Info Security

Subscribe to Info Security  feed
Updated: 2 hours 27 min ago

German Regulator Fines Firm for GDPR Failings

Mon, 11/26/2018 - 10:23
German Regulator Fines Firm for GDPR Failings

A German privacy regulator has issued its first GDPR fine after a hacker stole unencrypted data on hundreds of thousands of customers of a local chat app.

The Baden-Württemberg Data Protection Authority (LfDI) fined Knuddels just €20,000 ($22,700) despite the firm having stored user passwords and emails in plain text.

As a result, hackers were able to make off with 330,000 legitimate credentials, publishing them in September 2018 on Pastebin and Mega.

The breach itself is thought to have been much bigger, with over 800,000 email addresses and over 1.8 million passwords stolen, although only 330,000 have been confirmed.

Although the lack of encryption breaks a core requirement of the GDPR, the German chat app provider seems to have benefited from responding with speed and transparency.

“The company implemented extensive measures to improve its IT security architecture within a few weeks, bringing its users' data up to date. In addition, the company will implement additional measures to further improve data security in the coming weeks in coordination with LfDI,” the regional regulator said in a statement.

“The very good cooperation with the LfDI spoke in particular to the benefit of the company. The transparency of the company was just as exemplary as the readiness, the guidelines and recommendations of the State Commissioner for Data Protection and Freedom of Information. In this way, the security of the user data of the social media service could be significantly improved in a very short time.”

The action taken in this case will reassure some Data Protection Officers (DPOs) waiting to see how regulators enforce the GDPR that the emphasis is on education rather than making an example of organizations.

UK watchdog the Information Commissioner’s Office (ICO) has said as much in the past.

"Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack," said Stefan Brink, state data protection commissioner for Baden-Württemberg. "The LfDI is not interested in entering into a competition for the highest possible fines. In the end, it's about improving privacy and data security for the users."

Categories: Cyber Risk News

Ukrainian Police Nab Suspected RAT-Slinger

Mon, 11/26/2018 - 09:54
Ukrainian Police Nab Suspected RAT-Slinger

Police in Ukraine have arrested a man who allegedly used a notorious Remote Access Trojan (RAT) to target thousands of users around the world.

A statement from the Ukrainian National Police on Friday said that cyber specialists on the force cuffed a 42-year-old man from Lviv on suspicion of using the DarkComet malware.

He’s said to have infected 2000 computers in 50 countries around the world.

On searching his machines, the police found the man installed "a Trojan virus administration program on his computer and modified it to send out client versions of the virus,” according to the statement.

These ‘clients’ are used to harvest data from infected machines. The malware has been around for at least six years and was even used by the Syrian regime to spy on activists and opposition groups.

It features multiple capabilities including keylogging, password and document theft, webcam monitoring, taking screenshots of the victim’s machine, and even disabling AV notification settings.

“The cyber police specialists analyzed the malware. It is found that the virus provides full remote access to controlled computers. In particular — the ability to download and upload files, manage startup and services, remotely manage the registry, install and remove programs, take screenshots from the remote screen, intercept microphone sound and video from embedded or external cameras,” the statement continued.

Perhaps most incriminating of all, the police found screenshots of infected victim computers on the arrested man’s machine.

Ukrainian police also issued a series of steps for users to take to check if their computer has been infected with DarkComet.

This involves checking if the machine is trying to communicate with IP address 193.53.83.233 on port 1604 or 81.

If so, they’re urged to use anti-malware program to remove the infection.

Categories: Cyber Risk News

US Says China Increased Hacking over Trade Dispute

Fri, 11/23/2018 - 15:44
US Says China Increased Hacking over Trade Dispute

In advance of a meeting between US President Donald Trump and China's President Xi Jinping, a US government report made claims that China had increased hacking attempts in an effort to steal American technology and shows no sign of stopping or slowing its cyber-theft practices, according to the Associated Press.

The report from the Office of the United States Trade Representative stated: "cybersecurity firms have observed, in the period from mid-2017 through mid-2018, what appear to be Chinese state-sponsored entities attacking firms in cloud computing, Internet of Things, artificial intelligence, biomedicines, civilian space, alternative energy, robotics, rail, agricultural machinery, and high-end medical devices sectors. One cybersecurity firm, CrowdStrike, observed that Chinese state hacking is gaining in pace and volume, while another, FireEye/Mandiant, similarly stated that previously inactive Chinese hacking groups had now been reactivated.

