Info Security

Subscribe to Info Security  feed
Updated: 52 min 9 sec ago

UK Deems Huawei a Manageable Risk for 5G

Wed, 01/29/2020 - 09:45
UK Deems Huawei a Manageable Risk for 5G

Security experts have broadly welcomed the UK’s decision to allow Huawei to participate in non-core 5G network infrastructure, even if nearly half of consumers believe the Chinese firm represents a cyber-threat.

The government confirmed long-running rumors yesterday that it would defy Washington and allow the Shenzhen telecoms kit maker to contribute to its carriers’ 5G networks.

However, it appears to have dialed down tensions with the US by: designating the firm a “high risk” vendor, excluding it from core parts of the networks, nuclear sites, military bases and critical infrastructure and limiting its presence to no more than 35% of non-core networks.

National Cyber Security Centre (NCSC) CEO, Ciaran Martin, claimed the decision will give the UK “a very strong, practical and technically sound framework for digital security in the years ahead.

“The NCSC has issued advice to telecoms network operators to help with the industry rollout of 5G and full fiber networks in line with the government’s objectives,” he added.

“High-risk vendors have never been – and never will be – in our most sensitive networks. Taken together these measures add up to a very strong framework for digital security.”

This is despite some experts, such as Australian Signals Directorate director-general, Mike Burgess, warning that there is no distinction between core and non-core parts of a 5G network, meaning that a threat anywhere in the network could be hard to contain.

Malcolm Taylor, director of cyber advisory at ITC Secure and former GCHQ intelligence officer, welcomed the UK news as evidence of politicians listening to the UK’s security agencies, who have repeatedly claimed the Huawei risk is manageable.

A dedicated Huawei Cyber Security Evaluation Centre (HCSEC) staffed partly by GCHQ boffins has been running for years to scrutinize the firm’s products. Although it recently found serious security shortcomings, they were not thought to have been engineered deliberately.

“There is risk in using Huawei – the point is managing it. Already heavily monitored and managed, Huawei can expect to see that scrutiny only increase,” Taylor added.

“There is no hard evidence of any espionage using Huawei technology, globally, and Huawei senior figures have made this point again and again. The UK’s security apparatus believes the risk can be managed. What more do we need?”

Dimitris Mavrakis, research director at ABI Research, congratulated the UK for not being pressured by geopolitical tactics, and said it was a good compromise between security and 5G development.

“The fact that Huawei is quite well deployed for 5G in the UK means that it would be a massive disruption to stop or worse, remove this infrastructure. This could set UK operators years behind in the 5G market,” he continued.

“Plus, Huawei has already been well deployed for 4G across the UK. Even if Huawei is blocked for 5G, how can anyone guarantee that security-sensitive communications will go over these non-Huawei 5G networks, and not Huawei 4G networks?”

That said, a GlobalData poll this week revealed that UK consumers are virtually split down the middle in their view of Huawei: 47% said they thought the firm was a security threat while 53% did not.

Categories: Cyber Risk News

SEC Publishes Cybersecurity Practices of Financial Industry

Tue, 01/28/2020 - 18:01
SEC Publishes Cybersecurity Practices of Financial Industry

The US Securities and Exchange Commission (SEC) has published a 10-page document detailing cybersecurity practices observed to be in use in the financial industry.

The observations were gathered by the SEC's Office of Compliance Inspections (OCIE) and are based on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants.

OCIE issued the examination observations yesterday on the SEC website with the hope of providing firms with guidelines for how to strengthen their cybersecurity. 

The observations highlight certain approaches taken by market participants in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. They also examine how companies have responded with resiliency in the wake of a cybersecurity incident. 

While acknowledging that there is no one-size-fits-all approach when it comes to cybersecurity, OCIE recommended establishing an incident response plan and contacting local authorities or the Federal Bureau of Investigation (FBI) if an attack or compromise is discovered or suspected. 

Training employees on how to detect threats was advised, along with implementing a mobile device management solution for the workplace that covered all devices used by employees under a "bring your own device" policy.

"Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency," said Peter Driscoll, director of OCIE. 

"We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices."

To prevent data loss, OCIE recommended establishing a patch management program covering all software and hardware and verifying that the decommissioning and disposal of any hardware and software does not create system vulnerabilities.  

"Data systems are critical to the functioning of our markets, and cybersecurity and resiliency are at the core of OCIE’s inspection efforts," said SEC chairman Jay Clayton. 

"I commend OCIE for compiling and sharing these observations with the industry and the public and encourage market participants to incorporate this information into their cybersecurity assessments."

Categories: Cyber Risk News

UK Medical Products Manufacturer Shuts Plant Following Breach

Tue, 01/28/2020 - 16:57
UK Medical Products Manufacturer Shuts Plant Following Breach

A British company that specializes in making skin, bone, and organ grafts has temporarily closed its manufacturing plant in America following a cybersecurity breach.

Regenerative medical technology company Tissue Regenix Group PLC said on Tuesday that its computer systems and a third-party IT service provider in the United States were accessed without authorization. No details were given regarding how the incident occurred or when the company became aware that it had been compromised.

