Info Security

Subscribe to Info Security  feed
Updated: 2 hours 29 min ago

BSides London and 44CON Cancel 2020 Conferences

Tue, 09/08/2020 - 11:35
BSides London and 44CON Cancel 2020 Conferences

More British security conferences have recently been canceled.

Organizers of both 44CON, which was due to take place this week, and BSides London, which was due to take place October  23 and 24, have announced in recent weeks that their 2020 events will not take place.

In a statement released today, BSides London said it is “with a heavy heart that we, as event directors, have taken the decision to CANCEL this year’s event” based on the available data and its own risk evaluation. These factors included the likelihood of maintaining social distancing in networking areas, taking temperatures upon entry, the number of people actually able to attend and the possibility of a next wave of COVID-19.

“We want to thank all of you for being patient in these times and supporting the team,” the organizers added.

Also, the organizers of 44CON said there will not be a physical 44CON event this year, or until a COVID-19 vaccine is available and being used, as government rules “mean we can’t hold the physical event in September.”  

In the meantime, 44CON announced the first in a series of free-form war gaming exercises.

A host of British cybersecurity conferences have been pulled this year, including the majority of the UK BSides events which were due to take place after lockdown began, and Infosecurity Europe, which announced its physical event was to be replaced with a series of virtual events taking place throughout the year.

Categories: Cyber Risk News

Cybersecurity Companies Expose Sensitive Data Online

Tue, 09/08/2020 - 11:05
Cybersecurity Companies Expose Sensitive Data Online

Nearly all cybersecurity companies have exposed sensitive data including PII and passwords online, according to a new study from ImmuniWeb.

The security vendor selected 398 of the world’s top security vendors and then scoured surface, dark and deep web sites including hacking forums and marketplaces, WhatsApp groups, public code repositories, social networks and paste websites.

It claimed to have discovered verified sensitive data over 631,000 times, with 17% of these “incidents” estimated to have critical risk. This means they included logins with plaintext passwords, or data leaks such as PII and financial records that are recent and/or unique.

In total, the research revealed PII and corporate data accounted for half (50%) of all incidents, with credentials taking 30% and backups and dumps 15%.

Also concerning is the fact that 29% of the discovered passwords were “weak” — i.e. they featured less than eight characters, with no uppercase, no numbers and no special characters. In 41% of companies studied, employees were found to have reused passwords on different breached systems, further exposing their organization to breach risks.

The report also revealed that over 5100 stolen credentials came from breaches of adult content sites, meaning employees had registered on such sites with their work emails.

In total, 97% of cybersecurity firms studied in the report were found to have sensitive data exposed online, although some date back as far as 2012, and the majority of incidents were classed as low (25%) or medium (49%) risk.

Low risk refers to “mentions of an organization, its IT assets or employees in data leaks, samples or dumps without accompanying sensitive or confidential information,” while medium risk could include encrypted passwords or leaks of “moderately” sensitive data such as source code or internal docs.

ImmuniWeb CEO Ilia Kolochenko warned that third parties like security vendors are an increasingly popular target for attackers.

“In 2020, one need not spend on costly zero-days but rather find several unprotected third parties with privileged access to the ‘Crown Jewels’ and swiftly crack the weakest link,” he added.

Categories: Cyber Risk News

Webmaster Portal Leaks 63 Million Records

Tue, 09/08/2020 - 09:35
Webmaster Portal Leaks 63 Million Records

The world’s largest webmaster form has been found wanting in terms of its cybersecurity posture after researchers discovered an unprotected database leaking data on nearly 900,000 users.

Digital Point provides a platform for members to chat and buy and sell websites, domains and digital services.

Back in July, researchers at WebsitePlanet teamed up with Jeremiah Fowler to discover an Elasticsearch database belonging to Digital Planet that was left online without password protection, exposing nearly 63 million records.

These included emails, names, internal user ID numbers, internal records and user posts related to 863,412 users of the site.

Fowler warned that an attacker without administrative credentials could have edited, downloaded or even deleted this data.

The latter threat is particularly real given the recent spate of “Meow” bot attacks on exposed databases. An attacker could also look to steal the data before deleting it and holding it to ransom.

Another particular threat from exposure of this kind of data is domain hijacking, Fowler warned.

“Having the contact information, email and other details could allow a cyber-criminal to use acquired personal information about the actual domain owner to impersonate them,” he explained.

“Domain hijacking is exactly what it sounds like and criminals could try to change the registration information and ownership details. This type of theft would allow the domain hijacker to gain full control of the website name and can use the domain for their own purposes or try to sell it to a third party.”

Fowler described the dataset as a “treasure chest of information” for would-be domain hijackers.

“Many of the email accounts were admin@ or similar. Having a domain stolen can destroy a business or an organization and there is no guarantee that you will get it returned,” he continued.

“Anyone who has ever lost a domain name will tell you that dealing with lawyers, court costs and losing the trust of your clients would be devastating.”