"In November 2018, cybersecurity firm Carbon Black found a sharp rise in the third quarter of 2018 'in attacks against manufacturing companies – a type of attack that has been frequently tied to Chinese economic espionage.' It also found that 68% of incident response professionals surveyed during the preceding three months assessed that China was the source of the observable cyberattacks, more than any other country." 

Asserting the increased threat to US companies from Chinese advanced persistent threat (APT) group, APT10, the report said the Department of Homeland Security (DHS) had also seen an uptick in cyber-enabled theft coming from China.

“We completed this update as part of this Administration’s strengthened monitoring and enforcement effort,” Ambassador Robert Lighthizer said in a press release. “This update shows that China has not fundamentally altered its unfair, unreasonable, and market-distorting practices that were the subject of the March 2018 report on our Section 301 investigation.” 

In addition, the policies and practices of Chinese adversaries are growing more sophisticated. The report stated: "China’s state-supported hackers have developed new ways of concealing their attacks. In particular, hackers appear to be using generic 'tools' that leave little if any unique traces, making attribution more difficult."

Categories: Cyber Risk News

PI System Software Maker, OSIsoft, Announced Breach

Fri, 11/23/2018 - 15:06
PI System Software Maker, OSIsoft, Announced Breach

A self-proclaimed leader in enabling operational intelligence, OSIsoft, maker of PI system software, announced an ongoing investigation into a data breach that likely compromised all domain accounts.

On 16 November, the company reported that it was experiencing a security incident that potentially affected everyone from employees and interns to consultants and contractors. Attackers reportedly stole credentials and used them to access the OSIsoft computers, which resulted in alerts of unauthorized activity from the intrusion detection systems.

“Our security service provider has recovered direct evidence of credential theft activity involving 29 computers and 135 accounts. We have concluded, however, that all OSI domain accounts are affected,” the data breach notification warned.

Additionally, the company advised, “You should assume your OSI domain logon account name, as well as email address and password have been compromised.”

The incident remains under investigation with the company’s security service providers, and OSIsoft reported that it “has developed a comprehensive remediation strategy that includes a contingency plan, in case there is an escalation of unauthorized activity as the investigation continues.”

The company also advised that users reset external accounts to use different passwords.

“While most organizations factor vendors, suppliers and contractors into their third-party risk management programs, the reality is that our digital ecosystems are a lot bigger than that. Any third party in a company’s digital ecosystem can be the weak link that gives attackers a clear path to exposed data,” said Fred Kneip, CEO, CyberGRX.

“In this case, OSIsoft’s security controls weren’t able to stop a case of credential theft, affecting a confirmed 135 accounts and possibly more. With over 65% of Fortune 500 industrial companies using their product, OSIsoft is a major gateway to valuable data and they should be seen as such. Large companies like these often interact with tens of thousands of third parties, and it’s critical for them to gain a better understanding of which of those third parties pose the biggest risk to their data.”

Categories: Cyber Risk News

Phishing Used to Launch GreyEnergy's ICS Attacks

Fri, 11/23/2018 - 14:42
Phishing Used to Launch GreyEnergy's ICS Attacks

The advanced persistent threat (APT) group GreyEnergy has been targeting industrial networks across Ukraine and Eastern Europe for years, and according to analysis of the group’s activity, the attacks begin with a malicious document sent in a phishing email.

Nozomi Networks performed analysis on the GreyEnergy advanced ICS malware and found that the tools and tactics used by the threat actors allowed the group to stay under the radar of typical anomaly detection tools for a long time.

Found in Ukraine and Poland, the GreyEnergy ICS malware successfully infected its targets using a phishing email that included a suspicious looking – and indeed malicious – word document written in Ukranian, according to Alessandro Di Pinto, security researcher at Nozomi Networks. While there is a security warning at the top of the page, within the security warning is a box asking the user to "enable content" – a clear attempt to trick the user.

The message also encourages viewers to fill in the fake interactive form included within the email. While the phishing email is common, “The malware’s code is anything but common – it is well written and smartly put together and is designed to defeat detection by cybersecurity products,” Di Pinto wrote.

In analyzing how the document works, Di Pinto found that once opened, it tries to load a remote image, which happens before the viewer enables the macros. The malicious code is easily decompressed and extracted using the oledump tool, according to Di Pinto.

“Having completed my analysis, it’s evident that the GreyEnergy packer does a great job of slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were wisely selected,” Di Pinto wrote.

“For example, the threat actor chose to implement custom algorithms that are not too difficult to defeat, but they are hard enough to protect the malicious payload. Additionally, the broad use of anti-forensic techniques, such as the wiping of in-memory strings, underline the attacker’s attempt to stay stealthy and have the infection go unnoticed."

