The Department of Homeland Security (DHS) has detected equipment that can eavesdrop on cell-phone conversations in the Washington, DC, area – and it doesn’t know who’s behind it.
According to a letter sent to Sen. Ron Wyden (D-OR) obtained by the Associated Press (AP), DHS uncovered deployed equipment known as StingRays (or IMSI catchers), which spoof cell-phone towers. These fake base-station simulators dupe mobile handsets into connecting to them, which lets their operators pinpoint user locations and, by downgrading the connection to 2G instead of encrypted 3G or 4G, spy on conversations. They can also be used to implant malware.
“IMSI catcher attacks are one of the most common and effective, though unspoken, threats in cellular cybersecurity, mostly because they are easily available and do not leave a trace on the device and traditionally cannot be blocked or adequately identified,” explained Dror Fixler, CEO of FirstPoint Mobile Guard, via email. “The hacker's continued interest in you after the initial attack has to do with what they discovered about you in those first minutes of the attack. These devices are particularly dangerous as attackers can continue the attack by implementing a man-in-the-middle attack to covertly connect the device to the cellular network, thus monitoring all of the device's data, voice, SMS, signaling and even delivering a dedicated malware attack.”
This type of equipment has been used by law enforcement for years, and its sale has been limited to public-safety uses. The detection of unauthorized gear suggests that foreign adversaries may be at work in the area to spy on US citizens and government officials.
Wyden had asked the DHS whether it found foreign governments using the devices, to which the department said it had not “validated or attributed such activity to specific entities or devices.” Other details were scant, though the DHS did say that malicious use of such equipment is a “real and growing risk.” It also admitted in a separate, unpublished letter obtained by the AP that DHS lacks the equipment and funding to detect StingRays on its own and instead partners with third parties to do so.
Fixler added that his company has uncovered unauthorized StingRays deployed on a widespread level: “In the last several weeks alone, FirstPoint has identified numerous such attacks around the world, near government agencies, in and around airports, and next to local police stations,” he said. “This means that anyone, US citizens and government officials included, are under threat of tracking by cell-phone site simulators (IMSI catchers) while traveling, and not only at home in DC.”
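The downgrade behaviour described above (a handset pulled from LTE onto a 2G cell that is not part of the normal network) is observable from the handset side, even if it cannot be blocked. The following is an added example, not code from the article, DHS or FirstPoint: a small Python heuristic that runs over a constructed capture of serving-cell observations and flags three signs of a rogue base station. The `CellObservation` fields, the baseline of known cells and the thresholds are assumptions for illustration; "A5/0" is the real GSM ciphering indicator for "no encryption".

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Ranking of radio access technologies; a drop in rank is a downgrade.
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}


@dataclass
class CellObservation:
    ts: int                        # seconds since the start of the capture
    rat: str                       # "LTE", "UMTS" or "GSM"
    mcc: str                       # mobile country code
    mnc: str                       # mobile network code
    cell_id: int
    signal_dbm: int                # received signal strength
    cipher: Optional[str] = None   # GSM ciphering indicator; "A5/0" means no encryption


def detect_anomalies(observations: List[CellObservation],
                     known_cells: Set[Tuple[str, str, int]],
                     strong_signal_dbm: int = -60) -> List[Tuple[int, str, int]]:
    """Return (timestamp, reason, cell_id) alerts for observations that look like a
    rogue base station: a downgrade onto a cell missing from the baseline, an
    unencrypted 2G connection, or an unknown cell with an implausibly strong signal."""
    alerts = []
    prev: Optional[CellObservation] = None
    for obs in observations:
        unknown = (obs.mcc, obs.mnc, obs.cell_id) not in known_cells
        if prev is not None and RAT_RANK[obs.rat] < RAT_RANK[prev.rat] and unknown:
            alerts.append((obs.ts, "downgrade_to_unknown_cell", obs.cell_id))
        if obs.rat == "GSM" and obs.cipher == "A5/0":
            alerts.append((obs.ts, "unencrypted_2g", obs.cell_id))
        if unknown and obs.signal_dbm >= strong_signal_dbm:
            alerts.append((obs.ts, "unknown_strong_cell", obs.cell_id))
        prev = obs
    return alerts


def summarize(alerts: List[Tuple[int, str, int]]) -> dict:
    """Count alerts per reason, for a quick triage view."""
    counts: dict = {}
    for _, reason, _ in alerts:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed baseline: cells seen at this location on previous days (not real cell IDs).
KNOWN_CELLS = {("310", "260", 1001), ("310", "260", 1002), ("310", "260", 2001)}

# Constructed capture: the handset sits on LTE, is pulled onto an unknown, very strong,
# unencrypted GSM cell for a minute, then returns to a known LTE cell.
SAMPLE_CAPTURE = [
    CellObservation(0, "LTE", "310", "260", 1001, -95),
    CellObservation(30, "LTE", "310", "260", 1002, -90),
    CellObservation(60, "GSM", "310", "260", 9999, -50, cipher="A5/0"),
    CellObservation(90, "GSM", "310", "260", 9999, -52, cipher="A5/0"),
    CellObservation(120, "LTE", "310", "260", 1001, -93),
]

if __name__ == "__main__":
    alerts = detect_anomalies(SAMPLE_CAPTURE, KNOWN_CELLS)
    for ts, reason, cell in alerts:
        print(f"t={ts:>4}s  {reason:<26} cell {cell}")
    print(summarize(alerts))
```

The heuristic only raises a prompt for investigation: a newly commissioned tower, a roaming network or a carrier that still runs unencrypted 2G in some areas will all produce unknown or A5/0 cells, so a baseline built from several days of normal observations and corroboration across more than one device are needed before treating an alert as a simulator.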
EMEA organizations take around 2.5 months longer to spot hackers inside their networks than the global average, but are getting better at discovering breaches internally, according to FireEye.
The security vendor’s annual M-Trends report put the global median dwell time at 101 days, growing to 175 days for EMEA, but standing at just 75.5 days in the Americas.
Dwell time is important as the longer an adversary is inside an organization’s network, the more information they could lift, the deeper into private systems they could penetrate and the more expensive the eventual clean-up and remediation may be.
On the plus side, global organizations are getting better at finding the attackers themselves, rather than being notified by law enforcement or another party.
Globally the median dwell time for internally discovered incidents was 57.5 days, dropping to 42.5 days in the Americas and just 24.5 days in EMEA.
Stuart McKenzie, vice-president of Mandiant at FireEye, claimed the growth in EMEA median dwell time of 40% from the previous year was disappointing, especially given the imminent arrival of the General Data Protection Regulation (GDPR), which mandates that organizations get better at spotting and preventing breaches.
“However, on the positive side, we’ve seen a growing number of historic threats uncovered this year that have been active for several hundred days,” he added. “Detecting these long-lasting attacks is obviously a positive development, but it increases the dwell time statistic.”
FireEye also claimed that skills gaps within organizations may be affecting their ability to respond quickly to incidents: either because staff aren’t experienced enough to spot attacks, or because they over-rely on automated systems which have themselves been poorly configured by inexperienced staff.
The finance sector was the hardest hit in EMEA, accounting for 24% of Mandiant investigations last year, followed by government (18%).
Interestingly, the report revealed that firms targeted once are likely to be hit again: 59% of Mandiant detection and response customers globally were targeted by the same or a similarly motivated group, and 49% of customers that experienced at least one “significant” attack were successfully attacked again within the next year.
The number of new software vulnerabilities discovered by Flexera in 2017 reached nearly 20,000 – an all-time high.
The firm’s Secunia Research division monitors more than 55,000 applications, appliances and operating systems to gain valuable insight into the level of potential risk organizations are exposing themselves to.
Its Vulnerability Review 2018 revealed an increase in software flaws of 14% – up from 17,147 in 2016 to 19,954 last year. Some 17% were rated as “highly critical,” although this figure was largely unchanged from the previous year.
As per the previous year, the primary attack vector used to trigger a vulnerability was via a remote network (55%), followed by a local network (32%).
The good news for firms is that avoiding attacks which exploit these vulnerabilities is possible, as patches were available for 86% on the day of disclosure. In fact, zero-day threats are increasingly rare: just 14 of the 19,954 known vulnerabilities in 2017 were zero-days, a 40% decrease from 2016.
However, organizations are not making the most of available intelligence on vulnerabilities, which would help them prioritize which ones to patch, the report claimed.
In addition, deficiencies in operational processes can create major disruptions when big breaches hit the headlines.
“There’s no question based on this year’s results, the risks remain high,” said Kasper Lindgaard, director of research and security at Flexera. “As the potential for breaches expands, the pressure is on executives to increase vigilance through better operational processes – instead of reacting to risks that hit media headlines and cause disruption. The Equifax breach and WannaCry attacks taught us that.”
He added that the gap between identifying and fixing vulnerable applications must close.
“The process cannot be ad hoc. Without a consistently applied patching methodology, organizations will slip, leaving vulnerabilities unpatched for long periods. This gives criminals a large window of opportunity to execute their attacks. We advise a formal, automated software vulnerability management process that leverages intelligence to identify risks, prioritize their importance and resolve threats.”
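The report's advice is a repeatable process that uses the intelligence it describes (criticality rating, attack vector, whether a patch exists on the day of disclosure) to decide what gets fixed first. As an added example, not Flexera's or Secunia's own tooling, the Python below scores constructed vulnerability records and turns them into a patch plan with a remediation window and an overdue flag. The weights, the SLA windows, the `VulnRecord` fields and the `VULN-000x` identifiers are assumptions for illustration; the severity and vector labels follow the categories the article quotes.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed weights: "highly critical" and "remote network" mirror the article's categories.
SEVERITY_WEIGHT = {"highly critical": 5, "moderately critical": 3, "less critical": 1}
VECTOR_WEIGHT = {"remote network": 3, "local network": 2, "local system": 1}
EXPOSURE_WEIGHT = {"internet-facing": 3, "internal": 0}


@dataclass
class VulnRecord:
    vuln_id: str               # constructed placeholder id, not a real advisory number
    asset: str
    severity: str
    attack_vector: str
    exposure: str
    patch_available: bool      # was a vendor fix available at disclosure?
    days_since_disclosure: int


def risk_score(v: VulnRecord) -> int:
    """Additive score: how bad it is, how it is reached, and whether it is reachable at all."""
    return (SEVERITY_WEIGHT[v.severity]
            + VECTOR_WEIGHT[v.attack_vector]
            + EXPOSURE_WEIGHT[v.exposure])


def sla_days(score: int) -> int:
    """Assumed remediation windows; tune to the organization's own policy."""
    if score >= 9:
        return 7
    if score >= 6:
        return 30
    return 90


def prioritize(vulns: List[VulnRecord]) -> List[Dict]:
    """Return a patch plan ordered by risk; items without a patch become 'mitigate' work."""
    plan = []
    for v in vulns:
        score = risk_score(v)
        sla = sla_days(score)
        plan.append({
            "vuln_id": v.vuln_id,
            "asset": v.asset,
            "score": score,
            "sla_days": sla,
            "action": "patch" if v.patch_available else "mitigate",
            # Only a fix that exists can be late; unpatched-by-vendor items need a workaround.
            "overdue": v.patch_available and v.days_since_disclosure > sla,
        })
    plan.sort(key=lambda p: (-p["score"], p["vuln_id"]))
    return plan


# Constructed inventory for demonstration.
SAMPLE_VULNS = [
    VulnRecord("VULN-0001", "public web gateway", "highly critical", "remote network", "internet-facing", True, 20),
    VulnRecord("VULN-0002", "print server", "moderately critical", "local network", "internal", True, 5),
    VulnRecord("VULN-0003", "HR portal", "highly critical", "remote network", "internal", False, 3),
    VulnRecord("VULN-0004", "build agent", "less critical", "local system", "internal", True, 200),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_VULNS):
        flag = " OVERDUE" if item["overdue"] else ""
        print(f'{item["vuln_id"]}  score={item["score"]:>2}  {item["action"]:<8} '
              f'within {item["sla_days"]:>2}d  {item["asset"]}{flag}')
```

Two things the plan surfaces that a flat severity list does not: an old, low-severity flaw on the build agent is still overdue because 200 days exceeds even the longest window, and the highly critical portal flaw without a vendor patch is routed to mitigation (segmentation, disabling the exposed feature) rather than waiting in the patch queue.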
Several US gas pipelines have been hit after a cyber-attack targeted a third-party supplier.
Latitude Technologies, which supplies “electronic data interchange” (EDI) services to some of the country’s largest energy providers, appears to have been the target of the attack.
The computer-to-computer exchange of documents it facilitates allows providers to do business with their customers.
The last update from Latitude on Tuesday at 7:49 am revealed that the company had completed an initial restoration of its system.
“We are now working towards increasing performance. While we believe things to be fully restored, we will continue to monitor for gaps in functionality. Please notify us if you encounter any missing capabilities so we can address them ASAP.”
It’s still unclear whether the attackers were targeting customer data or looking to extract money from the company via DDoS or ransomware – although Latitude said it doesn’t think any customer data was compromised and its partners' gas supply wasn’t affected.
However, several pipeline providers confirmed to Bloomberg that they were affected by a cyber-attack in the past few days: Oneok, Boardwalk Pipeline Partners, Energy Transfer Partners and Eastern Shore Natural Gas.
The latter two are thought to be Latitude Technologies customers.
The attacks come at a time of heightened tension between the US and Russia, with the DHS and FBI issuing an alert last month that the Kremlin has been targeting US critical infrastructure for some time.
In the UK, the National Cyber Security Centre went public last year in naming Russian state hackers as targeting the country’s energy, telecommunications and media industries.
A Siemens-Ponemon study from 2017 claimed 68% of oil and gas companies had experienced at least one compromise over the past 12 months.
“The lesson is clear: if you’ve moved your business-critical operations to the internet then you’re going to need to have adequate cyber-security defenses to ensure resilience,” argued Andrew Lloyd, president of Corero Network Security. “Increasingly, customers and regulators have zero tolerance of unscheduled downtime. Consequently, investing in proactive cybersecurity protection should no longer be an option for digital enterprises.”
Fred Kneip, CEO of CyberGRX, added that the latest attacks on US gas pipeline infrastructure highlight the importance of third-party risk management.
“There is a good reason that hackers have been attacking weak links in targets’ digital ecosystems for years: it’s often the easiest path to accessing data or distributing malicious content,” he claimed. “It doesn’t matter how well an organization protects its own perimeter if third parties with weak security controls create vulnerabilities that can be easily exploited. While even the most thorough risk assessment can’t guarantee there’s no malware inside a staging target’s network, it can uncover red flags pointing to weak security controls that leave it vulnerable.”
The frequency of attacks on Americans’ personal information has fostered a feeling of inevitability among citizens: Nearly half of US adults (48%) think it is at least somewhat likely that identity theft will cause them financial loss in the next year. However, many of them are taking steps to change their behavior in order to protect themselves.
According to results from a telephone survey of 1,006 American adults conducted by The Harris Poll for the American Institute of CPAs (AICPA) in the fall of 2017, the frequency and scope of data breaches – such as the Equifax breach, which compromised almost every American adult – has many questioning the effectiveness of cybersecurity practices businesses currently have in place. In fact, 8 in 10 Americans (81%) said they are at least somewhat concerned about the ability of businesses to safeguard their financial and personal information, with 2 in 5 (40%) reporting that they are extremely or very concerned.
Accordingly, the survey found that four in five Americans (81%) have changed up their approaches to life. When it comes to the threat of cyber-breaches affecting credit card and debit card processing systems, a majority of respondents are increasing self-monitoring of credit and debit card accounts for fraudulent activity (56%), while about 40% are either using cash and/or checks more often (43%) or choosing to shop at locally owned stores more often instead of at national retailers (40%).
Less positively, while three out of five Americans (61%) have at least looked at their credit report, more than a third (35%) have never checked it. This is particularly alarming, as a majority of those who have checked their credit (66%) had to take steps with a credit reporting agency to correct inaccuracies, with the average being 13 specific corrections among those who have taken steps at least once.
“Protecting your information is an ongoing process that requires you to be vigilant, identify where you can improve and take action to firm up your safeguards,” said Gregory Anton, CPA, CGMA, chair of the AICPA’s National CPA Financial Literacy Commission. “This means regularly monitoring your credit card and bank statement and periodically checking your credit report for anything that looks out of the ordinary.”
Most distressing, those with a household income of less than $35,000 were found to be more likely to never have looked at their credit report than those with a household income of $100,000 (44% vs. 30%).
“Having a good credit score and access to favorable interest rates is something that benefits people of all income brackets, but it is particularly important for those who are in a financial situation where a few percentage points in interest would make a big impact on their financial well-being,” added Anton. “Everyone should check their credit score for free with one of the three major credit reporting agencies at least once a year and not wait until suspicious activity occurs.”
US citizens are taking other precautions to keep their information safe online. For instance, a quarter of Americans (26%) said they have reduced their online presence, either turning off social media or visiting fewer websites because of concerns about data security. One in five (20%) have signed up for additional fraud detection or credit monitoring. Roughly 10% report they are switching their shopping to different national stores because of concern about data breaches (11%), placing a freeze on their credit (11%) or shopping online more often, because they feel like it is safer (11%). About 5% said they use alternative forms of currency.
“While it’s positive that Americans are taking steps to mitigate the risk from cyber-breaches, each time there is a new breach in the headlines there is the risk that the public becomes numb,” added Anton. “Identity theft may seem like it’s inevitable, but our message is that it doesn’t have to be.”
Nearly 60% of executives at critical infrastructure operators polled in a recent survey said they lack appropriate controls to protect their environments from security threats.
While organizations have made significant investments to secure their IT infrastructures, they have not fully addressed threats to operational technology (OT) environments: 57 out of 100 executives from various critical infrastructure organizations surveyed by Indegy said they are not confident that either their own enterprise or other infrastructure companies are in control of OT security.
The poll also underscores the lack of preparedness in key sectors, including energy, utilities and manufacturing. For instance, 35% of respondents said they have little visibility into the current state of security within their environment, while 23% reported they have no visibility. Meanwhile, 63% said that insider threats and misconfigurations are the biggest security risks they currently face.
“We have been tracking the escalation in cyber-threat activity specifically targeting critical infrastructures for some time,” says Barak Perelman, CEO of Indegy. “As the recent joint DHS/FBI CERT Technical Alert illustrates, adversaries have compromised facilities across the US to conduct reconnaissance and likely develop ‘red button’ capability for future attacks.”
The two agencies issued a joint alert saying that Russian government cyber-actors are actively targeting organizations in the US energy, nuclear, commercial facilities, water, aviation, government and critical manufacturing sectors. They characterized the activity as a “multi-stage intrusion campaign,” in which the hackers first targeted peripheral organizations such as trusted third-party suppliers with less-secure networks and, through them, gained remote access into energy-sector networks.
The good news is that in tandem with this, 44% of all respondents indicated that their organizations plan to increase spending for industrial control system (ICS) security measures in the next 12–24 months. About a third (29%) reported that they were not sure.
An Android app dubbed WhatsApp Plus has been unmasked as a variant of Android/PUP.Riskware.Wtaspin.GB, which steals information, photos, phone numbers and so on from a mobile phone.
Fake WhatsApp riskware, usually found in third-party app stores, dates back to mid-2017. However, the newest version is notable in that its pathology indicates a copycat phenomenon occurring among malware developers.
The malware, once installed, tells users that their app is out of date and offers a download link. Once clicked, users are taken to a webpage written entirely in Arabic. The page calls the app “Watts Plus Plus WhatsApp” and purports to be developed by someone named Abu.
Looking into the code, researcher Nathan Collier at Malwarebytes found that while it has abilities to hide itself in various ways – “very spy-like behavior,” he said – it’s the same incriminating Android/PUP.Riskware.Wtaspin.GB code found within the receivers, services and activities of existing fake WhatsApp APKs.
“The only difference of the aforementioned version from above is the code points to the Arabic webpage to update,” Collier explained. “After analyzing several different versions of PUP.Riskware.Wtaspin.GB, it appears all have different URLs from which to update. Thus, everyone is just copycatting the original source code and adding their own update website.”
The original author of the riskware is unlikely to be the Arabic developer, Abu, he added.
“The code of this riskware is complex,” Collier said. “The webpage of the developer claiming to be owner – not so complex. Although I won’t completely rule out the possibility, let’s just say I am skeptical.”
To stay safe, users are given a simple prescription: Only download the real WhatsApp on Google Play.
According to initial research by Antoine Pultier, a researcher at SINTEF, and verified by Buzzfeed News, Grindr shared HIV status along with users’ GPS data, sexuality, relationship status, ethnicity, phone ID and email to Apptimize and Localytics, which help optimize apps. This information, unlike the HIV data, was sometimes shared via plain text.
Buzzfeed News reported that under the app’s “HIV status” category, users can choose from a variety of statuses, which include whether the user is positive, positive and on HIV treatment, negative, or negative and on PrEP, the once-daily pill shown to effectively prevent contracting HIV.
In a statement, Grindr CTO Scott Chen said that as a company that serves the LGBTQ community “we understand the sensitivities around HIV status disclosure” and clarified that Grindr “has never, nor will we ever sell personally identifiable user information – especially information regarding HIV status or last test date – to third parties or advertisers.”
Chen clarified that it does work with highly-regarded vendors to test and optimize how it rolls out the platform, and these vendors are under strict contractual terms that provide for the highest level of confidentiality, data security and user privacy.
He also clarified that when information is sent, “it is always transmitted securely with encryption, and there are data retention policies in place to further protect our users’ privacy from disclosure.”
Chen added that it is up to each user to determine what, if anything, to share about themselves in their profile and the inclusion of HIV status information within the platform is always regarded carefully with users’ privacy in mind.
“We assure everyone that we are always examining our processes around privacy, security and data sharing with third parties, and always looking for additional measures that go above and beyond industry best practices to help maintain our users’ right to privacy.”
In a later update, Grindr said it would stop sharing users’ HIV status when the app's next update is released. Chief security officer Bryce Case defended Grindr's decision to share the data, arguing that Apptimize and Localytics are simply tools to help apps like Grindr function better, and that the information was not shared to make money or for other nefarious purposes.
Evgeny Chereshnev, CEO and founder of Biolink.Tech, said that this type of highly personal information can be used for blackmail, extortion or manipulation, where a lot of damage could be done to a person's life, and only we should have visibility as to where and how our personal data is used, and on what basis.
“All practices where a company has access to confidential information such as HIV status, sexual orientation or even information on deadly allergies, should be illegal to share with other parties,” he said.
“We need to totally rethink the way we approach data – our digital trail and dDNA (digital DNA). Privacy of personal data MUST become a constitutional right that everyone has from birth. Data is there forever, and it should be illegal to take it from users. It goes back to the age old question – what is self? Who owns it and what needs to be co-owned by third parties for self to coexist in the society that we live in? For example, a healthcare system needs access to my vital health records in order to administer the right treatment, but they don’t need to own that data. We should own our own self.”
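The practical defence against the sharing described above is to decide, in code, which fields an optimization vendor may ever see and to send nothing else. The following is an added example, not Grindr's, Apptimize's or Localytics' code: a deny-by-default projection of an app event plus profile into a vendor payload, with location coarsened to a region and a transport check that refuses non-TLS endpoints. The field names, the allowlist and the constructed profile values are assumptions for illustration.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumed set of fields an analytics/optimization vendor legitimately needs to tune an app.
# Anything not listed here is dropped before the SDK call, whatever the profile contains.
ANALYTICS_ALLOWLIST = {"event_name", "screen", "app_version", "os_version", "session_length_s"}


def coarsen_location(lat: float, lon: float, decimals: int = 1) -> Tuple[float, float]:
    """Round coordinates to roughly a 10 km cell so the vendor sees a region, not a position."""
    return (round(lat, decimals), round(lon, decimals))


def build_vendor_event(event: Dict, profile: Dict) -> Tuple[Dict, List[str]]:
    """Return (payload, dropped_fields).

    The payload contains only allowlisted keys plus a coarse 'region'; dropped_fields
    lists every other key so the omission can be logged and audited."""
    merged = {**profile, **event}
    payload = {k: v for k, v in merged.items() if k in ANALYTICS_ALLOWLIST}
    if "lat" in merged and "lon" in merged:
        payload["region"] = coarsen_location(merged["lat"], merged["lon"])
    dropped = sorted(k for k in merged if k not in payload and k not in ("lat", "lon"))
    return payload, dropped


def endpoint_is_acceptable(url: str) -> bool:
    """Forward to a third party only over TLS; plain http is refused outright."""
    return urlparse(url).scheme == "https"


# Constructed profile and event; no real user data.
SAMPLE_PROFILE = {
    "user_id": "u-12345",
    "email": "user@example.com",
    "hiv_status": "negative, on PrEP",
    "last_test_date": "2017-11-02",
    "relationship_status": "single",
    "ethnicity": "prefer not to say",
    "lat": 38.91,
    "lon": -77.04,
}
SAMPLE_EVENT = {
    "event_name": "profile_viewed",
    "screen": "profile",
    "app_version": "4.2.1",
    "os_version": "Android 8.1",
    "session_length_s": 312,
}

if __name__ == "__main__":
    payload, dropped = build_vendor_event(SAMPLE_EVENT, SAMPLE_PROFILE)
    print("forwarded:", payload)
    print("withheld: ", dropped)
    for url in ("https://analytics.example.com/collect", "http://analytics.example.com/collect"):
        print(url, "->", "ok" if endpoint_is_acceptable(url) else "refused")
```

The allowlist is the important design choice: a denylist of "sensitive" names would have to be updated every time the profile gained a field, whereas an allowlist fails closed, so a new health or identity attribute never reaches the vendor until someone consciously adds it.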
Google is taking a stand on illegal crypto-mining by banning Chrome browser extensions that support crypto-jacking.
Extension platform product manager, James Wagner, claimed that there has been a rise in malicious extensions over the past few months — severely impacting users’ performance.
“Until now, Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it is the extension’s single purpose, and the user is adequately informed about the mining behavior. Unfortunately, approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store,” he explained.
“Starting today, Chrome Web Store will no longer accept extensions that mine cryptocurrency. Existing extensions that mine cryptocurrency will be delisted from the Chrome Web Store in late June. Extensions with blockchain-related purposes other than mining will continue to be permitted in the Web Store.”
There has been a significant spike in crypto-jacking in recent months, as cyber-criminals eschew ransomware in favor of nominally easier ways to make money.
Attacks soared by 8,500% in 2017 thanks to the increase in crypto-currency values. The UK ranked fifth-highest worldwide in terms of crypto-miner detections, with a 44,000% increase in 2017, according to Symantec.
Even students are apparently cashing in on the craze, using university power supplies to support their activities. That same report from Vectra claimed that students are also likely to be targeted by cyber-criminals looking to covertly infect their machines with mining tools.
In February, a researcher found mining malware on over 4000 websites including pages belonging to the ICO and UK and US government agencies.
IBM claimed to have seen a six-fold increase in crypto-mining malware attacks between January and August 2017.
Panera Bread has become the latest US restaurant chain to be exposed by poor cybersecurity after its website leaked personal data on millions of customers, according to reports.
The popular bakery-café business, which has over 2100 outlets nationwide, failed to fix an issue with its website for at least eight months, according to journalist Brian Krebs.
He claimed that researcher Dylan Houlihan first notified the firm about the leak in early August 2017. Despite being told by director of information security, Mike Gustavison, a week later that the firm was “working on a resolution,” it remained unfixed, according to the report.
The leaked records apparently included names, email and physical addresses, birth dates and the last four digits of the credit card numbers. Even worse, the information was said to be easily indexable by automated tools.
The website was taken offline briefly and the data made inaccessible, but only after Krebs spoke to CIO John Meister.
A statement from the firm read:
“Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
However, in a further twist, it has been claimed that the vulnerability affected far more customers than originally thought, extending to the firm’s commercial division. Estimates have put the figure in excess of 37 million.
The site was offline again at the time of writing.
Imperva CTO, Terry Ray, claimed the FTC and PCI regulators may be keen to scrutinize this particular incident.
“Panera appears to have had an application security practice in place, so any investigation will likely spend time understanding what Panera monitored of normal versus abnormal activity, did they have a regularly scheduled security assessment run against their public websites, and did they correct poor coding practices once found,” he explained.
“It seems at a minimum, they failed to either believe and test the first finding of this breach in August and quickly rectified the issue once it went public here in April. They certainly appear capable of fixing the issue as they did quickly today, so why didn’t it happen in August when they were first alerted?”
The US State Department wants to expand its vetting of visa applicants in a move which could expose their social media and other data to hackers.
The proposals, published on Friday as part of the Trump administration’s immigration ‘crackdown’, will require all applicants for immigrant and non-immigrant visas to detail their social media handles for the past five years, as well as telephone numbers, email addresses and details of international travel.
They will expand the list of visa applicants forced to divulge these personal details from the relatively small number (around 65,000) currently required to do so on account of being a suspected national security threat, to virtually all travelers – nearly 15 million.
The new plan was published in the Federal Register and is now subject to a 60-day public comment process. It must also be approved by the Office of Management and Budget before taking effect.
The Department of State claimed that the new Electronic Application for Immigrant Visa and Alien Registration (DS-260) form “will be submitted electronically over an encrypted connection to the Department via the internet.”
However, many will be concerned about the prospect of handing over their personal data to the US government, especially given its track record on protecting the data of its citizens and employees.
A recent Office of Inspector General (OIG) report highlighted serious deficiencies in the department’s cybersecurity posture.
Hina Shamsi, director of the American Civil Liberties Union’s National Security Project, slammed the proposals as “yet another ineffective and deeply problematic Trump administration plan.”
“The government has failed to disclose how this information – accurate or not – may be shared across government agencies and have consequences for individuals living in America, including US citizens,” she argued. “There is also no evidence that such social media monitoring is effective or fair, especially in the absence of criteria to guide the use of social media information in the visa adjudication process.”
Evgeny Chereshnev, CEO and founder of Biolink.Tech, said the rules may even violate international privacy laws like the GDPR.
“Other countries, such as Singapore, Israel, Japan, Russia and China also have their own laws, so when the United States requires private information from foreign citizens, it's technically illegal as it is a violation of home policies from most countries,” he added.
“This is not just about people having to share their social media history; it's giving the government a set of tools to manipulate your behavior.”
The US Department of Defense (DoD) has announced its fifth bug bounty program, which will run through April 29, 2018, and focus on the internal enterprise systems relied upon by millions of employees for global operations.
“The DoD has seen tremendous success to date working with hackers to secure our vital systems, and we’re looking forward to taking a page from their playbook,” said Jack Messer, project lead at the DoD’s Defense Manpower Data Center. “We’re excited to be working with the global ethical hacker community, and the diverse perspectives they bring to the table, to continue to secure our critical systems.”
To be eligible to participate in the latest bug-bounty challenge, individuals from the public must be United States taxpayers or a citizen of or eligible to work in the United Kingdom, Canada, Australia or New Zealand. US government active military members and contractor personnel are also eligible to participate but are not eligible for financial rewards.
Reward amounts have not been disclosed.
“Millions of government employees and contractors use and rely upon key enterprise systems every day,” said Reina Staley, chief of staff at Defense Digital Service. “Any compromise of the system or the sensitive information it handles would be detrimental to our people and our mission. These bug-bounty challenges are a way to give talent outside the public sector a channel to safely disclose security issues and get rewarded for these acts of patriotism.”
Since the Hack the Pentagon program kicked off in 2016, more than 3,000 vulnerabilities have been resolved in government systems. The first Hack the Air Force bug bounty challenge resulted in 207 valid reports and hackers earned more than $130,000 for their contributions; the second Hack the Air Force resulted in 106 valid vulnerabilities surfaced and $103,883 paid to hackers; Hack the Army in December 2016 surfaced 118 valid vulnerabilities and paid $100,000; and Hack the Pentagon in May 2016 resulted in 138 valid vulnerabilities resolved and tens of thousands paid to ethical hackers for their efforts.
“The most security mature organizations look to others for help,” said Alex Rice, co-founder and CTO at HackerOne, the platform provider for the effort. “The Department of Defense continues to innovate with each bug-bounty challenge, and the latest challenge is no exception. We’re excited to bring a fresh, mission-critical asset to the hacker community with the goal of protecting the sensitive government data it contains.”
Luxury department store behemoth Saks Fifth Avenue and sister stores Saks OFF 5TH and Lord & Taylor have become the latest retail victim of a data breach. The incident impacts 5 million payment cards that were used at stores in North America, from May 2017 to March 2018.
Research firm Gemini Advisory uncovered a posting on the dark web by a group of Russian-speaking hackers known as Fin7 (a.k.a. JokerStash), who said they had obtained a cache of stolen card numbers from the company; the thieves call the cache “BIGBADABOOM-2.” They also offered 125,000 of the records for immediate sale.
The likely mechanism for the theft is card-skimming malware installed on the stores’ point-of-sale (POS) checkout systems, though details are scant. Gemini told the New York Times that the initial attack vector was probably targeted phishing emails sent to employees at the chains’ parent company, Hudson’s Bay.
“People often think POS systems are high risk to deal with and are reluctant to patch them and secure them sufficiently,” said James Maude, lead security engineer at Avecto, via email. “Often this results in an environment where unpatched applications are running with admin privileges and very little protection in place, making for a hugely tempting target. Even within the general user population at most organizations, overprivileged users with local admin rights mean that they are one click away from a breach and total compromise. We need to stop making it easy for attackers and build strong defensible security foundations.”
The incident is now contained, according to Saks, which also stressed in a statement that the hackers weren’t able to gain access to its e-commerce or other digital platforms, nor to the payment systems of affiliated brands Home Outfitters or HBC Europe, nor at Hudson’s Bay itself. There’s also no indication that Social Security or Social Insurance numbers, driver’s license numbers or PINs have been affected, it said.
In the grand scheme of things, the breach doesn’t hold a candle to the near-legendary card thefts at Target in 2013 (40 million card numbers stolen) and Home Depot in 2014 (56 million card numbers). But the incident indicates that the near-constant cycle of these types of attacks is far from being broken. Also, the sheer amount of time that the malware was active without being discovered indicates institutional problems, according to Terry Ray, CTO of Imperva.
“The problem organizations have is the actual identification of a breach or infection, especially in a reasonable time frame,” said Ray. “Most attacks are designed to run under the radar and the methods of breach constantly evolve. This requires that cybersecurity teams have effective funding, adequate staff and vast expertise. Sadly, none of those three are common. Usually, cybersecurity teams are underfunded until a breach, then they get a little extra money. Their teams are generally small and stretched thin. Given all the areas that can be attacked, security team members need broad technology knowledge, which makes them highly desirable in the marketplace, going back to the underfunded point.”
The highly anticipated world-title boxing match between Anthony Joshua and Joseph Parker on Saturday night – in which Joshua triumphed to capture a bevy of titles – saw hundreds of pirated streams as fans found ways to tune in online without paying the pay-per-view fee.
Content security specialist Irdeto identified 339 streams that illegally redistributed the fight. Aside from the theft of intellectual property and the revenue lost, many of the streams were of lower quality, which put consumers at risk of a poor viewing experience and of missing key moments during the fight.
Social media was again found to have been a major vehicle for illegal streams, with 207 pirate streams detected using multiple social media channels, including Facebook, YouTube, Periscope and Twitch, reaching approximately 225,804 viewers.
Pirates also took advantage of illicit streaming plugins for Kodi, the popular media player, with 71 streams identified on that platform.
Further, pirates often create professional-looking websites and services to fool users into thinking their illegal content offering is legitimate. They tend to use popular e-commerce sites to proactively advertise their services to consumers, despite those sites explicitly banning the sale of illegal streaming devices. Irdeto identified 180 advertisements for illicit streaming devices offering Joshua vs. Parker on e-commerce websites, including eBay and Gumtree, in just one day in the week leading up to the fight.
“High-profile live sporting events like this are major targets for criminals looking to profit from illegal streams,” said Rory O’Connor, senior vice president of cybersecurity services at Irdeto. “Content owners and rights holders can combine state-of-the-art anti-piracy technology, proactive services and comprehensive cybercrime business intelligence services to shut down streams in real time and protect their content investments.”
Consumers should be vigilant as well.
“By watching illegal streams, knowingly or unknowingly, they could miss crucial sporting moments and are exposing their devices, data and families to risks of cybercrime, inappropriate content and other threats,” O’Connor added. “In addition, people who think about sharing events like this illegally should be aware that they could face charges or legal action as a result.”
Piracy continues to be a widespread scourge: Irdeto’s Global Consumer Piracy Survey, which surveyed more than 25,000 adults across 30 countries last year, found that 52% of consumers around the globe knowingly watch pirated video content.
A new strain of malware that targets vulnerable Linux-based systems is loose in the wild, with an interesting habit of avoiding government and military networks.
Dubbed GoScanSSH (a mash-up of its hallmarks: its Golang-based coding, its ability to scan for new hosts from infected machines, and use of the SSH port), the malware is being used in a widespread campaign that includes more than 70 unique malware samples and multiple versions, indicating that this threat is continuing to be actively developed and improved upon by the attackers. The earliest instance of a variant dates back to last summer, so the campaign has been ongoing for at least nine months.
Its main effort seems to be infecting as many machines as possible, potentially creating a botnet for future use in more damaging attacks.
According to Cisco Talos researchers, bad actors gain access to targets using an SSH-credential brute-force attack against publicly accessible SSH servers.
“In this particular series of attacks, the attacker was leveraging a word list containing more than 7,000 username/password combinations,” they explained in a posting. “Once the attacker has discovered a valid credential set that allows successful SSH authentication, a unique GoScanSSH malware binary is then created and uploaded to the compromised SSH server. The malware is then executed, thus infecting the system.”
Immediately following infection, the GoScanSSH malware attempts to determine how powerful the infected system is and assigns the malware instance a unique identifier, which is all sent to the command-and-control (C&C) server. From there, it initiates SSH scanning activity to find additional vulnerable SSH servers exposed to the internet.
It specifically avoids IP addresses assigned to the U.S. Department of Defense and several in South Korea. The reason for this is unclear.
“It is difficult to fully get inside the head of attackers, but one theory could be that the attackers know that nation-states are resourced and have the political and networking connections to perform accurate attribution,” said Dan Matthews, director of engineering at Lastline, via email. He added, “This attack does not appear complex, although they have done two things which differ from recent commodity malware: written in Go, which is an efficient/cross-platform/modern/cool programming language; and added an IP address validation step prior to performing dictionary attacks against publicly reachable SSH servers.”
Once it has been determined that the selected IP address is an ideal candidate for additional attacks, the malware attempts to obtain valid SSH credentials by attempting to authenticate to the system using the aforementioned wordlist containing username and password combinations. If successful, the malware reports back to the C&C server.
Organizations should employ best practices to ensure that servers they may have exposed remain protected, including ensuring that systems are hardened, that default credentials are changed prior to deploying new systems to production environments and that these systems are continuously monitored for attempts to compromise them.
As Matthews said, “The best thing any organization can do to protect against password reuse attacks is to enable some type of multifactor authentication, particularly for services such as VPNs, SSH servers and web/cloud-based email services, which are reachable from the internet.”
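The GoScanSSH campaign described above leaves a characteristic trace on the victim side: a burst of failed password logins from one source, followed by an accepted login, against an SSH server that still allows password authentication. The following is an added example (not code from the Talos write-up or from any product named here) that shows what a defender can do with that trace. It parses constructed sshd log lines, flags sources whose failed password attempts exceed a threshold inside a time window, notes whether a successful login followed the burst, and checks an sshd_config fragment for the two settings that make such a dictionary attack possible. The thresholds, the sample log lines, both config fragments and the assumed OpenSSH defaults are all assumptions for illustration.

```python
"""Detect SSH password brute-force bursts in sshd auth logs and spot weak sshd_config settings.

Added example for the GoScanSSH report above. Sample log lines and thresholds are
constructed for illustration; they are not values from the original report.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines (year is assumed, since syslog omits it).
SAMPLE_LOG = """\
Mar 28 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.45 port 40210 ssh2
Mar 28 03:14:02 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 40212 ssh2
Mar 28 03:14:02 web1 sshd[2205]: Failed password for invalid user pi from 203.0.113.45 port 40214 ssh2
Mar 28 03:14:03 web1 sshd[2207]: Failed password for root from 203.0.113.45 port 40216 ssh2
Mar 28 03:14:03 web1 sshd[2209]: Failed password for invalid user ubuntu from 203.0.113.45 port 40218 ssh2
Mar 28 03:14:04 web1 sshd[2211]: Failed password for root from 203.0.113.45 port 40220 ssh2
Mar 28 03:14:05 web1 sshd[2213]: Accepted password for root from 203.0.113.45 port 40222 ssh2
Mar 28 03:20:11 web1 sshd[2290]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 28 03:20:40 web1 sshd[2292]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2018):
    """Parse one sshd auth line into a dict, or return None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: {...}} for every source with >= threshold failed password logins
    inside any window_s-second span, plus whether an accepted login followed the burst."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed" and e["method"] == "password"]
        burst_end = None
        # Sliding window over the (chronological) failures: the first window that
        # holds `threshold` failures within `window_s` seconds marks the burst.
        for i in range(len(failures)):
            j = i + threshold - 1
            if j < len(failures) and (failures[j]["ts"] - failures[i]["ts"]).total_seconds() <= window_s:
                burst_end = failures[j]["ts"]
                break
        if burst_end is None:
            continue
        success_after = any(e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs)
        flagged[ip] = {
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "success_after": success_after,  # the strongest signal: guessing worked
        }
    return flagged


# Constructed sshd_config fragments: the weak setting beside the hardened one.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""


def sshd_config_findings(text):
    """List weak settings in an sshd_config fragment. Absent directives fall back to
    assumed current OpenSSH defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line:
            key, _, val = line.partition(" ")
            settings[key.lower()] = val.strip().lower()
    findings = []
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root is the first username in any wordlist")
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: dictionary attacks are possible; use keys and MFA")
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info}")
    print(sshd_config_findings(WEAK_SSHD_CONFIG))
```

The window logic matters more than the raw count: a single source that fails five times over a week is a forgetful user, while five failures in two seconds against four different usernames is a wordlist. Feeding real `/var/log/auth.log` lines to `find_bruteforce` needs only the year to be supplied, and any source flagged with `success_after` set is the one to treat as a compromised host rather than as a blocked scanner.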
The higher-education landscape has become a fertile field for growing crypto-mining revenue. College students are crypto-mining from their dorm rooms, while outside actors are targeting their online activities for web-based attacks.
According to Vectra’s 2018 RSA Conference Edition of its Attacker Behavior Industry Report, higher education is a prime arena given that universities’ open networks usually leave students unprotected. These same students also do their own crypto-mining, because they get free electricity.
“Students are more likely to perform crypto-mining personally as they don’t pay for power, the primary cost of crypto-mining,” said Chris Morales, head of security analytics at Vectra. “Universities also have high-bandwidth capacity networks with a large volume of easy targets, especially as students are more likely to use untrusted sites (like illegal movies, music and software) hosting crypto-mining malware.”
The report, which analyzed traffic and collected metadata from more than 4.5 million devices and workloads from customer cloud, data-center and enterprise environments, found that 60% of cryptocurrency mining detections occurred in higher education, followed by entertainment and leisure (6%), financial services (3%), technology (3%) and healthcare (2%). Mining overall has surged with the rising price of cryptocurrencies like Bitcoin, Monero and Ethereum.
Colleges and universities aren’t just over-indexing in crypto-mining. The highest volume of attacker behaviors per industry were in higher education (3,715 detections per 10,000 devices) followed by engineering (2,918 detections per 10,000 devices).
This is primarily due to command-and-control (C&C) activity in higher education, according to the report, and internal reconnaissance activity in engineering. To the former point, C&C activity in higher education, with 2,205 detections per 10,000 devices, is four times above the industry average of 460 detections per 10,000 devices. These early threat indicators usually precede other stages of an attack and are often associated with opportunistic botnet behaviors, Vectra said.
When universities detect crypto-mining, they can only respond to students with a notice that the activity is occurring. They can provide assistance in cleaning machines, or in the case of the student being responsible, they can issue a cease-and-desist. As such, the problem is likely to persist.
“Students are exceedingly intelligent and very enterprising,” said Daniel Basile, executive director of the Security Operations Center (SOC) at Texas A&M University. “This is a time that many of them are working with new technologies, and it is not surprising that they are utilizing their machines for cryptocurrency mining. However, there is also a large increase in websites that will crypto-jack your PC while you are on their website. This new trend of mining Bitcoin for revenue instead of ads can directly affect students. With the increase in online video streaming resources, this creates a large amount of cryptocurrency mining.”
The MyFitnessPal virtual health and wellness assistant has copped to a data breach affecting 150 million accounts; hackers made off with user names, email addresses and bcrypt-hashed passwords.
While details of how hackers exploited the accounts are still emerging, this appears to be the largest data breach of 2018 to date.
The intrusion occurred in February, but the Under Armour–owned company said in a notice that it wasn't aware of the breach until March 25. Fortunately, the affected data did not include Social Security numbers or driver's license numbers, because the app doesn’t collect that information; nor did it affect payment card data, which, in another win for network segmentation, is collected and processed separately.
While the event thankfully doesn’t impact financial accounts, John Gunn, CMO at VASCO Data Security, pointed out that there’s an opportunity to up the ante on data security across the board.
“This event, like similar ones where credit-card data is not taken in a breach, demonstrates the value of enforcing security requirements,” he said, via email. “If businesses applied the Payment Card Industry Data Security Standards (PCI DSS) to all data and not just credit-card information, you would see a lot less personal information, such as user names, email addresses and passwords, getting into the hands of hackers.”
MyFitnessPal users are being required to change their passwords. In terms of mitigation, users should of course immediately do that, but they should also be aware that the information taken could be used for phishing attacks, which is where the real danger lies. Any user should avoid clicking on links in emails, social media posts or other messages that seem to have come from Under Armour or MyFitnessPal.
Also, if a user repurposes the MyFitnessPal password on any other websites, especially for banking accounts or similar websites, they should immediately change their passwords on those websites – and choose a different, strong password for each one.
“The reuse of passwords in situations like this may seem like a short lapse in judgment, but this data that aligns names and email addresses with passwords is a potential disaster for anyone who reuses their passwords across multiple sites and accounts,” said Lisa Baergen, marketing director of MasterCard-owned NuData Security, via email.
The majority of vulnerabilities used by cyber-criminals last year in phishing attacks and exploit kits were found in Microsoft products, with some dating back several years, according to Recorded Future.
The security vendor followed up a similar 2016 report by analyzing thousands of sources — including code repositories, deep web forum postings, and dark web onion sites — to spot “co-occurrences” with known software flaws.
Unlike the 2016 and 2015 reports, where Adobe Flash dominated the rankings, Microsoft led the way with seven out of the top 10 vulnerabilities.
The most commonly observed vulnerability was CVE-2017-0199, found in several Microsoft Office products and allowing attackers to download and execute a Visual Basic script containing Powershell commands from a malicious document.
It was spotted in multiple phishing attacks and linked to 11 separate pieces of malware, while exploit builders for the flaw were seen on the dark web last year being sold for between $400 and $800, according to the report.
The second most frequently cited vulnerability, CVE-2016-0189, appeared on the 2016 rankings. It’s an Internet Explorer vulnerability which served as a popular avenue for exploit kits in 2017, Recorded Future claimed.
Alongside these two were five more Microsoft vulnerabilities dating from 2017, 2016 and even 2014. The three Adobe Flash bugs on the list were first published in 2015 and 2016.
The continued popularity of these flaws should be a timely reminder of the need to patch known vulnerabilities. Just this week, for example, Boeing was caught out after some machines in its South Carolina facility were infected with WannaCry.
Overall, however, Recorded Future claimed to have seen a decline in exploit kit activity — a 62% drop in new variants.
“The observed drop in exploit kit activity overlaps with the rapid decline of Flash Player usage,” explained report author, Scott Donnelly. “Users have shifted to more secure browsers, and attackers have shifted as well. Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void.”
The firm urged users to switch to Google Chrome as their primary browser; improve user training; back up frequently to mitigate the risk of ransomware; use ad-blockers to prevent malvertising; and remove affected software if it doesn’t impact key business processes.
It also warned firms to be aware that social sites like Facebook may use Flash, exposing users to cyber-risk.
Aerospace giant Boeing was struck with the notorious WannaCry ransomware this week, but initial fears it had infected a production facility have since been dismissed as speculation.
Chief engineer Mike VanderWel sent an “all hands on deck” email round internally on Wednesday, according to the Seattle Times.
“It is metastasizing rapidly out of North Charleston and I just heard 777 [automated spar assembly tools] may have gone down,” he’s reported to have said. “We are on a call with just about every VP in Boeing.”
Once the dust had settled, an official statement indicated that the incident was limited to a “few machines” which were subsequently patched and remediated. However, head of communications Linda Mills admitted that it had taken time to assess the scale of the problem at Boeing’s South Carolina facility.
“Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems. Remediations were applied and this is not a production and delivery issue,” the statement noted.
The incident is a timely reminder of the latent risk posed even by cyber-threats for which there are security updates available.
The Windows SMB vulnerability exploited by WannaCry was actually patched by Microsoft a couple of months before the ransomware struck in May 2017, causing catastrophic damage around the world on hundreds of thousands of endpoints.
The NHS was perhaps most notably affected, with an estimated 19,000 operations and appointments cancelled and a third of the health service hit.
Sporadic outbreaks have appeared ever since, with Honda forced to temporarily close a plant in June last year, weeks after the first attack struck.
Still, it appears as if ransomware is increasingly being eschewed by the black hats in favor of crypto-currency mining malware.
Trend Micro claimed the number of ransomware-related threats it blocked last year stood at 631 million, down from over one billion in 2016.