Tissue Regenix responded to the cybersecurity incident by taking the affected system offline and shutting down operations at its plant in Texas. The company has appointed forensic cybersecurity specialists to investigate how and when the breach occurred and said that it is in talks with the relevant legal authorities. 

The cybersecurity incident is not believed to have affected any of Tissue Regenix's operations in the UK and is not thought to have impacted the company's financial systems. 

"Tissue Regenix has taken precautionary steps, including taking affected systems offline. This has restricted access to certain business operations, including the company's ability in the short-term to continue manufacturing in its United States facility, which has been taken offline whilst the incident is being investigated," said a Tissue Regenix spokesperson. 

"The company is engaged with its third-party IT service provider, the relevant legal authorities and cyber security experts to rectify the incident as quickly as possible and to minimize any impact on its operations. The time required to resolve the incident is currently unknown."

According to Reuters, news of the breach caused the share price of Tissue Regenix to tumble by as much as 22%. 

Tissue Regenix was formed in 2006 as an offshoot of the University of Leeds. The company is based in the historical city of York. Tissue Regenix set up its base in America in the tail end of 2012. 

The medical technology product that Tissue Regenix is known for producing is a special kind of tissue that can be used to repair worn-out or diseased human body parts. The tissue has been designed in such a way that the patient's body is unlikely to reject a graft. 

The cyber-attack has come at a particularly bad time for Tissue Regenix, which said last Wednesday that its funding is not guaranteed beyond April.

Categories: Cyber Risk News

NFL Twitter Accounts Hacked One Week Before Super Bowl

Tue, 01/28/2020 - 16:09
NFL Twitter Accounts Hacked One Week Before Super Bowl

The Twitter accounts of America's National Football League (NFL) and 15 of its teams have been hacked just one week before the biggest football game of the 2019–2020 season.

The first team to be compromised was the Chicago Bears, whose account @ChicagoBears was hacked at 8:40 a.m. on Sunday morning. 

Followers were shown an image of a man with a full, dark beard who was wearing the traditional Arabic head gear of a keffiyeh and an agal together. Along with the photo, hackers posted the caption: "Welcome to our new owner @Turki_alalshikh #ProBowl #Bears100 #ChicagoBears."

A Saudi "white hat" hacker group known as OurMine was quick to claim responsibility for the hacks, which the group said were carried out as a publicity stunt to "announce that we are back" and to "show people that everything is hackable."

Fans of rival American football team the Detroit Lions seized the opportunity afforded by the Bears hack to propose a trade. The account @PrideofDetroit tweeted at the Bears: "Hey, while you're still hacked @ChicagoBears, trade us Khalil Mack for a 6th rounder. Twitter is a binding contract."

The hackers decided to run with the joke and responded with "Done for 1$."

By 12:43 p.m. on Sunday, the Chicago Bears were back in control of their Twitter account and had posted a message apologizing to fans for the compromise. 

OurMine allegedly compromised the official Twitter account of the NFL on Monday. In a statement released yesterday, the NFL said: "On Monday, the NFL Cybersecurity department became aware of a breach of league-related social media accounts. Targeted breaches and additional failed attempts were discovered across the league and team accounts.

"The NFL took immediate action and directed the teams to secure their social media accounts and prevent further unauthorized access."

NFL reporter Dov Kleiman began a Twitter thread of screenshots depicting all the NFL team accounts compromised in the OurMine hack. By his reckoning, a total of 15 teams were hacked, including the Green Bay Packers

Other teams to be hacked were the Kansas City Chiefs and the San Francisco 49ers, who are due to compete on February 2 in the Super Bowl LIV game, which will decide the champion for the NFL's 2019–2020 (and 100th) season.

An anonymous individual who responded to questions from NBC News via an email account linked with OurMine would not reveal how the group carried out the hack. The individual did, however, reveal their pick for Sunday's big game, predicting a victory for the Chiefs.

Categories: Cyber Risk News

Suspected Magecart Hackers Arrested in Indonesia

Tue, 01/28/2020 - 12:10
Suspected Magecart Hackers Arrested in Indonesia

Three men have been arrested in Indonesia in a region-wide crackdown on gangs using the infamous Magecart digital skimming code, according to Interpol.

The law enforcement organization worked with private sector partner Group-IB to identify and analyze hundreds of e-commerce websites around the world infected with the malicious JavaScript.

Its Operation Night Fury saw Interpol’s central ASEAN Cyber Capability Desk send reports to police in the affected countries, including six in southeast Asia.

One of these was Indonesia, where three men were arrested on suspicion of running Magecart C&C servers there.

According to Interpol, the suspects are thought to have been using the stolen card details to buy luxury goods and electronics and then resell them to launder their profits.

Singaporean police have also been able to disable two further C&C servers following intelligence gleaned from the operation, while investigations in other ASEAN countries are ongoing, Interpol said.

“Strong and effective partnerships between police and the cybersecurity industry are essential to ensure law enforcement worldwide has access to the information they need to address the scale and complexity of today’s cyber threat landscape,” said Interpol director of cybercrime, Craig Jones.

