year-old Assange and WikiLeaks actively solicited United States classified information, publishing a list of “Most Wanted Leaks” that sought classified documents. 

"Manning responded to Assange’s solicitations by using access granted to her as an intelligence analyst to search for United States classified documents, and provided to Assange and WikiLeaks databases containing approximately 90,000 Afghanistan war-related significant activity reports, 400,000 Iraq war-related significant activities reports, 800 Guantanamo Bay detainee assessment briefs, and 250,000 US Department of State cables," said the DOJ. 

The security incident, in which many documents classified at the Secret level were exposed, was described by the DOJ as one of the largest compromises of classified information in the history of the United States.   

In Westminster Magistrates' Court today, District Judge Vanessa Baraitser rejected, on mental health grounds, the Trump administration's request to extradite Assange to the United States.

“That extradition should be refused because it would be unjust and oppressive by reason of Mr. Assange’s mental condition and the high risk of suicide pursuant to section 91 of the EA 2003,” Baraitser said.

Referring to the opinion of Professor Michael Kopelman, medical expert and emeritus professor of neuropsychiatry at King's College London, Baraitser said, “Taking account of all of the information available to him, he considered Mr Assange’s risk of suicide to be very high should extradition become imminent. This was a well-informed opinion carefully supported by evidence and explained over two detailed reports.”

Commenting on Baraitser's decision, the Freedom of the Press Foundation said: "This is a huge relief to anyone who cares about the rights of journalists.

"The extradition request was not decided on press freedom grounds; rather, the judge essentially ruled the US prison system was too repressive to extradite. However, the result will protect journalists everywhere."

Categories: Cyber Risk News

Microsoft: SolarWinds Attackers Viewed Our Source Code

Mon, 01/04/2021 - 12:00
Microsoft: SolarWinds Attackers Viewed Our Source Code

Microsoft has revealed that the nation state group behind a recent global cyber-espionage campaign managed to view some of the firm’s source code.

The tech giant has provided several updates in the wake of the discovery of the campaign, which appears to have targeted mainly US government agencies and tech firms and has been linked to Russia.

In the spirit of cross-industry collaboration, its latest notice goes into more detail about the attack on its own systems, which was discovered when the firm found evidence of the malicious SolarWinds binaries used to target others.

“Our investigation has revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment,” it explained.

“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”

Microsoft claimed that its use of open source development practices and culture internally means that it does “not rely on the secrecy of source code for the security of products.

“So viewing source code isn’t tied to elevation of risk,” it added.

“As with many companies, we plan our security with an ‘assume breach’ philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.”

New victims of the campaign are emerging all the time.

In late December, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a new alert warning that the same threat actor is using the same vector (SolarWinds Orion) to target not just federal but also state and local governments, as well as critical infrastructure and private sector organizations.

Categories: Cyber Risk News