Info Security

Subscribe to Info Security  feed
Updated: 1 hour 41 min ago

Researchers Discover Rare Form of Malware that Targets VoIP Softswitches

Thu, 09/10/2020 - 14:05
Researchers Discover Rare Form of Malware that Targets VoIP Softswitches

A new type of malware that targets Voice over IP (VoIP) softswitches, potentially for cyber-espionage purposes, has been uncovered by ESET researchers.

The malware, named CDRThief, is designed to attack a specific VoIP platform used by two China-made softswitches called Linknat VOS2009 and VOS3000, which are software-based solutions that run on standard Linux servers. ESET believes the main purpose of this malware is to exfiltrate various private data from a compromised softswitch. This includes call data records, which contain sensitive metadata about VoIP calls such as caller and IP addresses of call recipients, starting time of the call and call duration.

The cybersecurity firm added that it caught their attention as entirely new Linux malware is rare to see.

CDRThief attempts to steal metadata by querying internal MySQL databases used by the softswitch, with its mode of operation demonstrating a “solid understanding of the internal architecture of the targeted platform.” ESET found that any suspicious-looking strings in the malware were encrypted by the authors in order to hide malicious functionality from basic static analysis. Additionally, even though the password from the configuration file is encrypted, the CDRThief malware is still able to read and decrypt it.

ESET also revealed the malware can be deployed to any location on the disk under any file, and once it starts operating, attempts to launch a legitimate file present on the Linknat platform. ESET researcher Anton Cherepanov, who discovered the Linux malware, said that “this suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerade as a component of the Linknat softswitch software.”

He added: “It’s hard to know the ultimate goal of attackers who use this malware. However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyber-espionage. Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform international revenue share fraud.”

Categories: Cyber Risk News

ThreatConnect Acquires Nehemiah Security to Add Risk Quantifier Capabilities

Thu, 09/10/2020 - 12:01
ThreatConnect Acquires Nehemiah Security to Add Risk Quantifier Capabilities

ThreatConnect has announced the acquisition of Nehemiah Security, adding cyber-risk quantification to its existing threat intelligence platform (TIP) and security orchestration, automation and response (SOAR) capabilities.

The deal aims to create a cybersecurity platform aligning the entire security lifecycle to the goal of reducing risk and the ThreatConnect risk quantifier will enable the identification of the risks that matter most to organizations by quantifying them based on potential financial or operational impact.

ThreatConnect said with this acquisition, it is able to further deliver on its mission of revolutionizing the way organizations protect themselves by turning intelligence into action with a risk-led approach to cybersecurity making prioritization easy for security teams, enabling them to filter out noise and focus on what matters most.

Adam Vincent, chief executive officer at ThreatConnect, said: “We began our journey focused on making threat intelligence actionable with our TIP solution, providing a platform to collect, enrich and prioritize intelligence. We evolved our capabilities to deliver an award-winning SOAR platform to market, helping orchestrate and automate security actions with an intelligence-led approach, but we never lost sight of the belief we articulated in 2015 that risk mitigation should drive all action in security.

“We’ve watched with interest as the cyber-risk quantification movement has taken off, keeping an eye on evolving approaches and listening to the experiences of our clients. The decision to acquire Nehemiah was an easy one as they are ahead of the market in terms of their ability to automate cyber-risk quantification.”

In an email to Infosecurity, former Nehemiah Security CEO Paul Farrell said cyber-risk quantification was “an obvious missing puzzle piece in security” and the mentality of the market has shifted dramatically over the past two years.

“It is the most critical piece of the puzzle as understanding the risks that represent the most harm finally allows security to prioritize all activities around the mission of reducing those risks,” he said. “We have been focused on automating the job of cyber-risk quantification, of providing timely results and near instant time to value. We have been focused on integrating data already existing in the security technology stack, of delivering a solution that security people can actually use as a decision support capability.”

He called ThreatConnect “an ideal partner” as the company has “the means to take our vision forward, to provide sales, marketing and engineering resources we could not.”

“When marrying risk into the equation, ThreatConnect not only helps fulfil our vision – where risk drives all decision making in security – but they become one of the most powerful players in security as they can help marry risk, threat and response,” he said. “It really was a match made in heaven – and ThreatConnect will act as a steward of our vision and for the future of security as a whole.”

Categories: Cyber Risk News

Healthcare SMEs Get Government Security Spending Boost

Thu, 09/10/2020 - 11:01
Healthcare SMEs Get Government Security Spending Boost

Small and medium-sized healthcare suppliers and providers are set to get a small cybersecurity boost after the government announced a £500,000 fund to support certification and training.

Announced to coincide with London Tech Week, the half-a-million pound support package will go to primary care providers (excluding GP practices), medical suppliers and other eligible businesses.

It must be spent on consultancy and certification costs needed to gain accreditation for the government’s Cyber Essentials certification, which guarantees a baseline of best practice security.

