Info Security

Subscribe to Info Security  feed
Updated: 1 hour 32 min ago

Microsoft and 40+ Customers Hit in Russian Espionage Attack

Fri, 12/18/2020 - 09:30
Microsoft and 40+ Customers Hit in Russian Espionage Attack

Microsoft has notified over 40 customers that they have been compromised by malicious SolarWinds updates as part of a massive suspected Russian cyber-espionage campaign.

The attacks, which the US government admitted to for the first time on Wednesday, are thought to have compromised numerous departments including the Treasury and commerce, health, energy and state departments, plus the National Nuclear Security Administration (NNSA).

A malicious SolarWinds Orion update is thought to have been a primary attack vector for the suspected Russian state group, with the vendor claiming as many as 18,000 customers could be affected.

However, the attackers are likely to have targeted far fewer to achieve their strategic objectives. Yesterday, Microsoft president Brad Smith revealed the firm has contacted over 40 customers “targeted more precisely and compromised through additional and sophisticated measures.”

These include governments (18%), NGOs (18%), contractors (9%) and IT companies (44%), although the number of targets is suspected to grow over the coming days and weeks.

“While roughly 80% of these customers are located in the United States, this work so far has also identified victims in seven additional countries,” Smith continued.

These are: Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE.

“This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency,” argued Smith.

“While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.”

In fact, Microsoft itself was forced to admit that it was also caught up in the attack campaign.

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” it noted in a statement.

“We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”

However, US security agency CISA has confirmed that the SolarWinds updates were not the only “initial access vectors” used in this campaign.

Categories: Cyber Risk News

Disinformation Spreaders Predicted by AI

Thu, 12/17/2020 - 19:22
Disinformation Spreaders Predicted by AI

Researchers at a British university have created a new algorithm that uses artificial intelligence to predict which Twitter users are going to spread disinformation before they do it.

The machine-learning algorithm was developed by a team of researchers at the University of Sheffield, led by PhD student Yida Mu and Dr. Nikos Aletras from the university’s Department of Computer Science. It can pinpoint with 79.7% accuracy which users are likely to share content from a news source deemed to be unreliable. 

To create the algorithm, the researchers analyzed over 1 million publicly available tweets from approximately 6,200 Twitter aficionados. Users were then split into those who shared unreliably sourced news and those who shared reliably sourced news, and this data was used to train the algorithm.

The study found that Twitter users who shared stories from unreliable sources were more likely to write about the world around them, posting on social media about politics or religion. Words used frequently by this category of users included "liberal," "government," "Islam," "Israel," and "media."

Twitter users who shared stories from news sources the study categorized as reliable were more focused on themselves, often tweeting about their emotions and personal lives and favoring the words "I'll," "birthday," "wanna," and "mood."

The reliable news sharers were found to express their views in language that was more polite than that used by the sharers of disinformation. Rude language and the spread of unreliable content were found to correlate with high online political hostility. 

“Social media has become one of the most popular ways that people access the news, with millions of users turning to platforms such as Twitter and Facebook every day to find out about key events that are happening both at home and around the world," said Dr. Nikos Aletras, lecturer in Natural Language Processing at the University of Sheffield. 

"However, social media has become the primary platform for spreading disinformation, which is having a huge impact on society and can influence people’s judgement of what is happening in the world around them."

The study, "Identifying Twitter users who repost unreliable news sources with linguistic information," was published in PeerJ journal.

Categories: Cyber Risk News Data Thief Jailed

Thu, 12/17/2020 - 17:58 Data Thief Jailed

An employee at a tech company based in Virginia has been sent to prison for stealing personally identifiable information (PII) from customers and exploiting it for profit. 

Colbi Trent Defiore accessed data belonging to more than 8,000 individuals without authorization while working at a contact center in Bogalusa, Louisiana. The 27-year-old then stole the data and used it fraudulently for his own personal financial gain, applying for credit cards and personal loans. 

At the time that he committed the offenses, Defiore was employed as a seasonal worker for a company that supported the Centers for Medicare & Medicaid Services (CMS) by operating contact centers to assist with Medicare enrollment and other processes.

The company, which was unnamed in the court documents, required all to undergo training on how to handle consumers’ PII appropriately. Despite the training, Defiore admitted to accessing and obtaining consumers' data on multiple occasions in November 2018 by improperly accessing the database.

The Carriere, Mississippi, resident conducted bulk searches of the database, an action that he was prohibited from doing. He then copied his search results onto a clipboard and emailed them to his work email account. 

After his working day had ended, Defiore accessed his work email remotely without authorization to retrieve the stolen data. 

The personal information of at least five consumers was used illegally by Defiore to apply for at least six credit cards, loans, and lines of credit for his personal benefit. 

Defiore was charged November 7, 2019, by a federal grand jury in a one-count indictment with intentionally accessing a protected computer in excess of authorization for the purpose of commercial advantage and private financial gain, and in furtherance of the commission of a felony.

"In total, Defiore's conduct caused reasonably foreseeable loss to the companies that operated the call center, including costs associated with responding to the offense, conducting a damage assessment, responding to and remediating damage, contacting consumers who were potential victims, and providing theft protection services for consumer-victims, in the amount of $587,000," said the Department of Justice. 