Categories: Cyber Risk News

Newcastle Uni Ransomware Attack Will “Take Weeks” to Mitigate

Tue, 09/08/2020 - 08:34
Newcastle Uni Ransomware Attack Will “Take Weeks” to Mitigate

A leading UK university has warned staff and students that it will take weeks to recover from a recent ransomware incident, with a well-known threat group already posting stolen documents.

Newcastle University in the north-east of England is part of the elite Russell Group. It claimed to have been attacked on August 30 2020 with most university systems unavailable or restricted indefinitely.

“The nature of the problem means this is an on-going situation which we anticipate will take a number of weeks to address,” it said in an update on Monday. “We hope to have a better estimate at the end of this week.”

Still available to staff and students during this time are Office 365 including email, Office applications and Teams, Zoom, SAP core services and the Canvas virtual learning environment.

However, the university IT team (NUIT) also warned on Friday that services which are operating may need to be taken down without notice, that “colleagues may lose access to their IT accounts without notice and they may not be re-enabled quickly,” and that PCs, servers and other assets may need to be removed for investigation.

The attack happened at around the same time as Newcastle’s other higher education institution, Northumbria University, also suffered a ransomware outage.

They appear to have been timed to cause maximum damage as the universities prepare for the start of the new academic year — one in which online services will play a key part as remote students log-in to attend classes and receive assignments.

The bad news for Newcastle University is that the notorious DoppelPaymer group has begun posting documents it claims to have stolen from its servers to its dedicated “Doppel Leaks” site.

Previous victims of the group include Mexican petrochemical giant Pemex and SpaceX contractor Visser Precision.

According to Group-IB, DoppelPaymer ranks alongside Ryuk and REvil as one of the “greediest ransomware families with highest pay-off.”

Categories: Cyber Risk News

Ransomware Could Be Major Threat to 2020 Election

Mon, 09/07/2020 - 16:30
Ransomware Could Be Major Threat to 2020 Election

Ransomware could pose a significant threat to the US election infrastructure, as aging software and potentially vulnerable voting machines could be targeted by criminal elements or by foreign-based cyber-attacks.

According to NTT Ltd.’s global threat report for September, ransomware could be deployed and lay in wait to be activated on election day, or once voting machines are activated, and could pose a significant threat to voting processes and procedures, potentially bringing voting operations to a halt.

“Election threats from ransomware, or from other types of cyber-attacks, do not come solely from foreign governments,” the report said. “Cyber-attacks against the US election infrastructure can be launched by any criminal threat actor seeking financial gain.”

NTT claimed the US elections in November will involve a “a high stakes endeavor” in terms of ensuring and maintaining security, and threats to the US voting processes could involve: foreign interference, disinformation campaigns, potential changes in the US Postal Service operating procedures, ransomware attacks, aging technology (including hardware and end-of-life software), voter role purge, voter apathy – and particularly for this year – the fear of COVID-19 contagion at voting precincts.

“A cyber or physical attack on the election infrastructure, whether election systems or processes are interconnected or not, could potentially lead to overall election system dysfunction, errors in vote count, delays in voting results and erroneous election reporting,” the report said.

NTT claimed the most important elements of security are those which attackers will most likely target first, and the first line of defense against cyber-intrusion, and other threats, “must be a secure and resilient US election infrastructure.” NTT determined the threats to be in three areas: 

Threats to pre-election activities: Attacks of voter registration information could involve tampering with or deleting voter registration details so that he potential voter is unregistered and thus unable to vote. Also malware planted on a voter registration system could compromise the integrity of that data. Finally, voters’ data could be mined for personal identifying information and held for ransom, or it could be sold for criminal profit on the dark web.

Threats to election day activities: Voting on a Direct Record Electronic (DRE) voting machine could be susceptible to physical damage by a cyber-attack, while election results submitted electronically, or via email on election night, face cyber-threats, and an attacker could plant malware on the optical scan machine at any point from warehouse, to delivery, to set up at polling locations.

Threats to post-election activities: NTT admitted these are reduced, as the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency published the Cyber Incident Detection and Notification Planning Guide for Election Security among materials to help state and local election officials strengthen their election security.

NTT’  analysts recommend following the latest cybersecurity practices and maintaining good cyber-hygiene as a first line of defense against cyber-intrusions, as well as having proper patching and update processes, and proper custodianship of hardware and security awareness.

In an email to Infosecurity, Jake Moore, cybersecurity specialist at ESET, said he believed threat actors are clearly ready to attack what promises to be the hottest election yet, and there will no doubt be greater kudos to gain than ever, as the world watches on.

“Ransomware is a significant threat to all organizations at the best of times, but the spotlight of the election will add a huge amount of interest from criminal gangs from all over the globe,” he said.

“Ransomware is a genuine threat, but arguably no more likely than a DDoS or data breach. Threat actors of all types will be doing what they do best: looking for weaknesses and vulnerabilities to exploit in the hopes of a huge financial gain.”

He concurred with NTT Ltd’s advice on maintaining good cyber-hygiene – such as timely patches and updates – as well as offering the best, most up-to-date awareness advice to all staff, to help protect against the inevitable barrage of attacks.

