Info Security


Trend Micro Blocks 28 Billion Cyber-Threats in 1H 2020

Thu, 08/27/2020 - 11:15

Trend Micro blocked nearly nine million COVID-related threats in the first half of 2020, the vast majority of which were email-borne, it revealed in a new mid-year roundup report.

The security giant said it detected 8.8 million cyber-threats leveraging the virus as a lure or theme for attacks, 92% of which were delivered by spam emails.

However, the figure represents less than 1% of the total of 27.8 billion threats the vendor blocked in the first six months of the year.

This chimes with data from Microsoft and others which suggests that cyber-criminals merely repurposed existing campaigns to take advantage of COVID-19. As such, the pandemic itself has not prompted a rise in overall cybercrime levels.

However, the data does show conclusively that email remains the number one threat vector: 93% of total blocked threats were heading for users’ inboxes.

As part of this trend, Business Email Compromise (BEC) detections increased by 19% from the second half of 2019. This is due in part to scammers trying to capitalize on distracted home workers who may be more exposed to social engineering, and less able to check with colleagues if a money transfer request is legitimate or not.

Ransomware is another serious cyber-threat commonly carried via email. Trend Micro claimed that, although the volume of detected threats decreased, it saw a 45% increase in new ransomware families compared to the same time last year.

Software vulnerabilities also remain a perennial risk for organizations. Trend Micro’s Zero Day Initiative (ZDI) published a total of 786 advisories in the first half of 2020, which is a 74% increase from the previous six months. Some of these were part of Microsoft Patch Tuesday updates, which have fixed an average of 103 CVEs per month so far in 2020.

The report also detailed a 16% increase in vulnerabilities disclosed in industrial control systems (ICS), compared to the first half of 2019.

Categories: Cyber Risk News

BT Security Announces Vendor Partners to Simplify and Strengthen Protection

Thu, 08/27/2020 - 10:15

BT Security has announced a collection of new industry partners.

Following an undertaking of its existing vendors, it said the final list of partners “reflects BT Security’s view of the market’s leading providers, who it will work closely with going forward to provide a range of solutions to its customers.” It claimed that the huge range of suppliers and products in the market can be bewildering, and lead to the adoption of multiple overlapping systems, and this in turn can render security estates difficult to manage, burdened with unnecessary costs and, ultimately, with lower overall levels of protection.

BT Security is reflecting its customers’ desire to reduce complexity by having a leaner set of partners and clearly laying out its view of the best providers for specific security requirements. The confirmed partners were agreed following a detailed evaluation of their respective capabilities across all security control and threat management technologies.  The final selection provides BT’s view of the security market’s leading providers, who will support a harmonized portfolio of solutions to its customers going forward.

McAfee, Palo Alto Networks and Fortinet were selected as BT Security’s Critical Partners, and each will provide a range of services and products that will be incorporated into BT Security’s global portfolio, as well as providing holistic support to its commercial and operational activities.

BT Security said it will also work with these partners to develop a roadmap of security solutions which continue to reflect evolving customer demands and integrate the latest developments in security automation.

Microsoft, IBM and Cisco were also confirmed as Strategic Partners for BT Security, reflecting broader activities and remit across the whole of BT. BT Security also confirmed a further nine Ecosystem Partners who will be incorporated into its global portfolio of solutions for customers due to their complementary technology capabilities: Skybox, Forescout, Zscaler, CheckPoint, CrowdStrike, Okta, Qualys, Netscout and F5.

Kevin Brown, managing director of BT Security, said: “Our new security partner ecosystem showcases the benefits of BT Security as a managed security services provider. We’re able to use our deep experience and insight of the security ecosystem to help our customers navigate what can be an incredibly confusing market. We’re also ensuring that BT Security customers will benefit from working with the best suppliers from across the security industry.”


UltraRank Digital Skimming Group Hit Hundreds of Sites

Thu, 08/27/2020 - 09:38

Security researchers have uncovered a major new digital skimming group responsible for compromising hundreds of websites and multiple suppliers in a five-year period.

Dubbed “UltraRank” by Singapore-based security outfit Group-IB, the group’s activity was previously associated with Magecart Groups 2, 5 and 12, according to a new blog post.

However, these were in fact separate campaigns by UltraRank, with Campaign 2 dating back to 2015 and Campaign 12 ongoing to this day, the vendor claimed.

Over that time, the group changed its infrastructure and malware, throwing researchers off the scent. However, some elements stayed the same.

“In all three campaigns similar mechanisms to hide the threat actors’ server location and resembling patterns of domain registration were used. In addition, several storage locations for malicious code with identical contents were discovered in all the campaigns,” noted Group-IB.

“What distinguishes the three operations is the choice of JS sniffer family employed — FakeLogistics in Campaign 2, WebRank in Campaign 5 and SnifLite in Campaign 12.”

Unusually for digital skimmer groups, UltraRank attacked both individual websites/organizations and supply chain players. Group-IB claimed to have identified 691 separate websites infected by the group plus 13 third-party providers of services including advertising and browser notification, web design, marketing and website development.

UltraRank “went far beyond the notion of ordinary JS sniffer operators,” by developing a separate business model. Rather than laundering funds by buying and reselling expensive goods, or selling to carders, the group monetized stolen data through an affiliated card shop: ValidCC.

Group-IB claimed that the administrator of ValidCC appears to be a Russian speaker.

ValidCC claims to have made $5000-$7000 per day in one week in 2019.

The JS-sniffer market is seeing massive interest on the cybercrime underground, with the number of distinct malware families having doubled over the past year to reach 96 today, Group-IB warned.

“Today, JS sniffers represent the end product of the evolution of tools intended for the compromise of bank card data, considerably decreasing the resource-intensity of such attacks,” concluded the firm’s threat intelligence analyst, Victor Okorokov.

“In the coming years, we will definitely see the growth in the use of this malicious instrument since many online shops and service providers still neglect their cybersecurity, using outdated CMSs that have vulnerabilities.”


Dracula Network Pushes Out Pro-China Twitter Spam

Thu, 08/27/2020 - 08:45

Eagle-eyed social network analysts have spotted a new Chinese influence operation on Twitter dubbed the “Dracula botnet.”

The network of inauthentic automated accounts was found to be pushing out pro-China political spam, according to Graphika’s Ben Nimmo. The botnet was so named because the profile bios of all of its accounts are scraped from the famous Bram Stoker novel. Their profile pictures are mainly of stock female models.

Created in summer 2020, the 3000 accounts in this network accrued few followers before being largely suspended or marked as restricted, according to Nimmo.

“Not all the suspect accounts in the network had bios at all, but all those which did used incomplete quotes from Dracula. Adding to the impression that the network had been automated to bleed Stoker’s novel, every account featured, as its first tweets, two texts copied from Dracula that consisted of incomplete sentences, with the spaces between the words replaced by the + sign,” he continued.

“This approach appears to use spammy text posts as camouflage, to give the account a more ‘human’ signature when checked by Twitter’s automated defenses; hence the term ‘spamouflage.’”

This is the name Graphika has given to a much larger Chinese-backed political spam network active across multiple platforms including Facebook, YouTube and TikTok.

It has in the past posted pro-China messages about the Hong Kong protests, exiled billionaire Guo Wengui, COVID-19 and, most recently, US politics and US-China relations.

Nimmo argued that the network underlying this latest “Dracula” discovery was probably a botnet-for-hire.

“In effect, deceptive behavior on social platforms is a continuum. Accounts that post Bitcoin spam today can be repurposed to post geopolitical propaganda tomorrow, if the purchaser desires,” he concluded.

“That gives influence operations an easy route to buy at least the appearance of popularity, but it also gives researchers a further way to identify potential operations.”


Cybersecurity Community Concerned About Misinformation

Wed, 08/26/2020 - 17:38

Cybersecurity professionals want stricter measures to tackle the rising amount of online misinformation and fake domains, according to new research by the Neustar International Security Council (NISC).

A new report by NISC found that almost half (48%) of cybersecurity professionals regard these problems as a threat to their enterprise, while the other half (49%) rank the threat they pose as very significant.

To combat the threat, 91% of cybersecurity professionals called for stricter measures to be implemented on the internet if the issues are not resolved. 

Not content to wait for regulatory assistance, many professionals in the cybersecurity community are taking action against these threats themselves. Nearly half of organizations (46%) reported that they have plans in place to ensure greater emphasis on their ability to react to the rise of misinformation and fake domains. 

An additional 35% said that dealing with these threats will be a focus area for them in the next six months, while 13% would consider taking action if misinformation and fake domains continue to be an issue.

The research was based on a July 2020 survey of 306 professionals from across six EMEA and US markets in senior positions within their organizations who are able to give informed opinions on cybersecurity's most pressing issues.

“Misinformation is by no means new—from the beginning of time it has been used as a key tactic by people trying to achieve major goals with limited means,” said Rodney Joffe, chairman of NISC, senior vice president and fellow at Neustar. 

“The current global pandemic, however, has led to a sharp uptick in misinformation and the registration of fake domains, with cyber-criminals using tactics such as phishing, scams and ransomware to spread misleading news, falsified evidence and incorrect advice. While the motives of malicious actors may differ, the erosion of trust caused by misinformation poses a range of ethical, social and technological challenges to organizations.”

NISC researchers also highlighted a steep 12-point increase on the International Cyber Benchmarks Index year-on-year from July 2019 to July 2020. The Index, which is calculated based on the changing level of threat and impact of cyber-attacks, has maintained an upward trend since May 2017.


Giveaway Scam Infects 65,000 Devices with Malware

Wed, 08/26/2020 - 16:24

A family of Android apps is using the lure of free items to distribute a novel ad fraud botnet.

Victims of the scam are told that they will receive a complimentary gift when they download an app from the Google Play Store. However, the only thing received by victims is an infection of malware that silently loads ads in the background on their smart device.

The ad fraud operation, discovered by White Ops’ Satori Threat Intelligence & Research team, which named it TERRACOTTA, started in late 2019. The team found that by the end of June 2020, more than 65,000 devices had been unwitting participants in the scam, over 5,000 apps had been spoofed, and more than 2 billion bid requests had been generated.

"What makes this unique is that the fraudsters were advanced in knowing how to pull off ad fraud verification plausibly," said a White Ops spokesperson. 

"This means the ads were never being reported via the Google Play Store for showing ads, nor were users complaining of seeing unwanted ads. Instead, they were lying dormant, and the only 'free product' being delivered to users was a payload of ad fraud malware."

Among the free gifts used as lures were boots, sneakers, event tickets, coupons, and expensive dental treatments. The real item that victims received was a customized Android browser packaged alongside a control module written in the React Native development framework. 

When loaded onto the victim's phone, the browser generates fraudulent ad impressions, sold into the programmatic advertising ecosystem to defraud advertisers.

Google Play Store reviews for the apps started out at five stars as victims applauded the giveaway idea. However, disappointed victims who didn't receive the promised freebies soon took to the review section to express their disappointment and share their suspicions that the app they had downloaded was malicious.

One victim's review read: "Terrible. I received confirmation of my free Nike Air Jordans but never received any delivery, tracking number or anything. Possibly a fraudulent site, do not give personal information."

Among the 20 apps most commonly spoofed by TERRACOTTA in July 2020 were, com.blapp.videodownloader,, and


US Arrests Tourist Over Malware Conspiracy

Wed, 08/26/2020 - 16:23

A man on vacation in Nevada has been charged with conspiracy after allegedly offering an employee $1m to infect their company's computer network with ransomware.

Egor Igorevich Kriuchkov was arrested in Los Angeles on August 22 and charged with one count of conspiracy to intentionally cause damage to a protected computer. The 27-year-old Russian was in the United States on a tourist visa at the time of the alleged offense.

Statements given before a federal court on Monday accuse Kriuchkov of working with co-conspirators from July 15, 2020, to August 22, 2020, to recruit an employee of a company in Nevada. Kriuchkov's alleged plan was to pay the employee to surreptitiously infect the company with malware that would give Kriuchkov and his co-conspirators access to the organization’s computer system. 

A spokesperson for the US Department of Justice said: "After the malware was introduced, Kriuchkov and his co-conspirators would extract data from the network and then threaten to make the information public, unless the company paid their ransom demand."

Kriuchkov contacted the employee via WhatsApp on or about July 16. After arriving in the United States on or about July 28, Kriuchkov allegedly met with the employee numerous times to discuss the conspiracy. 

The alleged meetings took place at the employee's residence and at public locations. Kriuchkov allegedly invited the employee to participate in a "special project" with him and his co-conspirators.

The Russian tourist allegedly offered to pay the employee $1m to successfully introduce the malware into the company's network. The employee was allegedly told that Kriuchkov's co-conspirators would launch a Distributed Denial of Service (DDoS) attack to divert attention from the malware.

Kriuchkov allegedly provided the employee with a burner phone and instructed him to leave the device in airplane mode until after the money had been transferred. The employee was allegedly advised to download Tor Browser and set up a Bitcoin wallet to receive the payment. 

After being contacted by the FBI regarding the alleged conspiracy, Kriuchkov attempted to flee the country. He drove overnight from Reno, Nevada, to Los Angeles and asked an acquaintance to buy him an airline ticket out of the United States.


New Zealand’s Stock Exchange Hit by Cyber-Attacks Two Days in a Row

Wed, 08/26/2020 - 14:45

New Zealand’s stock exchange has been subjected to a cyber-attack for the second day running, it has been reported.

As covered by the Guardian today, at 11.24 am local time on Wednesday August 26, the NZX exchange went offline, causing some trading to be halted although connectivity was partially restored. The NZX acknowledged it had experienced “network connectivity issues,” leading to the NZX main board, NZX debt market and Fonterra shareholders market being placed on temporary hold. Those areas were subsequently allowed to resume trading at 3.00 pm.

This incident followed a distributed denial of service (DDoS) attack on the stock exchange the previous day, Tuesday August 25, which forced it to call a halt to trading at 3.57 pm. In a statement published on August 26 referring to this attack, the NZX suggested foreign hackers were to blame: “Yesterday afternoon NZX experienced a volumetric DDoS attack from offshore via its network service provider, which impacted NZX network connectivity. The systems impacted included NZX websites and the Markets Announcement Platform.”

It added: “A DDoS attack aims to disrupt service by saturating a network with significant volumes of internet traffic. The attack was able to be mitigated and connectivity has now been restored for NZX.”

The new incidents have occurred shortly after a series of alleged state-sponsored attacks against a range of government and private-sector organizations in Australia.

Nick Turner, VP EMEA at Druva, said that attacks against high profile targets are more likely to be successful amid the ongoing COVID-19 pandemic: “Today’s second attack on New Zealand’s stock exchange is yet another reminder that remote work security challenges need to be addressed as a priority. Local governments and cities need to act fast, or risk putting their constituents’ health, safety, lives and most sensitive data at risk.

“Cyber-attacks have become a common threat against local governments who have become sitting ducks lacking the right infrastructure and technology to protect themselves against an attack as hackers look to seize critical data and take hostage over systems for hefty ransoms – or simply – to cause chaos on these establishments. From a hackers’ perspective, local governments and mission critical organizations are at their most vulnerable right now as a result of the pandemic.”

Jake Moore, cybersecurity specialist at ESET, added: “As the world becomes increasingly connected, more defenses are required to protect against the bombardment of attempts to take down a site. DDoS attacks are common threats that can usually be avoided with the correct mitigation techniques. However, when a site experiences a massive influx of traffic that it is not prepared for, even huge organizations can be knocked off their feet relatively easily – and for long periods of time.”


TLS and VPN Flaws Offer Most Pen Tester Access

Wed, 08/26/2020 - 14:06

Vulnerabilities in transport layer security and exposure to a 10-year-old botnet are the most common findings from penetration testing engagements.

According to data from 206 Rapid7 engagements conducted between June 2019 and June 2020, internal network configuration and patch management continue to provide “easy” soft targets to penetration testers, who can often use off-the-shelf commodity attacks to escalate privileges and move laterally about the network without being detected. It also found that issues with EternalBlue and Conficker are still not being excised from internal networks.

According to Tod Beardsley, research director at Rapid7, over the 12 months of work it also found that password management and secondary controls such as two-factor authentication are severely lacking at the enterprise level, leading to “easy” compromises involving both password spraying and decrypting hashed passwords acquired during simulated breaches.

As organizations depend more on VPNs and internet-based applications, rather than traditional internal network controls, penetration testers were also finding significant flaws in those VPN terminators and custom web apps.

“While none of this is particularly shocking to even the most Pollyanna security researcher (we are a cynical bunch), this is solid data that can help enterprises around the world understand what to expect from their next penetration test and be used as a checklist of what to investigate and remediate before then,” he said.

The report also found two vulnerabilities “as pretty standard go-tos for any internally scoped network assessment.” These were MS08-067, which was weaponized in the Conficker exploit back in 2008, and MS17-010, which was the central vulnerability to the EternalBlue exploit kit of 2017.

“These two issues are among the famous vulnerabilities of the past decade, so you would think that IT and IT security teams would have long ago excised these vulnerabilities from their internal networks,” Beardsley said.

Mark Kedgley, CTO at New Net Technologies (NNT), told Infosecurity he felt EternalBlue and Conficker are still so prominent because of the number of Windows-based systems that cannot easily be upgraded or even patched, such as EPoS and ATM systems.

“Even within the UK NHS, one of the highest profile victims of WannaCry, there are reports of still widespread use of Windows 7 due to budget and the practical challenges of large-scale IT,” Kedgley said. “It’s clear then upgrading and patching systems is a big challenge and while this remains the case, exploitable, known vulnerabilities will still be present and a threat. Other security controls, such as change control and breach detection, can play a role in compensating for environments where patching is an issue.”

The top vulnerabilities encountered by external penetration testers were: weak transport layer security (10.48%), weak password policy (7.08%), missing strict-transport-security (STS) response headers (6.23%) and user enumeration (5.67%).

Kedgley said: “Public websites are naturally prone to attack. Therefore, this has been a critical security risk ever since older TLS implementations were found to be weak and prone to compromise. The PCI DSS outlawed SSL and early TLS versions five years ago as it was known then this was a major problem for virtually every website.

“TLS 1.3 will plug the holes known in earlier versions, but the same issues apply in that just having a patch or update available doesn’t make us secure – it’s only when it is fully implemented and tested that the attack surface is fixed.”


Security Flaws in Two Popular TV Set-Top Boxes Expose Customers to Attack

Wed, 08/26/2020 - 13:12

Serious security flaws have been discovered in two popular TV set-top boxes, potentially leaving customers at risk of cyber-attack. According to an investigation by Avast, the THOMSON THT741FTA and Philips DTR3502BFTA devices contain vulnerabilities that can allow them to be accessed remotely by malicious actors, who can then launch botnet and ransomware attacks.

The internet-connected set-top boxes are often purchased by consumers who have television sets that do not support DVB-T2, the most up-to-date digital signal for terrestrial television.

The investigators found that both Internet of Things (IoT) devices are shipped by their manufacturers with open Telnet ports; Telnet is an unencrypted protocol used for communicating with remote devices or servers. This could allow cyber-criminals to launch attacks such as DDoS using botnets, with the Avast team successfully executing the binary of the Mirai botnet on both devices.

Another issue is that both boxes run Linux kernel 3.10.23, the privileged core program that manages the hardware and allocates resources to the software on the device. It was installed on both boxes in 2016 and only received patches for bugs and vulnerabilities until November 2017, so users have not received security updates since that time.

Avast also believes an unencrypted connection between the devices and a pre-installed legacy application of the popular weather forecasting service AccuWeather could enable malicious actors to modify the content users see on their TVs when using this app. This could potentially lead to ransom messages being displayed, claiming that the user’s TV has been hijacked and demanding a sum to free it.

Vladislav Iluishin, IoT Lab Team lead at Avast commented: “Manufacturers are not only responsible for ensuring safety standards are met before their products are made available for purchase, they are also responsible for securing them and therefore the security of their users.

“Unfortunately, it’s rare for IoT manufacturers to assess how the threat surface of their products can be reduced. Instead, they rely on the bare minimum, or in extreme cases completely disregard IoT and customer security in order to save costs and push their products to market quicker.”

The findings are part of an ongoing project by Avast to explore and test the security postures of IoT enabled devices.

Last week, IBM revealed it found a vulnerability in a component used in millions of IoT devices.


FBI/CISA Warn US Firms of State-Mandated Tax Malware

Wed, 08/26/2020 - 11:00

The US government has been forced to issue another warning to organizations doing business in China after reports of a potentially widespread attempt to remotely target them with powerful malware hidden in tax software.

Red flags were originally raised by Trustwave researchers, who warned back in June that they had discovered a backdoor dubbed GoldenSpy in the tax software domestic banks force foreign companies to install.

This hidden malware could not be removed and provided its authors with a means to remotely install additional malware.

A few days later Trustwave discovered another backdoor, GoldenHelper, which had been deployed in a similar way from 2018-19. The naming convention comes from China’s “Golden Tax” VAT scheme, which mandates that banks require all companies to download software from either Aisino or Baiwang to comply.

Researchers at the vendor had also discovered an attempt to cover-up the scandal: just days after it first broke news of GoldenSpy, Trustwave spotted an uninstaller designed to remove any trace of the backdoor.

Now the FBI and Cybersecurity and Infrastructure Security Agency (CISA) have issued a Flash alert to US businesses warning that each new attempt to remove the malware requires attention from security teams, as the attackers try to evade network security rules.

“This reveals the actors’ high level of sophistication and operational awareness. The software service providers have not provided a statement acknowledging the software supply chain compromise,” it noted.

“The FBI assesses that the cyber-actors’ persistent attempts to silently remove the malware is not a sign of resignation. Rather, it is an effort to hide their capabilities. Organizations conducting business in China continue to be at risk from system vulnerabilities exploited by the tax software and similar supply chains.”


Click Fraud Risk as Smartphone Discovered with Pre-Installed Malware

Wed, 08/26/2020 - 09:30

Security researchers have discovered malware pre-installed on a Chinese smartphone and designed to facilitate mobile ad fraud on a massive scale.

Upstream’s Secure-D Lab said it recorded 19.2 million suspicious transactions, which would have covertly signed up unsuspecting users to subscription services without their permission.

It traced them back to around 200,000 Transsion Tecno W2 handsets used mainly in Egypt, Ethiopia, South Africa, Cameroon and Ghana — although suspicious transactions were also detected in 14 other countries.

The security firm analyzed Tecno W2 handsets to find out more, and discovered that they had been pre-installed with well-known backdoor and malware downloader Triada. This in turn installed a Trojan known as xHelper onto compromised devices as soon as they connect to the internet, Secure-D explained.

“When xHelper components were found in the right environment and connected to Wi-Fi or 3G network (e.g. inside a South African network), they made queries to find new subscription targets, and then proceeded to make fraudulent subscription requests,” it continued.

“These happened automatically and without requiring a mobile phone operator’s approval. The investigation found evidence in the code that linked at least one of the xHelper components (‘com.mufc.umbtts’) to subscription fraud requests.”

The umbtts application was apparently capable of generating clicks on ad banners without users’ knowledge.

According to a Google investigation, Triada is the result of a vendor somewhere in the manufacturing supply chain placing it on device firmware, usually without the knowledge of developers or manufacturers.

Users of the device were urged to check for high data usage and unexpected charges.

“While Transsion may not have been aware of the malware when the devices were sold to consumers, they do suffer the consequences and negative press related to this issue,” argued KnowBe4 security awareness advocate Erich Kron.

“This is an example of how important it is to take supply chain security seriously, as something done by a supplier or business partner can seriously impact your brand or even lead to legal liabilities.”


New Mercenary APT Group Targeted Autodesk Software

Wed, 08/26/2020 - 08:30

Security researchers have uncovered yet another hacker-for-hire group armed with APT-style capabilities, which has targeted at least one high-value victim in the real estate sector.

Bitdefender revealed details of the unnamed group in a new report out today: More Evidence of APT Hackers-for-Hire Used for Industrial Espionage.

It discovered a relatively sophisticated info-stealing campaign targeting a wealthy architectural and video production company engaged in billion-dollar luxury real-estate projects in New York, London, Australia and Oman.

To carry out its industrial espionage goals, the group utilized C&C infrastructure in South Korea and a zero-day malicious payload designed to exploit vulnerable Autodesk 3ds Max software used by the victim organization for 3D modelling.

This enabled them to gain a foothold onto victim machines and deploy additional malicious tools, said Bitdefender.

The group’s information-stealing capabilities include: screen capture and collection of username, computer name, the IP addresses of network adapters, Windows product name, .NET Framework version, information about the processors, total and free RAM, storage details, the listing of files set to start automatically when Windows starts up, process listing and recent files.

Bitdefender said it has no evidence of any other victims at this stage, although the C&C infrastructure is still active.

The discovery of the hackers-for-hire group comes after recent revelations about the existence of similar mercenary outfits including Deceptikons and Dark Basin, as well as StrongPity, which was linked to the Turkish military.

“This is beginning to be a new trend that we're likely to see more of in the future,” warned Bitdefender global cybersecurity researcher Liviu Arsene.

“As cyber-criminal groups are becoming more sophisticated and act more like mercenaries, it’s likely they will continue making their services available to the highest bidders. This new APT-as-a-service business model seems to be the next evolutionary step in sophisticated attacks.”

Categories: Cyber Risk News

Cyber-Attack on Rialto School District

Tue, 08/25/2020 - 17:31

A cyber-attack has shut down virtual classes in a Los Angeles school district two weeks after the FBI issued a cybersecurity warning to schools offering online learning.

In a grim foreshadowing of what was to come, FBI supervisory special agent Corey Harris said on August 11: “We want all school districts to be prepared and understand that there’s a possibility that they could be attacked.”

“With so many kids that will be conducting school virtually, that increases the risk. That opens the door for an attacker to actually compromise either the school district’s network or the kids’ computers.”

Online classes were suspended at the Rialto Unified School District on Monday following a malware attack.

A statement posted on the district’s website on Sunday said that online learning hosted by its Bridge Academy had been halted indefinitely while an investigation was underway to determine the “nature and scope” of the cyber-attack.

The statement read: “Rialto Unified School District has been affected by malware, which is software that is specifically designed to disrupt, damage or gain unauthorized access to the computer system. RUSD instruction will be suspended until further notice, while we investigate the nature and scope of the malware.

“We understand that this news is difficult in these already challenging times and we appreciate your patience while we work to address this issue.”

District spokesperson Syeda Jafri said that information technology department staff were working “day and night” to give students back access to an education. She urged students who have assigned devices linked to the district’s server not to use them until the current situation has been resolved.

Computer equipment issued to students by the school will be collected and checked to make sure it is secure. 

The Rialto Unified School District includes three high schools, one alternative/adult education school, five middle schools, and 19 elementary schools. More than 25,000 students residing in Rialto or neighboring cities, including Bloomington, Colton, Fontana, Lytle Creek, and San Bernardino, attend school in the district.

Other school districts, including the Lake Elsinore Unified School District, also had disruptions on Monday after some teachers and students were locked out of Zoom.

Categories: Cyber Risk News

National Cyber League Registration Opens

Tue, 08/25/2020 - 16:53

Registration for the fall season of the National Cyber League (NCL) opened yesterday.

The league provides an exciting virtual environment in which students of all levels can apply their cybersecurity skills to real-world scenarios encountered by professionals in the cybersecurity industry. 

Cyber league participants will be tasked with taking both offensive and defensive action to neutralize threats, break into websites, crack passwords, and expose the identities of hackers.

This season's mock challenges include catching an insider threat as they use a company's new remote working policy to secretly exfiltrate company data while working from home. 

Another scenario involves preventing a malicious actor from exploiting a vulnerability in a database to gain access to a computer. 

A spokesperson for the NCL said: "The puzzle-oriented, capture the flag style, offensive and defensive challenges are rooted in the CompTIA Security+ and EC-Council Certified Ethical Hacker performance-based exam objectives."

While fun is a major component of the NCL challenges, students who complete them will walk away with more than just great memories.

"Players also receive Scouting Reports they can share with potential employers to highlight their success within each challenge objective," said the spokesperson.

"Players do not just build skills relevant to a lucrative career; they become part of a like-minded community of cyber heroes and heroines who join forces to better their skills."

Kaitlyn Bestenheider first competed in the NCL in 2015. Now the information security analyst at Tevora is the league's chief player ambassador, responsible for creating and managing the first and only coaching guide recognized and approved by the NCL. 

"I am just one of many success stories to come out of the NCL games," said Bestenheider. 

"Now, my team and I are listening to players and advocating for them; representing the views, perspectives and values of the players; and campaigning for new programs and partnerships. Our NCL Player Ambassador Board has many exciting things planned, and we can't wait to share all of this with our players."

The NCL is a nonprofit cybersecurity competition that was founded in 2011 by an alliance of public agencies dedicated to developing the next generation of cybersecurity professionals. Around 10,000 students compete in the league every year.

Categories: Cyber Risk News

FBI Investigates COVID-19 Patient Data Breach

Tue, 08/25/2020 - 16:38

The FBI is investigating a data breach that exposed the personal information of South Dakota residents who had contracted COVID-19. 

The data breach took place in June when a database shared between the Department of Health and law enforcement agencies was exposed by a third-party vendor.

Information stored in the database was used to establish an online portal designed to reduce the chances of law enforcement officers and medics catching the novel coronavirus in the course of performing their duties. The portal allowed first responders to contact a dispatcher and find out if someone at an address to which they were being sent had tested positive for the virus.

Netsential, Inc., a web development company used by law enforcement agencies and fusion centers across the United States, hosted the database on its servers. The data breach happened on June 19 when Netsential added labels to a file that could allow a third party to identify a COVID-19 status if it were removed from the system.

Information exposed in the incident included names, addresses, dates of birth, and infection status. Department of Public Safety (DPS) officials said no Social Security numbers or financial data was compromised. 

The DPS informed COVID-19 patients in a letter dated August 17 that their data may have been exposed. The letter, signed by DPS director Paul Niedringhaus and seen by Rapid City Journal, warns patients that their information may now be accessible online.

“This information may continue to be available on various internet sites that link to files from the Netsential breach,” the letter states. “The list did not include any financial information, Social Security numbers, or internet passwords of any individuals.”

Recipients of the letter are advised to visit a webpage titled “South Dakota Consumer Protection” from the Office of the Attorney General. The page contains advice on preventing identity theft and securing information. 

“The letter speaks for itself, and because this is an FBI-led criminal investigation, we cannot comment any further,” said DPS public information officer Tony Mangan.

Netsential hit the headlines in June after thousands of US police records were exposed in a cyber-incident dubbed BlueLeaks.  

Categories: Cyber Risk News

Nearly Half of UK IT Leaders Have Not Upgraded to Cloud Security

Tue, 08/25/2020 - 14:00

Nearly half (47%) of UK IT leaders have not updated their security strategies to account for their move to cloud environments, putting their organizations at higher risk of cyber-attack, according to a new study by Trend Micro commissioned for CLOUDSEC Online.

This is despite the fact that traditional on-premises security such as firewalls, network intrusion prevention systems (IPS/IDS) and anti-virus are unsuitable for cloud environments as they tend to create performance bottlenecks and security gaps.

Yet the survey showed that many IT leaders are keen for a single platform to provide cloud and on-premises security, with lack of integration between the two types of tooling cited by 43% of respondents as the biggest barrier to the adoption of cloud security. Additionally, 33% stated that this integration issue was their biggest day-to-day operational headache.

Over half (55%) also expressed a desire for third-party security providers to integrate with multiple platform and application vendors, while 54% want a security vendor “aligned” to their cloud journey.

The report noted that security vendor integration is becoming more important as organizations increasingly shift to multi-cloud environments.

Bharat Mistry, principal security strategist at Trend Micro, commented: “This is particularly concerning as 23% of organizations explained that they’ve already moved partly or fully to a DevOps model in order to drive digital transformation. Container, serverless and other emerging technologies require specially designed security capabilities delivered as application program interfaces (APIs) in order to provide appropriate protection without interrupting development pipelines.”

Earlier this month, the 2020 Cloud Security Report revealed that configuration errors are the number one threat to cloud security in the view of industry professionals, with multiple barriers to the further adoption of cloud services outlined by those surveyed.

Categories: Cyber Risk News

Palo Alto Networks to Acquire Crypsis Group

Tue, 08/25/2020 - 12:45

Palo Alto Networks has announced its intention to acquire consultancy Crypsis Group.

The two companies have entered into a definitive agreement which will see Palo Alto Networks acquire the incident response, risk management and digital forensics consulting firm for a total purchase price of $265m. The proposed acquisition is expected to close during Palo Alto Networks’ fiscal first quarter, subject to the satisfaction of regulatory approvals and other customary closing conditions.

Part of the ZP Group, an organization with a portfolio of companies specializing in breach response, national security solutions and IT staffing, the Crypsis Group consists of more than 150 security consultants, responding to more than 1300 security engagements per year. The firm’s CEO, Bret Padres, will join Palo Alto Networks, and he said: “We have dedicated ourselves to creating a more secure world through the fight against cybercrime. Together with Palo Alto Networks, we will be able to help businesses and governments better respond to threat actors on a global scale.”

Palo Alto Networks said the acquisition will strengthen the ability of its Cortex XDR to collect rich security telemetry, manage breaches and initiate rapid response actions. It said it expects to integrate Crypsis Group’s processes and technology into Cortex XDR to further enhance its ability to safeguard organizations at every stage of the security lifecycle.

Nikesh Arora, chairman and CEO, Palo Alto Networks, said: “The proposed acquisition of the Crypsis Group will significantly enhance our position as the cybersecurity partner of choice, while expanding our capabilities and strengthening our Cortex strategy. By joining forces, we will be able to help customers not only predict and prevent cyber-attacks but also mitigate the impact of any breach they may face.”

Categories: Cyber Risk News

Eight Million Freepik Users Suffer Data Compromise

Tue, 08/25/2020 - 11:30

Popular stock photo site Freepik has disclosed a major data breach affecting over eight million customers.

The incident also affected users of the sister site Flaticon, which claims to run the world’s largest database of free icons.

In a breach notice over the weekend, the firm said an attacker had exploited an SQL injection vulnerability in the Flaticon site which allowed them to access user information in a database.

Of the 8.3 million customers affected, all had their email address taken, and nearly 3.8 million had a hashed password for the site also stolen.

Most (3.6 million) were hashed with bcrypt, whilst 229,000 were protected with the less secure MD5. The latter have since been upgraded to bcrypt.

The remaining 4.5 million users logged in with their federated Google, Facebook or Twitter credentials so the hacker only got away with their emails. However, these could still be used to craft phishing emails requesting password confirmation.

The firm does appear to have acted swiftly to mitigate the issue, claiming to regularly review customer emails and passwords that end up on the web and notify affected customers if they find one.

“Those who had a password hashed with salted MD5 got their password cancelled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged),” explained Freepik.

“Users who got their password hashed with bcrypt received an email suggesting that they change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them.”

Jayant Shukla, CTO and co-founder of K2 Cyber Security, argued that firms need to do more to mitigate the risk of SQL injection exploitation, which remains one of the most popular among attackers.

“Organizations need to take action to better protect themselves against SQL vulnerabilities: 1) implement better coding practices to prevent SQL injection, 2) run better tests for SQL injection vulnerabilities before code makes it to production and 3) make sure they have protection against SQL injection attacks during runtime,” he said.
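The two weaknesses in this incident, an injectable database lookup and legacy MD5 password hashes, are shown together below in an added example that is not Freepik's code: a parameterised lookup beside the string-built one it replaces, and a login path that rehashes a legacy MD5 record the first time its owner logs in successfully. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it as the slow, salted hash; the table, the record formats and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumption: tune to the login servers' capacity

def slow_hash(password: str, salt: bytes) -> str:
    # PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in the standard library
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"

def legacy_md5(password: str, salt: bytes) -> str:
    # Constructed "salted MD5" record format for the legacy rows
    return f"md5${salt.hex()}${hashlib.md5(salt + password.encode()).hexdigest()}"

def setup_db() -> sqlite3.Connection:
    # Constructed in-memory user table: one legacy MD5 row, one already on the slow hash
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("legacy@example.test", legacy_md5("hunter2", os.urandom(16))),
        ("modern@example.test", slow_hash("correct horse", os.urandom(16))),
    ])
    conn.commit()
    return conn

def lookup_vulnerable(conn, email: str):
    # The injectable pattern: untrusted input is spliced into the SQL text
    return conn.execute(f"SELECT pw_hash FROM users WHERE email = '{email}'").fetchone()

def lookup_safe(conn, email: str):
    # Parameterised query: the value never becomes part of the SQL grammar
    return conn.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()

def vulnerable_lookup_fails(conn, email: str) -> bool:
    # True when the string-built query breaks on input the parameterised one handles
    try:
        lookup_vulnerable(conn, email)
        return False
    except sqlite3.Error:
        return True

def verify_and_upgrade(conn, email: str, password: str) -> bool:
    """Verify a login; a correct password against an MD5 row is rehashed in place."""
    row = lookup_safe(conn, email)
    if row is None:
        return False
    scheme, salt_hex, _ = row[0].split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "md5":
        ok = hmac.compare_digest(legacy_md5(password, salt), row[0])
        if ok:  # retire the legacy hash now that the plaintext is briefly available
            conn.execute("UPDATE users SET pw_hash = ? WHERE email = ?",
                         (slow_hash(password, os.urandom(16)), email))
            conn.commit()
        return ok
    return hmac.compare_digest(slow_hash(password, salt), row[0])
```

A legitimate address containing an apostrophe is enough to break the string-built query, which is the same parsing confusion an injection relies on; the parameterised lookup simply returns no row.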

Categories: Cyber Risk News

F-Secure: Enhance EDR to Stop Lazarus Group

Tue, 08/25/2020 - 10:15

Security researchers have urged organizations to upskill incident detection and response teams, after revealing a new Lazarus Group attack which managed to bypass advanced EDR and network security at a cryptocurrency firm.

The tactical intelligence report details an attack which took place last year as part of the North Korean state-sponsored group’s wider multi-year campaign against crypto firms. Active since 2018, the attackers are likely to have used the same artifacts in at least 14 countries: the United States, China, the United Kingdom, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan and the Philippines.

Lazarus Group invested “significant effort” to bypass the victim organization’s cyber-defenses, such as by disabling AV on compromised hosts and removing evidence of malicious implants. However, these actions were “noisy” in themselves and served as clear signs that should have been picked up, said F-Secure.

The group also used native OS utilities to blend in, but again “elements of the commands used will often be anomalous and use specific esoteric strings that offer blue teams detection opportunities,” said F-Secure.

“These commands can blend in with standard activity, so it may not be possible to build high fidelity detection for all the techniques used,” the report noted.

“In this situation the use of lower fidelity detections that are then aggregated on a host basis in order to correlate activity and build intelligent thresholding in to alerting systems can help to detect malicious activity without generating too many false positives.”
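The host-based aggregation the report describes, as an added example that is not F-Secure's tooling: each low-fidelity signal carries a small weight, weights are summed per host over a sliding window, and only a host whose window score reaches a threshold is raised. The signal names, weights, window and threshold are assumptions, and the telemetry lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Weight per low-fidelity signal. Signal names are assumed; they stand for the
# behaviours the report describes (AV disabled, implant evidence removed, native
# utility run with anomalous arguments). None of them alone justifies an alert.
WEIGHTS = {
    "av_disabled": 3,
    "implant_evidence_removed": 3,
    "native_tool_anomalous_args": 1,
    "native_tool_normal": 0,
}

# Constructed sample telemetry: ws-12 shows the clustered pattern, ws-07 only
# scattered single signals hours apart, ws-30 benign use of a native utility.
SAMPLE_LOG = """\
2019-05-01T09:00:00 host=ws-12 event=native_tool_normal
2019-05-01T09:02:10 host=ws-12 event=native_tool_anomalous_args
2019-05-01T09:03:45 host=ws-12 event=av_disabled
2019-05-01T09:05:30 host=ws-12 event=implant_evidence_removed
2019-05-01T11:30:00 host=ws-07 event=native_tool_anomalous_args
2019-05-01T14:00:00 host=ws-07 event=av_disabled
2019-05-01T14:01:00 host=ws-30 event=native_tool_normal
"""

def parse_line(line: str):
    # "<iso timestamp> host=<name> event=<signal>" -> (datetime, host, signal)
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["host"], kv["event"]

def score_hosts(log_text: str, window_hours: int = 1, threshold: int = 5) -> dict:
    """Sum signal weights per host over a sliding window; return {host: peak score}
    for hosts whose peak reaches the threshold (window and threshold are assumptions)."""
    window = timedelta(hours=window_hours)
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, host, signal = parse_line(line)
            events[host].append((ts, WEIGHTS.get(signal, 0)))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        running = peak = start = 0
        for ts, weight in evs:
            running += weight
            # Drop events that fell out of the window before this one
            while ts - evs[start][0] > window:
                running -= evs[start][1]
                start += 1
            peak = max(peak, running)
        if peak >= threshold:
            alerts[host] = peak
    return alerts
```

With the defaults only ws-12 is raised; widening the window or lowering the threshold is how the false-positive trade-off the report mentions is tuned, and ws-07 shows the effect.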

In fact, Lazarus Group has been using the same family of tooling observed back in 2016. It is still effective because of these obfuscation techniques, although this offers further opportunities for detection.

F-Secure concluded that effective detection and response is not simply about having the right tools, but also the users who know what to look for.

“The target in this investigation had a leading EDR and network security tool installed that captured telemetry of Lazarus Group’s actions, but this did not result in a positive detection that was actioned,” it argued.

“It is F-Secure’s view that people play an important role in building effective detection capability, and this incident serves as an example of the need to invest in people as well as technology.”

Categories: Cyber Risk News