Info Security

Cisco Announces Plans to Acquire Duo Security

Thu, 08/02/2018 - 13:06

Cisco has announced its intent to acquire privately-held Duo Security.

The deal will purportedly see Cisco pay $2.35bn in cash and assumed equity awards for Duo Security’s outstanding shares, warrants and equity incentives on a fully-diluted basis.

Duo Security, headquartered in Michigan, provides unified access security and multi-factor authentication through the cloud, offering zero-trust authentication and access products.

“In today’s multicloud world, the modern workforce is connecting to critical business applications both on- and off-premise,” said David Goeckeler, executive vice-president and general manager of Cisco’s networking and security business.

“IT teams are responsible for protecting hundreds of different perimeters that span anywhere a user makes an access decision. Duo’s zero-trust authentication and access products integrated with our network, device and cloud security platforms will enable our customers to address the complexity and challenges that stem from multi- and hybrid-cloud environments.”

The deal is expected to be completed at some point during Q1 of Cisco’s fiscal year 2019, with Duo Security, which will continue to be led by Song, joining Cisco’s Networking and Security business led by Goeckeler.

“Our partnership is the product of the rapid evolution of the IT landscape alongside a modernizing workforce, which has completely changed how organizations must think about security,” said Dug Song, Duo Security’s co-founder and chief executive officer. “Cisco created the modern IT infrastructure, and together we will rapidly accelerate our mission of securing access for all users, with any device, connecting to any application, on any network.”

Categories: Cyber Risk News

Members of FIN7 Arrested, Face 26 Felony Counts

Thu, 08/02/2018 - 12:50

Members of the cybercrime gang FIN7, also known as Carbanak and JokerStash and suspected of targeting more than 100 organizations in the US and others around the globe, were arrested by the Department of Justice (DOJ) on Wednesday 1 August 2018.

Ukrainian nationals Dmytro Fedorov, 44; Fedir Hladyr, 33; and Andrii Kolpakov, 30, are in custody, charged with 26 felony counts of alleged conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. The charges were filed in Seattle’s US District Court, according to news from the DOJ. Since at least 2015, the crime gang has engaged in a malware campaign targeting hundreds of companies, including Chipotle Mexican Grill, Chili’s and Arby’s.

“FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations,” the DOJ wrote.

The arrest of these malicious actors responsible for prolific financial theft on an immense scale is good news to the industry experts at Kaspersky Lab, who have long been tracking the Carbanak threat. In 2014, Kaspersky researchers observed that Carbanak was the first to apply to common financial crime the highly sophisticated tools, techniques and processes normally associated with nation-state-backed threat actors.

“Following the publication of our findings, the gang did not disband and disappear as many others do; it stayed and in fact extended its activities,” Kaspersky Lab wrote in an email. “Our research shows that, over time, Carbanak turned into an umbrella for a range of cyber-criminal activities all sharing the same purpose of illicit financial gain. We believe that the kind of active international cooperation that led to these arrests is the key to catching and stopping the most sophisticated cyber-threats.”

The arrest of the Ukrainian nationals tied to the FIN7 cybercrime group is significant, said Illumio's head of cybersecurity strategy, Jonathan Reiber. “It shows how hard work and international law enforcement cooperation leads to real results. German, Polish, and Spanish law enforcement agencies worked together to bring these criminals to justice. Cyber-space may be comprised of darknets and bits and bytes, but leadership, detective work and alliance cooperation are what bring down criminal organizations.”

Categories: Cyber Risk News

Amnesty International Staff Targeted with Spyware

Thu, 08/02/2018 - 12:17

Amnesty International found hackers attempting to infect one of its researcher's phones with a tool from Israel-based NSO Group, long known as makers of spyware, the NGO reported.

Amnesty International’s tech team launched an investigation after one of its staff members received a suspicious WhatsApp message in Arabic, which detailed information about a protest at Washington D.C.’s Saudi embassy. The message included a malicious link for further details. Because the NSO Group spyware is mainly sold to government agencies, Amnesty International believes that it was targeted by a hostile government that takes issue with its work.

“The potent state hacking tools manufactured by NSO Group allow for an extraordinarily invasive form of surveillance,” said Joshua Franco, Amnesty International’s head of technology and human rights. “A smartphone infected with Pegasus is essentially controlled by the attacker – it can relay phone calls, photos, messages and more directly to the operator. This chilling attack on Amnesty International highlights the grave risk posed to activists around the world by this kind of surveillance technology.”

Had the victim clicked, they would have installed the highly sophisticated Pegasus surveillance tool. “Pegasus (the NSO spyware) almost found itself in the wild after one of its workers decided to try and sell it on the dark web,” said Koby Kilimnik, security researcher at Imperva, “but there isn’t a good way to prevent such hacking tools from falling into the wrong hands.”

NSO Group reportedly told Amnesty International that its spyware is intended to be used as an investigative tool to prevent crime and terrorism and that any other use is a violation of its acceptable use policy. “While malware from firms such as the NSO Group can, and apparently has, been used to spy on human rights activists and others, the code itself is unbiased and has no agenda,” said Lee Munson, security researcher at Comparitech.

“For that reason and given the fact that its intended target was supposedly terrorists, it is very hard indeed to legislate against it. Additionally, malware propagates so quickly and in so many unusual ways that it is hard to block it completely,” Munson continued.

“Whether or not governments should be dabbling in such surveillance code is an interesting question and the answer is not easy to come by – balancing privacy against security is a problem politicians will be fighting over for decades to come.”

Categories: Cyber Risk News

Nuisance Call Firm Hit with £100K ICO Fine

Thu, 08/02/2018 - 09:44

The Information Commissioner’s Office (ICO) has fined yet another marketing firm for nuisance calls which broke privacy and communications laws.

The UK’s data protection watchdog also enforces the Privacy and Electronic Communications Regulations (PECR), which govern the use of marketing emails, calls, texts, faxes and other aspects.

It has levied a £100,000 fine against East Sussex-based AMS Marketing, which made the calls to tens of thousands of individuals who had specifically opted out by registering with the Telephone Preference Service (TPS).

It claimed to have received over 100 complaints about the calls, which were made between October 1 2016 and December 31 2017.

An ICO investigation found that AMS bought lists of prospects from third parties but made no attempt to check whether they were on the TPS list.

“Firms that buy in lists of data are duty-bound to check whether people are registered with the TPS,” a spokesperson for the watchdog said.

“Firms that fail to make the proper checks, do so at their peril. The ICO can and will take action.”

The announcement is the latest in a long list of similar financial penalties levied by the ICO against nuisance calls companies, amounting to some of the largest fines ever issued by the watchdog.

In September last year Welsh marketer Your Money Rights was hit with a £350,000 fine after being found guilty of masterminding a campaign which made 146 million illegal automated calls to the British public.

A few months earlier in May, Keurboom Communications was fined £400,000 for nuisance calls made over an 18-month period, but its director placed the firm into liquidation before the money could be recovered.

The government is said to be planning a new law which will allow the ICO to fine the company directors behind nuisance call firms, hopefully putting an end to this practice.

In January this year the fines kept on coming, with Miss-sold Products UK forced to pay £350,000 after co-ordinating 75 million nuisance calls in just four months.

In this case its director applied to strike it off the Companies House Register — a move the ICO blocked in a bid to help it recover the money.

Categories: Cyber Risk News

UK Shipper Was Held to Ransom After 2017 Breach

Thu, 08/02/2018 - 09:12

Clarksons has finally released more details of a 2017 data breach, claiming the hacker demanded a ransom for the stolen information.

The UK-headquartered shipper said it discovered unauthorized access to its systems between May 31 and November 4 last year. The attackers got in via a “single and isolated user account” which was subsequently disabled.

However, the firm appears to have proactively been able to mitigate the worst effects of the attack.

“Through the investigation and legal measures, Clarksons was then able to successfully trace and recover the copy of the data that was illegally copied from its systems,” it claimed.

Although the firm believes it has recovered the data, it is notifying potentially affected individuals, as the range of data stolen is worryingly broad.

“While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV, driver’s license information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors,” the statement noted.

As the hackers were able to infiltrate the network via just a single entry point, the case highlights the need for strong authentication everywhere, according to Keith Graham, CTO at SecureAuth Core Security.

“Most data breaches happen because of misused user credentials, so if businesses focus on getting the access and authentication part right for users that’s half the battle. This helps ensure that privilege and roles from one side of the partnership cannot be used anomalously against the other side of the partnership, and vice versa,” he added.

“This approach limits the risk associated with the misuse of stolen or lost credentials, before authentication methods are even offered to the end user.”

This incident occurred well before the GDPR was brought into force, but the lack of transparency by the victim organization, the length of time it took to notify customers and the sheer range of highly sensitive data potentially compromised would certainly have warranted a serious investigation.

The regulation mandates that organizations operate a policy of data minimization so that they represent a smaller target to hackers.

Categories: Cyber Risk News

Reddit Breached After SMS 2FA Fail

Thu, 08/02/2018 - 08:43

Reddit has become the latest big-name tech firm to admit to a major data breach, after hackers compromised staff accounts by intercepting SMS-based two-factor authentication codes.

The firm’s CTO, Christopher Slowe, explained in a lengthy Reddit post that it discovered the attack over a month ago, on June 19.

“We learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA,” he said.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”

Craig Young, security researcher at Tripwire, argued the incident proves the fallibility of SMS-based verification tokens, which can be stolen via a variety of techniques.

“The most common technique is most likely use of smartphone malware which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity from the end-user but this seems less likely in such a targeted campaign,” he added.

“Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No 7 (SS7) protocol which is at the heart of modern telephony routing or that they simply called up the victim’s cellular provider and convinced them to transfer the phone number to a new SIM. An attacker within the same cellular coverage area as the victim could even intercept and decrypt SMS out of the air with just a couple hundred dollars of equipment.”

Reddit’s attackers managed to access two troves of data: an old back-up database from 2005-07 featuring “account credentials (username salted hashed passwords), email addresses, and all content (mostly public, but also private messages)” and email digest logs from between June 3 and June 17, 2018 containing username and email.

The passwords are probably safe if they’ve been salted and hashed as it would take a significant amount of effort by the attackers to crack them, explained Koby Kilimnik, security researcher at Imperva.

“Notwithstanding that, I would still recommend changing your Reddit password, and if you don’t like spam emails, you might also want to start using a different email account, since those leaked emails will probably find their way into some spammer’s database,” he added.

“Another good idea is not to use the leaked password anywhere else. Although it’s hard to crack those passwords, once cracked, the chances are much greater that they will also be added to a dictionary in a future ‘credential stuffing attack’.”

The firm claimed it is notifying users about the older breach but has told users potentially affected by the newer one that they must proactively search their inbox for emails from between June 3-17, 2018.

It’s been reported that this trove could be far larger than the first and may help the attackers unmask anonymous users by linking their pseudonym to their username and email address.

The platform has over 300 million global users and US users have the email digest function switched on by default, so the number could theoretically top 200 million.

Because European citizens' data is presumably affected by the breach, and the incident occurred in June, it’s likely that GDPR regulators will get involved. There will be question marks for starters over the length of time it took to notify customers and the decision to force users to proactively check their emails to see if they were affected by the more recent breach.

Categories: Cyber Risk News

DHS Launches Cyber-Risk Management Center

Wed, 08/01/2018 - 14:03

The Department of Homeland Security (DHS) has announced the creation of a new cyber-risk management center intended to protect the nation’s banks, energy companies and other industries from potentially crippling cyber-attacks on critical infrastructure, according to agency officials who spoke at the 31 July cybersecurity summit hosted by DHS.

DHS Secretary Kirstjen Nielsen led a panel discussion composed of Department of Energy Secretary Rick Perry, Cyber Command and National Security Agency leader Gen. Paul Nakasone, FBI director Christopher Wray, Mastercard CEO Ajay Banga, AT&T CEO John Donovan and Southern Company CEO Tom Fanning. Hoping to launch the center in 90 days, the DHS has also established a task force that will focus on threats to the industrial supply chain.

“It is great to have the DHS take the lead to coordinate public–private partnerships that protect the national critical infrastructure,” said Joseph Kucic, chief security officer at Cavirin. “In the past, various agencies attempted to address critical infrastructure through single agency initiatives (i.e. FBI via InfraGard; Department of Commerce via NIST, etc.). Having one coordinated overall lead organization will reinforce our cyber vision.”

The goal of the new Cyber Hub is to define common risk management frameworks and security metrics, unifying the various approaches and tactics currently deployed so that a consistent peer measurement process can be implemented.

“The true success of this new coordinated effort would be to take an end-to-end approach and cover all areas of cybersecurity (infrastructure, applications, end points, IoT, ICS, data, user identity, and transactions) so that we can achieve an overall security posture to protect all Americans,” Kucic said.

Threats from nation-state attackers highlight the urgent need to better protect critical infrastructure and identify the risks within the supply chain. “Our cyber adversaries are far more powerful, motivated and well funded than ever before,” said Bill Conner, CEO, SonicWall.

“They are fueled by malicious intent to strike at the heart of the American economy, infrastructure and even our civil liberties. The Department of Homeland Security’s attention and commitment to cybersecurity is to be commended.”

Categories: Cyber Risk News

Phishing Attack Strikes UnityPoint Health

Wed, 08/01/2018 - 13:26

Iowa’s UnityPoint Health reported that it was the victim of a phishing attack, saying the attack put the sensitive information of 1.4 million patients at risk, according to local news media KCCI.  

The public notice regarding the security incident stated that UnityPoint Health received a series of phishing emails that successfully tricked some employees into clicking because the emails appeared to have come from one of the company’s trusted executives. Those who fell victim shared their confidential log-in credentials, giving attackers access to their internal email accounts from 14 March 2018 to 3 April 2018.

“Some of the compromised accounts included emails or attachments to emails, such as standard reports related to healthcare operations, containing protected health information and/or personal information for certain patients. While unauthorized access to patient information may have occurred, no known or attempted misuse of patient information has been reported at this time,” the notice stated.  

The healthcare sector has long been a target of attack, which is why healthcare cybersecurity expert Leon Lerman, CEO of Cynerio, warned, “Healthcare organizations need to be on high alert for these types of phishing attacks like the one that targeted employees of UnityPoint Health. Perhaps they think it won’t happen to them and that the cyber-criminals will go after very large organizations, so they don't really take action to protect themselves.”

Regardless of size, healthcare organizations deal with very sensitive data, which is why they are repeatedly targeted. “Hackers also take into account that smaller organizations typically have less protections and are easier to hack,” Lerman said.

Even though security awareness training programs teach users not to click links or download attachments from unknown or suspicious emails, when the email comes from a senior executive, employees continue to fall for the bait. For criminals, this tactic is “low-cost, easily deployed, easily targeted, and preys on the human capacity to suspend criticism in favor of a quick boost to our serotonin,” said Josh Mayfield, director of solutions marketing at Absolute.

To defend against these types of attacks, organizations can implement some sort of framework against which people, processes, and technology align. “In the world of healthcare, this takes the form of HITRUST or its parent, the NIST Cybersecurity Framework,” Mayfield said.

“Placing attention on the resilience of people, processes, and technology can help avoid many of the tragedies that make headlines or awaken alarms at the OCR. A marginal improvement in cyber hygiene will enhance your resilience and lower the probability of malicious attacks. There is no such thing as zero risk. We live in a world of oscillating probabilities. Those probabilities can be affected by human agents conspiring to bring robust cyber defense through persistent cyber hygiene.”

Categories: Cyber Risk News

Spam Click Rates High, 2FA Use Low at Work

Wed, 08/01/2018 - 12:42

Organizations continue to be at risk from insider threats because they lack strong identity management solutions, whether it's end users clicking on spam, issues with multifactor authentication (MFA), or companies keeping their decisions about security and identity separate, according to three new surveys released by F-Secure, SecureAuth Core Security and ObserveIT.

According to news from F-Secure, email spam, a decades-old threat, remains a popular attack method choice among cyber-criminals. “Spam is becoming an increasingly successful attack vector, with click rates rising from 13.4% in the second half of 2017 to 14.2% in 2018,” said Adam Sheehan, behavioral science lead at MWR InfoSecurity (which was acquired by F-Secure in June 2018), in a press release.

In addition to the risks from email spam campaigns, businesses continue to struggle when it comes to defending against insider threats. ObserveIT today released its Multigenerational Workforce and Insider Threat Risk study, which found that there is a disconnect between cybersecurity awareness and insider-threat risk. Despite the fact that the survey found 65% of the 1,000 respondents know what insider threats are, those threats continue to rise.

The study went on to look at the different behaviors by generation and found that 90% of 45-54-year-olds adhere to their organization’s cybersecurity policy, while a third (34%) of 18-24-year-olds said they don’t know what is included in the cybersecurity policy of their employers.

Looking at the rise of email spam campaigns in conjunction with these statistics on insider threats highlights the formidable problem organizations face from their employees. Whether users click on malicious links is only one factor in the overall risks of insider threats, but defending against insider threats requires a strong identity management policy, which many organizations have yet to implement, according to SecureAuth Core Security.

Results of a Cybersecurity and Identity Gap Survey, conducted by SecureAuth Core Security, found that a majority of businesses continue to struggle with strengthening their overall cybersecurity posture because they’re not aligning cybersecurity measures with identity practices. Only half of the organizations surveyed reported using two-factor authentication (2FA) or MFA.

Of those who have implemented these strategies, 65% of respondents expressed dislike for 2FA and MFA. When it comes to downloading and using a mobile app to initiate the authentication process, 63% of respondents said they experience friction from employees.

“Despite increased spending on cybersecurity capabilities, breaches still continue to rise, showing the status quo is no longer good enough,” said Jeff Kukowski, CEO of SecureAuth Core Security, in today’s press release. “The industry must begin to approach cybersecurity and identity management together to better detect and mitigate risks, rather than treat them as disparate silos that don’t communicate with each other and actually increase the threat surface.”

Categories: Cyber Risk News

Firms Urged to Scour Dark Web for Breached Data

Wed, 08/01/2018 - 11:35

A security vendor has released a list of top activities organizations should watch out for on the dark web that may cause them harm or indicate they may have been compromised.

Security intelligence firm Terbium Labs claimed that organizations are losing the battle against their online adversaries, despite rising security budgets, and must look to the non-indexed web to give them a much-needed advantage.

To this end, with the right tools they can find customer PII, or financial information such as primary account numbers (PANs) and bank identification numbers (BINs), which are indicative of a breach, the firm argued. Data is sometimes updated daily on underground markets, so scanners must operate frequently.

This kind of intelligence could significantly shorten the window of opportunity for cyber-criminals to use stolen data. The latest stats from IBM claim the mean time to identify a breach dropped just five days over the past year to stand at 163 days. That’s bad news when you consider an average breach now costs $3.9m.

“These days, data breaches are inevitable, so the key to containing the fallout from an incident is proactive detection and response,” Terbium Labs CEO, Danny Rogers, told Infosecurity. “The statistics are clear — data breach costs are directly proportional to the time to discovery, so the earlier an organization can detect that something is amiss, the less damage occurs. Proactive data breach detection is the key.”

Monitoring for customer data is not the only way companies can protect themselves. Leaks to the dark web of proprietary source code could also affect firms by enabling hackers to research vulnerabilities to exploit in attacks, said Terbium Labs.

In addition, third-party breach data dumps may reveal employee credentials that can be used in attacks, or follow-on phishing attempts.

The security firm also warned that “inexpert dark web searching” can actually increase an organization’s risk exposure. It revealed that one security vendor searched so many times for the name of a client CISO that the name made it to the trending section of the now-defunct dark web search site Grams.

Categories: Cyber Risk News

Over 600K Shoppers Affected by E-commerce Security Incident

Wed, 08/01/2018 - 09:32

Over half a million shoppers have had their personal data put at risk after a security breach at an IT supplier to several e-commerce sites.

An undisclosed security issue at service provider Fashion Nexus allowed a white hat hacker to access a server containing a database of clients’ customer details.

Although the initial figure arrived at by security researcher Graham Cluley was 1.4 million affected customers, Fashion Nexus claimed far fewer were impacted.

“There are 922k unique email addresses which of these, around 280k were captured by audit processes in brute force login attempts from external unrelated already-breached email lists,” it claimed in a statement.

“This limits the exposure of our clients' data to 642k customer records. The age of the data stores involved (as they were for test purposes) means that most of these customer records are between two and nine years old.”

The exposed data includes email addresses, encrypted passwords, names, telephone numbers and addresses for some but not all. The firm was at pains to point out that no financial data was compromised.

However, hackers can still do a lot with non-financial data, explained NuData Security VP, Ryan Wilk.

“The personally identifiable information accessed can easily fuel synthetic identity fraud and identity theft. With these types of fraud, PII such as name, address, or date of birth is traded on the dark web to steal a real identity or construct an entirely new fraudulent one for theft,” he argued.

“NuData has seen a 100% increase in purchase attempts with flagged — suspicious — credit cards, which are often used under a fake account that has been created with stolen information.”

Fashion Nexus recommended that customers of AX Paris, Granted London, Jaded London, ElleBelle attire and Traffic People change their account passwords.

“Whilst DLSB ( is named online, customer data was not taken from our server. The breach was quickly identified and the vulnerability removed. The ICO has been informed,” it added.

As pointed out by Cluley, in another security gaffe, the company does not have an HTTPS-enabled site, potentially exposing it to further compromise in the future.

The incident calls to mind a far more serious discovery last month. Threat group Magecart is said to have compromised as many as 800 e-commerce sites around the globe by injecting malicious code into the software supply chain.

Categories: Cyber Risk News

Facebook Removes Fake Accounts Linked to Russian Firm

Wed, 08/01/2018 - 08:54

Facebook has been forced to remove 32 Pages and accounts from the site after spotting “coordinated inauthentic behaviour” linked to previous Russian attempts to influence political discourse.

The social network explained all in a lengthy series of posts on Tuesday, apparently keen to show it is taking the issue seriously after being criticized in the past for failing to react quickly enough to reports of Russian attempts to influence the 2016 US election.

The first of the eight Pages, 17 profiles and seven Instagram accounts were identified two weeks ago and the last of them were removed on Tuesday after co-ordination with law enforcers, Congress and others, explained Facebook’s head of cybersecurity policy, Nathaniel Gleicher.

They had created 9500 pieces of organic content on Facebook and one on Instagram, were followed by over 290,000 accounts, and created 30 events that thousands of followers were interested in attending.

The most popular Pages were “Aztlan Warriors,” “Black Elevation,” “Mindful Being,” and “Resisters” — highlighting the range of diverse interests the bad actors were looking to promote.

Those behind the activity were more careful to disguise their identity than previous Russian actors, using VPNs and internet phone services and paying for ads via third parties. However, there were still signs linking them to the infamous Russian Internet Research Agency (IRA) blamed for much of the pre-2016 election activity, Facebook claimed.

“Given these bad actors are now working harder to obscure their identities, we need to find every small mistake they make. It’s why we’re following up on thousands of leads, including information from law enforcement and lessons we learned from last year’s IRA investigation,” said Gleicher.

“The IRA engaged with many legitimate Pages, so these leads sometimes turn up nothing. However, one of these leads did turn up something. One of the IRA accounts we disabled in 2017 shared a Facebook Event hosted by the “Resisters” Page. This Page also previously had an IRA account as one of its admins for only seven minutes. These discoveries helped us uncover the other inauthentic accounts we disabled today.”

Facebook is not attributing the activity to Moscow yet, as it claimed its technical forensics are “insufficient,” but it has handed the matter over to US law enforcement. The incident comes just three months before the US mid-term elections.

Categories: Cyber Risk News

Registry Keys Vulnerable with COM Hijacking

Tue, 07/31/2018 - 13:41

Attackers are leveraging a new technique that allows them to run a specious file that looks legitimate but is actually malicious, according to the research team at Cyberbit. The component object model (COM) hijacking technique, usually used by attackers as a persistence mechanism, also has evasive capabilities.

A proof-of-concept experiment run by the Cyberbit research team and detailed in today's blog post found that hundreds of registry keys were vulnerable to this attack. While most modern malware creators use code injection to disguise malicious behavior within benign activity, the idea with COM hijacking is to run code within the context of a legitimate, whitelisted process, like a web browser.

Researchers wrote that their findings were alarming. “Another troubling finding is the fact that adding these DLLs doesn’t even require a boot. Since most keys were affected immediately upon running the target process, some keys did not even require execution of the target process for a process which is already running such as 'Explorer.exe.'”

Using this technique, attackers are able to legally load and run the malware while evading detection. The technique is very easy for attackers to implement because it does not require sophisticated code injection, yet the loaded code has the privileges to perform sensitive actions, like connecting to the internet, according to researchers.

“The purpose of this research was to uncover the scope of the problem, which is often overlooked by security products,” said Meir Brown, director of research at Cyberbit. “The scope of the risk is wide since we have seen many critical Windows processes which load COM objects without verification. This generates an easy method of injection and persistence with minimal visibility.”

“The mitigation is to have a security solution which alerts on COM hijacking and to monitor any system error carefully since it may imply COM hijacking,” Brown said. “In addition, I would suggest carefully monitoring specific registry keys like the one we present in our report which are used to load popular COM objects.”
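One way to act on the registry-monitoring advice above, as an added example (not Cyberbit's code, and not the keys from its report): a Python filter over registry value-set events that flags per-user COM server registrations pointing outside the usual system directories. The events, SIDs, CLSIDs, paths, the trusted-directory list and the choice of the per-user `Software\Classes\CLSID` hive are all assumptions constructed for illustration.

```python
import ntpath
import re

# Per-user COM registrations (HKCU\Software\Classes\CLSID, which monitors may
# report as HKU\<SID>\Software\Classes or HKU\<SID>_Classes) are resolved
# ahead of the machine-wide entry for non-elevated processes, and a standard
# user can write them. Only the (Default) value holds the server path.
KEY_RE = re.compile(
    r"^(?:HKCU\\Software\\Classes|HKU\\[^\\]+\\Software\\Classes|HKU\\[^\\]+_Classes)"
    r"\\CLSID\\(\{[0-9A-F-]{36}\})\\(InprocServer32|LocalServer32)\\\(Default\)$",
    re.IGNORECASE,
)

# Assumed allowlist of install locations; tune it for the environment.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def normalize(data):
    """Lower-case, expand common variables and collapse '..' segments."""
    path = data.strip().lstrip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, "c:\\windows")  # assumes a default install
    return ntpath.normpath(path)


def find_suspect_registrations(events):
    """events: iterable of (registry value path, value data) pairs."""
    findings = []
    for key, data in events:
        match = KEY_RE.match(key.strip())
        if not match:
            continue  # machine-wide key, or a value other than (Default)
        server = normalize(data)
        if not server.startswith(TRUSTED_PREFIXES):
            findings.append(
                {"clsid": match.group(1).upper(), "kind": match.group(2), "server": server}
            )
    return findings


# Constructed sample events; none of these values come from the report.
U = r"HKU\S-1-5-21-1111-1001"
SAMPLE_EVENTS = [
    (U + r"\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     r"C:\Users\alice\AppData\Roaming\cache\helper.dll"),
    (r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     r"C:\Windows\System32\legit.dll"),
    (U + r"_Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32\(Default)",
     r"%SystemRoot%\System32\..\..\Users\Public\x.dll"),
    (U + r"\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\ThreadingModel",
     "Apartment"),
    (U + r"_Classes\CLSID\{BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF}\LocalServer32\(Default)",
     r'"C:\Program Files\Example\app.exe" /automation'),
]

if __name__ == "__main__":
    for hit in find_suspect_registrations(SAMPLE_EVENTS):
        print(hit["clsid"], hit["kind"], hit["server"])
```

Legitimate per-user installers also register COM servers under user-writable paths, so hits are triage leads rather than verdicts.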

Categories: Cyber Risk News

Criminals Avoid Detection Using Old Campaigns

Tue, 07/31/2018 - 13:03

McAfee Labs has released its Threats Report June 2018, in which it highlights the notable investigative research and threat trend statistics gathered from Q1 2018. A key finding was a significant spike in total coin miner malware, which rose by 629% in Q1 to more than 2.9 million samples.

Additional findings included in this report are the complex nation-state threat campaigns – driven by financially and politically motivated criminals – that had targeted users and enterprise systems worldwide.

“We have seen continued expansion of this criminal endeavor during the quarter,” the report stated. “The goal of the perpetrators is to monetize their criminal activity by expending the least amount of effort, using the fewest middlemen, and executing their crimes in the shortest time possible and with the least risk of discovery.”

Bad actors continue to grow more innovative and demonstrate an impressive level of technical agility, improving on several of the attack schemes that emerged at the end of 2017. With some technical creativity, these actors have discovered new ways to avoid detection and mitigation.

Among the key campaigns were Gold Dragon, Lazarus and the cryptocurrency campaigns GhostSecret and Bankshot. “Gold Dragon is a particularly slippery instance of fileless malware because it is designed to be evasive, checking on processes related to antimalware solutions,” the report stated. 

Researchers believe the currently active and extremely complex campaign, GhostSecret, is associated with the international cybercrime group known as Hidden Cobra. The campaign, which “employs a series of implants to appropriate data from infected systems, is also characterized by its ability to evade detection and throw forensic investigators off its trail.”

The Lazarus cybercrime ring returned to target global financial organizations and Bitcoin users with a new Bitcoin-stealing phishing campaign dubbed HaoBao.

Overall, the June report highlights the efforts on the part of bad actors who strive to do better. To that end, they’ve shifted from PowerShell to LNK. “In 2017 we saw a surge in the exploitation of benign technologies for malicious purposes, such as PowerShell. In Q1 2018, we saw malicious actors turn away from PowerShell exploits, which dropped 77%, and take advantage of LNK capabilities. New LNK malware rose 59% in Q1.”

Categories: Cyber Risk News

UK Consumers Prefer Security to Convenience

Tue, 07/31/2018 - 13:01

UK consumers prioritize security over convenience far more than IT and business executives, according to a new study from CA.

The firm commissioned analyst Frost & Sullivan to poll 990 consumers, 336 security professionals and 324 business executives across 10 countries, including nearly 600 respondents in Europe.

It revealed that 83% of UK consumers prefer security over convenience when authenticating during transactions, while the figure is much lower for cybersecurity professionals (60%) and business executives (59%).

Organizations often cite concerns about user friction as a reason not to tighten access controls and payment security with two-factor authentication — although many will be forced to put such measures in place by the new European banking rules known as PSD2.

The report also revealed a disconnect between customer trust in organizations to protect their personal data and the attitudes of business executives.

The Digital Trust Index for UK consumers stood at 56 points out of 100 — among the lowest in the world and much less than the global average of 61.

However, 88% of UK executives believe they are doing an “excellent” or “very good” job of protecting customer data. This is despite the fact that 56% admitted their organization has been involved in a breach of consumer data.

Jarad Carleton, industry principal, cybersecurity at Frost & Sullivan, argued that the information age is at a crossroads as more firms are being publicly held to account for failing to protect customer data.

“What the survey found is that there is certainly a price to pay — whether you’re a consumer or you run a business that handles consumer data — when it comes to maintaining data privacy,” he added. “Respect for consumer privacy must become an ethical pillar for any business that collects user data.”

The study was conducted in March and April, before the GDPR came into force across the EU, so it will be interesting to see if the report tells a different story next year.

Categories: Cyber Risk News

STEM Teachers Focus on Cyber at Summer Camp

Tue, 07/31/2018 - 12:30

Underway this week is NittanyGenCyber Camp, a five-day summer camp offered at Penn State University’s College of Information Sciences and Technology (IST) and designed for middle and high school STEM teachers. The week-long camp kicked off yesterday and will run through Friday, 3 August 2018.

This first-of-its-kind summer camp aims to teach fundamental cybersecurity principles, giving teachers hands-on experience that shows them how cyber intersects with data science. Applications were due on 25 May 2018, and attendees include teachers from different New Jersey school districts and Pennsylvania’s West Essex Regional School District.

The summer camp is part of the GenCyber program, which offers cybersecurity summer camps to students and teachers at the K-12 level. It’s an effort to not only increase awareness in cybersecurity careers but also to diversify the cybersecurity workforce.

NittanyGenCyber camp is funded by a grant from the National Security Agency and the National Science Foundation, which is why it was able to provide the camp at no charge to its participants. Attendees also received a stipend to cover travel expenses.

Led by Penn State’s IST GenCyber principal investigator, Dongwon Lee, associate IST professor, and two co-principal investigators, Anna Squicciarini, associate IST professor, and Nick Giacobe, assistant teaching IST professor and director of the college’s undergraduate programs, the first workshop included a hands-on course using a security board game. Additional topics covered include OS basics, social engineering attacks, cryptography basics, online frauds and fakes, steganography basics, password, forensics, cyber competitions, ethics and access control.

“Researchers and other organizations have identified that somewhere between 130,000 and 209,000 unfilled cybersecurity jobs exist in the U.S. today,” Giacobe told TAP into West Essex news.

“Worldwide, those estimates climb to 2.5-3.5 million unfilled cyber jobs by 2025. Regardless of which numbers you follow, the point is that there is a significant gap between the skills of the talent pool we have today versus what companies need today and tomorrow.”

Categories: Cyber Risk News

Dixons Carphone: Breach Hit 10 Million Personal Records

Tue, 07/31/2018 - 09:23

Dixons Carphone has revised up its estimate of how much customer data was stolen in a recently disclosed breach by almost nine million records.

The UK retailer revealed in June that hackers had accessed personal data on 1.2 million Currys PC World and Dixons Travel store customers — including names, addresses and email addresses.

However, in a new statement today it claimed that 10 million records containing personal data “may have been accessed” in the 2017 incident, whilst also admitting that “there is now evidence that some of this data may have left our systems.”

However, the high street giant was again at pains to point out that the compromised records “do not contain payment card or bank account details and there is no evidence that any fraud has resulted.”

Alongside the 1.2m records containing personal data, the original breach saw an ‘attempt’ to compromise 5.9m cards held in its systems. Dixons Carphone said that 5.8m of these had chip and PIN protection and that the stolen data did not include PIN codes, card verification values (CVV) or authentication data — making it more difficult for the hackers to monetize although still exposing customers to a serious CNP fraud risk.

“Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorized access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today,” said CEO Alex Baldock.

“As a precaution, we’re now also contacting all our customers to apologise and advise on the steps they can take to protect themselves. Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers.”

Mark Adams, regional VP for UK & Ireland at Veeam, argued it was worrying that Dixons Carphone got the scale of the breach so wrong.

“These days the public care a lot about how their data is handled and by whom, and they want organizations to be more proactive in managing that data, so the size of the breach is going to translate into a much higher loss than many will imagine,” he added. “With so much competition for business, this will be an expensive breach with a long tail of damage for the organization's brand and reputation.”

Categories: Cyber Risk News

Pentagon Reveals "Do Not Buy" Software List

Tue, 07/31/2018 - 08:58

The security stand-off between the United States and Russia and China is set to intensify after the Pentagon revealed it has been developing a “do not buy” list of software originating from the two hostile nations.

The Defense Department’s acquisitions boss, Ellen Lord, told reporters that the list was begun six months ago in concert with US intelligence agencies.

As the name suggests, once a vendor is included on the list, their products will be boycotted by the Pentagon as a security risk.

However, drawing up the list has apparently not always been easy given that Beijing and Moscow are keen to hide the true origin of some companies.

"What we are doing is making sure that we do not buy software that is Russian or Chinese provenance, for instance, and quite often that is difficult to tell at first glance because of holding companies," Lord reportedly said. "We have identified certain companies that do not operate in a way consistent with what we have for defense standards."

Chinese telecoms firm ZTE and Russian AV firm Kaspersky Lab have been early casualties in an escalating Balkanisation of global technology flows.

Kaspersky Lab was banned for government use after fears of ties to Russian intelligence which it claims were never substantiated by lawmakers, while both ZTE and Huawei could yet face similar bans on their products if a defense authorization bill for fiscal 2019 passes Congress.

“It really speaks to cybersecurity writ large, which is one of our greatest concerns right now,” Lord said. “This is a challenge for us in terms of how to deal with the industrial base, particularly small companies who don’t always have the resources.”

Terry Ray, CTO at Imperva, argued that governments have always placed strict controls on foreign technology providers.

“It is common for the US government to scan software used in its environments for backdoors and other embedded code, or configurations that may allow hidden or previously unidentified connections, inbound or outbound to the technology,” he said.

“At the moment, I have not seen details on any new inspection processes which makes me think the technical review will utilize existing techniques. However, it’s important to note that other well-developed countries operate similarly and prefer to purchase and implement in-country or open source technology, in lieu of off-the-shelf products offered by the US or its allies.”

Categories: Cyber Risk News

Malvertising Campaign Delivers Millions of Bad Ads

Mon, 07/30/2018 - 14:03

By using the HiBids advertising platform, cyber-criminals have been delivering malicious advertisements to millions of victims worldwide in a large-scale malvertising and banking Trojan campaign, according to researchers at Check Point.

These malicious ads can infect the PC or mobile device of the person viewing the ads with malware, such as a crypto-miner, ransomware or a banking Trojan. Master134, the criminal reported to be responsible for the campaign, redirected stolen traffic from over 10,000 hacked WordPress sites, then sold it to Adsterra, the real-time bidding (RTB) ad platform, according to today’s blog post.

From there, Adsterra sold the traffic to advertising resellers, including ExoClick, AdKernel, EvoLeads and AdventureFeeds, which passed it on to the highest-bidding ‘advertiser.’ “Our discovery revealed an alarming partnership between a threat actor disguised as a Publisher and several legitimate Resellers that leverage this relationship to distribute a variety of malware including Banking Trojans, ransomware and bots,” researchers wrote.

The key to the campaign's success was that the advertisers were seemingly legitimate companies; however, they were actually criminals looking to distribute ransomware, banking Trojans, bots and other malware, which is how the infected ads – not legitimate ads – appeared on thousands of publishers’ websites worldwide.

During this campaign, which is still active, Check Point reportedly saw 40,000 clicks per week on these malicious ads. Cyber-criminals, who measure the return on investment of their ad spend by comparing it to the money they make from crypto-mining and ransom, are compromising the legitimate business of online advertising, exploiting it to display malware-infected ads.

Recognizing that threat actors will always search for new ways to spread their attack campaigns, researchers anticipate seeing more of these types of attacks, though the involvement of seemingly legitimate online advertising companies is of great concern. “We can’t help but wonder – is the online advertising industry responsible for the public’s safety? Indeed, how can we be certain that the advertisements we encounter while visiting legitimate websites are not meant to harm us?” the researchers wrote.

Categories: Cyber Risk News

Three Campaigns Targeted as Senate Pushes Security

Mon, 07/30/2018 - 13:15

During a 29 July interview on “Face the Nation,” Sen. Jeanne Shaheen (D-N.H.) expressed concern over widespread phishing attacks against the Senate and political parties, according to The Hill.

“I don't know who else is on the list but I do know that we've had an experience in our office with people getting phishing emails with social media accounts,” Shaheen said in the interview. “There has been one situation that we have turned over to authorities to look into. And we're hearing that this is widespread with political parties across the country, as well as with members of the Senate.”

Sunday’s “Face the Nation” interview came only days after Microsoft confirmed that the campaign of Sen. Claire McCaskill (D-Mo.) was one of the three congressional campaigns in which Russians had unsuccessfully targeted staff and computer systems.

Russian meddling in midterm election campaigns has been a growing concern since the 2016 election. News that the Mueller investigation indicted 12 Russians for election meddling has renewed concerns, particularly as the 2018 midterm elections are swiftly approaching. President Trump met with his National Security Council (NSC) on Friday, 27 July, to address these and other cybersecurity concerns.

After the meeting, the White House released a statement affirming that “the President has made it clear that his Administration will not tolerate foreign interference in our elections from any nation state or other malicious actors.”

Prior to the NSC meeting, Defense Secretary Jim Mattis reportedly told reporters that US cyber-defenses have already been deployed, according to the Washington Examiner’s Daily on Defense newsletter. “Rest assured, there are actions underway to protect our elections or to expose any external efforts by anybody to influence the American public, to show false news, that sort of thing,” Mattis said.

As confirmation of foreign meddling continues to mount, the Senate Rules Committee aims to prioritize the Secure Elections Act, which is reportedly slated for markup in mid-August.

Categories: Cyber Risk News