Categories: Cyber Risk News

34% Increase in Whistleblower Reports to ICO in the Last Year

Mon, 09/07/2020 - 16:00
34% Increase in Whistleblower Reports to ICO in the Last Year

The number of whistleblower reports made to the Information Commissioner’s Office (ICO) about potential data breaches and the misuse of customer information by organizations has risen by 34% in the last year.

That’s according to RPC, a London-headquartered professional services firm offering legal and consultancy advice to a range of sectors. Of the record-high 427 whistleblower reports made in the last year, RPC stated that further action was taken with 68, including 23 being taken into consideration for investigations.

According to RPC, greater awareness of online fraud and other forms of data theft has caused more people to report businesses for not taking proper precautions with the data they hold.

Richard Breavington, partner at RPC, explained: “Whistleblowing is now a major risk for businesses that fail to deal with a data breach properly, or who have failed to take reasonable steps to protect the data they hold on their customers.

“This makes it more important than ever for businesses who do fall victim to a data breach to respond quickly and to inform the ICO of the data breach if necessary, within the right deadline and ensure customers are informed when they are exposed to a major risk.”

Breavington added that whilst the ICO has indicated that it is exercising some forbearance during coronavirus with regards to investigations and potential disciplinary action relating to data misuse, organizations should not misinterpret that as a “free pass” to neglect sound data security management.

“With millions of employees continuing to work from home, businesses need to have clear practices in place. For example, recommending multi-factor authentication if employees are using their own devices for work and advising employees to update software regularly so it’s at a lower risk of being hacked into.”

Categories: Cyber Risk News

Charing Cross Gender Identity Clinic Data Leak Victims Could Claim £30,000 in Damages

Mon, 09/07/2020 - 15:00
Charing Cross Gender Identity Clinic Data Leak Victims Could Claim £30,000 in Damages

Victims of the Charing Cross Gender Identity Clinic data breach – which occurred a year to the day yesterday – could be eligible to claim up to £30,000 each in damages, according to consumer action and data breach law firm Your Lawyers.

As was reported last year, the Charing Cross Gender Identity Clinic sent out mass emails to people using the CC function instead of the BCC function, mistakenly revealing the names and email addresses of close to 2000 people on its email list.

Your Lawyers has estimated that those most severely affected could receive up to £30,000 each in damages, whilst where there has been a catastrophic impact on the victim, awards could be higher.

Aman Johal, lawyer and director of Your Lawyers, said: “The Charing Cross Gender Identity Clinic severely breached patient trust through an inexcusable and completely preventable error. The sharing of sensitive and highly personal data could have an extremely negative impact on vulnerable people.

“Why organizations still rely on archaic methods of mass communication, when there is plenty of readily available software to use instead that will avoid a data leak, is absurd; especially given the additional clarity and focus that the GDPR has placed on data protection and information privacy since 2018.

“One year on, we continue to fight for justice for those affected. People deserve better when the consequences of a leak can be so damaging, and they are rightfully entitled to seek the compensation that they deserve.”

Consumers can sign up for legal representation here.

Categories: Cyber Risk News

Scottish Cyber Awards 2021 Open for Entry

Mon, 09/07/2020 - 14:00
Scottish Cyber Awards 2021 Open for Entry

The Scottish Cyber Awards 2021 are now open for entry until November 25 2020.

The awards, now in their fifth year, celebrate the individuals and organizations working to make a difference to Scotland’s cybersecurity across public and private sectors. Individuals can vote for themselves/their organization or nominate someone who they feel is deserving.

Comprising 11 categories, the awards are set to take place on February 25 2021 at the Sheraton Grand Hotel and Spa in Edinburgh. New categories for 2021 include Cyber Educator of the Year, whilst other categories recognize the Best Cyber Startup, Outstanding Woman in Cyber and Best Cyber Breakthrough. On the night, judges will also recognize a Champion of Champions.

Jude McCorry, CEO of the Scottish Business Resilience Center (SBRC), which oversees the awards, said: “The cyber-resilience shown by individuals and businesses over the last 12 months has been inspiring. Unfortunately, cyber-attacks show no sign of slowing, but we know that Scotland is home to a united cyber-defense community.

“The Scottish Cyber Awards 2021 will recognize the dedication and commitment of those within the industry to combat threats that might not only impact their own organization, but the wider population. Now, more than ever, we need to honor the achievements of those in this community and I can’t wait to celebrate with you all.”

As part of the 2021 awards, the SBRC has brought together a new judging committee from across the emergency services, public sector and industry.

ACC McLaren, member of the judging panel and executive lead for organized crime, counter terrorism and intelligence, Police Scotland, added: “The Scottish Cyber Awards judging panel represents a cross section of those with a close relationship to all things cyber – whether that is in defining policy, combatting crime or shaping business resilience plans. The efforts of the few within the cybersecurity sector are there to benefit the many, and so it is fitting that we recognize the hard work being done in this area across the length and breadth of Scotland.”

