Info Security


Toyota Japan Hacked, Vietnam Office Suspects Breach

Fri, 03/29/2019 - 16:07
After a security incident in February at its Australian subsidiary, Toyota Motor Corp. has suffered its second security breach in the last five weeks, with today's breach announced by the company's main offices in Japan.

"On March 29, 2019, it was announced in Japan that Toyota Motor Corporation (TMC) learned it had possibly been the victim of a cyberattack targeting Toyota Tokyo Sales Holdings Inc., a TMC sales subsidiary, and its affiliated enterprises. Additionally, three other independent dealers in Japan are possibly involved. Toyota Motor North America (TMNA) is monitoring the situation closely and is currently unaware of any compromise of TMNA systems associated with this incident or evidence that Toyota or Lexus dealers in the United States have been targeted," Toyota Motor North America said in a statement.

The company reportedly said hackers breached its systems, gaining unauthorized access to data belonging to several sales subsidiaries, all based in Tokyo. Toyota said the servers that hackers accessed stored sales information on up to 3.1 million customers that included names and dates of birth but no credit card information, though the investigation remains ongoing.

In addition, Toyota Vietnam said that it is possible the company was also hacked, according to Tinmoi. “Toyota Vietnam Motor Company (TMV) has discovered that the Company is likely to have been attacked by the network and some customer data may have been accessed. So far we do not have any concrete evidence and details about the lost data, and are currently in the process of investigation. We will share as soon as information is available,” TMV said according to a translation of a statement shared with Tinmoi.

"In light of the Toyota security breach, it’s clear that automotive manufacturers need to be aware that as their technology continues to evolve there are more responsibilities involved to protect the consumer," said Amir Einav, VP of marketing at Karamba Security. "As car manufacturers are set to collect more data than ever before on drivers and vehicle behavior there is more personal information at stake. Following Toyota’s second breach in the last five weeks, there is a greater sense of urgency in the automotive industry around the need to take preventive cybersecurity measures, from the cloud to the in-vehicle technology."

Categories: Cyber Risk News

Magento Warns E-Commerce of SQL Injection Risk

Fri, 03/29/2019 - 15:52
After researchers discovered an SQL injection vulnerability in Magento's code, the company issued a security release fixing more than 30 vulnerabilities in its software; the SQL injection flaw reportedly put more than 300,000 e-commerce sites at risk of card-skimming attacks.

Online businesses have been strongly urged to apply the latest fix: Magento warned that unpatched versions prior to 2.3.1 (and, on the 2.2 branch, 2.2.8) are vulnerable and that the flaw is being exploited in the wild.

According to the March 26 Magento advisory, "Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.1. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can."

A separate bug fixed in the same release, PRODSECBUG-2192, carries a Common Vulnerability Scoring System (CVSS) severity rating of 9.8 and would allow "an authenticated user with privileges to create newsletter or email templates that can execute arbitrary code through crafted newsletter or email template code."

No proof of concept yet exists, but exploitation is relatively easy, according to Satnam Narang, senior research engineer at Tenable. "Magento site owners should upgrade to these patched versions as soon as possible. Magento e-commerce websites have been a popular target for cybercriminals for years, so the existence of an unauthenticated remote code execution bug certainly won’t go unnoticed."

Instead of credential dumps, criminals are using stolen credit card dumps that can result in immediate financial losses for consumers and fraud losses for merchants, said Ameya Talwalkar, co-founder and CPO, Cequence. "This is a unique case of an application vulnerability being exploited for business logic abuse. We’ve detected and blocked similar attacks to this that have targeted our own retail customers. This particular attack is very similar to credential checking attacks on login applications using malicious automation or bots."

"Normally retail applications do not allow for $0 transactions, but due to the newly discovered vulnerability in Magento, it allows these $0 transactions and opens the door for checking stolen credit and gift cards for validation."

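The $0 card-checking pattern described in the Cequence quotes above is detectable in gateway or checkout logs independently of the Magento bug itself. The following is an added example, not code from Magento or Cequence: it parses a constructed authorization log (the record format, IP addresses and card tokens are invented for illustration) and flags any client that fires many zero-amount authorizations with many distinct cards inside a short sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log: timestamp, client IP, order amount, card token, result.
# The first client fires six $0 authorizations with six different cards in four seconds;
# the other two clients are ordinary shoppers.
SAMPLE_LOG = """\
2019-03-28T10:00:01Z 203.0.113.7 amount=0.00 card=a1f3 result=declined
2019-03-28T10:00:02Z 203.0.113.7 amount=0.00 card=b77c result=declined
2019-03-28T10:00:02Z 203.0.113.7 amount=0.00 card=c902 result=approved
2019-03-28T10:00:03Z 203.0.113.7 amount=0.00 card=d4e1 result=declined
2019-03-28T10:00:04Z 203.0.113.7 amount=0.00 card=e55a result=approved
2019-03-28T10:00:05Z 203.0.113.7 amount=0.00 card=f0b2 result=declined
2019-03-28T10:02:10Z 198.51.100.23 amount=49.99 card=1111 result=approved
2019-03-28T10:05:44Z 198.51.100.23 amount=0.00 card=1111 result=approved
2019-03-28T10:09:00Z 192.0.2.55 amount=12.50 card=2222 result=declined
"""


def parse_line(line):
    """Parse one 'ts ip k=v k=v ...' record into a dict."""
    ts, ip, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "amount": float(fields["amount"]),
        "card": fields["card"],
        "result": fields["result"],
    }


def detect_card_testing(log_text, window=timedelta(minutes=5),
                        min_attempts=5, min_distinct_cards=4):
    """Flag clients that push many zero-amount authorizations with many
    distinct cards inside a sliding time window. Returns {ip: summary}."""
    zero_amount = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            if event["amount"] == 0.0:
                zero_amount[event["ip"]].append(event)

    flagged = {}
    for ip, events in zero_amount.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            cards = {e["card"] for e in span}
            if len(span) >= min_attempts and len(cards) >= min_distinct_cards:
                summary = {
                    "attempts": len(span),
                    "distinct_cards": len(cards),
                    # approved $0 auths are the validated cards the fraudster wanted
                    "approved": sum(e["result"] == "approved" for e in span),
                }
                if best is None or summary["attempts"] > best["attempts"]:
                    best = summary
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_card_testing(SAMPLE_LOG).items():
        print(f"card testing suspected from {ip}: {summary}")
```

In practice the same signal is better keyed on session or device fingerprint than on IP, since card-testing bots rotate proxies; the cheaper control is the business rule the quote points to, refusing to send a zero-amount order to the gateway at all.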
Categories: Cyber Risk News

Intel Microchip Intercepts Signals, Reads Memory

Fri, 03/29/2019 - 14:24
At this week's Black Hat Asia 2019 conference, researchers from Positive Technologies revealed findings about what they described as undocumented technology in Intel microchips that allows reading data from memory and intercepting signals from peripherals.

On March 28, 2019, Positive Technologies experts Maxim Goryachy and Mark Ermolov spoke in Singapore, discussing the microchips in their session Intel VISA: Through the Rabbit Hole.

The Platform Controller Hub (PCH) microchips on modern Intel motherboards reportedly contain a logic signal analyzer called Intel Visualization of Internal Signals Architecture (VISA), which is disabled by default on commercial systems. However, the researchers discovered several ways an attacker could activate the technology, which has access to virtually all the data on a computer. The researchers were able to intercept signals from displays, keyboards and webcams.

"With VISA, we succeeded in partially reconstructing the internal architecture of PCH and, within the chip, discovered dozens of devices that are invisible to the user yet are able to access certain critical data," the researchers wrote. In their talk, the experts demonstrated "how to read signals from PCH internal buses (for example, IOSF Primary and Side Band buses and Intel ME Front Side Bus) and other security-sensitive internal devices."

Leveraging the previously identified Intel Management Engine (ME) vulnerabilities covered by advisory INTEL-SA-00086, which Positive Technologies researchers had discovered, Goryachy and Ermolov demonstrated that a malicious actor could attack computers by injecting spyware into the subsystem’s code.

"ME can intercept and modify network packets as well as images on graphics cards; it has full access to USB devices. Such capabilities mean that if an attacker finds an opportunity to execute arbitrary code inside ME, this will spawn a new generation of malware that cannot be detected using current protection tools. Fortunately, only three (publicly known) vulnerabilities have been detected in the 17-year history of this technology," the researchers wrote.

"We found out that it is possible to access Intel VISA on ordinary motherboards, with no specific equipment needed," said Positive Technologies expert Maxim Goryachy, according to a press release. "With the help of VISA, we managed to partially reconstruct the internal architecture of the PCH microchip."

***UPDATED*** This article has been updated to include the following statement from Intel.

An Intel spokesperson wrote in an email: "This issue, as discussed at BlackHat Asia, relies on physical access and a previously mitigated vulnerability addressed in INTEL-SA-00086 on November 20, 2017. Customers who have applied those mitigations are protected from known vectors. Visualization of Internal Signals (VIS) is actually included in our publicly-available documentation and is part of Intel Trace Hub – which is outlined in our developer manual (see section 3.1). We also talk about Trace Hub on our website."

Categories: Cyber Risk News


IT Security Pros Slam State-Backed Encryption Backdoors

Fri, 03/29/2019 - 10:54
Most IT security professionals believe governments that mandate end-to-end encryption backdoors are exposed to a greater risk of nation state cyber-attacks, according to Venafi.

The security vendor polled over 500 industry professionals at the recent RSA Conference in San Francisco on a topic which continues to be hotly debated in the US and Europe.

Nearly three-quarters (73%) said they thought laws effectively forcing tech companies to enable law enforcers to read encrypted communications would make their nation less secure. Slightly fewer (70%) claimed governments shouldn’t be able to mandate private tech providers to make their code less secure.

Some 69% argued that such moves would also put a country at an economic disadvantage globally, presumably because it will no longer be seen as a safe place in which to do business.

“This is not rocket science; backdoors inevitably create vulnerabilities that can be exploited by malicious actors. It’s understandable that so many security professionals are concerned because backdoors are especially appealing to hostile and abusive government agencies and more governments are considering these mandates,” argued Venafi’s VP of security strategy and threat intelligence.

“We know that attackers don’t abide by restrictions; they don’t follow the rules or buy products in controlled markets. Countries that enact these near-sighted restrictions harm law abiding businesses and court economic damage as well as intrusions focused on sovereign government processes.”

Last December Australia passed new laws which could force tech providers to engineer de facto backdoors into their end-to-end encryption products. In so doing, it joined the UK, whose Investigatory Powers Act has widely been viewed as one of the most intrusive surveillance regimes of any western democracy.

However, with most global tech firms based in the US, these powers are unlikely to be tested on the world’s most popular services. That makes the US a key battleground for privacy advocates.

Law enforcers and some lawmakers have long argued for such powers, claiming erroneously that backdoors could be provided to allow police access to encrypted comms only in specific cases, without making the entire ecosystem less secure for all customers.

Increasingly exasperated by this talk, the world’s leading cryptography experts last year backed demands for FBI director, Christopher Wray, to explain the technical basis for his repeated claims that backdoors can be engineered without impacting user security.

Categories: Cyber Risk News

Ex-NSA Contractor Pleads Guilty to Top Secret Data Theft

Fri, 03/29/2019 - 10:24
A former NSA contractor has pleaded guilty to stealing top secret government documents over a two decade period, putting national security at risk.

Harold Martin III, of Glen Burnie, Maryland, confessed to “willful retention of national defense information,” having previously denied all charges against him, and will now serve nine years behind bars, according to the Department of Justice.

Former US Navy man Martin worked at multiple private contracting companies from December 1993 to August 27, 2016, gaining clearance to handle Top Secret and Sensitive Compartmented Information (SCI).

He’s thought to have taken as much as 50TB of data over a 20-year period starting in the late 1990s and ending with his arrest in 2016, storing them at home and in his vehicle.

It has been reported that Martin may have been linked in some way to the infamous Shadow Brokers data dump of classified NSA hacking tools.

He is alleged to have tried to communicate over Twitter with Russian AV firm Kaspersky Lab, sending five cryptic private messages requesting a meeting with founder Eugene Kaspersky, stating what he had to discuss had a “shelf life” of three weeks.

Just 30 minutes after the messages were sent, the Kremlin-linked Shadow Brokers began PR-ing their haul, according to Politico.

Kaspersky tipped off the FBI about the messages, which resulted in a major raid on Martin’s home, where the stolen classified documents were found, apparently including some of the same hacking tools leaked by the Shadow Brokers.

“This case shows that there is still work to be done when it comes to stopping criminals before they have a chance to actually steal large amounts of data over extended periods,” said Mohan Koo, Dtex Systems founder and CTO.

“We work with public and private sector organizations daily to help them prevent insider threats from getting out of hand. The ones that place equal emphasis on illegal activity detection and investigations experience fewer data theft incidents.”

Categories: Cyber Risk News

ICO Fines Pensions Firm for Spamming Millions of Users

Fri, 03/29/2019 - 09:52
The Information Commissioner’s Office (ICO) has fined a pensions company for sending out nearly two million spam emails.

The UK’s privacy watchdog slapped Kent-based Grove Pension Solutions with a £40,000 penalty after it sent out the unsolicited marketing emails between October 31, 2016 and October 31, 2017.

Although the firm had sought advice over the use of third-party marketing agents from both a data protection consultancy and its lawyers, the counsel they gave proved to be inaccurate.

According to the Privacy and Electronic Communications Regulations (PECR), firms can’t send out marketing emails unless the recipient has given their explicit consent. The maximum fine under the regime is £500,000.

“Spam email uses people's personal data unlawfully, filling up their inboxes and promoting products and services which they don't necessarily want,” said ICO director of investigations and intelligence, Andy White.

“We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it.”

The moral of this cautionary tale is for organizations unsure about data protection and marketing laws to get in touch with the ICO directly, rather than spending money consulting with third party ‘experts’ which may do little except give them a false sense of security.

“The ICO is here to provide businesses with guidance about electronic marketing and data protection, free of charge. The company could have contacted us and avoided this fine,” explained White.

The fine follows another £40,000 penalty levied by the ICO last week, this time against Brexit organization Vote Leave, which sent out thousands of unsolicited text messages in the run up to the 2016 referendum.

That follows a similar fine for Leave.EU related to its sending of nearly 300,000 political marketing messages.

Leave.EU is now the subject of a criminal investigation by the National Crime Agency (NCA) over allegations that its funding came from outside the UK, breaking election laws.

Categories: Cyber Risk News

Multi-Cloud Poses Backup Management Woes

Thu, 03/28/2019 - 14:48
Though backup is a known best-practice approach to IT risk management, many companies are overwhelmed by the number of sites that need to be backed up, according to a new survey released today by Barracuda Networks.

The study, Closing Backup and Recovery Gaps, asked more than 1,000 IT professionals, business executives and backup administrators about their data protection strategies and found that despite a desire for business continuity, organizations still struggle to take all of the necessary steps to fully secure their business' data.

According to the report, the rise of multi-cloud and multi-site environments has resulted in 57% of respondents saying they have to back up more than two sites for their organization, while 7% of respondents manage backups for more than 26 sites.

"When you combine this data with the new push for multi-cloud deployments, it’s clear the simpler days of companies managing a single site and on-premises architecture are a thing of the past. This makes remote management a key consideration for any backup and recovery solution, to help save valuable IT time and effort during day-to-day tasks and urgent recovery efforts," the report said.

Among small to medium-sized businesses (SMBs), over 60% have migrated to Office 365. Of those, 40% are not using backup tools because they assume their cloud provider handles backup and disaster recovery.

Databases (91%), email (68%) and proprietary application data (62%) are the most common types of data that respondents said they are backing up, but the report found that, "Increasingly, everything is deemed mission critical."

A large number of respondents (37%) are backing up multimedia data, and more than a quarter (28%) back up research and development data. "However, of some concern is the small number of respondents (16%) wanting to back up their SaaS data. This inaction is putting their business continuity at risk," the report said.

Despite the risk management capabilities of cloud backup, over half (59%) of respondents do not plan to migrate on-premises services to the cloud, and only 18% report that they are currently migrating.

Categories: Cyber Risk News

Vulnerabilities in Pydio 8 Allow Escalated Admin Access

Thu, 03/28/2019 - 14:20
In a coordinated vulnerability disclosure released today, researchers at SecureAuth said they had found multiple vulnerabilities in Pydio 8 (version 8.2.2) that would grant access to a malicious actor who could then escalate privileges and get administrator access. Pydio reportedly released a fixed version last week.

With privileged access to the application, the attacker could then leverage a separate vulnerability: an OS command injection in the ImageMagick plugin, executed with the privileges of the user account running the web server. In addition, SecureAuth found a cross-site scripting flaw in the file view feature and two information disclosure vulnerabilities reachable without authentication, in Pydio itself and in its PHP libraries.

An attacker with administrator access and exploiting the OS command injection could access any file being synchronized and shared.

According to the advisory, the privilege escalation vector, CVE-2019-10049, is based on multiple vulnerabilities, and "by chaining vulnerabilities it is possible for an attacker with regular user access to the web application to attempt to trick an administrator user to open a link shared through the application."
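Command injection in an image-processing hook of the kind described above almost always comes from building a shell string around a user-supplied filename. The block below is an added illustration in Python, not Pydio's PHP code: the WORKSPACE path and the convert invocation are assumptions. It shows the vulnerable pattern beside a hardened one (argv list with no shell, path confined to the user's workspace, and an explicit ImageMagick coder prefix so the filename cannot select a different coder).

```python
import os
import subprocess
from pathlib import Path

# Assumed per-user storage root (hypothetical path, not Pydio's layout).
WORKSPACE = Path("/srv/files/alice")


def build_command_vulnerable(user_filename):
    """VULNERABLE: interpolates a user-controlled name into a shell string.
    A name such as 'x.png; id' makes the shell run `id` as the web-server user."""
    return f"convert {user_filename} -resize 200x200 /tmp/thumb.png"


def is_within_workspace(user_filename):
    """Lexically normalise the joined path and require it to stay under WORKSPACE.
    Rejects '../' traversal and absolute paths. A production check should also
    resolve symlinks (os.path.realpath) once the file exists and re-test."""
    target = Path(os.path.normpath(WORKSPACE / user_filename))
    return WORKSPACE in target.parents


def build_command_hardened(user_filename):
    """Hardened: no shell (argv list), path confined to the workspace, and the
    ImageMagick coder pinned with an explicit 'png:' prefix. Shell
    metacharacters in the name become an ordinary (non-existent) filename."""
    if not is_within_workspace(user_filename):
        raise ValueError(f"refusing path outside workspace: {user_filename!r}")
    target = Path(os.path.normpath(WORKSPACE / user_filename))
    return ["convert", f"png:{target}", "-resize", "200x200", "/tmp/thumb.png"]


def make_thumbnail(user_filename):
    """Execute the hardened command without a shell, capturing output."""
    return subprocess.run(build_command_hardened(user_filename),
                          check=True, capture_output=True)
```

Running ImageMagick under a policy.xml that disables unneeded coders, and as a dedicated low-privilege user rather than the web-server account, limits what an injection that slips through can reach.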

Security researcher Ramiro Molina from SecureAuth security consulting services discovered the vulnerabilities, and Leandro Cuozzo from SecureAuth advisories team coordinated with Pydio in the publication of the disclosure.

"While important to productivity, file-sharing services that host, store, share or synchronize files across devices are targets for attackers due to the highly sensitive data that these files often contain – including business plans, financial information and even passwords," said Leandro Cuozzo, security researcher, SecureAuth.

"Research from McAfee shows file-sharing services store 39 percent of all corporate data uploaded to the cloud including highly sensitive information. Even though 64 percent of documents in file sharing services are not shared, they are still accessible by administrators. In this case, an attacker with administrator access and exploiting the OS command injection could access any file being synchronized and shared in a Pydio implementation.

"In addition to applying the latest patches, organizations should implement adaptive authentication to improve security and limit access to sensitive information in file-sharing services."

Categories: Cyber Risk News


Risks in Hidden UC Browser for Android Feature

Thu, 03/28/2019 - 13:49
More than 500 million Android users have been put at risk of a man in the middle (MITM) attack resulting from a popular web browser's ability to secretly download auxiliary components from the internet, according to blog posts from both Tripwire and Dr.Web.

Researchers noted that UC Browser for Android and UC Browser Mini for Android applications have the hidden ability to download and install extra modules from their own servers using unprotected channels and bypassing Google Play's servers altogether, a clear violation of the rules of the Google Play store.

"The browser receives commands from the command and control server and downloads new libraries and modules, which add new features and can be used to update the software," the Dr. Web blog stated.

"During our analysis, UC Browser downloaded an executable Linux library from a remote server. The library was not malicious; it is designed to work with MS Office documents and PDF files. Initially, this library was not in the browser. After downloading, the program saved the library to its directory and launched it for execution. Thus, the application is actually able to receive and execute code, bypassing the Google Play servers. This violates Google's rules for software distributed in its app store."

Researchers at Tripwire disagreed in part with Dr.Web's reporting, noting that, with UC Browser, an attacker could take control of the browser developer’s servers and load malicious software using this hidden feature. However, with UC Browser Mini, "this ability threatens 100 million Google Play users with the risk of a malware infection. It does not, however, enable criminals to conduct a MITM attack as with UC Browser."
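The exposure both vendors describe is an update channel that hands the browser code the shipped package never vouched for, over a link an attacker on the path can rewrite. The block below is an added example, not UC Browser code: it shows the minimal gate a practitioner would expect before a downloaded module is executed, a TLS-only transport check followed by a pinned SHA-256 manifest that ships inside the signed app. The module bytes, manifest and URLs are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for a downloadable native module (not a real library).
OFFICE_READER_MODULE = b"\x7fELF constructed office-document reader module bytes"

# Allow-list of module digests. In a real app this is generated at release
# time and shipped inside the signed package, so the download server cannot
# alter it; here it is constructed from the sample bytes above.
MODULE_MANIFEST = {
    "office_reader.so": hashlib.sha256(OFFICE_READER_MODULE).hexdigest(),
}


class ModuleRejected(Exception):
    """Raised when a downloaded module fails transport or integrity checks."""


def verify_module(name, blob, manifest=MODULE_MANIFEST):
    """Accept `blob` only if its SHA-256 matches the pinned digest for `name`."""
    expected = manifest.get(name)
    if expected is None:
        raise ModuleRejected(f"{name}: not listed in the shipped manifest")
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ModuleRejected(f"{name}: digest mismatch, refusing to load")
    return True


def fetch_and_load(name, url, blob, loader, manifest=MODULE_MANIFEST):
    """Gate a downloaded module on transport (TLS only) and content (pinned
    digest) before handing it to `loader`. `blob` is passed in rather than
    fetched so the example runs offline; `loader` stands in for dlopen/System.load."""
    if urlparse(url).scheme != "https":
        raise ModuleRejected(f"{name}: refusing non-TLS download from {url}")
    verify_module(name, blob, manifest)
    return loader(name, blob)


def try_load(name, url, blob, loader, manifest=MODULE_MANIFEST):
    """Convenience wrapper returning (accepted, result_or_reason)."""
    try:
        return True, fetch_and_load(name, url, blob, loader, manifest)
    except ModuleRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    fake_loader = lambda n, b: f"loaded {n} ({len(b)} bytes)"
    print(try_load("office_reader.so", "https://updates.example/office_reader.so",
                   OFFICE_READER_MODULE, fake_loader))
    print(try_load("office_reader.so", "http://updates.example/office_reader.so",
                   OFFICE_READER_MODULE, fake_loader))
    print(try_load("office_reader.so", "https://updates.example/office_reader.so",
                   OFFICE_READER_MODULE + b"\x90", fake_loader))
```

A hash manifest pins the module set at build time, which is the property Google Play's rules require: new executable code arrives in a new signed package, not through the app's own channel. An asymmetric signature over a versioned manifest is the usual production variant; the check order (transport, then integrity, then load) is the same.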

That is not the only way that bad actors could exploit the browser, said Usman Rahim, digital security and operations manager at The Media Trust.

“Bad actors can insert their code through insecure third-party code suppliers. Browsers and other apps are being developed within ever shorter timescales and with a traditional security mindset where the security deficiencies of a product are determined after it has been designed, not before and during. Third parties are often not carefully vetted for security capabilities. Moreover, security considerations fail to receive the priority and resources they require and are, instead, treated as unnecessary costs—that is, of course, until a breach happens.”

Categories: Cyber Risk News

Microsoft Hails “Significant” Disruption of Iranian APT Group

Thu, 03/28/2019 - 11:17
Microsoft is claiming its attempts at disrupting a well-known Iranian state-sponsored APT group have had a “significant impact.”

Unsealed court documents reveal the work of Microsoft’s Digital Crimes Unit (DCU) in targeting the Tehran-linked APT35 group, also known as Charming Kitten and Phosphorus, according to VP of customer security and trust, Tom Burt.

A court order allowed the unit to take control of 99 phishing domains — including outlook-verify.net, yahoo-verify.net, verification-live.com, and myaccount-services.net — which were used to harvest victims’ credentials.

“The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crimes Unit’s sinkhole. The intelligence we collect from this sinkhole will be added to [Microsoft Threat Intelligence Center] MSTIC’s existing knowledge of Phosphorus and shared with Microsoft security products and services to improve detections and protections for our customers,” explained Burt.

“Throughout the course of tracking Phosphorus, we’ve worked closely with a number of other technology companies, including Yahoo, to share threat information and jointly stop attacks.”

Burt thanked these other tech firms for their assistance, as well as the domain companies that were required to transfer websites registered by APT35 to Microsoft, under the court order.

While these efforts will certainly not put an end to the state-backed group’s activities, they will help the white hats discomfit their opponents a little while obtaining some valuable intelligence on their activities.

The group has been detected in the past targeting businesses, government agencies, activists and journalists with information-stealing raids.

It’s the same tactic Microsoft used to disrupt the notorious Russian APT28 (aka Strontium) group, which has been blamed for info-stealing attacks on Democratic Party officials ahead of the 2016 US presidential election.

Burt claimed Microsoft had used the approach 15 times, controlling 91 spoofed websites registered by the Kremlin-backed group.

Categories: Cyber Risk News

Hackers Queue Up to Exploit WinRAR Bug

Thu, 03/28/2019 - 10:42
Security researchers have warned of a new wave of attacks on Middle Eastern companies from APT33, a group with links to Iran.

Also known as “Elfin” and “Refined Kitten,” the group has been in operation since 2015, using a combination of custom malware, commodity malware and open-source hacking tools.

In a new wave of attacks in February, the group tried to exploit a known vulnerability (CVE-2018-20250) in popular file archiving utility WinRAR. Having gone undetected for nearly two decades, the bug is particularly dangerous as there’s no automatic update mechanism for WinRAR, which is installed on hundreds of millions of machines around the globe.

“If successfully exploited on an unpatched computer, the vulnerability could permit an attacker to install any file on the computer, which effectively permits code execution on the targeted computer,” Symantec explained.
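Lure files for CVE-2018-20250 are ACE archives, usually renamed .rar so that WinRAR's bundled ACE decoder handles them, whose entry names carry path traversal towards a Windows Startup folder. The following is an added triage example, not Symantec's or FireEye's code. It relies on two format facts: a RAR file begins with the Rar!\x1a\x07 signature, and an ACE archive carries "**ACE**" at byte offset 7 of its main header. The sample archives and the list of path markers are constructed for illustration.

```python
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7                      # ACE main header: CRC(2) size(2) type(1) flags(2) then "**ACE**"
RAR_MAGICS = (b"Rar!\x1a\x07\x00",        # RAR 1.5 - 4.x
              b"Rar!\x1a\x07\x01\x00")    # RAR 5.x
# Substrings a benign archive rarely carries in its entry names but a
# CVE-2018-20250 lure does: traversal sequences, drive-letter roots and the
# Windows Startup folder. Constructed heuristic list; tune for your fleet.
SUSPICIOUS_PATH_MARKERS = (b"..\\", b"../", b"Start Menu\\Programs\\Startup", b":\\")


def archive_format(data):
    """Classify a file body by magic bytes, ignoring its extension."""
    if any(data.startswith(m) for m in RAR_MAGICS):
        return "rar"
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def scan_archive(filename, data):
    """Return a triage verdict: ACE content behind a .rar name, and/or
    traversal-looking paths inside an ACE file, are flagged."""
    fmt = archive_format(data)
    findings = []
    if fmt == "ace":
        if filename.lower().endswith(".rar"):
            findings.append("ACE payload disguised with .rar extension")
        for marker in SUSPICIOUS_PATH_MARKERS:
            if marker in data:
                findings.append(f"path marker {marker!r} in archive headers")
    return {"file": filename, "format": fmt,
            "suspicious": bool(findings), "findings": findings}


# Constructed samples: a minimal RAR header, and an ACE header followed by an
# entry name that climbs into a Startup folder (invented, not a real lure).
BENIGN_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 32
LURE_ACE = (b"\x00" * 7 + ACE_MAGIC + b"\x00" * 16
            + b"C:\\Users\\Public\\..\\..\\Users\\victim\\AppData\\Roaming\\Microsoft"
            b"\\Windows\\Start Menu\\Programs\\Startup\\update.exe")


if __name__ == "__main__":
    for name, blob in (("archive.rar", BENIGN_RAR), ("invoice.rar", LURE_ACE)):
        print(scan_archive(name, blob))
```

Magic-byte classification is the part worth keeping even after WinRAR is patched: mail gateways and EDR rules that key only on the .rar extension never see the ACE decoder being invoked.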

The Elfin group usually begins its attacks with a classic spear-phishing email, and then proceeds to download and use a combination of custom and widely available malware/tools. These include the AutoIt backdoor; RATs such as Remcos, DarkComet and Quasar; and credential stealers like Mimikatz and SniffPass.

Saudi Arabian targets account for 42% of total attacks since 2016, but the US is a close second with 34% before a big drop off with Belgium (6%) in third.

That WinRAR vulnerability, discovered in February, has also been exploited in multiple campaigns spotted by FireEye.

These include one using a phishing email impersonating an educational accreditation council; an attack on an Israeli military company; and a possible attack against an individual in Ukraine using a PDF letter from former president Viktor Yanukovych and the Empire backdoor as primary payload.

“We have seen how various threat actors are abusing the recently disclosed WinRAR vulnerability using customized decoys and payloads, and by using different propagation techniques such as email and URL,” warned FireEye research scientist Dileep Kumar Jallepalli.

“Because of the huge WinRAR customer-base, lack of auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the upcoming days.”

Categories: Cyber Risk News

DLA Piper Set to Sue Insurer Over NotPetya Claim: Report

Thu, 03/28/2019 - 10:08
DLA Piper Set to Sue Insurer Over NotPetya Claim: Report

DLA Piper has become the latest big name to be denied a multimillion-dollar insurance claim following major losses caused by the NotPetya ‘ransomware’ campaign of 2017.

The multi-national law firm is said to be launching a legal case against its insurer Hiscox for failing to pay out. However, a spokesperson from the insurer confirmed to Infosecurity that the case, currently in arbitration, is not related to a specific cybersecurity policy and does involve an "act of war" exclusion, as has been reported.

The latter is the reason that insurance giant Zurich is said to be refusing to pay out a multimillion-dollar claim from confectionery giant Mondelez. The Cadbury owner is said to be suing the insurer for over $100m to cover permanent damage to 1,700 of its servers and 24,000 laptops as well as unfulfilled orders and other operational disruption.

Russia was directly blamed for the June 2017 attacks, which started in Ukraine but quickly spread around the world via the VPNs of multi-nationals with offices in the country.

However, the Five Eyes governments that issued these statements, led by the UK, failed to provide hard evidence to back up their claims, which won’t make it easy for the insurers to make their case in court.

DLA Piper was hit hard by the destructive ransomware strain, after becoming infected via a supplier. The company’s flat network structure is said to have allowed the malware to spread fast across the globe.

The legal giant was forced to pay 15,000 hours of overtime to IT workers to help recover from the incident, which forced it to start afresh with its entire Windows environment, according to reports.

It’s unclear what kind of insurance policy DLA Piper had but the issues may come down to whether it covered cyber incidents like this. However, such disputes are becoming more common, warned Anjola Adeniyi, EMEA technical leader at Securonix.

“The increasing difficulties facing companies who try and claim insurance following a cyber attack is highlighting the growing need to implement preventative strategies,” he added.

“Whilst many companies will fall victim to a ransomware attack, one of the first steps they need to take is to ensure it doesn’t happen again. Computer systems need to be up-to-date on security patches, networks monitored for infections and employees educated on cyber hygiene.”

Categories: Cyber Risk News

DLA Piper Set to Sue Insurer Over NotPetya Claim: Report

Thu, 03/28/2019 - 10:08
DLA Piper Set to Sue Insurer Over NotPetya Claim: Report

DLA Piper has become the latest big name to be denied a multimillion-dollar cyber insurance claim following major losses caused by the NotPetya ‘ransomware’ campaign of 2017.

The multi-national law firm is said to be launching a legal case against its insurer Hiscox for failing to pay out. It appears as if the insurer is holding out because of an exclusion clause for attacks that are deemed an “act of war.”

That’s the same reason that insurance giant Zurich is said to be refusing to pay out a similar multimillion-dollar claim from confectionery giant Mondelez. The Cadbury owner is said to be suing the insurer for over $100m to cover permanent damage to 1,700 of its servers and 24,000 laptops as well as unfulfilled orders and other operational disruption.

Russia was directly blamed for the June 2017 attacks, which started in Ukraine but quickly spread around the world via the VPNs of multi-nationals with offices in the country.

However, the Five Eyes governments that issued these statements, led by the UK, failed to provide hard evidence to back up their claims, which won’t make it easy for the insurers to make their case in court.

DLA Piper was hit hard by the destructive ransomware strain, after becoming infected via a supplier. The company’s flat network structure is said to have allowed the malware to spread fast across the globe.

The legal giant was forced to pay 15,000 hours of overtime to IT workers to help recover from the incident, which forced it to start afresh with its entire Windows environment, according to reports.

It’s unclear what kind of insurance policy DLA Piper had and whether or not it specifically covered cyber incidents. However, such disputes are becoming more common, warned Anjola Adeniyi, EMEA technical leader at Securonix.

“The increasing difficulties facing companies who try and claim insurance following a cyber attack is highlighting the growing need to implement preventative strategies,” he added.

“Whilst many companies will fall victim to a ransomware attack, one of the first steps they need to take is to ensure it doesn’t happen again. Computer systems need to be up-to-date on security patches, networks monitored for infections and employees educated on cyber hygiene.”

Categories: Cyber Risk News

Grindr Dating App Deemed Security Risk

Wed, 03/27/2019 - 17:56
Grindr Dating App Deemed Security Risk

An LGBTQ dating app, Grindr, has come under fire after Reuters reported that the Committee on Foreign Investment in the United States (CFIUS) told the app's China-based parent company that its ownership posed a national security risk.

Now, the Chinese gaming company, Beijing Kunlun Tech Co Ltd, is reportedly looking to sell Grindr LLC, which it has owned since 2016.

Though CFIUS has not responded to a request for comment, Grindr has been under scrutiny for some time now. In 2018, Sens. Edward Markey and Richard Blumenthal wrote to Grindr's then-interim CEO to inquire about its policies for protecting the sensitive information of its users after a press report claimed that the company had shared sensitive information of the app's users without their consent.

"The data includes personally identifiable and sensitive user information such as HIV status, email address, telephone number, precise geolocation, sexuality, relationship status, ethnicity and 'last HIV tested date,'" the letter stated.

The security vulnerabilities in the app won’t be remediated by Kunlun's selling Grindr, but it will transfer ownership from a Chinese company, which is reportedly among the undisclosed reasons why CFIUS deemed it a national security risk, according to Reuters.

Though CFIUS is supposed to be involved in the review process of American companies going through foreign mergers and acquisitions, Kunlun twice bypassed the agency during the acquisition process in both 2016 and 2018.

"The issue is not one of internal company policy, but instead one of jurisdictions. Companies must abide by the laws and regulations of the country in which they are headquartered, in addition to the laws and regulations of the country in which their data is stored. Should one country have looser or less rigorous standards for privacy or security, those are the standards which de-facto will be applied," said Eric Silverberg, CEO of SCRUFF.

"All apps should be open and transparent with their users about where their data is stored, the jurisdictions within which they fall, and the third parties with whom their data is shared."

Categories: Cyber Risk News

Privacy in Digital World Is Impossible, Survey Says

Wed, 03/27/2019 - 16:39
Privacy in Digital World Is Impossible, Survey Says

Privacy in the digital world is not possible, according to a new report from Kaspersky Lab that looked at consumers' attitudes about the security of their personal information online.

The new report surveyed 11,887 consumers in 21 countries and found that 56% of people think complete privacy in the modern digital world is impossible, despite regulations like the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) and the ensuing talk about the need to secure the personal data of consumers.

"While more and more transactions are carried out online, and consumers are constantly told by media pundits and regimes to safeguard personal and confidential data, people are still more worried about what happens in the physical world than in the digital space. Less than half (41%) of consumers are more apprehensive about what happens to their information online than offline. Yet those who are concerned about cybercrime are made to feel even worse by the seemingly daily occurrence of data breaches or cyberthreats hitting the headlines – striking doubt into the mind of even the most tech-savvy user," Kaspersky Lab wrote in a blog post.

In large part, the recent high-profile data scandals at Facebook and Equifax diminished what might have existed of consumers' trust that their digital information could ever be truly secure. In fact, Kaspersky Lab's research found that 26% of people have had their private data accessed by someone without their consent, rising to almost a third (31%) for those who are between 16 and 24 years old.

Convinced that companies are incapable of ensuring their complete privacy, 39% of people said that they would exchange their private data for monetary payment, even if that meant giving a complete stranger full access to their information. In addition, nearly two in 10 (18%) of respondents said they would hand over their data if they received something free in return.

"Despite our fears and the realities associated with online data use, data privacy is and should be achievable by everyone," Kaspersky Lab wrote. "Secrets can stay safe and data loss should not be an expectation but an exception when transacting online. Good digital hygiene and an awareness about the importance of online privacy and how to safeguard yourself could stop you and your data from becoming compromised."

Categories: Cyber Risk News

Competitors Flout Rules in a Digital Cold War

Wed, 03/27/2019 - 15:53
Competitors Flout Rules in a Digital Cold War

Emerging information security threats will continue to impact business, and the Threat Horizon 2021 published by Information Security Forum (ISF) forecasts nine major threats that organizations can expect to face over the next two years.

Among the threats that will likely come from increased advancements in technology, ISF predicts the internet of things (IoT) will not only continue to proliferate but that digital connectivity resulting from IoT expansion will expose hidden dangers.

As our lives and our businesses become more dependent on connectivity, ISF forecasts that organizations will continue to face existing security challenges with new ones coming to light.

"Vulnerabilities will be shared across interconnected systems; malware attacks will be amplified by superfast networks; and business models using machine learning techniques will become a prime attack target. Nation states will exploit this digitisation, creating the battlefield for a new digital cold war," the report said.

This digital cold war is expected to cause significant damage to business, and ISF foresees that "The race to develop strategically important, next generation technologies will provoke a period of intense nation state-backed espionage – intellectual property (IP) will be targeted as the battle for economic and military dominance rages on," according to a press release.

"By 2021 the world will be heavily digitized. Technology will enable innovative digital business models and society will be critically dependent on technology to function," said Steve Durbin, managing director, ISF. "This new hyperconnected digital era will create an impression of stability, security and reliability. However, it will prove to be an illusion that is shattered by new vulnerabilities, relentless attacks and disruptive cyber threats."

Competition in the digital marketplace will challenge not only social norms but existing regulatory frameworks, according to the report. What will likely result, said ISF, is that current rulebooks will be tossed out. The report said organizations will see more frequent vulnerability disclosures, but by 2021, the time to fix will be lessened.

Categories: Cyber Risk News

Norsk Hydro Admits Ransomware Costs May Have Hit $41m

Wed, 03/27/2019 - 11:13
Norsk Hydro Admits Ransomware Costs May Have Hit $41m

Norsk Hydro is still in the process of restoring its IT systems after a devastating ransomware attack last week which has already cost the firm as much as £40m ($41m).

The Norwegian firm, one of the world’s largest producers of aluminium, was forced to call in national security authorities after it suffered a malware attack on March 18.

It soon emerged that the culprit was a strain of ransomware known as LockerGoga. However, the firm refused to pay the ransom and began the process of restoring from back-ups, drafting in experts from Microsoft and other third-party tech partners to “get business critical systems back in normal operation.”

In an update on Tuesday, the firm claimed that “most operations” are now running at normal capacity. However, the most affected area, Extruded Solutions, is only at 70-80% and its Building Systems business unit is still at a standstill.

Norsk Hydro expects Building Systems to gradually ramp up production and shipments over the coming week.

“Based on a high-level evaluation, the preliminary estimated financial impact for the first full week following the cyber-attack is around NOK 300-350 million (£26-40m, $35-41m), the majority stemming from lost margins and volumes in the Extruded Solutions business area,” the update noted.

“Hydro has a solid cyber risk insurance policy with recognized insurers, with global insurer AIG as lead.”

It will be hoping that its insurance policy hasn’t been invalidated by a lack of adequate security measures, and/or that there are no surprises in the small print.

Both DLA Piper and Cadbury’s owner Mondelez are locked in legal disputes with their insurers over multimillion-dollar claims to cover losses from NotPetya. In the latter’s case, Zurich is claiming the attack was an 'act of war' and therefore not covered.

“Recovering the costs of the cyberattack even with reputable cybersecurity insurers can be non-trivial,” argued Securonix VP of threat research, Oleg Kolesnikov.

“Fortunately, NotPetya had a number of differences from LockerGoga, particularly in that, as UK officials believed, a nation-state-level malicious threat actor was involved with NotPetya, and the purpose of the NotPetya attack was more along the lines of a cyber sabotage than a classic ransomware attack.”

Categories: Cyber Risk News

Polish Regulator Issues First GDPR Fine

Wed, 03/27/2019 - 10:44
Polish Regulator Issues First GDPR Fine

The Polish privacy regulator has issued its first GDPR fine, penalizing an unnamed firm over £187,000 for scraping public data on individuals and reusing it commercially without notifying them.

The firm is said to have taken personally identifiable information (PII) on over six million Polish citizens from the country’s Central Electronic Register and Information on Economic Activity.

However, it only informed the 90,000 individuals it had email addresses for, claiming that “high operational costs” prevented it from doing more, according to the regulator, the Personal Data Protection Office (UODO).

In fact, it should have used the postal addresses and telephone numbers it had to notify individuals about the data it used, the source of their data, the “purpose and the period of the planned data processing,” and their rights under the GDPR, it continued.

“The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because — as it was established during the proceedings — the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons,” the UODO said in a notice.

“While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so.”

Some 12,000 individuals out of the 90,000 that were notified by the company apparently objected to its use of their data.

The move is another sign of the growing readiness of regulators to issue major fines to companies found to have deliberately violated the GDPR.

The biggest penalty so far was the €50m (£43m) levied against Google in France related to how the tech giant personalizes ads. However, as of February, over 59,000 breaches had been reported to GDPR regulators since the law was introduced in May 2018, with 91 fines issued, according to DLA Piper.

Categories: Cyber Risk News