This will include training to ensure all mobile devices, laptops and PCs are kept up-to-date with the latest patches, firewalls are configured properly to secure internet connections and user access controls are tightened to prevent unauthorized access to systems. 

Although it has been running since 2014, only 50,400 Cyber Essential certificates have so far been issued, the Department for Digital, Culture, Media & Sport admitted.

Yet healthcare organizations have become an increasingly popular target for attackers, especially during the COVID-19 crisis. The National Cyber Security Centre (NCSC) was forced back in May to issue a joint alert with the US authorities warning of large-scale password spraying campaigns against healthcare and medical research organizations.

“Protecting healthcare has been our top priority during the COVID-19 pandemic and we have been working hard to ensure organizations can keep themselves secure. While we will continue to support them, signing up to initiatives such as Cyber Essentials is an excellent way for organizations to help themselves,” argued NCSC director of operations, Paul Chichester.

“Those who have not already taken up this offer should do so — it will help ensure they have fundamental security protections in place, even in the most challenging of times.”

Categories: Cyber Risk News

ETERBASE Crypto-Exchange Hit in $5m Heist

Thu, 09/10/2020 - 09:35
ETERBASE Crypto-Exchange Hit in $5m Heist

Yet another cryptocurrency exchange has been hit by a major cyber-attack, this time leading to the loss of over $5m from customers’ hot wallets.

Slovakian firm ETERBASE, which describes itself as “Europe’s premier digital asset exchange,” revealed yesterday that around $5.4m was stolen.

“Law enforcement authorities have been informed and we will assist as much as we can in the ongoing investigations,” it added. “We want to inform our users that we have enough capital to meet all our obligations.”

The firm moved quickly to contact the exchanges that it believes were used to receive the stolen funds. It claimed on Twitter that a large part of the digital currency ended up at Binance, Huobi and HitBTC.

Six hot wallets were affected, managing digital currencies: Bitcoin, Ether, ALGO, Ripple, Tezos and TRON.

Digital thefts at cryptocurrency exchanges are the 21st century equivalent of a bank heist, although with far fewer chances of the culprits ever getting caught.

They occur with worrying regularity: in February this year Italian exchange Altsbit said it had lost almost all the funds entrusted to it in a cyber-attack.

Some of the biggest of recent years have included a $32m attack on Japanese player Bitpoint last year; a $52m heist at South Korea’s UpBit a few months later; a $60m raid on Japanese exchange Zaif in September 2018 and a $31m attack on Seoul-based Bithumb a few months previously.

Many of these raids may have been coordinated by North Korean hackers, who have been singled out for attention by both the UN and security researchers at FireEye.

In fact, last year the UN claimed that Pyongyang had amassed a fortune of $2bn after its increasingly sophisticated hacking units attacked banks and cryptocurrency exchanges.

Categories: Cyber Risk News

Bluetooth Bug Could Allow MITM Attacks

Thu, 09/10/2020 - 08:30
Bluetooth Bug Could Allow MITM Attacks

Security researchers have discovered a new vulnerability in Bluetooth which could allow attackers to perform man in the middle (MITM) attacks and access authenticated services.

The so-called “BLURtooth” vulnerability was independently discovered by teams at the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.

It exists in the Cross-Transport Key Derivation (CTKD), which sets up authentication keys for dual-mode devices (i.e. smartphones) that support both Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) transport methods.

Several attack scenarios were described using BLURtooth (CVE-2020-15802). It is possible for an attacker to exploit the bug to overwrite and lower the strength of the LTK or Link Key (LK) encryption keys used to pair devices.

“Vulnerable devices must permit a pairing or bonding to proceed transparently with no authentication, or a weak key strength, on at least one of the BR/EDR or LE transports in order to be susceptible to attack,” explained Carnegie Mellon University.

“For example, it may be possible to pair with certain devices using JustWorks pairing over BR/EDR or LE and overwriting an existing LTK or LK on the other transport. When this results in the reduction of encryption key strength or the overwrite of an authenticated key with an unauthenticated key, an attacker could gain additional access to profiles or services that are not otherwise restricted.”

Devices that had previously been paired but are vulnerable to the exploit may also be exposed to MITM by attackers within range.

“If a device spoofing another device’s identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur,” explained the Bluetooth Special Interest Group (SIG).

There doesn’t appear to be a patch available for BLURtooth as yet, although the SIG said it is “encouraging” its member companies to roll one out when ready.

In the meantime, it  recommended that “potentially vulnerable implementations introduce the restrictions on CTKD mandated in Bluetooth Core Specification versions 5.1 and later.”

Categories: Cyber Risk News

Employee Social Media Use Viewed as Risky

Wed, 09/09/2020 - 17:26
Employee Social Media Use Viewed as Risky

Small-business owners are worried that their employees' use of social media is a potential security risk, according to new research by the Cyber Readiness Institute.