Defiore was sentenced to 42 months’ imprisonment, 3 years of supervised release, and payment of a $100 special assessment fee.

Categories: Cyber Risk News

Indian Police Bust Illegal Call Center

Thu, 12/17/2020 - 17:03
Indian Police Bust Illegal Call Center

Police in India have arrested 54 people in a raid on an illegal call center that targeted foreign nationals with fraud scams.

The Delhi cybercrime unit launched an investigation after receiving intelligence that a large-scale fraud operation was being run from a location in Moti Nagar, New Delhi. 

Police were informed that a team of scammers were calling up targets in America and other countries and conning them into transferring money to criminals via Bitcoin wallets and the purchase of gift cards.

A variety of scams were practiced at the call center, including one that involved impersonating various law enforcement agencies and threatening the targets with arrest or legal action. Victims were told that they could avoid jail or being swept up in the court system if they chose to pay an Alternate Dispute Resolution. 

Victims who opted to pay the ADR were then asked to disclose all the details of their assets, including bank account details and the amount of money contained in the accounts. The scammers then told victims that the only way to move money safely was through the purchase of Google gift cards or via Bitcoin wallets. 

Other government agencies, including the United States Drug Enforcement Agency, Social Security Administration, and the US Marshals Service, were spoofed by the scammers. Victims were told their assets had been frozen as part of a criminal investigation into illegal transactions. 

A raid on the call center, led by Assistant Commissioner of Police Aditya Gautam, resulted in the arrest of 45 men and 9 women and the seizure of 89 desktop computers, cell phones, and a server. 

Among the suspects detained by Delhi's cybercrime unit were four alleged 'closers' whose job it was to close each fraudulent transaction by ensuring the victim transferred the money.

According to India TV News, the scammers would call up their victims and read from an elaborate script to dupe them into transferring money. The operation is reported to have conned more than 4,500 victims out of between $1.2m and $1.3m.

The news source states that initial investigations suggest that the owner of the call center is located in Dubai.

Categories: Cyber Risk News

Two-Thirds of Orgs Expect Increase in #COVID19 Phishing Attacks Next Year

Thu, 12/17/2020 - 14:36
Two-Thirds of Orgs Expect Increase in #COVID19 Phishing Attacks Next Year

Nearly two-thirds (64%) of business decision makers expect their company to face a rise in COVID-19 themed phishing attacks in 2021, according to a new study from Centrify.

In a survey of 200 business decision makers across large and medium-sized UK enterprises, over half (52%) also said they anticipated a growth in cyber-attacks targeting their organizations as a result of the most recent national lockdown in the UK, which ended on December 2.

Despite these fears, over a third (37%) are not planning to train new employees on data management policies and cybersecurity risks linked to the COVID-19 crisis. Additionally, 37% admitted they do not have sufficient access management systems in place to verify employee identities and credentials when they are accessing company data.

Security professionals have observed a huge rise in phishing attacks this year, with pandemic-related subjects providing especially strong lures. Research from Barracuda showed that phishing emails spiked by 667% in under a month when the pandemic struck, while last month it was reported that the HMRC detected a 73% rise in email phishing attacks from March to September in the UK.

Howard Greenfield, chief revenue officer at Centrify, commented: “COVID-themed email, SMS and web-based phishing attacks have not been uncommon over the last year, and so far we’ve seen cyber-attack campaigns using the guise of charity, government financial aid initiatives and business support schemes to lure thousands of victims into leaking sensitive information, such as log-in credentials and payment details.

“In fact, these phishing campaigns have been so sophisticated and widespread in 2020 that business leaders can only reasonably assume that a colleague or employee has already fallen victim to one – especially if they have been working remotely this year for the first time in their career.”

Categories: Cyber Risk News

Ransomware and Cyber-Extortion Payments Double in 2020

Thu, 12/17/2020 - 12:30
Ransomware and Cyber-Extortion Payments Double in 2020

The total cost of ransom payments doubled year-on-year during the first six months of 2020.

Based on incidents reported to Beazley’s in-house breach response team, BBR Services, ransomware attacks increased in terms of both severity and costs this year compared to 2019 and have become the biggest cyber-threat facing organizations.

Paul Bantick, Beazley’s global head of cyber and technology, said: “Our underwriting, claims and threat intelligence database shows that ransomware attacks are much more sophisticated and severe, thus, it is critical that organizations adopt a layered approach to security and take stringent measures to make it hard for threat actors at every step.”

Jack Kudale, founder and CEO of Cowbell Cyber, said those organizations who fall victim to a ransomware attack are often caught off guard with no backup, and their only option is to pay the ransom. “In other words, ransomware attacks are working for the criminals and they can demand higher payment,” he added.

Mohit Tiwari, co-founder and CEO at Symmetry Systems agreed, explaining that running a ransomware campaign (including tools, negotiations and money transfer) is becoming commoditized, and therefore paying the ransom is becoming an acceptable, and even normal, response for victims. 