Categories: Cyber Risk News

Alleged SIM Swap Fraudster Stole $1m from Exec

Fri, 11/23/2018 - 11:02
Alleged SIM Swap Fraudster Stole $1m from Exec

A Manhattan man is alleged to have stolen $1m in cryptocurrency from a Silicon Valley executive in a classic SIM swapping attack.

Nicholas Truglia, 21, allegedly targeted several victims including Saswata Basu, CEO of blockchain service 0Chain Myles Danielsen, vice-president of Hall Capital Partners and Gabrielle Katsnelson, co-founder of startup SMBX.

He was apparently able to hijack all of their mobile phone accounts, convincing carrier staff to transfer their numbers to new SIMs, but didn’t managed to grab any funds as a result.

However, a fourth victim wasn’t so lucky. San Francisco father-of-two, Robert Ross, also had his account hijacked and this time Truglia was allegedly able to use it to access $500,000 in a Coinbase account and $500,000 in a Gemini account.

Typically, this is possible because SIM swap attackers are able to intercept the two-factor authentication codes sent via text message to ‘enhance’ account security.

Truglia was arrested at his West 42nd Street high-rise apartment where police were able to recover $300,000 in stolen funds. He now faces 21 counts related to six victims, according to reports.

The case highlights the growing pressure on mobile operator staff to ensure they carry out the appropriate identity checks on the phone or in store, when individuals request numbers to be ported to new SIMs.

However, sometimes the scammers may get help from individuals working on the inside.

Back in August, a US entrepreneur and cryptocurrency investor filed a $223m lawsuit against AT&T after a store employee allegedly helped SIM swap fraudsters get away with $24m of his digital funds.

Michael Terpin filed 16 counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and other charges in a US District Court in Los Angeles.

Categories: Cyber Risk News

Alleged Insurance Fraudster Arrested After Faking Death

Fri, 11/23/2018 - 10:28
Alleged Insurance Fraudster Arrested After Faking Death

A Minnesota man has been arrested and extradited to the US after allegedly faking his own death for an insurance scam.

Defendant Igor Vorotinov, 54, made his initial appearance before a US magistrate on Monday following his arrest last week in the Republic of Moldova. He’s been at large since an indictment was served for mail fraud back in February 2015.

According to the indictment, Vorotinov bought a $2m life insurance policy from Mutual of Omaha Insurance Company back in March 2010 and named his wife Irina as sole beneficiary.

However, in October 2011, police in Moldova received reports of a dead body, with documents including passport, hotel cards, and contact phone numbers indicating it was that of Vorotinov.

His wife travelled to Moldova, identified the body as his, obtained a death certificate and had the body cremated, before returning with the ashes.

A check of $2,048,414 was sent by the insurer to Irina, who recruited a third party to deposit it in a newly opened account, before apparently instructing them to transfer $1.5m to her son Alkon. According to the DoJ, more than $1.5m of the proceeds was transferred to bank accounts in Switzerland and Moldova between March 29 2012 and January 2015.

However, the alleged scam was busted when Alkon was stopped by customs in Detroit on returning from a trip to Moldova. On his laptop, agents discovered photos of his father taken in April and May 2013, alive and well.

Irina Vorotinov is currently serving a 37-month stretch in a federal prison after pleading guilty to mail fraud and one count of “engaging in a monetary transaction in criminally derived property,” while her son pleaded guilty to to one count of misprision of a felony and was sentenced to three years’ probation. They were ordered to pay joint restitution of $2,056,554.

Categories: Cyber Risk News

Black Friday Warning as UK Retailers Fail on 2FA

Fri, 11/23/2018 - 09:46
Black Friday Warning as UK Retailers Fail on 2FA

Nine out of 10 UK retailers are failing to boost customers' log-in security with two-factor authentication (2FA), according to new research from LastPass.

The LogMeIn company used the Black Friday shopping period this weekend to raise awareness about the continued security failings of many online retailers.

Only Amazon passed the 2FA test among the top shopping sites in the UK by 2017 retail sales. Asda, Very, Marks & Spencer, Argos, John Lewis, Sainsbury’s, Tesco, Ocado and Next all failed.

This is despite most retailers on the list making an annual revenue of over £1 billion, with a couple (Tesco and Argos) well over that.

Even worse, none of the 10 retailers require special characters when creating a password, and only two, Asda and Very, provide a password strength meter to help customers choose stronger passwords, according to LastPass.

It’s well-known that passwords represent a major security risk, both to corporate users and consumers. Phishing attacks were linked to 93% of all data breaches investigated by Verizon last year, for example, and consumer account takeover fraud is also on the rise.