A survey of 400 SMB owners and 1,059 US workers found that 56% of owners believe that their employees’ social media use poses a cybersecurity threat to their business. 

Despite their fears, 82% of employers said that they allow employees to use personal devices to access work email or other data and 67% of business owners allow their employees to use social media applications on work devices.

While 56% of employees said that they have social media applications on devices they use for work, only 30% had been issued with guidelines on the use of social media applications on those devices.

Almost a quarter—22%—of workers admitted to ignoring or bypassing the cybersecurity guidelines issued by their company on a daily or weekly basis. 

“It is clear that small-business owners are fully aware of the cybersecurity risks associated with mixing personal and work activities on the same device,” said Kiersten Todt, managing director of the Cyber Readiness Institute.

“SMBs now need to issue policies that address these risks. More than 4-in-5 owners allow employees to use personal devices for work and only about half have policies regarding the apps that can or cannot be on devices used. It is a recipe for cyber insecurity."

Installing social media apps on work devices was common among employees, with 42% of business owners saying that more than 75% of their employees have social media applications on devices they use for work.

Facebook was the most popular app used by workers on their work device, with 50% of those surveyed saying that they used it.

More than half of employees—56%—said that their company has not issued new guidelines on the use of social media apps on work devices since the COVID-19 pandemic had triggered the introduction of remote working.

Adding new policies regarding social media apps or modifying existing policies for employees having to work at home to slow the spread of the novel coronavirus was being considered by 36% of employers.

Categories: Cyber Risk News

Judge Dismisses Privacy Lawsuit Against University of Chicago

Wed, 09/09/2020 - 16:53
Judge Dismisses Privacy Lawsuit Against University of Chicago

A federal judge has dismissed a lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach.

The potential class-action suit was filed in June last year over a data-sharing partnership between Google and the University of Chicago Medicine. 

In 2017, Google received the anonymized data of University of Chicago Medicine patients for research purposes. The data was sent by University of Chicago Medicine under an initiative to improve predictive analysis of hospitalizations and subsequently raise the level of patient care.

Under the partnership, the tech giant used machine learning techniques to analyze the patient data in the hope of detecting when a patient’s health is deteriorating. The idea was to find out if and how a timely intervention might prevent the need for hospitalization.

Data sent by the University of Chicago Medicine to Google belonged to hundreds of thousands of people who were patients of the healthcare provider between 2009 and 2016. Although de-identified, the data contained time stamps of dates of service and notes made by physicians.

Edelson PC filed the lawsuit on behalf of lead plaintiff Matt Dinerstein, a patient of UC Medical Center who stayed at the hospital twice in 2015.

The suit alleged that Dinerstein’s confidential protected health information had been shared with Google without first being appropriately de-identified. The suit claimed that the alleged data breach had come to light after the publication of a 2018 research study that confirmed notes and time stamps had not been removed from the data before it was sent to Google.

In the suit, Dinerstein sought a royalty for the use of his protected health information by Google. The plaintiff claimed his medical records were of value to himself and had been stolen. 

Federal judge Rebecca Pallmeyer of the United States District Court Northern District of Illinois Eastern Division dismissed the suit on September 4. Pallmeyer ruled that royalties are only appropriate when a property right has been interfered with, and Dinerstein had failed to establish that he had property rights to his own personal health information.

Categories: Cyber Risk News

Bank of England to Tackle Cybercrime

Wed, 09/09/2020 - 16:26
Bank of England to Tackle Cybercrime

The Bank of England is to make securing cashless payment technology and preventing cybercrime a top priority. 

The decision by the 326-year-old institution to focus on cybersecurity and digital payments was revealed yesterday by an external member of the Bank of England's financial policy committee. The committee was created in 2010 with the remit of monitoring the economy of the United Kingdom. 

According to, committee member Elisabeth Stheeman said that the impact of the COVID-19 pandemic on the financial system was key in driving the decision to focus on cyber-issues. According to Stheeman, what had been a gentle stroll toward digital dominance in everyday payments had increased to a leggy gallop.

"The reality is that online fraud and cyber-hacking of digital accounts have outstripped traditional theft of banknotes and gold," Stheeman said. "Payments have undergone rapid innovation in recent years, and the COVID-19 shock has accelerated these trends." 

Stheeman said the committee believes these two areas will be critical in creating the kind of operational resilience that will enable the system to contain and withstand future unforeseen financial crises.

To achieve such resilience, Stheeman said the committee will call for more frequent stress-testing to gauge how well banks can recover from cyber-attacks. The committee also plans to create new standards for how quickly and effectively financial institutions should be expected to contain cyber-attacks. 

Stheeman anticipates that the responsibility for ensuring the security of digital payments will lie with technology companies in the future, rather than with banks. 

Cyber-criminals have sought to exploit the changes wrought by the global health pandemic, creating scams promising cures or vaccinations and targeting the newly opened up attack surface created by the increase in remote working. 