Beazley claimed that ransomware is no longer the sole problem, as the rise of cyber-extortion events will involve threat actors who exploit access into networks, install highly persistent malware, target backups, steal data and threaten to expose the compromise. “Ransomware is avoidable but requires regular and thorough training of employees on how to avoid this evolving threat,” it said.

“Organizations should not only try to prevent a ransomware infection, but prepare in case they do get infected, through multiple layers of security, each reducing the risk and probability of ransomware.”

Beazley also claimed that the number of cyber-extortion demands being paid has doubled year-on-year.

Dirk Schrader, global vice-president at New Net Technologies (NNT) told Infosecurity that cyber-crooks are playing the game with all the cards they have in their hand, and the “reputation” card is one of them.

“If the victim is a valuable, known brand, serving thousands of customers, the threat to publish the data increases the chances to get what they ask for,” he said. “A prominent example for this approach is the case of the utilities provider in the German city of Ludwigshafen, where the attackers actually published the full data set as the provider refused to pay.”

Tiwari said the amount being paid may continue to increase since it is easier to scale attacks than to dramatically improve the security posture of a legacy company.

Kudale concluded: “Businesses have to consider the financial impact of a ransomware attack beyond the ransom payment; business interruption, loss of income and now breach damages such as compromised data. The best outcome for businesses is to have a backup and subscribe to a cyber insurance policy that covers recovery expenses and brings expertise in negotiating a ransom payment if at all needed.”

Categories: Cyber Risk News

Experts Urge Users to Ignore Facebook Christmas Bonus Scam

Thu, 12/17/2020 - 12:01
Experts Urge Users to Ignore Facebook Christmas Bonus Scam

Identity theft experts are warning Facebook users to be on the lookout for a “Christmas bonus” scam which appears to be endorsed by their friends on the social network.

Variations on these scams appear to have been circulating on Facebook since at least 2015.

Most recently, users are being targeted by messages claiming to offer them a “Christmas bonus” or “Christmas benefit,” according to the non-profit Identity Theft Resource Center (ITRC).

“Facebook users receive messages from individuals in their contact lists about winning a ‘Christmas bonus.’ The messages are coming from the cloned accounts of friends, and they state that the individual has won a Facebook Christmas Bonus Giveaway,” it explained. 

“The targeted victim is then directed to contact a ‘Facebook Agent,’ who will send a message that [it] is a random contest sponsored by [legitimate US lottery game] Powerball.”

Although there are variations on this theme, the bottom line is that the scammers want either victims’ personal information or their money, or both.

They will usually ask for personal details in order to process the ‘bonus.’ They may also ask for a small ‘transfer fee’ in order to wire the winnings into the victim’s bank account.

The ITRC urged users to delete any such messages and inform their friends that their account may have been hijacked or cloned. They can also report any attempted fraud like this to Facebook itself.

A COVID-fuelled recession in many parts of the world has provided scammers with an opportunity to trick more victims into parting with their money and/or personal data.

They’re also commonplace across email channels, according to new research from Barracuda Networks.

The security vendor claimed that 36% of spear-phishing emails it analyzed between August and October 2020 were “scams,” as well as 72% of all COVID-themed phishing missives.

Categories: Cyber Risk News

Malicious Chrome and Edge Extensions Affect Millions of Users

Thu, 12/17/2020 - 10:30
Malicious Chrome and Edge Extensions Affect Millions of Users

Three million Google Chrome and Microsoft Edge users could be at risk of data theft and phishing after researchers discovered malware hidden in multiple browser extensions.

At least 28 third-party extensions were found to contain malicious JavaScript which could download additional malware, according to Avast. The extensions themselves are mainly designed to help users download video from some of the world’s most popular sites including Facebook, Vimeo, Instagram and YouTube.

Avast claimed the end goal for those behind the scheme could be to monetize traffic by forcing users to visit third-party sites, which they then get paid for, although users could also end up on phishing sites.

“Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit,” the Prague-based security vendor explained.

“User privacy is compromised by this procedure since a log of all clicks is being sent to these third-party intermediary websites. The actors also exfiltrate and collect the users’ birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user).”

At present it’s unclear whether the extensions were built deliberately with malware concealed within, or if malicious actors waited for them to become popular and then pushed a malware-laden update.

“It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards,” said Jan Rubín, malware researcher at Avast.

“The extensions’ backdoors are well hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover.”

Although Avast first detected the threat in November, the vendor admitted it could have been active for years.

Interestingly, if an infected user performs a web search on one of the malicious domains, the malware in question will cease activity on their machine, in order to hide from view. Avast claimed it will do the same if it detects that the user may be a web developer, although it’s unclear how.

As the extensions are currently still available, Avast recommended users disable or uninstall them.

Categories: Cyber Risk News

BEC Hits Double Digits as COVID-19 Scams Abound

Thu, 12/17/2020 - 09:35
BEC Hits Double Digits as COVID-19 Scams Abound

Business email compromise (BEC) attacks have surged over the past year-and-a-half, while scams designed to part users with their money remain a persistent phishing threat, according to Barracuda Networks.