More information on the awards and the entry/nomination processes can be found here.

Categories: Cyber Risk News

Visa: New Baka Skimmer Designed to Avoid Detection

Mon, 09/07/2020 - 11:05
Visa: New Baka Skimmer Designed to Avoid Detection

Visa has issued a warning about new digital skimming malware with a sophisticated design intended to circumvent detection by security tools.

The card giant said its Payment Fraud Disruption (PFD) group first discovered the “Baka” skimmer in February whilst analyzing a command and control (C2) server associated with the ImageID variant. PFD subsequently founded seven servers hosting the Baka skimming kit.

“While the skimmer itself is basic and contains the expected features offered by many e-commerce skimming kits (e.g. data exfiltration using image requests and configurable target form fields), the Baka skimming kit’s advanced design indicates it was created by a skilled developer,” it said.

“The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code. PFD assesses that this skimmer variant avoids detection and analysis by removing itself from memory when it detects the possibility of dynamic analysis with developer tools or when data has been successfully exfiltrated.”

It’s currently unclear just how widespread the threat is. Visa said that it has identified the malware on “several” merchant websites around the world using its eCommerce Threat Disruption (eTD) capabilities.

However, the firm issued several recommendations for e-commerce providers including: regular scans for C2 communications, close vetting of third-party code and Content Delivery Networks (CDNs), regular website scanning and testing for malware an vulnerabilities, regular patching of shopping cart and other software and web application firewalls (WAFs) to block malicious traffic.

Visa also recommended merchants to restrict access to administrative portals, deploy two-factor authentication and to consider using a fully hosted checkout solution separate from the main e-commerce site.

The news comes just days after RiskIQ identified 1500 sites that had been infected with the prolific Inter digital skimmer.

At the end of August, Group-IB uncovered a new group, dubbed “UltraRank,” which it said was responsible for compromising hundreds of sites and multiple supply chain providers over the past five years.

Categories: Cyber Risk News

WordPress Sites Attacked in Their Millions

Mon, 09/07/2020 - 09:35
WordPress Sites Attacked in Their Millions

Millions of WordPress sites are being probed in automated attacks looking to exploit a recently discovered plugin vulnerability, according to security researchers.

Wordfence, which itself produces a plugin for the platform, revealed news of the zero-day bug at the start of September. It affects File Manager which, as the name suggests, is a plugin that helps users to manage files on their WordPress sites.

The plugin is installed on around 700,000 WordPress sites, and although Wordfence estimates that only around 37%, or 262,0000, are still running a vulnerable version, this hasn’t stopped attackers from trying their luck against a much larger number of users.

“Attacks against this vulnerability have risen dramatically over the last few days. Wordfence has recorded attacks against over one million sites today, September 4, 2020. Sites not using this plugin are still being probed by bots looking to identify and exploit vulnerable versions of the File Manager plugin, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited,” explained Wordfence’s Ram Gall.

“Although Wordfence protects well over three million WordPress sites, this is still only a portion of the WordPress ecosystem. As such, the true scale of these attacks is larger than what we were able to record.”

The vulnerability itself could allow a remote, unauthenticated user to execute commands and upload malicious files on a target site. Gall therefore urged users to patch the issue promptly by installing the latest version of the plug, v6.9.

“If you are not actively using the plugin, uninstall it completely,” he added. “Due to the breadth of file management functionality this plugin provides a user within the wp-admin dashboard, we recommend uninstalling the plugin when it is not actively being used.”

Categories: Cyber Risk News

US Issues Cybersecurity Principles for Space Systems

Mon, 09/07/2020 - 08:35
US Issues Cybersecurity Principles for Space Systems

The White House has issued a new set of cybersecurity principles designed to protect its commercial and critical infrastructure investments in space.

The Space Policy Directive-5 details a list of recommended best practices for securing the information systems, networks and “radio-frequency-dependent wireless communication channels” that together power US space systems.

“These systems, networks and channels can be vulnerable to malicious activities that can deny, degrade or disrupt space operations, or even destroy satellites,” the document stated.

“Examples of malicious cyber-activities harmful to space operations include spoofing sensor data; corrupting sensor systems; jamming or sending unauthorized commands for guidance and control; injecting malicious code; and conducting denial-of-service attacks.”

It added that such attacks could result in the loss of mission data, damage to space systems and loss of control over space vehicles such as satellites, space stations and launch vehicles, which could lead to collisions that generate dangerous orbital debris.

Amongst the recommended best practice principles was the use of “risk-based, cybersecurity-informed engineering” to develop and operate space systems, with continuous monitoring for malicious activity and of system configurations.

Other elements that will help ensure a good baseline of cybersecurity were: protection against unauthorized access to space vehicle functions, physical protection of command, control, and telemetry receiver systems, measures to counter communications jamming and spoofing, management of supply chain risks and improved collaboration between space system owners.