Across the pond, Americans have lost more than $77 million in fraud related to COVID-19 since the outbreak began, according to the US Federal Trade Commission. John Breyault, vice president of public policy, telecommunications, and fraud at the National Consumers League, thinks the real figure is much higher.

“I think the FTC’s numbers are almost certainly just the tip of the iceberg when it comes to fraud losses,” Breyault said. “We know fraud is historically an under-reported crime.”

Categories: Cyber Risk News

Fake Alert Scams Increasingly Targeting Mobile Networks

Wed, 09/09/2020 - 15:15
Fake Alert Scams Increasingly Targeting Mobile Networks

Malicious actors have substantially evolved the use of fake alert scams in recent years, in particular, the increasing targeting of mobile users, according to a new report by Sophos.

The investigation, authored by Sean Gallagher, senior threat researcher at Sophos, found that “a vast majority” of the fake alerts in malvertising networks targeted mobile users. This is partly because mobile has become a greater source of internet traffic, but these devices also offer easier modes of attack compared to desktop. For instance, iOS Safari’s accessibility function allows pop-up ads to make phone calls to lure victims to a dodgy app on the corresponding app store without scammers needing to cold call or voice-phish victims.

Gallagher added that most of the iOS fake alerts discovered were linked to App Store listings for a group of apps that claimed to be virtual private networking and site blocker tools. These apps all included in-app purchases, requiring payments to be made following a trial period.

The study also observed that desktop tech support scam operations have evolved over the past decade, primarily shifting from call center cold calls to more automated targeting techniques. These include pull-based attacks based on Google search ads and search engine optimization, vishing campaigns prompting the target to call back and email or text phishing campaigns to lure targets to a fraudulent website.

In addition, it was highlighted how malicious alerts masquerading as pop-up/pop-under ads, such as and, are being routed through legitimate advertising networks. They are therefore able to slip through as blocking them would substantially disrupt these advertising networks’ business models.

“At least on the desktop, there are multiple ways to prevent having an encounter with a fake alert site to begin with,” commented Gallagher. “The problem on the mobile side, however, remains largely a user education issue. While Apple and Google have made it more difficult for scammers to leverage browser features to attack users’ privacy and install unwanted applications without intervention, pop-up defenses remain weak and app store abuses remain an issue. As protections increase on desktops against malvertising, more scammers will focus on the weaknesses of mobile devices.”

Categories: Cyber Risk News

Businesses Fear Insider-Enabled Data Breaches

Wed, 09/09/2020 - 13:32
Businesses Fear Insider-Enabled Data Breaches

Businesses fear suffering a data breach and expect it to be caused by an insider or internal error.

A survey of 500 IT professionals by Exonar found that 94% of respondents have experienced a data breach, and 79% were worried their organization could be next.

In an email to Infosecurity, Niamh Muldoon, senior director of trust and security at OneLogin, said the fear associated with breaches stems from the security culture within the organization, along with the security reporting structure.

“Having security teams in close dialogue with executive leadership, supporting the leadership to make informed risk-based decisions and driving the business strategy, including the technologies used, reduces this fear significantly,” she said. 

“Secondly, not understanding information security, its components and principles drives fear and anxiety of the unknown, so having security education training, and developing awareness and consciousness of threats, will enable and empower the entire organization to act with a ‘security first’ mindset.

“Finally, recognizing the importance of access control to protect systems and data is a foundational level control that organizations can apply to reduce the risk of a data breach. Hand in hand with this is partnering with trusted identity and access control platform providers who can provide enterprises with that security expertise and industry leadership.”

In terms of what is causing the breaches, 40% of respondents to the Exonar survey said accidental employee incidents were to blame, compared to 21% who said it is external attackers. Asked if this is a case of businesses not having a handle on what leaves their organizations (either intentionally or accidentally), Sammy Migues, principal scientist at Synopsys, said insiders already have access and can leave with data invisibly, which might turn up somewhere embarrassing later. 

Migues added: “Insiders make bad decisions to temporarily put data in the cloud without knowing how to secure it. Insiders are pretty sure it is okay to just tell a few people about that new thing that no one should know about. Insiders know exactly how to hurt the organization if they want to. Between accidents and malicious intent, insiders are a major concern.”

Muldoon said: “Firstly, always remember your employees are your biggest information asset. Security is the biggest enabler supporting business moves forward, especially during times of uncertainty, and fostering and growing good working relationships with your organization’s security team will help to bring diversity and inclusion to business strategy and decisions, while creating and maintaining highly-performing teams.

“Secondly, as the saying goes, you are only as strong as your weakest link, so working with an organization to ensure access to systems and data is provisioned only on a need-to-know basis will go a long way. This is where working with a trusted identity and access control partner really benefits an organization as a single access view of access for internally housed systems and/or cloud-based systems.”