Volume 5 of the security vendor’s Spear Phishing: Top Threats and Trends report details the activity of targeted email threats during the period August-October 2020, distilled from 2.3 million attacks during the period.

Barracuda Networks has created 13 classes of email threat, which are not mutually exclusive: spam, malware, BEC, data exfiltration, URL phishing, scamming, spear-phishing, domain impersonation, brand impersonation, extortion, conversation hijacking, lateral phishing and account takeover.

Of the spear-phishing attacks it recorded during the period, BEC detections grew by 5% from the period December 2018-February 2019 to reach 12% of the total.

The largest number of attacks (50%) were simply labelled “phishing,” meaning they involved some form of brand impersonation.

However, “scamming” attacks comprised over a third (36%). These typically try to trick the recipient into sending money or handing over their financial details. Examples include tech support scams, or fake exhortations from charities or political organizations requesting funds to support various causes.

COVID-19 attacks have not grown much since March, when Barracuda claimed to have recorded a 667% spike. Between June and October this year they represented around 2% of all spear-phishing attacks, with scams (72%) comprising the vast majority, followed by regular phishing (18%), extortion (6%) and BEC (3%).

Interestingly, 13% of all spear-phishing attacks were said to come from internally compromised accounts during the August-October 2020 time period.

“These internal messages do not pass through email gateways, leaving organizations exposed to threats they may deliver. Messages that originate from these compromised accounts, especially if they are coming from a colleague, can potentially have a higher success rate compared to other attacks because people trust messages sent from someone they know,” the report explained.

“Organizations need to invest in protection against account takeover, by scanning messages sent internally within the organization and training users to recognize signs of a compromised account and email messages that come from compromised accounts.”

Categories: Cyber Risk News

Analysis of 5G Network Security Reveals Attack Possibilities

Thu, 12/17/2020 - 09:10
Analysis of 5G Network Security Reveals Attack Possibilities

Exploitation of vulnerabilities within the 5G network architecture could allow Denial of Service (DoS) attacks and for attackers to conduct remote attacks.

According to new research from Positive Technologies on the security of the network architecture, interaction of network elements, and subscriber authentication and registration procedures, key areas of network security include proper configuration of equipment, as well as authentication and authorization of network elements. In the absence of these elements, the network becomes vulnerable.

Speaking on a webinar to launch the report, Positive Technologies CTO Dmitry Kurbatov said attacks had moved from SMS and call interception, and subscriber DoS, which were prevalent in 2015, and this led to mobile network operators (MNOs) implementing security defenses to mitigate these threats. However in 2020 with the introduction of 5G, and with the start of remote working, there was “burst of interest” in the use of 5G.

Kurbatov said that 5G was initially launched with “stand alone” terminals which used the previous LTE and 4G networks, allowing it to be rolled out fast, but also “they are quite vulnerable and still at risk of attacks because of a long list of long-standing vulnerabilities.” He said the big question now for all of telecoms and security, is “what will be the security situation within 5G once transition is over and after networks are deployed in pure stand alone mode?”

Having performed some test attacks, Kurbatov was able to perform a Man in the Middle attack, and this is critical as “this attack is performed by remote” and usually we expect attacks to require physical proximity. This factor is not needed “as the hacker can be far far away from the victim and still conduct this attack and be physically safe.” In doing that, they can download firmware to a device, and when you consider that 5G will be used in industrial environments, that is why its security is critical.

In a second demo, Kurbatov demonstrated a DoS attack which he said will be critical because of 5G’s use in critical applications, such as connected cars and industrial automation. “So a DoS is super critical because when the network or service is down, like point of sale, ATM, CCTV or any kind of safety control will be immediately disconnected,” he said. “So the ability to run the main functions will be distracted, so DoS is critical as it can impact the entire city of the future.”

Kurbatov said these two attack techniques were selected “in order to explain some of the deficiencies in the 5G architecture which can heavily impact both businesses and subscribers.” He also said there are other vulnerabilities which can be exploited, and he said there are three reasons why this is happening:

  • Internal protocols like PFCP is much like the previously known GTP which has been proven to be vulnerable, as this can assist attackers in exploiting deficiencies in the protocols to help them “run the network the way they would like to.”
  • Network exposure, due to misconfiguration, is a common problem. “Probably more than 70% of cybersecurity incidents happen because of misconfiguration or vulnerabilities,” he said. “Misconfiguration can allow an attack to get access to the core mobile network.”
  • 5G will still work in parallel with LTE for the next decade, but according to forecasts, by 2025 the majority of the traffic will be handled by LTE networks and only partially by 5G. “This is because the penetration of new technologies is not that big.”

Kurbatov said the “cost of failure is much more than remediation” and 5G is a critical infrastructure “not only for industry but for modern society, and that is why focusing on prevention will really save time, money and probably lives.”

Asked by Infosecurity  why these protocols are an issue now and have not been a problem in the past, Kurbatov said these are brand new vulnerabilities as they are used in 5G protocols, and have not used before, but “will be adopted soon in all of the networks.” He said the technology type in 5G is different as “all the same type of major risks can be executed on the larger scale as 5G is the technology of all the technologies.”