IT and OT systems on the ground should follow NIST best practices including logical/physical segregation, regular patching, physical security, restrictions on the use of portable media, AV software and staff awareness and training including insider threat mitigation.

In July, the US and UK accused Russia of testing “anti-satellite weaponry" in a marked escalation of tensions in space.

Categories: Cyber Risk News

DDoS Attacks on Virtual Education Rise 350%

Fri, 09/04/2020 - 16:05
DDoS Attacks on Virtual Education Rise 350%

Distributed denial of service (DDoS) attacks against online educational resources are over three times more prevalent in 2020 than they were last year, according to new research by Kaspersky.

In a report published today, researchers found that between January and June 2020, the number of DDoS attacks affecting educational resources increased by at least 350%, compared to the corresponding months in 2019.

The largest month on month increase was noted in January, when attacks were up by 550%. 

Globally, the total number of DDoS attacks increased by 80% in the first quarter of 2020, compared to Q1 2019, with attacks on educational resources accounting for a large portion of that growth. 

DDoS attacks can last anywhere from a couple of days to a few weeks, causing significant operational disruption and, in the case of educational resources, denying students and staff access to critical materials.

Further findings of the report were that from January to June 2020, 168,550 unique Kaspersky users encountered a variety of threats distributed under the guise of popular online learning platforms/video conferencing applications. 

Impacted platforms included Moodle, Zoom, edX, Coursera, Google Meet, Google Classroom, and Blackboard. 

Educators also encountered a growing number of phishing pages and emails exploiting these educational online platforms in an attempt to get victims to download various threats.  

An unprecedented uptake of online educational resources occurred in 2020, triggered by school closures around the world designed to slow the spread of COVID-19. Attackers seeking to exploit the speedy mass migration from physical to virtual learning have been targeting this vast new attack surface, which grew without full consideration of security best practices.

“Remote learning became a necessity for billions of students this past spring, and many educational institutions were forced to make the transition with little or no preparation,” said Alexander Gutnikov, security expert at Kaspersky. 

“The ensuing increase in the popularity of online educational resources, coupled with this lack of preparedness, made the educational sector an ideal target for cyber-attacks. Moving forward this fall, as many schools and universities plan to conduct classes online—at least part of the time—it’s critical these organizations take steps to secure their digital learning environments.”

Categories: Cyber Risk News

Americans Offered Free Virtual Tech Bootcamp

Fri, 09/04/2020 - 15:33
Americans Offered Free Virtual Tech Bootcamp

Marginalized Americans interested in pursuing a career in technology received a boost yesterday with the launch of a free online training program.

The Agile Testing Bootcamp is a six-week program geared specifically toward upskilling individuals with non-technical backgrounds to obtain high-paying, high-demand technical jobs in software testing.

The program was created by Los Angeles software firm QualityWorks and is sponsored by the Count Me In Revival Grant.

Participants will be taught the foundational tools and techniques of software testing and will also receive support to find jobs that match their new skills. Job sourcing, job placement, and ongoing professional development mentorship by professional coaches after graduation are all included in the program.

Applicants have until October 5, 2020, to apply for the immersive program, which is taught virtually via weekly live sessions. To be eligible for the free training, applicants must have at least three years of experience in a professional capacity, be interested in the tech space, and be looking for new career opportunities.

Positive discrimination practices are being applied to give preference to applicants who are not white and to people who have been displaced as a result of the outbreak of COVID-19. 

A spokesperson for QualityWorks said: "Software Testing is one of the most in demand jobs in the tech market. There are currently over 9,000 unfulfilled jobs in the US alone. Our six-week immersive software testing bootcamp is designed to teach software testing from scratch for individuals without a tech background."

QualityWorks said software testing bootcamps can get people started in tech careers faster than coding bootcamps, as the learning curve is shorter. 

Over the past decade, the company has trained more than 150 persons from diverse professional backgrounds to become software testing professionals.

“We have successfully concluded two installments of our Testing Bootcamp, training over 70 individuals, 90% of whom did not come from a technical background," said QualityWorks founder and CEO Stacy Kirk. 

"We’ve proven that the model works, and so we are super excited to be able to extend the program to support black and minority communities by providing them with the skillset to land good jobs in tech."

Categories: Cyber Risk News

Warner Music Group Discloses Data Breach

Fri, 09/04/2020 - 15:08
Warner Music Group Discloses Data Breach

Warner Music Group has issued a data breach notification following a prolonged skimming attack on an undisclosed number of its e-commerce websites.

The cyber-attack was discovered by the multinational entertainment and record label conglomerate on August 5, 2020. 

E-commerce websites that are hosted and supported by an external service provider in the US but operated by Warner were found to have been compromised by an unauthorized third party.

By installing data-skimming malware on the sites, the threat actor was able to access information being entered by customers.

Personal data compromised in the attack included names, email addresses, telephone numbers, billing addresses, shipping addresses, credit card numbers, card expiration dates, and CVC and CVV codes. 

The as yet unidentified cyber-criminal accessed Warner customers' personal information entered into the affected websites during transactions made between April 25, 2020, and August 5, 2020. Payments made through PayPal were reportedly not affected by this incident.