Categories: Cyber Risk News

BlackBerry Launches Dedicated EU Data Centers to Comply with GDPR

Wed, 09/09/2020 - 12:30
BlackBerry Launches Dedicated EU Data Centers to Comply with GDPR

BlackBerry has announced the launch of dedicated EU data centers to comply with new and existing GDPR regulations.

Located in the Netherlands and France, the new data centers will add to BlackBerry’s existing infrastructure in the UK and will help the company to provide dedicated EU instances of its critical event management platform AtHoc.

Under a new EU regulation, all member states must establish a critical event public warning system to protect citizens by 2022. BlackBerry explained that, with its new EU-dedicated data centers, organizations will be able to safely and securely communicate with their workforce and other organizations through any device in the event of a natural disaster, terrorist attack or other major contingencies.

“Empowering our customers with the most secure communication platform for increasing resiliency and communicating swiftly is critical in a crisis,” said Adam Enterkin, senior vice-president EMEA at BlackBerry. “It is also vital that we are able to adhere to new and existing EU data residency requirements per the GDPR. With BlackBerry AtHoc’s new EU-based data centers we are able to scale our infrastructure to better support our customers’ needs over a secure and reliable network.”

Categories: Cyber Risk News

Critical Bugs Could Enable OT Supply Chain Attacks

Wed, 09/09/2020 - 11:10
Critical Bugs Could Enable OT Supply Chain Attacks

Security researchers have discovered six critical vulnerabilities in third-party code which could expose countless operational technology (OT) environments to remote code execution attacks.

A team at Claroty found the bugs in Wibu-Systems’ CodeMeter software license management offering, widely used by many leading vendors of industrial control system (ICS) products.

They have been given a collective CVSS score by the ICS-CERT of 10.0, representing the highest level of criticality.

“Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,” the US Cybersecurity and Infrastructure Security Agency (CISA) noted.

Attackers could phish their targets, socially engineering them into visiting a malicious site under their control to inject a malicious license onto the victim machine. Or they could exploit one of the bugs to create and inject forged licenses onto a machine running CodeMeter, Claroty said.

The firm claimed the worst of the bugs allow attackers to compromise the CodeMeter communication protocol and internal API, allowing them to send commands to any machine running the code.

This could enable complete remote takeover, allowing attackers to install ransomware or other exploits and/or crash programmable logic controllers (PLCs) because of the malicious license.

Mitigating the threat is made more difficult by virtue of the fact that many OT managers may not know a vulnerable version of CodeMeter is running. Claroty recommended scanning for the product, blocking TCP port 22350 and contacting ICS vendors to check if they can manually upgrade the third-party component of CodeMeter.

A report from Claroty last month claimed that over 70% of ICS vulnerabilities disclosed in the first half of the year can be remotely exploited.

Categories: Cyber Risk News

Researchers Uncover 89 Zero-Days in CMS Platforms

Wed, 09/09/2020 - 09:40
Researchers Uncover 89 Zero-Days in CMS Platforms

Security researchers are warning users of popular content management system (CMS) platforms that they could be exposed to a range of cyber-threats, after uncovering 89 zero-day vulnerabilities.

A team at Comparitech decided to investigate a recent surge in web defacement attacks which appears to have bucked the long-term trend of a decline in such activity.

Monthly attacks soared from around 300,000 in July 2019 to nearly 700,000 in May 2020. Comparitech privacy advocate Paul Bischoff claimed the rise may be due to hackers staving off boredom while in lockdown.

As part of its investigation, the team uncovered 89 zero-day vulnerabilities in platforms such as WordPress, Joomla, Drupal and Opencart — and their plugins.

It claimed that as many as 100,000 websites are currently running plugins vulnerable to exploitation of these bugs, and that the vast majority of which were on WordPress (78,430) and Joomla (16,360).

“Researchers analyzed the source code of five popular mass-hacking bots, each of which can take advantage of 40 to 80 exploits,” Bischoff continued. “Arbitrary file upload vulnerabilities are the most common, which allow attackers to upload shell scripts onto web servers. Those shell scripts can then be used to remotely execute code and deface the site.”

However, web defacement represents a relatively minor impact compared to the potential damage such attacks could cause.

“Many of the exploits could also be used to distribute malware, set up phishing pages, redirect users to other malicious pages, install card skimming malware, add the server to a botnet, install a cryptominer, encrypt site data with ransomware or launch a number of other attacks on the site and its visitors,” Bischoff warned.

Comparitech also found that a relatively small number of the exploits it analyzed appear in vulnerability databases: just 124 out of a total of 280. This makes it less likely that security teams and vendors will have documented and built-in protections against them.

Scanning for specific plugins, databases and other elements known to be vulnerable is relatively straightforward via specially crafted searches known as “dorks,” explained Bischoff. Alternatively, IP scanning bots or IoT search engines like, Censys and BinaryEdge can be used. Off-the-shelf hacking tools have also lowered the barrier to entry significantly over recent years, he concluded.