Categories: Cyber Risk News

Sextortionists Deploy New Spyware

Wed, 12/16/2020 - 18:18
Sextortionists Deploy New Spyware

New spyware has been detected that targets iOS and Android users who patronize illicit sites that typically offer escort services. 

The malware, named Goontact by the Lookout researchers who discovered it, targets heterosexual users in China, Korea, Japan, Thailand, and Vietnam, stealing personal information from their mobile devices. 

Researchers noted: "The types of sites used to distribute these malicious apps and the information exfiltrated suggests that the ultimate goal is extortion or blackmail."

Goontact frequently disguises itself as secure messaging applications. The malware has been observed exfiltrating a wide range of data, including device identifiers and phone number, contacts, SMS messages, location information, and photos on external storage.

Describing how users fall victim to the spyware, researchers wrote: "The scam begins when a potential target is lured to one of the hosted sites where they are invited to connect with women. 

"Account IDs for secure messaging apps such as KakaoTalk or Telegram are advertised on these sites as the best forms of communication and the individual initiates a conversation. In reality, the targets are communicating with Goontact operators."

By pretending that they are experiencing audio or video problems, the operators persuade their targets to install or sideload a mobile application that has no real user functionality beyond stealing the victim's address book.

Researchers believe that the threat campaign is being operated by "a crime affiliate" since sites associated with the spyware are similar in appearance, naming convention, and targeted geographic region. 

The sites use logos associated with domains caught up in a previous sextortion campaign exposed in 2015 by Trend Micro

Goontact appears to be a recent addition to a campaign that has been active since at least 2013. 

"The earliest sample of Goontact observed by Lookout was in November 2018, with matching APK packaging and signing dates, leading us to believe malware development likely started in this time frame," wrote researchers. 

The enterprise mobile provisioning profiles used by Goontact all reference apparently legitimate companies, including Linkplay Tech Inc and Jinhua Changfeng Information Technology Co.

Researchers said that it was unclear whether these signing identities have been compromised, or if they were created by malware operators spoofing representatives of the companies.

Categories: Cyber Risk News

Refinitiv Acquires GIACT

Wed, 12/16/2020 - 16:48
Refinitiv Acquires GIACT

Refinitiv has added to its cybercrime-fighting capabilities by acquiring an American digital identity, payments verification, and fraud prevention company.

The definitive agreement to acquire Giact Systems, LLC ("GIACT") was announced on November 2. News that the planned deal had officially closed was shared by Refinitiv on December 9. 

GIACT was founded in Texas in 2004 and now has over 100 employees supporting more than 1,000 leading blue-chip companies, payment merchants, and financial and insurance customers.  

The company helps businesses verify customers by providing real-time data, ID verification, OFAC screening, account verification, and authentication. GIACT has processed transactions for more than 1,000 customers since it was founded. 

Refinitiv will offer GIACT’s platform alongside World-Check and Qual-ID, giving customers a comprehensive fraud prevention, identity verification, and compliance platform that tackles money-laundering risks in addition to preventing financial loss through payments fraud.

“We’re pleased to complete this acquisition and now look forward to introducing our customers to GIACT and our expanded suite of product offerings,” said Phil Cotter, managing director of the risk business at Refinitiv. 

“GIACT’s real-time payment analytics are a great addition to our existing strength in anti-money laundering and digital identity verification. We now have a more holistic platform to help customers tackle new and emerging fraud threats, accelerated by the economic downturn and the Covid-19 pandemic.”

Refinitiv, founded in 2018, provides financial markets data, insights, and infrastructure to over 40,000 institutions in approximately 190 countries. 

“We’re excited about the opportunities as we bring our capabilities and expertise of our teams together,” said Melissa Townsley-Solis, co-founder and CEO at GIACT. 

“Refinitiv has a clear strategic vision for GIACT and our customers can look forward to hearing more as we turn that vision into a reality.”

Joy Wilder Lybeer, United States Information Solutions (USIS) chief revenue officer and senior vice president of global partnerships at Equifax, said that the company looked forward to continuing the relationship it had begun with GIACT in 2019.

“With the acquisition of GIACT by Refinitiv now complete, we will be able to continue our work in helping customers confront the challenges of identity verification and fraud prevention on a global scale,” said Wilder Lybeer.

Categories: Cyber Risk News

Lithuania Suffers "Most Complex" Cyber-attack in Years

Wed, 12/16/2020 - 16:06
Lithuania Suffers "Most Complex" Cyber-attack in Years

A carefully coordinated cyber-attack on Lithuania that occurred last week has been described by the republic's defense minister as one of the "most complex" security incidents to target the Baltic state in recent history.

On the night of December 9, cyber-criminals breached multiple content management systems to gain access to 22 different websites operated by Lithuania's public sector. The attackers then published articles containing misinformation on the sites.

Among the fake news posted by the threat actors was a story that alleged a Polish diplomat, carrying illegal drugs, weapons, and money, had been detained at the Lithuanian border. This fictitious story was shared on the website of the State Border Guard Service (VSAT). 