Aside from phishing for log-ins, hackers have multiple tools and techniques at their disposal to hijack accounts. Automated credential stuffing tools, for example, try username/password combinations stolen or bought off the dark web on a variety of sites in the hope that users have reused their log-ins. 

In this respect, both a password manager or, even better, 2FA can help to mitigate the risks associated with log-in security, although retailers believe the latter could add friction to the authentication process and therefore potentially affect profits.

Despite these concerns, more and more companies are investing in 2FA. According to LastPass, 45% now use it, versus just 25% the previous year.

However, retailers continue to lag, with one of the worst Security Scores of any sector: 48% versus an average of 52% for the 43,000 customers benchmarked by the LastPass.

One the plus side, all of those appraised were found to be using HTTPS. However, another report this week found four top high street names which were not: Cards Galore, Selfridges and Arcadia Group’s Dorothy Perkins and Topshop.

It's estimated that UK consumers will spend £2.5bn online this Black Friday.

Categories: Cyber Risk News

#Irisscon Is Spam Email Defeated or Not?

Thu, 11/22/2018 - 17:42
#Irisscon Is Spam Email Defeated or Not?

Looking back at the first spam messages sent in the 1800s, Virus Bulletin editor Martijn Grooten said that in the 1980s spam was impolite, 1990s it was a nuisance, 2000s it was a threat but in the 2010s spam was apparently ‘solved’.

He said that statistics have proved that email spam was “something we could not keep up with no matter how good your spam filter is.”

Grooten said that spam “exists as people like to break the law” and the issue of dealing with unsolicited bulk email remains a challenge as solutions do not work. He pointed at “solutions” such as only accepting email from people you have previously approved, calling this “unworkable as you would need global approval system, and some sort of PKI.” 

From the defense side, Grooten said that IP blacklists, a list of bad senders and IP addresses that should not send email, can work if the sender’s reputation is more advanced. Actively scanning attachments and links also works, as well as practices such as reducing open relays, closing port 25 for home users and standards like SPF, DKIM and DMARC. On DMARC, Grooten said that this can be cost prohibitive, but while the impact of DMARC on spam and other kinds of filtering is subtle, he said “it is one of the great success stories.”

He concluded by saying that he wished all emails were end to end encrypted, but there seems to be no desire to do that. 

As for stopping targeted email attacks, Grooten said that this was not possible, but defenders can tackle the problem by raising awareness about clicking on links, assuming some emails will get though so build defenses accordingly with options like 2FA and multi layered approaches, or by watching out for breaches in the headlines and “be ready to contact Mandiant and keep an eye on Krebs in case he mentions you.”

Categories: Cyber Risk News

#Irisscon: Stop Siloing Vulnerability Management to Deal with Old Bugs

Thu, 11/22/2018 - 15:05
#Irisscon: Stop Siloing Vulnerability Management to Deal with Old Bugs

Some common vulnerabilities are coming up to their 30th birthday, and some were “coined in the days of Netscape Navigator.”

Speaking at Irisscon in Dublin, Edgescan CEO Eoin Keary said that one of the problems in cybersecurity is vulnerability management being siloed, and network security and web application security testing being determined as another silo and “something to look at is our assets as a full stack which will continually change all the time.”

Keary said that code is pushed out by developers as part of their job which drives the company daily, and applications are deployed quicker, so we need to realize what impact a penetration test will have. “A one-off penetration test is a snapshot in time and by the time the report is delivered, new code is deployed and the system has changed,” he said.

Keary made reference to the Magecart attacks, saying that with some intelligence of the change in code these types of attack could be prevented. “Change gives rise to risk and gives rise to vulnerabilities.”

He said that full stack security should be considered over a one-time penetration test, but also the pitfalls of DevSecOps also need to be understood “as it gives you a false sense of security and you will catch the low hanging fruit.”

Also speaking at the conference, Dave Lewis, advisory CISO at Duo Security, cited the vulnerabilities that allowed the WannaCry ransomware to spread, saying that this was “something that was a known bad for a decade” and “we need to do better than this.”

Categories: Cyber Risk News

#Irisscon: Government Needs to Join Irish Cyber Agenda

Thu, 11/22/2018 - 13:01
#Irisscon: Government Needs to Join Irish Cyber Agenda

Government needs to take an active role in cybersecurity if it wants to develop technology sectors. 

Speaking at the tenth Irisscon conference in Dublin, BH Consulting CEO Brian Honan said that as the Irish Computer Emergency Readiness Team (CERT) was established in 2008 at the same time as the economic downturn, the intention of the CERT and Irisscon was to “identify Ireland as a key player in technology.”