Categories: Cyber Risk News

Microsoft Patches 129 CVEs in Another Major Monthly Update

Wed, 09/09/2020 - 08:25
Microsoft Patches 129 CVEs in Another Major Monthly Update

Microsoft has fixed 129 CVEs this Patch Tuesday, the seventh month in a row that the number has exceeded 100.

The September line-up for system administrators included 23 critical vulnerabilities, mostly affecting Windows OS and browsers, although none have been exploited or publicly disclosed.

SharePoint also accounts for seven of the critical bugs fixed this month, all of which could lead to remote code execution (RCE).

“Five of these vulnerabilities (CVE-2020-1200CVE-2020-1210CVE-2020-1452CVE-2020-1453CVE-2020-1576) involve uploading a malicious application package, and one (CVE-2020-1460) involves user-created content,” explained Qualys senior director of product management, Jimmy Graham.

“The remaining vulnerability (CVE-2020-1595) is a deserialization vulnerability in SharePoint APIs. Because of this, it is highly recommended to prioritize these patches across all SharePoint deployments.”

Another flaw highlighted by experts as a priority is an RCE bug in Exchange 2016 and 2019 with a CVSS score of 9.1 (CVE-2020-16875).

“The vulnerability is a memory corruption vulnerability, which means all an attacker has to do is send a specially crafted email to exploit it,” said Allan Liska, senior security architect at Recorded Future.

“Both cyber-criminal and nation state threat actors are looking to exploit Microsoft Exchange because so many large enterprises rely on it. For example, CVE-2020-0688 was disclosed in February of this year and by early March exploits were being discussed on underground forums, and vulnerable systems were being scanned and exploited.”

Another, CVE-2020-0922, is an RCE bug in Microsoft COM for Windows, which affects Windows 7-10 and Windows Server 2008-2019.

“The vulnerability exists in the way Microsoft COM handles objects in memory and, when exploited, would allow an attacker to execute arbitrary scripts on a victim machine. To exploit a vulnerability an attacker would need to get a victim to execute a malicious JavaScript on the victim’s machine,” said Liska.

“If this vulnerability is eventually weaponized, it would be in line with recent trends of attackers using so-called fileless malware in their attacks by sending phishing emails with malicious scripts as attachments.”

Google also released a security update yesterday fixing five security vulnerabilities in Chrome rated “high,” its second highest severity rating.

Categories: Cyber Risk News

DOJ Scam Targets Elderly Americans

Tue, 09/08/2020 - 17:12
DOJ Scam Targets Elderly Americans

Unscrupulous criminals are impersonating employees of the United States Department of Justice to scam elderly victims of crime. 

The DOJ issued a fraud alert on Friday in which it strongly encouraged the public to remain vigilant and urged them not to provide personal information over the phone to anyone claiming to be from the department.

An alert was issued after the Office of Justice Programs’ Office for Victims of Crime (OVC) received multiple reports that individuals claiming to represent the Department of Justice are calling members of the public as part of an imposter scam.

A DOJ spokesperson said: "Reports to the National Elder Fraud Hotline indicate these scammers falsely represent themselves as Department of Justice investigators or employees and attempt to obtain personal information from the call recipient, or they leave a voicemail with a return phone number." 

The return phone number directs users to a recorded menu that has been set up to match the genuine recorded menu for the department’s main phone number. 

Eventually, the user reaches a fake operator who connects them to someone claiming to be an investigator. That charlatan investigator then attempts to con the user into sharing their personal information.

The National Elder Fraud Hotline is open seven days a week for people to report fraud against American seniors aged 60 or older. 

“Phone scams are an ugly and pervasive act of victimization. The scams being reported to our National Elder Fraud Hotline are especially heinous because they show the perpetrators are preying upon one of the most vulnerable segments of our society—the elderly,” said OVC director Jessica Hart. 

“As if this were not despicable enough, the scammers do so posing as employees of the Justice Department, usurping public trust in the agency that serves as a bastion of fairness and lawfulness while these scams exploit the elderly for financial gain."

Hart added that the first step to identifying the criminals behind such scams is to report their crimes to the relevant authorities. 

Americans who receive one of these calls are urged to report it to the Federal Trade Commission.

Categories: Cyber Risk News

Ransomware Postpones School in Connecticut

Tue, 09/08/2020 - 16:43
Ransomware Postpones School in Connecticut

The first day back to school was postponed for students in the Connecticut capital after a cyber-attack knocked critical systems offline. 

Hartford Public Schools students were due to resume classes on Tuesday morning. Instead, lessons were put on hold while officials tried to deal with a ransomware attack that struck the city on Thursday, causing a systems outage over Labor Day Weekend. 

Hartford mayor Luke Bronin described the incident as the most extensive and significant cyber-attack on the city in the last five years. According to the mayor, the attack would have been worse had the city not invested in a cybersecurity system a year ago. 

City officials said an unauthorized attacker first gained access to the city's systems on Thursday but didn't launch an attack until Saturday. The IT team worked through the weekend, going server to server to restore systems. 