Another article claimed that corruption had been uncovered in the Šiauliai airport, where NATO’s Baltic air-policing mission is housed.

A third piece of misinformation promulgated in the attack inflated figures to make it appear as though more Lithuanians had been drafted into the military than was the case.  

An investigation into the attack by the Defense Ministry’s National Cyber Security Centre (NKSC) found that the websites targeted by the attackers were mostly run by regional municipalities. 

In a statement published on Wednesday, Lithuania's defense minister, Arvydas Anušauskas, described the digital assault as one of the "biggest and most complex" cyber-attacks to hit the republic in recent years. 

Anušauskas added that the attack, which took place “on the eve of the government’s transition [...] was prepared in advance and with a goal in mind.” 

After hacking into the systems and posting the false articles, the attackers launched an email spoofing campaign to spread the misinformation as far as possible. The attackers impersonated the defense and foreign ministries as well as the Šiauliai Municipality Administration to send out emails containing links to the fallacious stories. 

“This shows huge gaps in cybersecurity of the public sector,” said Anušauskas.

Following the attack, the NKSC has submitted a number of cybersecurity recommendations to municipalities. These include actively searching for vulnerabilities, limiting access to content management systems, installing a firewall, and avoiding the use of passwords that are easy to guess. 

Categories: Cyber Risk News

Cloudhouse Acquires UpGuard Core to Help Customers Resolve Compliance Issues

Wed, 12/16/2020 - 16:00
Cloudhouse Acquires UpGuard Core to Help Customers Resolve Compliance Issues

Tech firm Cloudhouse Technologies has announced the acquisition of UpGuard Core, an infrastructure monitoring platform previously owned by UpGuard Inc. Cloudhouse said the move will help enable its customers to find, manage and resolve configuration and compliance issues throughout their IT infrastructure.

UpGuard Core will now be renamed Cloudhouse Guardian and will form part of Cloudhouse’s application compatibility packaging solutions. Cloudhouse Guardian can identify what businesses have in their infrastructure estate as well as pinpoint anything that’s out of date and non-compliant. Additionally, compliance can be automatically achieved by aligning with best practice configuration.

A number of major global organizations are currently using Cloudhouse Guardian to monitor and manage their IT infrastructure, including The New York Stock Exchange and NASA.

Cloudhouse added that the acquisition will help it scale its existing operations in the US as well expand its presence in Europe and APAC regions.

Cloudhouse founder and CEO, Mat Clothier commented: “The launch of Cloudhouse Guardian is an important step in our development, allowing us to offer our customers a wider set of capabilities that build on our core skills. This is a hugely exciting time for Cloudhouse. Having just been named the 13th Fastest Growing Technology Company in the UK by Deloitte, we are eager to build on that and Cloudhouse Guardian will be important to our continued growth.”

Alan Sharp-Paul, co-founder and co-CEO of UpGuard said: “With the rapid growth of our security offerings we are pleased to have found a great home for Core and are looking forward to the development of this product under Cloudhouse, while we continue to cement our position as leaders in the third-party risk management space.”

Categories: Cyber Risk News

Society at Increasingly High Risk of Cyber-Attacks

Wed, 12/16/2020 - 15:00
Society at Increasingly High Risk of Cyber-Attacks

Cyber-attacks are becoming easier to conduct while conversely security is getting increasingly difficult, according to Kevin Curran, senior IEEE member and professor of cybersecurity, Ulster University, during a virtual media roundtable.

“Any company you can think of has had a data breach,” he commented. “Whenever a data breach happens it weakens our credentials because our passwords are often reused on different websites.”

He observed that the art of hacking doesn’t necessarily require a significant amount of technical expertise anymore, and bad actors can receive substantial help from numerous and readily accessible tools online. “You don’t have to spend seven years in college to learn how to hack, you just have to know about these sites and what terms to use,” noted Curran.

A number of legitimate online mechanisms that can help damaging attacks to be launched by hackers were highlighted by Curran in his presentation. These include Google Dorks, which are “search strings which point to website vulnerabilities.” This means vulnerable accounts can be identified simply via Google searches.

Another are free penetration testing toolkits online such as Metasploit, which can enable hackers to undertake exploits very easily. He said that “with a bit of training you can do a lot of damage with this one tool.”

Curran also demonstrated the free online tool Shodan, which scans the internet and categorizes publicly accessible devices, such as webcams. As with Metasploit, the primary users are cybersecurity professionals, but can be utilized by those with malicious intent as well to hack such devices.

Denial of Service (DoS) attacks, whereby websites can be brought down through sending too many packets, can also be conducted relatively easily nowadays, according to Curran. “If you have a complete collection of compromised webcams, you can have them all point to and bring it to its knees,” he said.

As attacks get easier to conduct, cybersecurity is becoming more complex due to the growing reliance on digital technology and internet connections; something that has been exacerbated by the COVID-19 pandemic.

The security issues associated with IoT devices, such as watches, doorbells and webcams are well documented, but reliance on internet connections is going much wider than this, including even cars and aeroplanes. Curran cited a recent IEEE survey, which showed that the top security concern for chief information officers and chief technology officers was employees bringing their own devices to work and securing IoT.