“This successful operation is just one example of how law enforcement is working with industry partners, adapting and applying new technologies to aid investigations, and ultimately reduce the global impact of cybercrime.”

This could well be the first time Magecart hackers have been arrested by police. Digital skimming code is now used by multiple groups around the world, making it harder for police to tackle.

The news comes just weeks after Interpol celebrated another win: a public-private partnership with Trend Micro led to the identification of over 20,000 routers in southeast Asia infected with crypto-mining malware.

Thanks to Operation Goldfish Alpha, police managed to reduce this number by 78% and efforts are continuing to identify the remaining compromised devices.

Categories: Cyber Risk News

Staff Send 130+ Emails Per Week to Wrong Recipient

Tue, 01/28/2020 - 10:30
Staff Send 130+ Emails Per Week to Wrong Recipient

Staff in large enterprises send 136 emails per week to the wrong person, according to new data from Tessian released to coincide with today’s Data Protection Day.

The annual event was launched 13 years by the Council of Europe to recognize the date in 1981 that signatures were invited for Convention 108, the first legally binding international treaty on data protection.

However, despite the introduction of the GDPR nearly two years ago and the filing of over 160,000 breach notifications in the intervening period, poor data protection practices still appear to be rife.

Analyzing data from its global network of clients, Tessian claimed that corporate data is sent to unauthorized or personal email accounts nearly 200,000 times a year, for enterprises of 10,000 employees and up.

For large businesses of 1000 employees, the figure is nearly 20,000, while it drops again to around 5000 for SMBs.

Tessian CEO, Tim Sadler, claimed that human error is still the leading cause of breaches today — whether staff are deliberately breaking the rules or simply being negligent.

“Everyone has an email blunder story. After all, the average worker spends over a third of their working-week on email, so mistakes are bound to happen. But we’re seeing serious repercussions beyond just embarrassment over cc-ing the wrong person – more people are exposing personal and corporate data,” he added.

“These mistakes could see your data falling into the wrong hands and your company facing the regulator’s wrath under GDPR.”

Also known as Data Privacy Day in the US and elsewhere, the event is an opportunity to raise awareness among consumers and businesses of their respective online rights and responsibilities regarding data protection.

The GDPR has already done much to promote these within the EU and beyond, the European Commission claimed in a statement issued to mark the occasion.

“According to Eurobarometer results, the highest levels of awareness among citizens are recorded for the right to access their own data (65%), the right to correct the data if they are wrong (61%), the right to object to receiving direct marketing (59%) and the right to have their own data deleted (57%),” it revealed.

“Our priority and that of everyone involved should be to foster a harmonized and consistent implementation of data protection rules throughout the EU.”

However, the legislation remains a work in progress, according to Dob Todorov, CEO of HeleCloud.

“In truth, a chasm exists between the legal language used and the IT implementation needed to support it. And, while this chasm exists, some businesses will fail to meet the data protection standards that this regulation promotes — either accidentally or through the abuse of the grey areas,” he argued.

“As regulators look to hand out more fines, they should also focus on providing pragmatic and clear guidance at a technical level, without discriminating against current or future technologies.”

Categories: Cyber Risk News

UK’s IoT Law Hopes to Drive Security-by-Design

Tue, 01/28/2020 - 09:40
UK’s IoT Law Hopes to Drive Security-by-Design

The UK government has unveiled a new consumer IoT law designed to prohibit the sale of smart products that fail to meet three strict security requirements.

Drawn up by the Department for Digital, Culture, Media and Sport (DCMS), the proposals would ensure all IoT kit sold in the UK allows users to set unique passwords and not revert them to any factory settings.

This would seem to combat the scourge of Mirai-like malware, which finds exposed devices on the internet and cracks them open with a list of popular default password choices.

Manufacturers of IoT devices would also have to provide a public point of contact so that anyone can report vulnerabilities and have them acted on “in a timely manner.”

The same IoT kit-makers would have to explicitly state the minimum length of time a device will receive security updates at point-of-sale, allowing consumers to decide whether they’re happy with vendor promises.

However, there’s no mention of enforcing a 'kitemark' for consumers which would allow buyers to easily spot whether products have met a minimum standard of security and quality. Such a standard technically exists in the UK, after the British Standards Institution (BSI) introduced one in May 2018, and at a European level, with the launch of ETSI TS 103 645 around a year ago.

It’s also unclear exactly how the UK would prohibit the sale of non-compliant IoT kit, especially items which can be sourced online from China and elsewhere. The majority of the world’s smart gadgets are not manufactured in the UK.

That said, the UK is still ahead of the US in its moves to drive regulation of an industry that exposes consumers and businesses to growing cyber risk.

“Consumer IoT devices can deliver real benefits to individuals and society, but techUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up. TechUK is therefore supportive of the government’s commitment to legislate for cybersecurity to be built into consumer IoT products from the design stage,” argued techUK director of markets, Matthew Evans.

“TechUK has been working on these three principles for the past four years. We support the work to ensure that they are consistent and are influencing international standards.”

Carl Wear, head of e-crime at Mimecast, claimed that the UK push could have a beneficial impact on other parts of the world, although the nature of technology innovation would require revisions to the law.