Highlighting the change in times from its beginnings, Honan mentioned that in the first year of the CERT it received 448 incident reports, while 10 years later that figure was more than 30,000. He said that this has come about because of “more notifications and coordination with other CERTs” and shows how much the cybercrime landscape has changed in Ireland, as cyber-criminals are targeting companies not matter where they are.

Despite claims of zero-day exploitation and advanced persistent threats, Honan said that the root cause of security problems are poor passwords, systems that have not been patched and a lack of monitoring. “Companies only find they are hosting malware, cryptomining software or phishing domains when the CERT contacts them,” he added. “It is not what hits the headlines, it is the bog standard boring stuff.”

Looking back at milestones in the first 10 years of the Irish CERT, Honan said that Ireland was one of the key players in the Stuxnet takedown “as two command and control centers were hosted in Ireland.” It was also part of the Conficker working group, the take down of DNSchanger and it has worked with TFC CERT and FIRST “so we are actively involved in trying to make the overall online environment much safer as well.”

Concluding, Honan said that the whole nation relies on the work of the CERT. He warned: “We need to take this more seriously and need a role in government to take responsibility of cybersecurity at a national level, and we need a Tsar to drive this.”

He praised the work of the Irish National Cyber Security Centre despite many people not knowing of its existence. “As a nation, we should be very proud of what we are doing to keep safe, but as an industry, we need to go to politicians and say we need to spend more time on it.”

Categories: Cyber Risk News

UK Retailers in Website Security Fail

Thu, 11/22/2018 - 10:43
UK Retailers in Website Security Fail

Only around a third of some of the UK’s top retailers have invested in the most secure web certificates, potentially exposing customers to phishing attacks and missing out on sales, according to Sectigo.

Formerly known as Comodo, the world’s largest commercial certificate authority audited 25 major high street and online names to see what kind of certificate-based security they had in place.

Only nine are said to have passed muster with Extended Validation (EV) SSL certificates.

These offer customers the highest assurance they’re on the right site, providing a company-branded address bar and padlock in green, and more information on the issued certificate. They also require the applying business to undergo more stringent checks to authenticate.

Regular SSL certificates are still secure, but only flash up a padlock and there's no readily available information on the certificate. These are also issued more easily, with fewer checks.

Of greater concern are the four retailers which had no secure certificate in place for visitors to their site. This means users not only see no padlock or branded address bar, but there’s also a “not secure” warning displayed in the browser which could put many off from shopping on the site.

Cards Galore, Selfridges and Arcadia Group’s Dorothy Perkins and Topshop were all guilty of failing to secure their websites, according to the Sectigo study.

"Businesses grow when they can inspire trust in their customers. In the age of online shopping, the onus is on every online business to guarantee that their customers are as safe when navigating through their online stores as they are when visiting their physical ones,” explained Sectigo senior fellow, Tim Callan.

“The easiest and most efficient way to assure them of this is the Extended Validation certificate, which verifies that the website is genuinely operated by the expected online business and not some fraudster trying to cheat you. Businesses that use these certificates optimize their relationships with customers, increasing revenue and adding an essential competitive advantage to their side."

The news comes as retailers will be expecting a major rush of customers this weekend looking to grab any Black Friday/Cyber Monday bargains.

Categories: Cyber Risk News

US Postal Service Exposes 60 Million Users in API Snafu

Thu, 11/22/2018 - 10:06
US Postal Service Exposes 60 Million Users in API Snafu

The US Postal Service (USPS) is in the dock after an apparent API vulnerability exposed the account details of 60 million users of its online service.

The issue related to a service known as “Informed Visibility” which USPS offered to businesses, allowing them to access near real-time tracking data on packages. However, along with this data, the related API also allowed anyone logged in to USPS.com to query the account details of other users of the site and even modify some details.

These included email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and more, according to Brian Krebs.

It appears as if the developers forgot a key element of cybersecurity when designing the API: access controls.

USPS claimed in a statement that the incident has now been mitigated and that it has no information that it was used in any criminal endeavor.

“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously,” it continued. “Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

With APIs becoming increasingly popular, security concerns have started to emerge. An Imperva poll earlier this year claimed 69% of firms are exposing APIs to the public and their partners, managing 363 on average per organization.

Tim Mackey, senior technology evangelist at Synopsys, said organizations should view tracking of API dependencies as a core risk reduction strategy.