“We’re moving towards a world where we’re increasingly relying on technology,” he said, outlining recent examples where essential services have been disrupted as a result of this growing connectivity, including the power outage in Ukraine in 2016. This is an issue that countries must be prepared to for in the future.

Curran added: “Everything seems to be moving towards smart cities, but what happens when they crash?”

Categories: Cyber Risk News

Microsoft Set to Block SolarWinds Orion Binaries

Wed, 12/16/2020 - 11:55
Microsoft Set to Block SolarWinds Orion Binaries

Microsoft is preparing to quarantine malicious versions of the SolarWinds Orion application used in recent nation state attacks, in a move that may crash systems.

The computing giant had previously released detections to alert customers of its Windows Defender security product if they were running the malicious updates. Although it was recommended that such customers isolate and investigate any such devices, the decision was down to them.

However, in an update yesterday Microsoft effectively said it was taking the decision out of the hands of its customers.

“Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries,” it said.

“This will quarantine the binary even if the process is running. We also realize this is a server product running in customer environments, so it may not be simple to remove the product from service.”

Over the weekend reports emerged that a previous attack on FireEye was part of a much larger Russian intelligence plot to steal sensitive information from US government and countless other unnamed organizations.

The vector was Orion updates which the attackers managed to seed with malicious binaries used to install the Sunburst (aka Solarigate) backdoor malware. SolarWinds confirmed to the SEC that 18,000 customers were affected.

However, as the product performs crucial network management operations, Microsoft’s decision could theoretically cause some disruption.

“It is important to understand that these binaries represent a significant threat to customer environments,” it argued. “Customers should consider any device with the binary as compromised and should already be investigating devices with this alert.”

Microsoft urged victim organizations to immediately isolate affected devices, identify accounts used on the device and assume they have been compromised, reset passwords, look for lateral movement tools and more.

Categories: Cyber Risk News

NCSC Names Academic Centers of Excellence in Cybersecurity Education

Wed, 12/16/2020 - 11:00
NCSC Names Academic Centers of Excellence in Cybersecurity Education

Abertay University has been named among the first eight UK universities to be awarded Academic Centre of Excellence in Cyber Security Education by the National Cyber Security Centre (NCSC).

Abertay University is the first university in Scotland to receive the Academic Centre of Excellence in Cyber Security Education Gold Award, along with Lancaster University, University of Southampton, University of South Wales, University of Surrey, University of the West of England and University of Warwick.

The announcement comes as the region receives £11.7m of UK and Scottish Government funding through the Tay Cities Region Deal, which will unlock major investment in Dundee’s cyberQuarter project which brings a new research and development center to Abertay’s campus in Dundee.

In granting Abertay Academic Centre of Excellence recognition, the NCSC recognized the plans for the Dundee cyberQuarter, which is designed to attract existing cybersecurity firms to Dundee, support the creation of new companies and boost the security and resilience of the Scottish business community, as well as the high quality of the University’s degree programs.

The Academic Centre of Excellence will become the pathway for Abertay students to interact with and benefit from the research and knowledge exchange activities of the cyberQuarter and its business links.

Professor Nigel Seaton, principal of Abertay University said: “Being named a UK Academic Centre of Excellence in Cyber Security Education and the launch of the cyberQuarter project will place the University and the city of Dundee at the heart of Scotland’s cybersecurity sector.

“We are confident that by combining academic expertise, student talent, enterprise support and industry knowledge in this way, we have all the ingredients for significant sectoral growth and new job opportunities, as well as innovation in research and business development.”

UK Government Minister Iain Stewart said: “Congratulations to Abertay University on this important and prestigious accolade from the UK’s National Cyber Security Centre. I am delighted that we are seeing Tayside go from strength to strength as a national hotbed of cyber research and innovation. The UK Government is supporting this through its £150 million investment in the Tay Cities Region Deal, which will create thousands of jobs and support our economic recovery from coronavirus.”

Chris Ensor, NCSC deputy director for Cyber Growth, said the first tranche of universities as Academic Centres of Excellence in Cyber Security Education complement its existing programs which recognize high quality cybersecurity research and degree courses.

“It is a testament to the continual efforts of academics, support staff and senior management that cybersecurity remains high on their agenda,” Ensor said. “We very much look forward to working with them over the coming years and strongly encourage other universities to work towards achieving similar recognition in the future.”

Categories: Cyber Risk News

New Account Fraud Surges 28% in the UK as Global Rates Drop

Wed, 12/16/2020 - 10:15
New Account Fraud Surges 28% in the UK as Global Rates Drop

New account fraud surged by 28% year-on-year in the UK as global rates fell by nearly the same amount, according to new data from Jumio.

The online verification firm analyzed tens of millions of global transactions over the past year up to November, to compile its annual Holiday Fraud Report.

It revealed that while the global average for new account fraud rates dropped 23% year-on-year, it increased by over a quarter in the UK. The country has the second-highest fraud levels in Europe after Spain, which recorded a 25% increase in ID-based fraud in 2020.