“The legislation and any accompanying guidance will then need to be re-visited rapidly and updated to maintain an adequate minimum standard of security, as necessary,” he said. “I am certain that this move by the UK will likely prompt consideration of further regulation within other jurisdictions, in order to maintain trust in their own IoT and parity with the security of others.”

The UK’s proposals follow a “world first” voluntary code of practice introduced by the government in October 2018, on which the European standard was based.

Categories: Cyber Risk News

US Rolls Out New Bill to Reform NSA Surveillance

Mon, 01/27/2020 - 17:11
US Rolls Out New Bill to Reform NSA Surveillance

US senators have proposed a bill that would drastically reform the surveillance practices of the National Security Agency (NSA) and increase oversight of government surveillance.

Titled The Safeguarding Americans’ Private Records Act, the bill was introduced on Thursday by Senators Ron Wyden, Zoe Lofgren, Pramila Jayapal, Warren Davidson, and Steve Daines. 

According to a statement on Wyden's website, the changes proposed in the bill will "protect Americans’ rights against unnecessary government surveillance." 

The bill comes ahead of the March 15 expiration of Section 215 of the Patriot Act, which the National Security Agency "used to create a secret mass surveillance program that swept up millions of Americans’ phone calls." The phone record program was terminated last year.

The bill prohibits the "warrantless collection of cell site location and GPS information as well as browsing history and internet search history and ensures that the government cannot conduct collection for intelligence purposes that would violate the Fourth Amendment in the criminal context."

Furthermore, the bill aims to establish the Foreign Intelligence Surveillance Act (FISA) process as the only process by which the government is allowed to carry out surveillance. By doing this, the bill intends to close what it describes as "secret law" loopholes that have allowed the US government to clandestinely conduct surveillance outside the FISA process in the past

Other reforms proposed by the bill are the increase of congressional oversight of government surveillance activities with the addition of new public reporting requirements regarding Americans whose information has been collected under Sections 215 and 702 of the Patriot Act. 

Commenting on the new bill, Jack Mannino, CEO at Virginia-based application security provider nVisium, said: "These are important steps towards protecting the civil liberties and Fourth Amendment rights of citizens. Intelligence agencies do important work, and it's necessary for them to be able to do their jobs, while preserving legal and moral boundaries. States, such as California, have passed legislation to protect internet privacy, and other states are quickly moving in the same direction. Overreaching surveillance erodes trust in the systems we use and our expectation of privacy."

Categories: Cyber Risk News

Major Canadian Military Contractor Compromised in Ransomware Attack

Mon, 01/27/2020 - 16:31
Major Canadian Military Contractor Compromised in Ransomware Attack

A Canadian construction company that won military and government contracts worth millions of dollars has suffered a ransomware attack. 

General contractor Bird Construction, which is based in Toronto, was allegedly targeted by cyber-threat group MAZE in December 2019. MAZE claims to have stolen 60 GB of data from the company, which landed 48 contracts worth $406m with Canada's Department of National Defense between 2006 and 2015.

In an email to the Canadian Broadcasting Corporation (CBC), a Bird Construction company spokesperson wrote: "Bird Construction responded to a cyber incident that resulted in the encryption of company files. Bird continued to function with no business impact, and we worked with leading cyber security experts to restore access to the affected files."

MAZE's modus operandi is to demand a ransom from its victim to secure the return of data that the group has stolen and encrypted. Victims are warned that failure to pay up will result in the data's publication. If a victim refuses to pay, MAZE's next move is typically to publish a small quantity of the data it claims to have stolen to show it means business.

According to Emsisoft threat analyst Brett Callow, MAZE has now published data it claims to have stolen from Bird Construction. The published files contain employees' personal data and information relating to Canadian company Suncor Energy, with which Bird Construction has worked on multiple projects. 

Callow told Infosecurity Magazine: "Maze actually published some of Bird’s data. The files included documents relating to Suncor and records for a couple of Bird employees which included their names, home addresses, phone numbers, banking info, social insurance numbers, tax forms, health numbers, drug and alcohol test results—everything that a criminal would need to steal their identity. And all that info was posted on the clear web where anybody could’ve accessed it." 

The published data, which Infosecurity Magazine has viewed, consisted of two large PDF files, each relating to a separate Bird Construction employee, plus documents detailing vehicle entry authorization and alcohol and drug testing procedures at Suncor.

Callow added: "The big question is: what else did MAZE get and did any of the data relate to Bird's government and military contracts?" 

Bird Construction has not said whether a ransom was paid to its cyber-attackers. Callow advised any company that gets hit by ransomware not to pay up.

He said: "There is no way for a company to know that the data will be deleted after a ransom has been paid. In fact, it probably will not be deleted. Why would a criminal enterprise delete data that they may be able to use or monetize at a later date?"

Categories: Cyber Risk News

US Space Industry to Launch Cybersecurity Portal

Mon, 01/27/2020 - 15:11
US Space Industry to Launch Cybersecurity Portal

Spring 2020 will see the launch of a new US cybersecurity resource designed to protect the space industry. 