A data breach notice sent by Warner to the affected customers stated that "any personal information" customers had entered into the affected websites "after placing an item in your shopping cart was potentially acquired by the unauthorized third party."

Warner said that it was prompt to inform relevant credit card providers and law enforcement of the breach. The company has not yet disclosed how many customers were affected by the incident.

Affected customers have been offered 12 months of identity monitoring services free of charge by Warner. 

The cyber-attack comes three years after Warner fell victim to a phishing scam that resulted in the leak of 3.12 TB of internal data relating to Vevo, the company's premium music video provider.

“Digital skimming and Magecart attacks continue to be a lucrative source of revenue for hackers as they continue to seek large targets for maximum payouts. For example, data stolen from an attack on another e-commerce platform in 2019 was valued at $133M on the dark web," commented security evangelist at PerimeterX, Ameet Naik. 

"Third-party platforms, scripts, and services are ideal targets for attackers because the techniques can be reused to steal data from multiple e-commerce sites."

Categories: Cyber Risk News

Credit Card Skimmer Hits Over 1500 Websites

Fri, 09/04/2020 - 14:45
Credit Card Skimmer Hits Over 1500 Websites

A digital skimming solution has been described as “one of the most prolific and impactful parts of the Magecart ecosystem.”

Reportedly used by several different Magecart actors, research by RiskIQ into the Inter skimmer found it had been used to steal payment data since late 2018, affecting around 1500 sites.

In particular, the Inter Skimmer comes with a dashboard to generate and deploy skimming code and back-end storage for skimmed payment data to enable easier attack deployment. RiskIQ also found connections to ransomware, fast flux DNS services, and suspicious domains potentially used for phishing or malware command and control activity.

Based on a predecessor known as JS Sniffer or SnifFall, which RiskIQ described as “fairly simplistic”, the company said much of the functionality of the Inter skimmer is similar to its predecessor as it copies out all the data entered into forms on the page by looking for fields tagged "input", “select,” or “textarea” before converting extracted payment data to JSON format and base64 encoding it.

RiskIQ said the main variations it has observed between variants of the Inter skimmer is increased use of sophisticated obfuscation, which is a trend among skimmers in general. “The Inter kit includes the ability to integrate an obfuscation service if the actor has access to an API key,” it said.

“Throughout our tracking of this skimmer we continue to see a wide variance in the amount of obfuscation employed. Some implementations use clear skimming code, while others employ encrypted obfuscation to try to hide their activity.”

“Since the Inter kit is licensed out to many different actors, we cannot say whether these activities are definitely connected to Sochi,” it said. “Still, we do know that the Inter kit is part of an ever-growing web of malicious activity.”

Sochi is reportedly the actor behind it, and has been active in skimming since at least 2016 and appears to have been involved in other cybercrime spaces since 2014. RiskIQ said this actor is also involved in a wide variety of malicious activity beyond their prolific digital skimmer, including malware development and financial fraud.

Categories: Cyber Risk News

Sophisticated Phishing Scam Targeting Lloyds Bank Customers

Fri, 09/04/2020 - 13:45
Sophisticated Phishing Scam Targeting Lloyds Bank Customers

Lloyds Bank customers are being targeted by a sophisticated email and SMS messaging phishing campaign, according to an investigation by law practice Griffin Law.

An estimated 100 people have reported receiving fake communication purporting to be from Lloyds, which is one of the largest banks in England and Wales.

In the email scam, a realistic-looking email using Lloyds logos and branding is distributed containing the subject header: “Alert: Document Report – We noted about security maintenance.” The message, which has spelling errors and some Chinese characters, claims that the recipient’s bank account has been compromised, stating: “Your Account Banking has been disabled, due to recent activities on your account, we placed a temporary suspension until you verify your account.”

Users are then redirected to a fraudulent site called Lloyds[Dot]bank[Dot]unusual-login[Dot]com, which attempts to trick visitors into believing it is legitimate through the use of official branding. The site then requests customers’ log-in details including passwords, account information and security codes and other person data.

In the SMS version of the scam, people received a text attempting to entice them into visiting the same fraudulent site. It says: “ALERT FROM LLOYDS: New device attempted to set up a payee to XXX. If this was NOT you, visit: Lloyds[Dot]bank[Dot]unusual-login[Dot]com.”

In a tweeted response to a user who informed them they had received the scam email, Lloyds Bank said: “This isn't a genuine message from us; it’s a scam. If possible, could you please forward this email or text message to us at:”

Commenting on Griffin Law’s discovery, Chris Ross, SVP at Barracuda Networks, said: “Hackers often hijack the branding of legitimate companies in order to steal confidential financial data from unsuspecting victims.

“These scams can be very convincing, making use of official logos, wording and personalised details to lull the individual into a false sense of security. In most cases, the victim will be directed to a fraudulent but realistic looking website, where they are urged to enter account details, passwords, security codes and PIN numbers.