“Understanding the data transmitted to an API and a method to validate the sanity of the returned data should be part of the review process in all development and procurement teams,” he added. “Armed with this information, API consumers can then monitor for any security disclosures associated with their API usage.”

Bernard Harguindeguy, CTO of Ping Identity, added that the USPS snafu should be a wake-up call for developers.

“Effective API security starts with deep visibility into all API traffic, followed by strong authentication and data governance,” he argued. “Companies' crown jewels — their customers' data — are increasingly being made accessible via APIs, and protecting this infrastructure from vulnerabilities and cyber-attacks has to be the top priority for CISOs and CIOs everywhere."

Categories: Cyber Risk News

Amazon ‘Error’ Exposes Countless Customer Emails

Thu, 11/22/2018 - 09:41
Amazon ‘Error’ Exposes Countless Customer Emails

Amazon is remaining tight-lipped after sending an email to an unknown number of customers revealing that a ‘technical error’ disclosed their email address.

There has been no further information from the online giant about the incident except to confirm that it had been fixed and that all affected customers had been informed.

The email itself, tweeted many times by concerned customers, claimed: “Our website inadvertently disclosed your email address due to a technical error.”

It went on to say: “This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”

However, the information vacuum has led to speculation over the email.

One user, @PogoWasRight, branded the outreach “unsatisfactory.”

“For how long was my email address exposed? To whom was it exposed? The whole world? How did it wind up exposed? Could anyone seeing it also see orders linked to that email address?” they asked on Twitter.

Several other users complained that it appeared like a phishing email because of inconsistencies. For example, it’s not personalized and is signed off with “http://Amazon.com” — which is an insecure site, with an unusually capped “A.”

Researcher Brian Krebs has suggested the incident may be related to reports in early October of an Amazon employee being fired after sharing customer email addresses with an outside seller on its platform.

As the issue relates to Amazon.com, it’s unlikely to affect European citizens, but if that’s a possibility the firm would have had to come clean to the authorities of any serious breach within 72-hours of discovery.

The incident couldn't have come at a worse time for the e-commerce giant, just as Americans head into the Thanksgiving holidays when the online retailer will hope to make a fortune on the back of Black Friday and Cyber Monday.

Categories: Cyber Risk News

Mirai Used as Payload in Hadoop YARN Vulnerability

Wed, 11/21/2018 - 17:32
Mirai Used as Payload in Hadoop YARN Vulnerability

A Mirai variant has been discovered targeting unpatched Linux servers, shifting the use of the malicious payload beyond the internet of things (IoT), according to new research from NETSCOUT ASERT.

Using their honeypot network to monitor the tens of thousands of daily exploit attempts for the Hadoop YARN vulnerability, Arbor’s Security Engineering and Response Team (ASERT) researchers surprisingly found the all-too-familiar Mirai payload.

"Mirai botmasters have found they can target Linux servers just as easily as IoT devices. They attack the servers themselves rather than rely on the bots to propagate, since servers tend not to move around the network or get powered down,” said Matt Bing, security research analyst at NETSCOUT.

“Servers make an attractive target for DDoS bots for their network speed and hardware resources, compared to relatively underpowered IoT devices. What we've seen is Linux servers being conscripted to the same botnets as IoT devices. In the future we can expect more DDoS botnets with both infected IoT devices and Linux servers, like an army of foot soldiers being supported by tanks."

Tailored to run on Linux servers, the new variant of Mirai exhibited similar behaviors to those of the original version. This discovery marks the first time ASERT has seen Mirai used to exploit non-IoT systems in the wild.

“Rather than rely on the bots to propagate, the attackers have shifted their tactics to issuing exploits themselves. A relatively small number of attackers are using custom tools to exploit the Hadoop YARN vulnerability and deliver Linux malware,” Bing wrote.

The vulnerability leverages a command injection flaw, enabling the execution of arbitrary shell commands, a vulnerability used last month to install the DemonBot DDoS bot, according to the researchers.

Given that Linux servers have access to greater bandwidth than IoT devices running on the networks, the Mirai bots reportedly act as more efficient DDoS bots, capable of executing attacks that compete with a much larger IoT botnet.

Categories: Cyber Risk News

Phishers Up Their Game to Combat User Awareness

Wed, 11/21/2018 - 16:13
Phishers Up Their Game to Combat User Awareness

In an attempt to undermine the security industry’s effort to educate end users about phishing campaigns, malicious actors are evolving in their tactics, according to Zscaler.

In a recent blog published by Zscaler Threat LabZ, Deepen Desai and Rohit Hegde detailed findings of new research into phishing activities. According to the findings, Microsoft, Facebook and PayPal are the top brands that are being targeted by phishing campaigns.