Space News reported last Thursday that the Space Information Sharing and Analysis Center, or Space ISAC, is currently in the process of setting up an unclassified portal where companies can share and analyze information on cybersecurity threats. The portal will go live in the tail end of spring. 

The activation of the portal will mark the official start of operations for Space ISAC, which was formally established in April 2019 as a nonprofit organization during a classified session at the 35th Space Symposium in Colorado Springs, Colorado. 

The need to establish a Space ISAC to secure commercial, government, and military space communications from cyber-attacks on global space assets was recognized by the Science & Technology Partnership Forum in 2017. The Forum shared its vision for the organization’s conception in April 2018 at the 34th Space Symposium.

Space ISAC was founded initially by Kratos Defense & Security Solutions. Ten other companies have since joined as founding members, though some wish to keep their connection with the organization under wraps. Firms that have made their membership of Space ISAC public include Booz Allen Hamilton, SES, Parsons Corp, Lockheed Martin, and MITRE, which all joined as founding members.

The senior vice president of Kratos and chairman of the board for Space ISAC, Frank Backes, said that once the new portal is in operation, Space ISAC will work to recruit and vet potential members. The organization is hoping to sign up as many as 200 member companies from the civil, commercial, and national security space sectors.

Annual membership fees will be $10,000 for silver membership, $25,000 for gold, and $50,000 for platinum; however, the organization will consider offering lower rates to small enterprises and startups.

Along with the portal, Backes said that Space ISAC intends to set up a "space systems vulnerability laboratory" for NCC analysts and ISAC members at the National Cybersecurity Center (NCC) in Colorado Springs. 

Space ISAC plans to hold its first ever summit meeting at the NCC's Cyber Symposium in Denver on June 15 and 16 of this year.

Categories: Cyber Risk News

Royal Yachting Association Resets Passwords After Breach

Mon, 01/27/2020 - 11:11
Royal Yachting Association Resets Passwords After Breach

The Royal Yachting Association (RYA) is forcing a password reset for all online users after warning some that their data may have been compromised by a third party.

The UK’s national body for all things nautical appears to have moved quickly in response to the discovery.

“We have recently become aware that an unauthorized party accessed and may have acquired a database created in 2015 containing personal data associated with a number of RYA user accounts. The affected information included email addresses and RYA website passwords which were encrypted and therefore not visible,” it explained.

“The affected information included name, email and hashed passwords — the majority held with the salted hash function, which is used to secure passwords. The affected data did not include any financial or payment information and in this stage in our investigation there is no evidence that this data has been misused — it was legacy test data and it appears that the unauthorized party who gained access to a hosted server subsequently deleted that database.”

Despite passwords being salted and hashed, the RYA is taking no chances and will require all web users to choose a new credential. It is also urging members to be on the lookout for potential phishing scams attempting to capitalize on the breach notification.

“Please note that any email from the RYA about this issue (subject: Important notification regarding RYA Account Security) does not contain attachments and does not request your personal data,” it clarified.

“If you receive an email about this issue which suggests you download an attachment, or asks you for information, the email was not sent by RYA and may be an attempt to steal your personal data.”

Several yachters took to an industry forum warning of such an attempt, until they were reassured that the breach notification email was genuine. Some expressed surprise at receiving the email as they aren’t RYA members, although their email address may have found its way onto the “test” database another way.

Categories: Cyber Risk News

Chrome and Firefox Clamp Down on Suspicious Behavior

Mon, 01/27/2020 - 10:35
Chrome and Firefox Clamp Down on Suspicious Behavior

Both Chrome and Firefox administrators have had to take action recently to halt the spread of malware via extensions and add-ons.

Google developer advocate Simeon Vincent explained over the weekend that the Chrome Web Store team detected an increase in fraudulent activity earlier in the month attempting to exploit users of the popular browser.

“Due to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse,” he continued.

“If you have paid extensions, subscriptions, or in app-purchases and have received a rejection for ‘Spam and Placement in the Store’ this month, this is most likely the cause.

Extension developers will not be allowed to update their offerings while these temporary measures last. Those who want to publish an item that has been rejected are urged to reply to the rejection email and request an appeal.

“You may be asked to republish your item, at which point the review should proceed normally. You must repeat this process for each new version while this measure is in place,” said Vincent.

Unfortunately for developers, there’s no immediate end in sight for these temporary measures.

“We are working to resolve this as quickly as possible, but we do not have a resolution timeline at the moment. Apologies for the inconvenience,” concluded Vincent.

The news comes as rival browser Firefox experiences its own security issues. Mozilla administrators have begun removing scores of dodgy add-ons from the Mozilla Add-on (AMO) portal, and disabling any found in existing browser deployments.

Many of those marked for attention are thought to have been executing code from remote servers, installing malware, deliberately hiding code or eavesdropping on user searches.

Over 120 banned add-ons appear to have been published by a single developer, 2Ring, and were removed for executing remote code — which is illegal according to Mozilla’s add-on rule book.