Bronin said the Hartford Public Schools system has about 300 servers, more than 200 of which were impacted by the cyber-attack. 

Student information systems were restored at around midnight on Monday, said Hartford Public Schools superintendent Dr. Leslie Torres-Rodriguez. 

She said: “It houses all of our student addresses, our grades, our attendance. It’s all housed there. It’s all been fully restored."

Torres-Rodriguez added that the ransomware did not have any impact on the student learning platforms.

The system that routes school buses has not yet been fully restored following the attack. Other Hartford city systems impacted by the cyber-incident include public safety systems.

The city's police department said that response times were not impacted by the incident, but that the ransomware attack had caused inconvenient scheduling issues. 

City officials told NBC Connecticut that they don't believe any private information or sensitive financial information was exfiltrated by the attacker.

In its latest "State of Email Security Report," Mimecast examined the effects of ransomware and email attacks on the education sector. The company found that 32% of workers in the public sector said that ransomware had impacted their operations in the last 12 months.

On average, those struck by ransomware suffered two to three days of downtime as a result of the attack, with 9% experiencing downtime of a week or more.

Categories: Cyber Risk News

Acronis to Secure Flying Cars

Tue, 09/08/2020 - 16:15
Acronis to Secure Flying Cars

Global technology company Acronis today announced a technical and strategic partnership with Airspeeder, the world’s first electric flying car racing series.

Acronis will deliver technical and commercial support to the racing series, which was created by performance electric flying car manufacturer Alauda.

The partnership will be reflected in the placement of Acronis branding in a prominent position on Airspeeder’s MK4 racing craft.

Plans are under way for the first Airspeeder Grand Prix to be held in 2021, in which electric racing multi-copters will fly at speeds of up to 130km/h. 

Light Detection and Ranging (LiDAR) and Machine Vision technology will be used to create a virtual force-field around each racing craft. Acronis will provide cyber-protection solutions to ensure the technology can deliver close but safe racing between the crafts. 

Part of this technology will be delivered by Teknov8, a global provider of cybersecurity solutions that will support Acronis’ partnership with Airspeeder as an Official #CyberFit Delivery Partner.

"Backing from Acronis, a business with an extraordinary culture of technological success in Formula One and Formula E, represents significant affirmation of our vision to accelerate the next great mobility revolution through sporting competition,” said Matt Pearson, founder of Alauda and Airspeeder.

Under the new partnership, Airspeeder’s team and pilots will benefit from real-time data, including analysis of battery and key systems performance. From this information, engineers will be able to define strategy as they race to find a competitive advantage in a sport where every team starts with the same technical platform. 

“Acronis’ place at the leading edge of innovation in data management perfectly aligns with Alauda and Airspeeder’s vision to accelerate a mobility revolution through close sporting competition," said Jan-Jaap Jager, the board advisor and senior vice president at Acronis. 

"Our proven, integrated approach to providing easy, efficient, reliable and secure cyber protection for all data, applications and systems will help Airspeeder to enhance their performance on the air track and in the back office. We look forward to delivering on the promise of a true next generation technical and sporting proposition.”

Categories: Cyber Risk News

Cyber-Criminals Change Tactics to Exploit #COVID19

Tue, 09/08/2020 - 15:10
Cyber-Criminals Change Tactics to Exploit #COVID19

The COVID-19 pandemic has led to a significant shift in tactics employed by cyber-criminals, according to Bitdefender’s Mid-Year Threat Landscape Report 2020published today.

Threat actors have heavily focused on the issues related to the pandemic to launch attacks such as phishing, ransomware and malware as well as exploit the increased reliance on home networks and IoT devices in the lockdown period, the study found.

Bitdefender also revealed it had received a five-fold increase in the number of coronavirus-themed reports in the first two weeks of March alone, while an average of 60% of all received emails were fraudulent in April and June. Overall, an average of four out of 10 COVID-themed emails were tagged as spam throughout the first of half of 2020. These frequently impersonated government, health and financial institutions to spread misinformation, fake cures and offers for protective equipment.

As the shift to home working took place due to COVID-19 lockdown restrictions, cyber-criminals adapted their strategy to target this phenomenon. This included the discovery of a new DNS hijacking attack targeting a popular brand of home routers that redirected victims to malware-serving websites promising applications that offer new and up-to-date information about the outbreak.

In addition, malware developers also quickly sought to target applications commonly used by remote employees, such as the Zoom video conferencing platform.

Suspicious incident reports related to IoT devices went up by 46% in the six months from January to June, which is linked to people staying indoors much more during the lockdown period. Over half (55.73%) of IoT network threats involved port-scanning attacks.

Ransomware was another particularly popular mode of attack in this period, with a seven-fold year-on-year increase in reports.