Credit: Zscaler

The top five sector categories that are most commonly targeted are communications (41.4%), social media (18.3%), finance (16.7%), travel (12.4%) and dating (3.4%).

“In addition to the known brands, it was interesting to see phishing campaigns targeting Travel Visa portals (Canadian Visa and Australian Visa, for example) included in our top five most targeted brands. The attackers in this case were most likely interested in phishing for sensitive immigration information, such as passport details, date of birth and national identification numbers,” Desai and Hedge wrote.

Notably one of the best tools in a hacker’s toolbox, phishing is a successful tactic long used by attackers who are looking to steal personally identifiable information, such as Social Security numbers, credit card details, date of birth, and other sensitive data.

Wrote the authors, “About 65% of all phishing content we’ve seen in the past three months was over HTTP and the remaining 35% was over HTTPS. This represents a 300% increase in phishing content being delivered over HTTPS since 2016.”

Because the security industry has been diligent in its efforts to raise awareness, putting great effort into educating users how to identify phishing sites, cybercriminals have reportedly had to up their game. The attackers have had to get creative in order to trick better-informed users, and they are reportedly now carefully designing sites to look identical to the popular brands they are imitating.  

"As the end users become more vigilant against clicking suspicious links, attackers have also upped the ante by evolving the way in which the phishing content is being delivered as well as tactics being leveraged to make the phishing pages stay undetected for longer period," they wrote.

Categories: Cyber Risk News

13 Malware-Laden Fake Apps on Google Play

Wed, 11/21/2018 - 14:42
13 Malware-Laden Fake Apps on Google Play

A security researcher used Twitter to warn users about about malware embedded in fake apps available on Google Play. Lukas Stefanko, malware researcher at ESET, reported the malicious apps to the Google security team, noting that 13 apps have been installed more than 560,000 times.

While the app downloads, an additional Android Package Kit (APK) called Game Center downloads in the background, which then requests that the user install it. According to Stefanko, once the APK is installed, it hides itself and displays ads when the device is unlocked.

Malicious actors are able to deliver malware to a victim's phone through application repackaging, often by combing screen overlay attacks to fool users into installing malware payloads because they think the requests are legitimately connected to the app they are downloading.

Attackers hijacking applications is nothing new, according to Will LaSala, director of security solutions, security evangelist at OneSpan. "Application repackaging has been on the rise for a while now. Earlier this year it was reported that applications were being hijacked to install cryptocurrency miners.”

After governments addressed the process of the cryptocurrency conversion, it became more difficult for people to cash out anonymously, LaSala said.

“However, these repackage attacks did not stop; instead they got more sophisticated and refocused on other valuable data that can be converted to money just as quickly. New repackaging attacks make common or simple apps into nefarious payload delivery applications.

“These malware apps focus on harvesting credentials and injecting libraries that can cause applications to deliver sensitive information directly into the hands of the hacker. If your application becomes the target of one of these repackaging attacks, it will affect your brand’s reputation and may cause users to turn to competitors. Besides root and jailbreak detection, applications on iOS and Android should protect themselves with application shielding technology that detects and actively prevents repackaging,” LaSala said.

Categories: Cyber Risk News

Magecart Black Hats Battle it Out On Infected Site

Wed, 11/21/2018 - 11:29
Magecart Black Hats Battle it Out On Infected Site

Groups of cyber-criminals vying for supremacy on the dark web are sabotaging each other’s attempts to skim customer card details from victim e-commerce sites, according to researchers.

Two groups spotted by Malwarebytes head of investigations, Jérôme Segura, had both infected the Brazilian website of sportswear brand Umbro with the infamous Magecart skimming code.

The first loads its code via a fake BootStrap library domain bootstrap-js[.]com and exfiltrates the data in a standard JSON output, while the second group loads from g-statistic[.]com, is heavily obfuscated, and attempts to interfere with the operation of the first.

“Before the form data is being sent, it grabs the credit card number and replaces its last digit with a random number. By tampering with the data, the second skimmer can send an invalid but almost correct credit card number to the competing skimmer," Segura explained.

“Because only a small part of it was changed, it will most likely pass validation tests and go on sale on black markets. Buyers will eventually realize their purchased credit cards are not working and will not trust that seller again.”

Multiple infections on a single site are not uncommon, and stem from poor web security, but the direct competition from the two groups highlights the popularity of Magecart among the black hats, and the potentially large financial rewards on offer.

RiskIQ recently revealed that card details belonging to BA and Newegg customers went up for sale within a week of being harvested, potentially generating millions in revenue. That report lists six groups operating the Magecart code, although there are likely to be more.