Categories: Cyber Risk News

Citrix Flaw Exploited by Ransomware Attackers

Mon, 01/27/2020 - 09:45
Citrix Flaw Exploited by Ransomware Attackers

Reports have emerged of multiple attempts to exploit a Citrix vulnerability, delivering ransomware to enterprise victims including a German car manufacturer.

Citrix began patching the CVE-2019-19781 bug in its Application Delivery Controller (ADC) and Citrix Gateway products last week. If successfully exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

At the time, FireEye warned that attackers were exploiting the flaw to deploy a backdoor, named “NotRobin,” in order to maintain access to exposed systems.

In an update, the security vendor claimed on Friday that it had detected efforts to deploy coin miners and ransomware via exploits for the vulnerability.

It traced attacks on dozens of FireEye customers back to ransomware named “Ragnarok,” which appears to have been created in mid-January. The ransom note demands 1 Bitcoin ($8600) to decrypt one infected machine or five ($43,002) for all.

“FireEye continues to observe multiple actors who are currently seeking to take advantage of CVE-2019-19781. This post outlines one threat actor who is using multiple exploits to take advantage of vulnerable internal systems and move laterally inside the organization,” it concluded.

“Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point.”

As FireEye mentioned, there appear to be multiple groups looking to exploit the Citrix flaw in ransomware attacks.

Researchers took to Twitter to reveal efforts by attackers using the Sodinokibi variant, also known as REvil. Victims include German car parts manufacturer Gedia Automotive Group.

“I examined the files #REvil posted from Gedia after they refused to pay the #ransomware. The interesting thing I discovered is that they obviously hacked Gedia via the #Citrix exploit,” explained @underthebreach. “My bet is that all recent targets were accessed via this exploit.”

The news comes after white hats pointed to a critical unpatched flaw in Pulse Secure VPN products as being behind the Travelex ransomware outage.

Categories: Cyber Risk News

Russian Pleads Guilty to Running Online Criminal Marketplace

Fri, 01/24/2020 - 16:10
Russian Pleads Guilty to Running Online Criminal Marketplace

A Russian man has pleaded guilty to running an illegal online marketplace that sold stolen payment card credentials to criminals, who used them to make over $20m in fraudulent purchases.

Before a United States court, Aleksei Burkov admitted operating the Cardplanet website, which sold card data acquired through illegal computer intrusions. Many of the cards offered for sale belonged to United States citizens, with the result that over $20m in fraudulent purchases were made on American credit cards. 

According to the Associated Press, prosecutors said Burkov offered a money-back guarantee to his customers if a stolen card number no longer worked.

The 29-year-old also pleaded guilty to running a second website that served as an invite-only club where elite cyber-criminals could advertise stolen goods and criminal services.

Items for sale on the site included personal identifying information, malicious software, and money laundering and hacking services. 

"To obtain membership in Burkov’s cybercrime forum, prospective members needed three existing members to 'vouch' for their good reputation among cybercriminals and to provide a sum of money, normally $5,000, as insurance," said the Eastern District of Virginia US Attorney's Office.

"These measures were designed to keep law enforcement from accessing Burkov’s cybercrime forum and to ensure that members of the forum honored any deals made while conducting business on the forum."

Burkov was arrested at Ben-Gurion Airport near Tel Aviv in December 2015, and in 2017, an Israeli district court approved his extradition to the United States. Burkov was finally extradited to the United States from Israel on November 11, 2019, after appeals to the Israeli Supreme Court and the Israeli High Court of Justice were denied.

In front of Senior US District Judge T.S. Ellis, III, Burkov pleaded guilty to access device fraud and conspiracy to commit computer intrusion, identity theft, wire and access device fraud, and money laundering. 

Burkov faces a maximum sentence of fifteen years in prison when sentenced on May 8.

Russian officials objected to Burkov's extradition from Israel. According to the Associated Press, Israeli officials have suggested Russia sought Burkov’s release by offering an exchange for Naama Issachar, a 26-year-old Israeli woman who received a seven-year prison sentence in Moscow for drug-related charges.

Categories: Cyber Risk News

US Issues Cybersecurity Warnings Over Flawed Medical Devices

Fri, 01/24/2020 - 15:10
US Issues Cybersecurity Warnings Over Flawed Medical Devices

Warnings have been issued in the United States after cybersecurity flaws were detected in medical monitoring devices manufactured by GE Healthcare Systems (GEHC). 

Safety notices were published yesterday by both the US Food and Drug Administration (FDA) and the US Department of Homeland Security's Industrial Control Systems—Cyber Emergency Response Team (ICS-CERT) regarding vulnerabilities in certain clinical information central stations and telemetry servers.

Exploitable flaws in the ApexPro and CARESCAPE telemetry servers, in version 1 of the CARESCAPE Central Station, and in CIC Pro Clinical Information Center Central Station version 1 were discovered by CyberMDX.

The flawed devices are used mostly in health care facilities for displaying information regarding the physiologic parameters of a patient, such as heartbeat and blood pressure. They are also used to monitor the status of a patient from a central location in a facility, such as a nurse’s workstation.

The FDA said the vulnerabilities "may allow an attacker to remotely take control of the medical device and to silence alarms, generate false alarms and interfere with alarms of patient monitors connected to these devices."