Speaking to Infosecurity, Liviu Arsene, global cybersecurity researcher at Bitdefender, explained that he expects cyber-criminals to continue leveraging the COVID-19 pandemic to launch attacks throughout the rest of 2020. “If during the first half of 2020 cyber-criminals have been exploiting the pandemic with messages promising miracle cures and medical devices or equipment meant to protect users from infection, during the second half we’ll likely see attackers exploiting the economic and social aftermath of the pandemic,” he said.

“Spam or fraudulent messages will likely exploit the way both private and public companies have changed their interaction with users. For example, messages claiming to be from financial institutions asking customers to update their personal and financial data or promising financial relief, because they can no longer do it in person in light of COVID-19 restrictions.”

Categories: Cyber Risk News

SMBs Invest in Cybersecurity Budget and Firewall Technology

Tue, 09/08/2020 - 13:30
SMBs Invest in Cybersecurity Budget and Firewall Technology

Small- to medium-sized businesses (SMBs) are proactively putting tools in place to combat attacks whilst working with limited security budgets and constrainted resources.

According to research of 500 SMBs by Untangle, 38% have allocated under $1000 to their security budget, but this is an increase of 29% compared to 2019 and 27% compared to 2018. Heather Paunet, senior vice-president of product management at Untangle, told Infosecurity that its research found “74% of respondents from the survey confirmed that network security is a top business priority.”

She said 45% of respondents also confirmed news about large scale data breaches and companies dealing with these have shifted their network security roadmap. “This shows that SMBs are prioritizing some form of cybersecurity, but within their limited budgets,” she added. “This can be focusing on a firewall solution one year, and then endpoint security options in another.”

In terms of technology, 82% of SMBs rank firewalls as the most important features when considering which IT security solutions to purchase, whilst 71% have their firewall on site rather than in the cloud.

Paunet said: “Many firewalls can be deployed easily for novice or intermediate network administrators. Many times, next-generation firewalls can be deployed with some standard presets, and as IT teams and administrators become more familiar with the technology and the needs of their company, they can adjust settings, block lists, filters and access parameters.” 

In terms of budget allocation, 32% of respondents identify budget as their greatest barrier, followed by employees who do not follow IT security guidelines (24%) and limited time to research and understand emerging threats (13%). Paunet said with fewer employees overall, the number of incidents can decrease. “For example, with only a handful of employees, email filtering or web filtering overall can be more effective, and training five employees on a consistent basis to notice suspicious activity or emails can help create a better employee-driven defense against cyber-attack,” she explained.

“IT teams do need to be aware that just because their company may be small, they can still be targeted by phishing scams or malicious links.”

Furthermore, 78% of SMB employees are temporarily working remotely with 56% suggesting some positions will be permanently remote moving forward.

“As the abnormal becomes our new normal, SMBs need to approach remote work by using a combination of cloud-based applications and on-premises solutions to keep employees and systems safe, and ensure business continuity,” said Scott Devens, CEO at Untangle.

“SMBs should be looking for technologies that incorporate multi-layered network security tools and a hybrid network infrastructure, such as SD-WAN, to avoid large-scale network vulnerabilities, regardless of budget and resource size.”

Categories: Cyber Risk News

Almost a Quarter of UK Work Computers Lack Adequate Security Software

Tue, 09/08/2020 - 12:30
Almost a Quarter of UK Work Computers Lack Adequate Security Software

New research from Kaspersky has discovered that of the 32% of Brits provided with a corporate desktop computer, only 77% have adequate anti-virus or cybersecurity software installed, leaving 23% of company desktops significantly insecure and exposed to cyber-threats.

This is also the case for company smartphones, 23% of which are unprotected, according to the security giant.

Kaspersky did point out that corporate laptops are slightly more likely to be protected than desktops and smartphones, although it stated that one in five laptops still lack adequate security software.

Kaspersky commissioned Arlington Research to interview 2000 UK consumers aged 18+ in June 2020.

The figures gathered are particularly concerning given the current remote working trend brought about by the COVID-19 pandemic, which has seen 48% of the UK’s 32.9 million workers work remotely from their normal workplace this year.

With regards to personal devices being used for corporate means – something that has become more common since COVID-19 lockdowns and remote working strategies were introduced – Kaspersky’s findings make for even more troubling reading.

For example, more than half of those surveyed by Kaspersky stated that they use personal smartphones to check work email, while 36% rely on their personal laptop or desktop for work. However, personal devices are even less likely to be protected by adequate security software than employer-supplied equipment, Kaspersky found.

“When company devices are used outside the workplace, they are at greater risk of cyber-threats,” said David Emm, principal security researcher at Kaspersky. “Therefore, it’s troubling to discover that nearly a quarter of corporate computers and smartphones lack anti-virus software, leaving them potentially vulnerable to attack.

“It’s important that all businesses pre-install staff computers and devices with security software to ensure they are protected at all times. Employers must also make sure staff know how to install or check the status of anti-virus software while working on personal, or company devices from home, to secure corporate information and networks.”

Categories: Cyber Risk News