In fact, RiskIQ threat researcher, Yonathan Klijnsma tweeted that the above skirmish involved Group 3 “being bullied” by a Group 9.

“Website owners that handle payment processing need to do due diligence in securing their platform by keeping their software and plugins up-to-date, as well as paying special attention to third-party scripts,” concluded Segura.

“Consumers also need to be aware of this threat when shopping online, even if the merchant is a well-known and reputable brand. On top of closely monitoring their bank statements, they should consider ways in which they can limit the damage from malicious withdrawals.”

Categories: Cyber Risk News

Online Fraud Losses Set to Hit Nearly $50bn by 2023

Wed, 11/21/2018 - 10:48
Online Fraud Losses Set to Hit Nearly $50bn by 2023

Online payment fraud losses are set to more than double over the next five years to reach a staggering annual figure of $48bn, according to Juniper Research.

The analyst’s latest report, Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2018-2023, covers e-commerce, airline ticketing, money transfer and banking services.

It claimed that the astonishing growth in fraud will be fuelled by a continued epidemic of data breaches.

Increasingly common will be moves by the fraudsters to use pieces of this breached identity data plus PII on other individuals and/or made-up information to create new, “synthetic” identities.

“Synthetic identity is currently the low-hanging fruit because, even though it takes time for fraudsters to establish, many of their targets are not set up to detect the behavioral giveaways that indicate this type of fraud,” said research author Steffen Sorrell.

“Fraud management providers have solutions on the market to combat this, but the industry as a whole is playing catch-up.”

Synthetic fraud is reportedly the fastest-growing type of identity fraud in the US, accounting for an estimated 80-85% of the total.

“The point to remember is that with Synthetic ID Theft is that since it is not your name, address, phone number or credit file….credit monitoring, fraud alerts or credit freezes will not inform you or stop synthetic ID theft,” warned the FTC.

As instant payments become more prevalent, but fraud teams continue to focus on transactional rather than behavioral risk, losses in the money transfer sector could rise by 20% per year to hit $10bn by 2023, the Juniper research continued.

The underground fraud-as-a-service’ economy will also continue to mature, resulting in greater complexity, the report warned.

Categories: Cyber Risk News

Volume of Suspended UK Domains Doubles Again

Wed, 11/21/2018 - 10:18
Volume of Suspended UK Domains Doubles Again

The number of .uk domains suspended for criminal activity doubled over the past year, as cyber-criminals continued to target users with malicious content and phishing.

Nominet, the official registry for the TLD, revealed figures on Tuesday claiming the number surged from 16,632 last year to 32,813 during the period November 1 2017 to October 31 2018.

There are 10 organizations that report any offenses in to Nominet and, of these, five had cause to do so over the past year. These were led by the Police Intellectual Property Crime Unit (PIPCU), which made over 32,000 requests, followed by the National Fraud Intelligence Bureau (NFIB), Medicines and Healthcare Products Regulatory Agency (MHRA), Trading Standards, and the Financial Conduct Authority (FCA).

The majority of these requests related to IP infringement, although phishing sites also remain popular.

“The upward trend we are seeing in suspended domains confirms that criminals are continuing to seek opportunities in the UK namespace — be it the issue of counterfeits online, or where criminals relentlessly target consumers with malicious content, via domains registered for phishing,” explained Nominet CEO, Russell Haworth.

“Our ongoing efforts to keep the namespace safe can also be seen through our Domain Watch initiative that uses a technical algorithm to promptly suspend newly-registered domains with a very high phishing risk. Since July this year, 129 domains targeting the private and public sector have been suspended — for example barc1ays.co.uk or security-paypal.co.uk.”

The number of dodgy domains has doubled over the past three years, although the overall percentage of those suspended remains low, rising from 0.08% in 2016 to just 0.27% today.

“Working closely with the law enforcement community and using our established processes, network analytics and cybersecurity tools, will ensure that .UK remains a difficult space for criminals to operate,” said Haworth.

However, the efforts of law enforcers and researchers to investigate malicious domains has been severely impeded by the GDPR, which frequently prohibits access to the WHOIS database of registrants.

This means they can’t determine the identity of those who’ve registered a criminal or fraudulent domain or use that info to find other domains registered by the same bad actors.

“That devastates our ability to find all of the fraudulent domains registered by the same entity,” wrote one respondent in the joint Anti Phishing Working Group- Messaging, Malware and Mobile Anti-Abuse Working Group report.

Categories: Cyber Risk News

Pages