ICS-CERT said that an attacker could use the flaws to obtain protected health information (PHI) data and to make the device unusable. 

In a statement published yesterday, GEHC said: "In the instructions provided with the devices, GEHC requires that the MC and IX networks are properly configured and isolated from other hospital networks. If those instructions are not followed, a vulnerable situation can exist where an attacker could gain access to the MC and IX networks via the hospital network."

GEHC has published instructions for risk mitigation along with instructions on where to find software updates or patches when they become available.

The FDA said yesterday that it was "not aware of any adverse events related to this vulnerability," while also saying that such incidents may be extremely hard to detect. 

"These vulnerabilities might allow an attack to happen undetected and without user interaction. Because an attack may be interpreted by the affected device as normal network communications, it may remain invisible to existing security measures," said the FDA.

In a statement published yesterday, GE Healthcare said: "There have been no reported incidences of a cyber-attack in a clinical use or any reported injuries associated with any of these vulnerabilities."

In July 2019, ICS-CERT issued a warning after vulnerabilities were detected in GE anesthesia and respiratory devices, GE Aestiva and GE Aespire (models 7100 and 7900).

Categories: Cyber Risk News

London Police Adopt Facial Recognition Technology as Europe Considers Five-Year Ban

Fri, 01/24/2020 - 14:14
London Police Adopt Facial Recognition Technology as Europe Considers Five-Year Ban

London's Metropolitan Police Service has announced that it will start using live facial recognition (LFR) technology to scan public areas for suspected criminals. 

After trialing the technology for two years, the Met has said that it will have cameras up and running within a month. The cameras will be linked to a database containing images of suspects. In the event that a suspect is identified by the camera, an alert will be generated.

According to senior technologist with the Met, Johanna Morley, the facial recognition technology has an accuracy rate of 70%. Morley said false identifications were made by the cameras one in a thousand times. 

Nick Ephgrave, an assistant commissioner, said: "As a modern police force, I believe that we have a duty to use new technologies to keep people safe in London. Independent research has shown that the public support us in this regard."

Civil liberties groups have described the planned introduction of the technology as "a breathtaking assault on our rights."

The Met said the cameras will only be deployed after consultation with local communities. Active cameras will be displayed overtly, leaving the public in no doubt that they are being watched as they go about their daily lives. 

Commenting on the Met's decision to introduce LFR, the director of Big Brother Watch, Silkie Carlo, said: "It flies in the face of the independent review showing the Met’s use of facial recognition was likely unlawful, risked harming public rights and was 81% inaccurate."

A spokesperson for the campaign group Liberty said: "This is a dangerous, oppressive and completely unjustified move by the Met. Facial recognition technology gives the state unprecedented power to track and monitor any one of us, destroying our privacy and our free expression."

In September 2019, Cardiff's high court ruled that police use of automatic facial recognition technology to search for people in crowds is lawful. The technology is currently being used by South Wales police.

The Met is the biggest force in the UK, with jurisdiction over London and Greater London, with the exception of the City of London, which has its own territorial police force.

News of the Met's decision comes a week after the European Commission revealed it is considering a ban on the use of facial recognition in public areas for up to five years while regulators try to work out a way to prevent the technology from being abused.

Categories: Cyber Risk News

#BSidesLeeds: Credential Stuffing Often Seen as “Volume” Cybercrime

Fri, 01/24/2020 - 14:00
#BSidesLeeds: Credential Stuffing Often Seen as “Volume” Cybercrime

Speaking at BSides Leeds, security researcher Darren Martyn explored the issue of credential stuffing, calling it an “exploding problem on the internet” and the “cyber-equivalent of volume crime.”

Saying that credential stuffing is “aided by data leaks,” Martyn argued that nothing much has been done about it “as it is not cool like ransomware, but the problem exists, and it affects everyone.”

The problem is further enhanced by tools created to enable credential stuffing to be done much more easily, and tools which are sold purely “to engage in post-compromise monetization strategies.” He said that as little as $10 can get you dumps of passwords which has been done by “low level hacking” and most of the tools are “idiot proof.”

He added that “kids revolutionized testing while we were writing Python scripts, and the kids write things that actually work.” As well as low level hacking efforts, you can build tools to do searches for data sets for you, and in his research he had stumbled across hundreds of accounts

In terms of how this makes money, he said that he had “cosplayed as a cyber-criminal” to find more information, and said that there is a “fantastic secondary market for logins” as people can add cash to gift cards using stored credit cards, or in video games where you can pay for in-game items.

Martyn said that despite the scale of the problem, “no-one cares as it affects the consumer who cannot pay for pen testing” and they are left out of pocket, “while the criminals laugh all the way to the bank.”

In terms of protection, he recommended consumers use a password manager and two-factor authentication to better protect their details and logins, while businesses should look to make automated login testing hard, but there were problems with rate limiting, temporary IP blocks and captchas as they can be bypassed.

Asked by Infosecurity what a good first step would be to better prevent credential stuffing attacks, Martyn said that, if you are a company, start by trying to make it expensive for the attacker.

