Info Security


TrickBot Used in Tax Season Email Spoofing

Mon, 04/08/2019 - 15:38

As April 15, the US tax-filing deadline, swiftly approaches, cyber-criminals are taking advantage of the season, using campaigns to deceive three of the biggest accounting, tax services and payroll companies in the US, according to researchers at IBM X-Force.

In monitoring tax-related malicious activity, researchers found that threat actors have been using the financial malware TrickBot to impersonate companies, including ADP and Paychex.

“These campaigns attempted to deceive recipients into believing they were emailed by large accounting, tax and payroll services firms and carried malicious Microsoft Excel attachments,” IBM’s John Zorabedian, Dr. Martin Steigemann and Ashkan Vila wrote in today’s blog post.

“The size of the spoofed firms suggests the criminals are likely to have some success in snagging individual users and businesses that are customers of these well-known companies.” All three of the sample emails that were analyzed were written in English, indicating that the attackers were targeting victims in the United States.

A highly effective piece of malware, TrickBot is commonly used to infect devices and steal valuable data, including banking credentials, according to researchers. While the campaigns seem to be targeting businesses, these tax refund scams also pose risks to the 150 million people expected to file this year, and annually cost taxpayers at least $1.6bn, according to researchers.

Credit: IBM X-Force

“To reinforce the illusion of legitimacy, the signatures of each of the emails mimic typical business signatures, including a name, job title and contact details, as well as mock email footers that the cybercriminals may have copied from legitimate business emails,” the authors wrote.

IBM’s X-Force researchers advise that end users open attachments with caution, particularly as recipients are more likely to expect emails from their tax service providers at this time of year. While electronically filing taxes may be more convenient, consumers should remember that the US Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, phone, text messages or social media channels to request personal or financial information. To avoid tax scams, researchers warned not to respond to such requests.

Categories: Cyber Risk News

Nielsen Resigns Post as DHS Secretary

Mon, 04/08/2019 - 15:13

As part of what is being called a “massive reorganization” of President Trump’s senior-level management within homeland security, the Department of Homeland Security’s (DHS's) secretary, Kirstjen Nielsen, has submitted her resignation, according to CBS News.

“For more than two years of service beginning during the Presidential Transition, I have worked tirelessly to advance the goals and missions of the Department. I am immensely proud of our successes in transforming DHS to keep pace with our enemies and adversaries – whether it is in cyberspace or against emerging threats from new technologies,” Nielsen wrote in her letter of resignation.

Touting her successes, Nielsen stated that she is certain the nation is more secure now than when she started in her position as DHS secretary. “We have replaced complacency with consequences in cyberspace, we are holding digital intruders accountable, and we are stepping up our protection of American networks... And we have ramped up security measures to make it harder for our adversaries to attack us, whether it is with drones, chemical and biological weapons, or through other means.”

The abrupt departure does raise questions about the impact a change in leadership could have on cybersecurity. “DHS does not currently have a deputy secretary, which could also complicate the transition, but the Cybersecurity and Infrastructure Security Agency (CISA), which is under the DHS umbrella, has its own senior leader and I feel confident that the mission will carry on regardless of who the next secretary is,” said Terence Jackson, chief information security officer at Thycotic.

Regardless of Nielsen’s efforts to mitigate the risks of foreign interference in local, state and national elections in the US and improve the nation's overall cybersecurity posture, the Administration’s policy of separating children from their families at the US border with Mexico will be what Nielsen is most remembered for, CBS News reported.

“I hope the next secretary will have the support of Congress and the courts in fixing the laws which have impeded our ability to fully secure America’s borders and which have contributed to discord in our nation’s discourse,” Nielsen continued.


Nine in 10 CNI Providers Damaged by Cyber-Attacks

Mon, 04/08/2019 - 10:04

Some 90% of critical infrastructure (CNI) providers claim that their IT/OT environment has been damaged by a cyber-attack over the past two years, according to a new Ponemon Institute report.

Sponsored by security vendor Tenable, the Cybersecurity in Operational Technology: 7 Insights You Need to Know report features responses from 701 firms that run industrial control systems (ICS) and operational technology (OT).

Some 62% claimed they had suffered two or more damaging cyber-attacks over the previous two years, resulting in data breaches, and/or disruption and downtime. Half said they’d experienced at least one attack resulting in OT downtime.

For the year ahead, respondents are most worried about third-party risk (65%), IoT/OT-based attacks (63%), and downtime-causing OT attacks (60%).

A lack of visibility into the corporate attack surface was cited by the vast majority (80%) as the top barrier to their ability to prevent threats.

A majority claimed skills shortages (61%) and a reliance on manual processes (55%) are major obstacles to assessing and remediating vulnerabilities effectively.

Some 70% claimed that improving communication with executives and board members is one of their governance priorities for 2019.

On the plus side, there are signs of growing maturity in this area. Nearly half of respondents (48%) said their organization attempts to quantify the damage to the business from cyber-attacks: an important element of a risk management approach.

Over half (60%) also claimed that C-level executives are most involved in the evaluation of this cyber risk.

“The issue with industrial systems is that many of them are old, 10-20 years old in some cases, and there is not necessarily a practical way to upgrade them due to the criticality of their availability. Industrial networks were designed before cyber threats emerged and as a result, they lack the visibility and policy enforcement layers that enterprise IT networks have,” argued Exabeam co-founder, Sylvain Gil.

“We need more insight into the behaviors of these systems. They are rudimentary and were never thought to be vulnerable to people outside the operating facility — but they certainly are. We’ve seen enough examples that we know they can be manipulated, not just in terms of being used for cybercrime, but they can actually have physical consequences, as well, like a shutdown or explosion."

The report featured interviews with IT/OT and cybersecurity professionals in energy & utilities; health & pharma; industrial & manufacturing; and transportation sectors.


Senators’ Bill Aims Swift Sanctions at Election Meddlers

Mon, 04/08/2019 - 09:22

US senators have introduced bipartisan legislation designed to punish with sanctions any nations found to be interfering in the country’s elections.

The Defending Elections from Threats by Establishing Readiness Act (DETER) is the work of Marco Rubio and Chris Van Hollen.

It requires the director of national intelligence (DNI) to make an assessment within 60 days of an election day as to whether a foreign power interfered, including whether any senior politicians or oligarchs from that country knew of the meddling.

The bill defines “interference” as everything from buying advertising to sway voters, to spreading fake news under false identities online, and hacking or denying service for election infrastructure, such as voter registration databases.

Although the legislation names China, Iran and North Korea as foreign governments which may try to destabilize America during the next election cycle, it is Russia that is singled out for particular attention by Rubio and Van Hollen.

The bill includes a list of Russia-specific sanctions that could be applied if the country is found yet again to have been interfering in US elections.

Within 30 days of a DNI decision, it demands sanctions on key sectors of the Russian economy including finance, energy and defense, plus a blacklisting for any political figure or oligarch connected to the scheme.

They will also have assets blocked by the US authorities, who will be required to work with the EU to extend sanctions.

“The one clear message we can all take away from the Mueller Report — along with the consensus of our intelligence chiefs — is that Russia worked to manipulate the American people and undermine our democratic process in 2016. As we head into the 2020 election cycle, we must be vigilant against attacks from the Kremlin or anyone who seeks to follow their example,” said Van Hollen.

“The focus of our legislation is to prevent any future efforts to manipulate our elections. By making it clear in advance that attempts to interfere in our elections will be met with swift, harsh consequences, we can deter hostile foreign powers from taking future interference — but we must act now.”

The legislation is an updated version of a bill introduced to the Senate last year but never voted on, and there are signs it may be difficult to push through.

Reports suggest “sanctions fatigue” in Congress, although the forthcoming publication of parts of the Mueller report may strengthen the case for the legislation.


London Council Fined £145K For Leaking Gangs Info

Mon, 04/08/2019 - 08:56

A London council has been fined by the UK’s data protection regulator after accidentally leaking highly sensitive police intelligence to non-authorized third parties.

The Information Commissioner’s Office (ICO) handed the London Borough of Newham in East London a fine of £145,000 for revealing the identities of more than 200 suspected gang members.

A council employee accidentally emailed 44 recipients redacted and unredacted versions of the Gangs Matrix back in January 2017, the ICO revealed late last week. These recipients included the council’s Youth Offending Team and outside voluntary organizations.

Information contained in the so-called “Gangs Matrix,” which had been provided to the council by the Metropolitan Police, included dates of birth, home addresses, associated gang, and whether each individual was a prolific firearms offender or knife carrier, the regulator claimed.

Worse was to follow when it appeared that this information leaked onto Snapchat, where rival gangs shared photos of the database between May and September 2017.

The ICO noted a spike in gang violence in 2017, with many of the victims having appeared on the database, although it fell short of making a direct connection between this and the data leak.

“We recognize there is a national concern about violent gang crime and the importance of tackling it. We also recognize the challenges of public authorities in doing this. Appropriate sharing of information has its part to play in this challenge but it must be done lawfully and safely,” argued deputy commissioner, James Dipple-Johnstone.

“Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organizations, when a redacted version was readily available. The risks associated with such a transfer of sensitive information should have been obvious.”

The local authority was also castigated for failing to notify the ICO promptly, beginning its own investigation only in December 2017.

The ICO had already issued an enforcement notice to the Met in November last year, requiring the police force to improve its data sharing arrangements regarding the matrix.

Newham council was prosecuted under the old data protection regime, given that the incident fell before the GDPR start date of May 25, 2018.


Attackers Target Home Routers with DNS Hijacking

Fri, 04/05/2019 - 18:11

Hackers have been breaking into home routers to change DNS server settings and hijack the traffic to redirect it to malicious sites, according to Troy Mursch, security researcher for Bad Packets.

Researchers have detected different types of attacks that are targeting consumer routers, all of which were reportedly traced back to hosts on the Google Cloud Platform (AS15169) network. Mursch detailed three different waves of findings, which started in December 2018. In the most recent wave, discovered on March 26, “attacks came from three distinct Google Cloud Platform hosts and targeted additional types of consumer routers not previously seen before.”

According to Mursch, determining the scope and scale of these attacks is virtually impossible unless researchers use the tactics employed by the malicious actors.

“Home router vulnerabilities are a great nuisance for organizations, and in light of the latest news about hackers leveraging D-Link routers to hijack DNS traffic, organizations should put their guard up,” said Justin Jett, director of audit and compliance for Plixer.

“While home routers don’t directly connect with the corporate network, they are used by individuals at home and in many cases connect business assets like mobile phones and computers to the internet when employees are not on campus.”

Considering the growing number of remote workers, it’s not terribly difficult for malicious actors to go around the corporate defenses via employees’ home networks, which are often much less secure or have fewer safeguards in place. “By changing the DNS server settings at the home router, users may unknowingly connect to sites that will download malware onto their system,” Jett said.

“When the users return to the corporate network, or connect to the VPN, the malware can begin looking for ways to further exploit the organization. Network and security professionals should leverage network traffic analytics to understand normal user behavior. By doing so, when a user returns to the corporate network and starts to display unusual traffic behavior, the network and security teams can quickly identify that there is a problem and remediate.”


Facebook Home to 74 Black Market Groups

Fri, 04/05/2019 - 17:18

Researchers at Cisco Talos detected more than 70 Facebook groups that have been selling black-market cyber-fraud services, some of which have managed to remain on Facebook for up to eight years, according to a Talos Intelligence blog post.

For several months, researchers have been investigating online criminal flea markets on Facebook, discovering a collective list of 74 groups. Members of the groups offer a wide range of services described as “shady (at best) and illegal (at worst) activities,” according to the research.

Though now removed, the groups were selling, buying or trading all types of illegal services, including “stolen bank/credit card information, the theft and sale of account credentials from a variety of sites, and email spamming tools and services. In total, these groups had approximately 385,000 members.” Credit cards were often sold with CVV numbers, as well as some of the victim’s additional identification documentation.

Cyber-criminals and users looking to engage in illicit exchanges were able to navigate Facebook with relative ease, as they reportedly only needed a Facebook account to conduct category searches.

“Once one or more of these groups has been joined, Facebook's own algorithms will often suggest similar groups, making new criminal hangouts even easier to find. Facebook seems to rely on users to report these groups for illegal and illicit activities to curb any abuse,” the authors wrote.

Credit: Talos Intelligence

Group members requested government shell accounts or instructions on moving large amounts of cash, while others offered forged identification documents.

“The majority of the time, these sellers asked for payment in the form of cryptocurrencies. Others employ the use of so-called 'middlemen' who act as a go-between between the buyer and the seller of the information and take a cut of the profits. These users usually promoted the use of PayPal accounts to complete the transaction,” according to the blog.


Australia Law Bans Violent Content on Social Media

Fri, 04/05/2019 - 16:50

Regulators in Australia are cracking down on social media sites in the aftermath of the deadly shooting at two mosques in Christchurch that killed 50 people, according to Reuters.

The Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 would prohibit social media sites and internet or hosting services from allowing “abhorrent violent material.” Such material would include any audio, visual or audio-visual material “that records or streams abhorrent violent conduct engaged in by one or more persons and is material that reasonable persons would regard as being, in all the circumstances, offensive,” regardless of whether the material was altered or the content had occurred outside of Australia, the Act states.

The Act additionally defines abhorrent violent conduct as a person engaging in any act of terrorism, murder, attempted murder, torture, rape or kidnapping another person. The penalties for offenses range from monetary fines to imprisonment.

Social media sites received quite a bit of backlash after videos of the deadly shooting went viral and remained available for 20 minutes after the shooting, according to the House of Parliament.

"The relevant footage was broadcast for 17 minutes without interruption and it was another 12 minutes after that point in time that the first user report on the original video was received by Facebook. The material was live-streamed on Facebook and available on that platform for almost an hour and 10 minutes until the first attempts were made to take it down. Simply put, we find that unacceptable."

After the law was passed, Australia’s attorney general, Christian Porter, said in a press conference, “This is most likely a world first in terms of legislating the conduct of social media and online platforms,” according to The Guardian.

“I would make the observation that appeared to us as a government that there was a near unanimous view among Australians that social media platforms had to take more responsibility for their content, that they could not and should not and the law should prevent them from live streaming or playing acts of the most horrendous violence and there was an expectation that the government would move urgently to ensure that such a law existed which is precisely what we have done today.”


US Web Servers Hosted 10 Malware Families

Fri, 04/05/2019 - 10:06

Security researchers have discovered a cluster of over a dozen US-based servers being used to host and distribute 10 strains of malware in large-scale phishing campaigns.

The web servers in question are owned by FranTech Solutions, a bulletproof hosting provider which uses a datacenter in Nevada, according to security firm Bromium.

Malware hosted on the servers apparently features five families of banking trojans including Dridex and IcedID, two families of ransomware including GandCrab, and three information stealers.

“The variety of malware families hosted, and the apparent separation of command and control (C2) from email and hosting infrastructure, suggests the existence of distinct threat actors: one responsible for email and hosting, and others in charge of operating the malware,” explained Bromium.

“Given the similarities between the campaigns delivering Dridex and the other malware families we identified, it is possible that this collection of web servers is part of the malware hosting and distribution infrastructure used by the operators of the Necurs botnet.”

The phishing campaigns used to distribute malware hosted on these servers appear to be pretty standard, using social engineering to trick recipients into running malicious VBA macros on the attached Word document, thereby triggering a covert malware download.

Bromium speculated that the US may have been chosen for this endeavor rather than a country more tolerant of malicious online activity as it could enable a higher success rate with the mainly US targets.

“The HTTP connections to download the malware from the web servers are more likely to succeed inside organizations that block traffic to and from countries that fall outside of their typical profile of network traffic,” it said.

A Bromium spokesperson confirmed to Infosecurity that the firm had contacted the relevant authorities, but as of Wednesday, some of the servers were still up and running.

BEC Gang “London Blue” Lines Up 8500 New Execs

Fri, 04/05/2019 - 09:30

A major Business Email Compromise (BEC) crime group discovered late last year has added a new list of thousands of executives to target in the US and Asia, according to Agari.

The email security provider uncovered the activity of organized crime group “London Blue” back in December, claiming it had used commercial lead-gen services to identify 50,000 executives to target.

The firm’s latest update claimed the group has, since November 2018, “amassed a new targeting database of nearly 8500 financial executives from almost 7800 different companies around the world.”

Although most of the targets are located in the US, as per last time, a recent focus has seen the group gather contact information for and launch BEC campaigns against targets in Hong Kong, Singapore and Malaysia. However, although the employees themselves are working in these countries, the companies are US, European and Australian.

“Another interesting development is the fact that London Blue made a rather dramatic shift in their attack methodology starting in late-February,” explained Agari senior director of threat research, Crane Hassold.

“Rather than simply using a free and temporary email account with an imposter display name to send their BEC emails, a tactic the group has used consistently since 2016, they started spoofing the email address of the target company’s CEO as a way to add a bit more authenticity to their malicious attacks.”

The best way to stop these is to switch on DMARC with the strongest policy (“p=reject”) as default.
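A way to check whether a domain actually enforces the policy recommended above, as an added example that is not code from the article or from Agari: it parses the text of a DMARC TXT record (as published at _dmarc.<domain>) and lists every gap between it and a full p=reject policy, including the subdomain (sp) and sampling (pct) tags that often weaken a record that looks strict at first glance. The sample records and the example.invalid address are constructed; no DNS lookup is performed.

```python
"""Assess a DMARC record against a strict p=reject policy.

Added example, not the article's or Agari's code. Input is the raw TXT
record string; output is a list of findings (empty = fully enforcing).
"""

from typing import Dict, List

# Constructed sample records for demonstration (not any real domain's record).
SAMPLE_RECORDS = {
    "weak": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid",
    "partial": "v=DMARC1; p=reject; pct=50; sp=quarantine",
    "strict": ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
               "rua=mailto:dmarc-reports@example.invalid"),
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # ignore empty segments and malformed fragments
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings explaining why the record is weaker than p=reject.

    An empty list means the policy is reject for the domain and its
    subdomains, applied to 100% of mail, with aggregate reporting enabled.
    """
    tags = parse_dmarc(record)
    findings: List[str] = []

    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]

    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"domain policy is p={policy or 'missing'}, not p=reject")

    # sp defaults to p when absent; an explicit weaker sp leaves subdomains open
    # to the kind of spoofing described in the article.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"subdomain policy is sp={sub_policy or 'missing'}, not reject")

    # pct defaults to 100; anything lower tells receivers to apply the policy
    # only to a sample of failing messages.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1  # non-numeric pct is treated as not enforcing fully
    if pct != 100:
        findings.append(f"pct={tags.get('pct')} applies the policy to only part of the mail")

    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports will not be received")

    return findings


if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(f"{label}: {assess_dmarc(rec) or ['enforcing p=reject']}")
```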

London Blue is Nigerian in origin but with collaborators in the UK, US and Europe. It’s highly organized, with members assigned specific functions such as lead generation, assignment of leads, customizing BEC emails, recruitment of money mules, and so on.

The gang was first brought to the attention of Agari when it made the mistake of targeting the firm’s own CFO. Since then, it’s tried its luck against the same exec a second time, in January this year.


Industry 4.0 at Risk as Manufacturers Fail to Patch

Fri, 04/05/2019 - 09:05

Nearly two-thirds of manufacturing organizations run outdated operating systems, putting them at increased risk of WannaCry and other threats, according to new Trend Micro research.

The security firm issued the warning in a new report launched at Hannover Messe this week, Security in the Era of Industry 4.0: Dealing With Threats to Smart Manufacturing Environments.

Data collected from its Smart Protection Network between July and December 2018 revealed that just 29% of manufacturers were on Windows 10, with the vast majority (60%) still on Windows 7.

What’s more, a significant minority (4.4%) are still running XP — almost double the number of organizations from other industries (2.5%).

As a result of using old and unsupported operating systems, manufacturing environments had a high infection rate with old network-based worms like Conficker. The same IT systems could be dangerously exposed to ransomware and info-stealers targeting corporate IP, Trend Micro argued.

USB-borne malware could also represent a major risk to the sector, given that autorun detections were higher here (26%) than for any other industry, the report claimed. Infected thumb drives were famously used to help spread Stuxnet.

Human machine interfaces (HMIs) on industrial control systems (ICS) could also be exposed to threats, given many are used in isolated environments and therefore may not be adequately protected, or patched often enough, the report found.

In fact, HMIs accounted for the vast majority (61%) of vulnerabilities reported to ICS-CERT last year through September.

Crucially, although manufacturing systems are often used in isolated environments they are still connected to the public internet for ease of administration, exposing them to remote threats.

While many security reports on the sector hype up the threat of industrial sabotage, this one foregrounds the potential for IP theft.

“Malicious actors could be motivated to steal intelligence on processes, products, or technologies in use, which may include blueprints of confidential designs, secret formulas, or detailed assembly processes,” it noted.

“Computer-aided design (CAD) or document files, for instance, contain proprietary information, and these can be illicitly obtained for the production of counterfeit goods, or even infected or trojanized to enable attackers to gain access to critical systems.”

To mitigate these risks, Trend Micro urged manufacturers to bring IT and OT teams closer together, and to focus on best practices like restricting user access, disabling unnecessary services, prompt patching and updates where possible, and end user education.


Document-Based Malware on the Rise in 2019

Thu, 04/04/2019 - 18:08

Evolving malware continues to pose threats to business, and new research has revealed a rise in the use of document-based malware since the start of 2019.

According to the newest Threat Spotlight from Barracuda Networks, researchers analyzed emails and identified more than 300,000 unique malicious documents, representing 48% of all malicious files detected in the last 12 months. The frequency of document-based malware rose dramatically in the first quarter of 2019, with 59% of all malicious files coming from documents.

“For the past couple of years, script files were a very popular attack method. The percentage of these sort of files declined drastically, however, and was a significant source of the increase of documents as an infection method,” said Jonathan Tanner, senior security researcher at Barracuda Networks.

Although documents are well suited to targeted attacks, all of the document-based malware analyzed was used in phishing campaigns. However, Tanner said documents are used in targeted attacks as well, since as a file type they are less suspicious and more common in clean emails than other file types that could contain malware.

“Documents are a natural evolution from script files, since the languages used are also the ones used for documents – namely VBScript and JavaScript (which was often just called VBScript). The same attacks could be converted to document-based ones with only slight modifications. The script authors had already become very adept at obfuscation techniques, so these could contribute greatly to document-based malware where scripting is already more common and thus deeper inspection of the script itself is required."

Though researchers have long been able to detect and stop malware strains using signature-based methodology, they are increasingly seeing a need for an indicator-based detection process that uses the common cyber kill chain model to determine what makes something malicious, according to the report.


Cyber-Attack on Bayer Shows No Signs of Data Theft

Thu, 04/04/2019 - 17:07

As accusations of nation-state attacks from the Chinese government are becoming more prevalent, Bayer, Germany’s largest drugmaker, announced that it has managed to contain what appears to have been a cyber-attack from China, according to Reuters.

The attack, which was initially reported by German broadcasters BR and NDR, resembles the work of Wicked Panda, a prominent Chinese hacking group that used the Winnti malware.

“Our Cyber Defense Center detected indications of Winnti infections at the beginning of 2018 and initiated comprehensive analyses. There is no evidence of data outflow. Our experts at the Cyber Defense Center have identified, analyzed and cleaned up the affected systems, working in close collaboration with the German Cyber Security Organization (DCSO) and the State Criminal Police Office of North Rhine–Westphalia. Investigations of the Public Prosecutor’s Office in Cologne are ongoing,” a Bayer spokesperson wrote in an email.

For several years, the advanced persistent threat (APT) group has been actively targeting a broad scope of victims around the world. In 2018, CrowdStrike research suggested the group is “contractors who are supporting high-priority operations as needed,” adding that the group had “improved operational security and anti-analysis TTPs, evidenced by the use of machine-specific decryption keys.”

Attribution in these attacks can be challenging, though. “While the prevailing theory is that the attacker(s) are linked to China based on targeting and some previous analysis of the Winnti rootkit, it’s far from conclusive. The Winnti malware has been around for a few years now – plenty of time to be shared and repurposed by a loosely affiliated threat actor group, which may or may not have had state backing in this case,” said Mark Orlando, chief technology officer, Raytheon cyber protection solutions.

Still, Orlando applauded Bayer’s comprehensive response, regardless of the source or motives behind the attack. “It seems clear in this case that that’s what Bayer did, and then provided the evidence to law enforcement to enable them to draw their own conclusions.”

Maintaining operational security and disclosing information only to those who need to know it while executing a measured response is often a challenge for organizations that discover they have been breached. Orlando said, “The fact that Bayer kept this incident under wraps and left the infected systems online to support an ongoing investigation makes this an interesting case study in incident response and disclosure. Taking these steps enabled the Bayer security team to determine the scope of the incident, analyze the malware on its systems and devise ways to detect additional infections prior to the incident being made public.”

Categories: Cyber Risk News

Consumers on Board with Securing Health Records

Thu, 04/04/2019 - 16:01

As the healthcare industry continues to struggle with tightening up its cyber-defenses, consumers increasingly believe they play a role in securing their health information, according to a new report published by Morphisec.

The 2019 Consumer Healthcare: Cybersecurity Threat Index asked more than 1,000 consumers their opinions on the number of cyber-attacks targeting health information to understand consumer perspectives on their provider's cyber-defenses.

“With nearly 90% of health organization CIOs indicating they purchase cybersecurity software to comply with HIPAA, rather than to reduce threat risk, consumers have a right to be worried about the cyber-defenses protecting their health data,” said Tom Bain, VP of security strategy at Morphisec, in today’s press release.

“Merely checking the box that cybersecurity defenses meet HIPAA requirements isn’t enough to protect healthcare organizations today from advanced and zero-day attacks from FIN6 and other sophisticated attackers.”

Even though HIPAA rules require healthcare providers to inform patients of a data compromise, the report found that 54% of consumers don’t know if their health provider has suffered a cyber-attack.

“With more than 2,500 healthcare data breaches since 2009, each involving more than 500 records, it’s estimated that about 190 million healthcare records have been exposed over the last decade. That’s equivalent to 59% of the U.S. population. So most of those who don’t know if their provider has been breached may actually have had their data compromised,” the report said.

Only 30% of respondents said they hold their providers solely responsible for securing their health records, while 50% feel they are also responsible for securing their private health information. While 45% believe their personal health information is more secure on their own devices than it would be on the devices of their providers, the vast majority of consumers (80%) reported that they are not well prepared to respond to cyber-threats on their personal devices.

“As healthcare providers open up different channels for sharing data, and even encourage the sharing of patient-generated data (PGD), such as physical activity, heart rate, sleep, food, and blood glucose levels, they should be clear with consumers on who maintains ownership of that data as it is shared,” the report said.

Categories: Cyber Risk News

A Third of Brits Suffered Cybercrime Last Year

Thu, 04/04/2019 - 10:05

Around 17 million UK consumers have experienced cybercrime over the past year and a majority think it’s likely to happen in the future, according to the latest annual report from Norton.

The Symantec brand’s 2018 Norton LifeLock Cyber Safety Insights Report features answers from over 1,000 British consumers who were polled as part of a global survey of more than 16,000 adults.

It defines “cybercrime” as a crime committed online, including detecting unauthorized access to an account, learning information was exposed in a data breach, and detecting malicious software on a device.

A third of respondents said they’d experienced such a crime last year, around the same as for the 2017 report. A further 62% said it’s likely they’ll suffer an attack in the coming year and 60% claimed they are as likely or more so to experience cybercrime as they are to get the flu.

Yet according to the hard figures, UK losses connected to cybercrime have plummeted over the past year, from £4.6bn in the 2017 report to just £1.7bn this year. The average number of hours it took respondents to deal with the aftermath of an attack also appears to have significantly fallen: from 14.8 hours to just 5.5 hours.

However, a Norton spokesperson told Infosecurity that it was impossible to compare the two reports like-for-like “as there are a huge number of variables.”

"Even the types of cybercrime differ each year, as methods evolve," they said.

The report also highlighted the growing threat to smart devices and endpoints, especially in the connected home.

Worryingly, a quarter (25%) of Brits were unaware that smart devices can be hacked, a figure rising to 28% for smart door locks and 32% for smart baby monitors.

The report also pointed to something of a contradiction between consumer attitudes to privacy and their behavior online.

While 82% said they are concerned about privacy and 95% said they have little or no trust in social media companies when it comes to protecting their personal info, 65% accept certain risks to make life more convenient.

Over half claimed they were even willing to sell or give away data on their location (57%) and internet search history (53%).

Categories: Cyber Risk News

Iranian Hackers Target UK Organizations in Ongoing Attack

Thu, 04/04/2019 - 09:23

State-sponsored Iranian hackers have been blamed for a newly disclosed cyber-attack campaign against UK government and private sector targets last December.

The ongoing campaign has already compromised the personal details of thousands of employees, including those working in banks, local government and the Post Office.

The latter two were hit in a raid on December 23, according to Sky News.

The National Cyber Security Centre (NCSC) told the broadcaster it is “aware of a cyber-incident affecting some UK organizations in late 2018" and that it is “working with victims and advising on mitigation measures.”

The email address and mobile phone number of Post Office chief Paula Vennells is said to be among the compromised personal details.

It’s unclear what the end goal is, although the data collection exercise could be followed by a spear-phishing-led campaign to steal more sensitive information from government and private sector networks.

The Iranian Revolutionary Guard-linked group behind the campaign is apparently the same one blamed for the 2017 brute-force attack on parliamentary accounts. In that raid, around 1% of the 9,000–10,000 accounts targeted were successfully compromised, with some individuals also being subjected to vishing attempts to trick them into divulging log-ins.

MPs were also targeted by a phishing campaign in February after a Tory lawmaker’s email account was compromised and dozens of his colleagues were added to a WhatsApp group by the hacker.

David Atkinson, CEO of Senseon and former government “cyber operative,” argued the news demonstrates how nation-state attacks can affect a wide sweep of organizations.

“This attack also shows that we need to change awareness of what constitutes critical infrastructure. Again, we are not just talking about the energy sector, communications, and industrial organizations,” he added.

“Threat actors will also target the economy and if a large-scale attack is launched against the UK’s banks, you can bet the situation will quickly become critical. The government has a responsibility to ensure a good standard of security and defense across all major organizations to safeguard the UK.”

Darren Anstee, CTO at NETSCOUT, argued that Iranian groups are increasingly combining custom-made tools with commodity crimeware to extend their reach and impact.

“Political disruption provides a fertile ground for cyber-attacks against government, non-government and international organizations, meaning it’s hardly surprising malicious actors in Iran have mounted an attack against the UK,” he added.

“As a result, it is critical that governments and organisations make themselves aware of these new methods to disrupt and interfere with domestic and international affairs. It is also essential that governments and businesses collaborate closely to neutralize threats and prevent attacks on national institutions.”

Categories: Cyber Risk News

Third Parties Leak Data on 540 Million Facebook Users

Thu, 04/04/2019 - 08:50

Over half a billion personal Facebook records have been publicly exposed to the internet by two third-party app developers, according to researchers at UpGuard.

The security company claimed in a blog post on Wednesday to have found the two datasets stored in Amazon S3 buckets, configured to allow public download of files.

By far the larger of the two comes from Mexico-based media company Cultura Colectiva. The 146GB trove contained over 540 million records including comments, likes, reactions, account names, Facebook IDs and more.

UpGuard claimed the data was being collected by the firm to help it better predict which type of content will generate the most traffic.

The second S3 dataset relates to an app titled At the Pool and includes entries for the following data: fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password and more.

Although the volume of data was much smaller, it still contained 22,000 plain text passwords for the app, which could put users at risk if they reuse credentials across multiple sites.

The At the Pool data was taken offline before UpGuard even had a chance to send a notification email. However, despite having been notified on January 10, it took until April 3 for the larger dataset to be secured.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control. In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security,” explained UpGuard.

“The surface area for protecting the data of Facebook users is thus vast and heterogeneous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”

Categories: Cyber Risk News

A Spot of Ransomware Hits AriZona's Tea

Wed, 04/03/2019 - 19:33

Another ransomware attack has struck, and this time the massive attack, on AriZona Beverages, was a targeted one.

After more than 200 company-networked computers displayed the message “Your network was hacked and encrypted,” the company’s IT department had to rebuild the network, according to a post from Cloud Management Suite. Infosecurity was unable to reach AriZona Beverages by phone, and the company has not responded to a request for comment.

“AriZona Beverages may have been relying on age-old IT systems. In light of this, the news that AriZona Beverages was hit with a ransomware attack last month and subsequently has spent a fortnight rebuilding its network might not come as a massive shock to some,” said Caroline Seymour, VP of product marketing at Zerto.

Some have speculated that the company was infected with Dridex. According to experts at CrowdStrike, if the company had Dridex, then the ransomware package was most likely BitPaymer, which many are not yet familiar with. It is also believed that iEncrypt can be used interchangeably with BitPaymer.

CrowdStrike Intelligence tracks INDRIK SPIDER, a sophisticated e-crime group that has been actively developing the Dridex malware since early 2014, though it was first publicly reported in July 2014, according to Adam Meyers, VP of intelligence.

“It has evolved into an affiliate model where there are multiple customers/users of Dridex who use it for various purposes. Initially it was used to steal credentials to enable wire fraud, but since 2017 it is more commonly observed running more targeted and higher value operations. CrowdStrike Intelligence has observed this malware being used to deploy enterprise ransomware, which we call ‘Big Game Hunting.’”

With daily revelations of ransomware, the threat of a large-scale attack – the possibility of which was suggested in a recent Lloyd’s of London report – looms large. The report poses a scenario in which a large-scale attack is launched through an infected email that is forwarded to all of the recipient's contacts and is able to encrypt the data of 30 million devices within 24 hours.

“Despite the high costs to business, the report shows the global economy is underprepared for such an attack with 86% of the total economic costs uninsured, leaving an insurance gap of $166bn,” the report said.

The potential volume of unreported attacks is of great concern to industry experts. “For every one reported attack,” said Marcus Chung, CEO at BoldCloud, “it is likely there are at least 5–10 unreported ransomware attacks. It is also very likely that some of these attacks are targeted and simply attempts to gain insights and intelligence towards identifying soft targets and possibly entire industries. Now, more than ever, it is more important to take a proactive approach towards protecting your data!”

Categories: Cyber Risk News

UK Orgs, Charities Improving in Cybersecurity

Wed, 04/03/2019 - 16:21

Businesses and charities are showing progress in defending against breaches and ensuring compliance with the General Data Protection Regulation (GDPR), according to a new report published by the Department for Digital, Culture, Media and Sport.

The Cyber Security Breaches Survey 2019 found that less than a third (32%) of businesses and less than a quarter (22%) of charities reported a cybersecurity breach or attack in the last 12 months. The reported number of businesses identifying breaches or attacks is lower than it was in both 2018 (43%) and 2017 (46%). Similarly, the number of breaches or attacks reported by charities also declined.

“While fewer businesses have identified breaches or attacks than before, the ones that have identified them are typically experiencing more of them. These are consistent trends since the 2017 survey...Among the 32% of businesses that did identify any breaches or attacks, the typical (median) number they recall facing has gone up, from 2 attacks in 2017 to 6 in 2019,” the report said.

The statistics suggest that GDPR may be influencing cybersecurity awareness, which is driving change for enterprise security; however, the study also recognized that more can be done to protect against new and emerging cyber-threats. While companies are receptive to guidance on how to improve aspects of cybersecurity, the study found that companies need to be more proactive.

“Six in ten businesses (59%) and just under five in ten charities (47%, up from 36% in 2018) have sought external information or guidance on cyber security in the last 12 months," the report said. "However, only seven per cent of businesses and nine per cent of charities have sought information or guidance from the Government or public-sector bodies (such as the National Cyber Security Centre).”

Despite the majority of these businesses (75%) admitting that the information they receive is useful, the statistics indicate that companies and charities fail to seek out information for themselves.

“While cybersecurity is climbing up the ladder to becoming a top business priority, this survey is a clear sign that there is more to be done to really move the needle on protecting businesses and charities from potential disruptive breaches,” said Hiwot Mendahun, cybersecurity analyst at Mimecast.

Categories: Cyber Risk News