“Phishing attacks like this pose a huge risk both to individuals and the companies they work for, especially if hackers gain access to a business bank account. Tackling this problem requires robust policies and procedures as well as the latest email security systems in place to identify and block these scams before they reach the inbox.”

In July, Griffin Law uncovered a HSBC SMS phishing scam designed to trick victims into handing over details of their bank account.

Categories: Cyber Risk News

Cybersecurity Incidents Account for a Third of ICO Reports in 2020

Fri, 09/04/2020 - 13:15
Cybersecurity Incidents Account for a Third of ICO Reports in 2020

Just under 1500 incidents have been reported to the Information Commissioner’s Office (ICO) in the past nine months, with around a third classified as “cybersecurity incidents.”

According to 2020-21 statistics released this week, among the 1446 reported incidents, 412 were classified as cybersecurity incidents, and these include 266 instances of “data emailed to incorrect recipient,” 185 reports of  “phishing” and 140 incidents of “data posted or faxed to incorrect recipient.” Fewer than 100 were down to “unauthorized access” (87), ransomware (61) and malware (16).

Overall, the numbers are improved from the 2019 report, and Rick Goud, CEO and founder of ZIVVER, commented that there was a 50% decline in reported data leaks. “In a period with increased cyber-threats, a big shift to working from home, with more digital communication and more employee behavior change – inevitably leading to more data leaks – this suggests that UK organizations don't see the necessity to comply with GDPR in terms of reporting data leaks, because the consequences of not complying are considered less costly than the alternative,” he said.

However, Martin Jartelius, CSO at Outpost24, argued that things are improving, as “users have never been this aware, firewalls and anti-virus this advanced or security frameworks as widely adopted.”

He also added that attackers have never been this efficient, and more actors are entering the criminal market space. “The reason phishing and ransomware are open and visible is that they, in part, are easy to detect; ransomware is very hard to miss for example, and users report attempted or successful phishing,” he said. “A good old fashioned data breach, such as an employee reading medical records of someone not their patient – often tops those lists in countries with stringent record keeping and audit trails.”

Sam Curry, chief security officer at Cybereason, said the state of overall security is about changes in rates, that the attackers still win too much and enjoy the expectation of victory too much, but the rate of improvement among defenders is growing faster and it’s about speed. “I believe changes in 2020 are going to help reverse the hacker advantage long term, but it’s still a fight and one we shouldn’t let up on,” he said.

Javvad Malik, security awareness advocate at KnowBe4, said it is “natural that some of the trends may have shifted slightly” considering the COVID-19 pandemic, and with many people working remotely, there has been a change in infrastructure, and many organizations have had to move services to the cloud, implement VPNs, MFA and a whole host of other technologies.

He continued: ““The good thing is that many of these security technologies are quite mature and offer good protection. However, email has been the favored attack vector for criminals for some time now, and phishing seems to have only increased since lockdown. Without colleagues to bounce opinions off, and with the many distractions that home working brings, it can be easy for employees to fall for phishing emails. 

“Perhaps the biggest issue has been the psychological toll extended home working has taken on employees. Without clear boundaries between home and work life, it can be easy to make mistakes, or errors. So, emailing the wrong people, especially on BYOD laptops or computers which may autofill email addresses , is definitely something that can happen. 

“While technology can solve many security issues, it cannot account for all human error. For example, people taking photos of their meetings (thus exposing meeting IDs or other sensitive info) and posting them on social media can also inadvertently leak sensitive information.”

Categories: Cyber Risk News

NCSC: 60% Rise in Girls Applying to CyberFirst Summer Courses

Fri, 09/04/2020 - 12:00
NCSC: 60% Rise in Girls Applying to CyberFirst Summer Courses

There has been a 60% increase in the number of girls applying for online cybersecurity skills courses this year compared to 2019, according to the National Cyber Security Centre (NCSC), a part of GCHQ.

The NCSC stated on its website that the number of young people taking part in this year’s CyberFirst summer courses rose to a record-breaking 1770 after they moved from the classroom to online.

CyberFirst is a program of opportunities led by NCSC to help young people aged 11 to 17 years explore their passion for tech by introducing them to the world of cybersecurity.

Chris Ensor, NCSC deputy director for cyber-growth, said: “I’m delighted to see that more young people are exploring the exciting world of cybersecurity, and it’s especially encouraging to see such a level of interest from girls.

“Our online courses have provided new opportunities for teenagers of all backgrounds and we are committed to making cybersecurity more accessible for all.”

Schools minister Nick Gibb added: “This country has led the way in introducing computing into the national curriculum and a more rigorous computer science GCSE. The world renowned NCSC summer course is inspiring more young people to take up a career in a discipline so important for our country’s safety. I’m delighted too, that we are seeing more applications from girls, ensuring all talent is encouraged to pursue such a vital career.”