“Rate limiting, temporary IP blocks and captchas don’t prevent, they just slow down,” he said, “but actually put in logging as you will know straight away when you are getting lit up by some script kiddie with Sentry, and your application logs start showing 'gajillions' of logins. See if your API is being brute forced, as no one really checks.”

Categories: Cyber Risk News

#BSidesLeeds: Cyber is Running the World, More Innovation to Come

Fri, 01/24/2020 - 11:35
#BSidesLeeds: Cyber is Running the World, More Innovation to Come

In the opening keynote at BSides Leeds head of cybersecurity research Daniel Cuthbert said that we are “in the best industry in the world” and, having spent 27 years doing cybersecurity, he has seen that it is the “misfits and weirdos who are doing amazing things.”

Cuthbert said that we are “going through interesting times” in what we are calling the 'fourth industrial revolution,' “and it is good as it is about cyber” and there has been a fundamental change in how we relate and talk.

Pointing to the 1984 film Revenge of the Nerds, he explained that if you look at the most powerful people in the world, they are people like Elon Musk and Mark Zuckerberg, and “people in technology impact how we work.”

Cuthbert also pointed out that law makers and politicians are getting more involved in cybersecurity issues, as once 'Spot the Fed' was played at DEFCON, distinguishable by their smart-casual clothing, eventually “they saw the need to get people like us back in the fold.”

This was made further evident by the likes of San Bernadino district attorney Michael Ramos using the term “lying dormant cyber-pathogen” after the shooting and locked iPhone debate, and Cuthbert also pointed at the FBI now having a dedicated page for cyber-criminals, which was mostly made of foreign nationals.

“Don’t stop what you’re doing; we do amazing stuff and people watch what we do,” he said.

Categories: Cyber Risk News

European Energy Firm Targeted by RAT Linked to Iran

Fri, 01/24/2020 - 11:30
European Energy Firm Targeted by RAT Linked to Iran

Security researchers have discovered a new cyber-espionage operation with links to Iranian state hacking groups targeting a major European energy organization.

Recorded Future’s Insikt Group detected command-and-control (C&C) communications between a C&C server and the victim organization, from late November 2019 until at least January 5 2020.

The C&C server is associated with PupyRAT, an open source, post-exploitation remote access Trojan (RAT) used in the past by multiple Iranian threat actor groups such as APT33 and Cobalt Gypsy.

“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion,” the security vendor wrote.

“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe.”

Recorded Future emphasized that the activity pre-dates the current escalation in tensions between the West and Tehran, following the US assassination of a leading Iranian general and the downing of a civilian aircraft by Iranian soldiers.

Security experts have warned that the stand-off could lead to a new wave of Iranian attempts to compromise and disrupt critical infrastructure in the US and elsewhere.

In fact, as Recorded Future argued, Iranian state hackers have been “amassing operational network infrastructure throughout 2019,” and shifted their focus from IT networks to physical control systems in utilities, manufacturing facilities and oil refineries.

The firm urged organizations take a defence-in-depth approach to guard against RATs like PupyRat.

This includes: implementing multi-factor authentication, and/or using a password manager to store unique, strong credentials, monitoring for sequential login attempts from the same IP against different accounts and analyzing and cross-referencing log data.

Categories: Cyber Risk News

Ransomware Payments Doubled and Downtime Grew in Q4

Fri, 01/24/2020 - 10:25
Ransomware Payments Doubled and Downtime Grew in Q4

The average ransomware payment more than doubled quarter-on-quarter in the final three months of 2019, while average downtime grew by several days, according to the latest figures from Coveware.

The security vendor analyzed anonymized data from cases handled by its incident response team and partners to compile its Q4 Ransomware Marketplace report.

It revealed that the average payment in the quarter was $84,116, up 104% from the previous three months. Coveware claimed the jump highlights the diversity of hackers utilizing ransomware today.

“Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout. For instance, Ryuk ransom payments reached a new high of $780,000 for impacted enterprises,” it argued.

“On the other end of the spectrum, smaller ransomware-as-a-service variants such as Dharma, Snatch, and Netwalker continue to blanket the small business space with a high number of attacks, but with demands as low as $1500.”

That said, Sodinokibi (29%) and Ryuk (22%) accounted for the majority of cases spotted in Q4 2019. Attackers using the former variant began during the quarter to use data theft to force firms to pay-up, which may have increased the figure for total losses.

Also during the quarter, the amount of downtime experienced by victim organizations increased from the previous three months — from 12.1 to 16.2 days. This increase was driven by the larger number of attacks targeting major enterprises with more complex network architectures, which can therefore take weeks to restore and remediate, Coveware claimed.

Phishing, RDP targeting and vulnerability exploitation remain the most popular attack methods, it added. Professional services (20%), healthcare (19%) and software services (12%) were the top three sectors targeted.

According to the data, 98% of organizations that paid a ransom received a decryption key, and those victims successfully decrypted 97% of their data. However, with multi-million-dollar ransoms now commonplace, the official advice is still not to give in to the hackers’ demands, especially as it will lead to continued attacks.

Categories: Cyber Risk News

Pages