The report recorded attempts to bypass fraud checks using both government-issued IDs and selfies. Fraud rates in the UK based on ID documents almost doubled from 2017 levels, and fraud levels in November were a third higher than those from January to October in 2020, it revealed.

Jumio claimed the relatively high rates of fraud in the UK could be attributed to the large number of financial services customers based there.

The industry is by far the most affected by fraud of any surveyed globally, although it did manage to record a drop in rates from 2019. However, in the UK it was the online gaming and cryptocurrency verticals that had the highest levels of new account fraud during the year; an indication of ongoing money laundering activity, Jumio claimed.

Interestingly, the global drop in new account fraud came during a year in which many experts have been claiming fraud rates have risen.

“One possible explanation is that more legitimate customers were opening accounts through online channels instead of in person, so the percentage of bad actors in the total transactions we processed dropped as a result,” the report noted.

“Another possibility is that fraudsters redirected their efforts to easier targets where security was more lax and they did not have to divulge personal information about themselves, such as providing a selfie, which is self-incriminating.”

The firm argued that by adding selfie-based authentication to government ID uploads, organizations have the best chance of weeding out scammers. It claimed to have seen 80% less fraud using this method compared to customers who only require a government-issued ID.

Categories: Cyber Risk News

Total Published CVEs Hits Record High for Fourth Year

Wed, 12/16/2020 - 09:30
Total Published CVEs Hits Record High for Fourth Year

The past 12 months have seen a record number of CVEs published by the US authorities, the fourth year in a row volumes have risen.

As of December 15, the number of vulnerabilities in production code discovered and assigned a CVE number by the US-CERT Vulnerability Database, topped the 2019 figure.

Last year there were 17,306 CVEs published, including 4337 high-risk, 10,956 medium-risk and 2013 low-risk flaws. As of yesterday, 17,447 were recorded in total, including 4168 high-risk, 10,710 medium-risk and 2569 low-risk bugs.

Between 2005-16 numbers ranged from around 4000 to 8000 vulnerabilities each year, according to the official figures from the National Institute of Standards and Technology (NIST)’s National Vulnerability Database.

However, in 2017 the number skyrocketed to over 14,000, and each year since published volumes have hit a record high.

K2 Cyber Security, which noticed the recent record spike, argued that the pandemic may have had an impact on disclosures this year.

“Companies still struggle to find the balance between getting applications to market quickly, and securing their code. The COVID-19 pandemic is a major factor this year,” argued the vendor’s co-founder and CEO, Pravin Kothari.

“It's pushed many organizations to rush getting their applications to production; they run less QA cycles, and use more third-party, legacy, and open source code, which is a key risk factor for increased vulnerabilities.”

To mitigate these risks, DevOps teams should shift security as far left in the lifecycle as possible, while sysadmins should patch as soon as they can to ensure operating systems and critical software are up-to-date, he said.

“Finally, it’s important to have a security framework that offers a defense-in-depth architecture. It’s time to take a hint from the recent finalization of NIST’s SP800-53 that was just released on September 23,” said Kothari. 

“The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) as an added layer of security in the framework.”

Categories: Cyber Risk News

Ohio Couple Sold Secrets to China

Tue, 12/15/2020 - 18:17
Ohio Couple Sold Secrets to China

An Ohio man has admitted to conspiring with his spouse to steal scientific trade secrets from a children's hospital and sell them to the People's Republic of China. 

Former Dublin resident Yu Zhou and his 47-year-old wife, Li Chen, confessed to establishing a company in China to personally profit from cutting-edge research work done at Nationwide Children's Hospital in Columbus, Ohio.

Zhou and Chen worked in separate medical research labs at NCH's Research Institute for 10 years each, Zhou starting his job in 2007 and Chen beginning hers in 2008.

The couple were arrested in California in July 2019 and charged with conspiring to steal exosome-related secrets concerning the scientific research, identification, and treatment of a range of pediatric medical conditions.

While working at the institute, 50-year-old Zhou's research included a novel isolation method in which exosomes could be isolated from one drop of blood.

"This method was vital to the research being conducted in Zhou’s lab—because necrotizing enterocolitis is a condition found primarily in premature babies, only small amounts of fluid can safely be taken from them," said the Department of Justice. 

Husband and wife monetized this secret research by creating “isolation kits” then starting a company in China to sell their product. The couple received benefits from the Chinese government, including the State Administration of Foreign Expert Affairs and the National Natural Science Foundation of China.

Zhou pleaded guilty in US District Court on December 11 to conspiring to steal trade secrets and to one count of wire fraud. Chen pleaded guilty to the same crimes on July 30. 

As part of their pleas, the couple has agreed to forfeit property or gains associated with their crimes. For Chen, this included approximately $1.4m, 500,000 shares of common stock of Avalon GloboCare Corp., and 400 shares of common stock of GenExosome Technologies, Inc. The details of Zhou’s forfeiture will be finalized through the sentencing process.

“China’s endemic efforts to rob, replicate and replace products that they do not have the ability to develop themselves will not go unchecked, and those who seek to profit from the theft of trade secrets will be held accountable,” said John Demers, assistant attorney general for national security. 

Categories: Cyber Risk News