Categories: Cyber Risk News

APT Group Targeting FinTech Sector Changes Method of Attack

Fri, 09/04/2020 - 10:45
APT Group Targeting FinTech Sector Changes Method of Attack

APT group Evilnum, known for its targeting of financial technology companies via fake know your customer (KYC) documents, has undergone a significant change in tactics and armory recently that the FinTech sector must be made aware of, according to an investigation by Cybereason.

First identified back in 2018, Evilnum has upgraded its attack capabilities on multiple occasions. Its main purpose is to spy on its infected targets and steal information such as passwords, documents, browser cookies and email credentials.

Typically, Evilnum’s infection chain would begin with spear-phishing emails that deliver zip archives containing LNK files masquerading as images, which then drop a JavaScript Trojan with different backdoor capabilities.

According to Tom Fakterman, threat researcher at Cybereason, the group’s infection procedure has changed substantially in recent weeks. Instead of delivering four different LNK files in a zip archive that will be replaced by a JPG file, only one LNK is archived, which masquerades as a PDF containing several documents such as utility bills and credit card photos.

When the LNK file is executed, a JavaScript file is written to disk and executed, replacing the LNK file with a PDF. This version of the JavaScript is the first stage of the infection chain, which leads to the delivery of a new Python Rat developed by Evilnum, which has been dubbed PyVil RAT.

This new Python Rat was found to have several functionalities including keylogger, running cmd commands, taking screenshots and opening an SSH shell. It can also deploy new tools, adding further functionalities for the attack when needed.

Fakterman said: “This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group’s arsenal continues to grow.”

In addition, Cybereason revealed Evilnum has ramped up its infrastructure recently, with the list of domains associated with its C2 IP address, which changes every few weeks.

Despite these changes, Fakterman noted that “the primary method of gaining initial access to their FinTech targets stayed the same: using fake KYC documents to trick employees of the finance industry to trigger the malware.”

Speaking to Infosecurity, Fakterman commented: “Evilnum has gone to great lengths to evade prevention-focused security tools which underscores the need for organizations to invest in effective detection and response capabilities that allow for deep threat hunting on the network in order to identify threats designed to bypass initial layers of security.

“In addition, enterprises should provide their employees with regular security awareness training to better them for cyber-risks such as phishing. Also, employees should never open attachments from suspicious sources or visit dubious websites and should send suspicious emails to the IT/security team for vetting.”

Categories: Cyber Risk News

Australia Introduces Code of Practice for the Manufacture of IoT Devices

Fri, 09/04/2020 - 09:30
Australia Introduces Code of Practice for the Manufacture of IoT Devices

The Australian government has published voluntary best practice guidelines to help device manufacturers, IoT service providers and app developers improve the security of Internet of Things (IoT) devices. Developed jointly by the Department of Home Affairs and Australian Cyber Security Center (ACSC), the Code of Practice is described as the “first step in the Australian government’s approach to improve the security of IoT devices in Australia.”

It is expected there will be over 21 billion IoT devices connected to the internet by 2030, and the Australian government believes the new standards are necessary to “help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.”

IoT devices encompass an increasing number of everyday home items, such as smart TVs, security cameras and baby monitors. Yet there have been numerous concerns raised over potential security threats to these devices, such as hacking. For example, last month, a team of IBM hackers discovered a vulnerability in a component used in millions of IoT devices and in June an investigation by Which? found that more than 100,000 indoor security cameras across UK homes and businesses may have critical security flaws that make them vulnerable to hacking.

The new code outlines 13 principles for domestic and international IoT manufacturers to follow, with the Australian government recommending that the first three are prioritized. These are to ensure there are no duplicated or weak passwords, implement a vulnerability disclosure policy and keep software securely updated.

It added that the guidance aligns with and is built upon UK government guidance as well as being “consistent with other international standards.”

There have been increasing moves to bring in tighter regulation regarding the manufacturing of IoT devices around the world. Earlier this year, the UK government unveiled a new consumer IoT law designed to prohibit the sale of smart products that fail to meet three strict security requirements: unique device passwords which are not resettable to factor defaults, a public point of contact at the manufacturer to report bugs to and clearly visible information stating the minimum length of time updates will be available for.

Speaking to Infosecurity, Bruce Esposito, global strategist at One Identity, commented: “The Australian government’s new code of practice for IoT devices is a much needed and long overdue focus on securing consumer smart devices. After many years of reporting on high profile hacking, malware and viruses most consumers are aware of security threats to their personal computers. Consumers are more educated about protecting their home networks and computers and are cautious when confronted with requests for personal information. However, the same cannot be said about the ever increasing number of smart devices in the household.”

Although welcoming of the introduction of further new standards for IoT devices, Boris Cipot, senior security engineer at Synopsys, said there may be a need for a more international approach in the future: “While the issuance of governmental standards and/or guidance to manufacturers is a step in the right direction, even if there are general measures in which countries might have the same opinion, there are other measures that might differ.

“Therefore, a globally aligned IoT standard would need to be created which manufacturers around the globe would follow. This would also support the import and export of such devices, as well as the usage of a technology that is by all means a global technology and not limited to a specific country.”

Categories: Cyber Risk News