Businesses are continuing to rely on passwords, and those that are implementing additional authentication factors are choosing outdated options like static questions and SMS codes that leave them vulnerable to data breaches.
That’s the word from Javelin Strategy & Research’s 2017 State of Authentication Report, based on two online surveys of 200 businesses with customer portals and 200 with employee portals. It found that half of all respondents still use only passwords to protect company IP and financial data. For the half that do offer at least two factors when authenticating their customers, they tend to use the weakest options: Static questions (31%) or SMS one-time passcodes (25%) are the most prevalent additional factors for customer authentication online.
Meanwhile, only 35% of enterprises use two or more factors for authenticating their employees to data and systems. Across both groups, high-assurance strong authentication (i.e., factors predicated on possession, such as a security key or on-device biometrics) is rare: only 5% of businesses offer the capability to customers or use it within the enterprise. The most common authentication method after passwords is static questions (26%).
“Not all multi-factor authentication combinations are created equal, and it’s time to set a new yardstick with which to measure strong authentication methods, with the strongest deemed ‘high assurance,’” said Al Pascual, senior vice president and research director, Javelin Strategy & Research. “Many consumer devices are coming equipped with built-in capabilities that enable high-assurance strong authentication, reducing costs and complexity for all stakeholders. We believe that the adoption of high-assurance strong authentication will only increase in the months and years to come, and data breaches as the result of credential theft to decline.”
Integration and user experience are the priority: Companies’ implementation of authentication solutions is mostly driven by a solution’s ease of integration, according to the report. Also, if a solution has a perceived negative impact on the user experience, companies will resort to the easier second factors like static security questions.
“So many of our commercial transactions today take place over the internet, and we’ve seen time and again that passwords, and even one-time-passcodes, do not provide sufficient protection against today’s threats,” said Brett McDowell, executive director at the FIDO Alliance, which sponsored the report. “Stronger ‘high-assurance’ authentication options that bind credentials to the device so they cannot be stolen are now widely available.”
A major offshore law firm has admitted a data security incident last year could lead to the imminent public exposure of its high net worth clients’ financial details.
Bermudan firm Appleby, which claims to be one of the world’s largest providers of “offshore legal services”, came clean in a lengthy statement issued yesterday.
The statement seems to be an attempt to head off expected reports led by the International Consortium of Investigative Journalists and its media partners, which Appleby said would contain “allegations made against our business and the business conducted by some of our clients”.
“Appleby has thoroughly and vigorously investigated the allegations and we are satisfied that there is no evidence of any wrongdoing, either on the part of ourselves or our clients. We refute any allegations which may suggest otherwise and we would be happy to cooperate fully with any legitimate and authorised investigation of the allegations by the appropriate and relevant authorities.”
It's unclear what bombshells lie in store. However, the incident comes around 18 months after a huge volume of highly sensitive data was stolen from Panama-based law firm Mossack Fonseca, exposing the private financial dealings of the super-rich and of associates of world leaders including Vladimir Putin and Xi Jinping.
Appleby said a leading forensics firm has since reviewed its cybersecurity and “data access arrangements”.
The firm maintains that the allegations set to land “are unfounded and based on a lack of understanding of the legitimate and lawful structures used in the offshore sector”.
The incident once again highlights why law firms are such a highly prized target for hackers: they hold highly sensitive data on their clients.
In January, three Chinese nationals were charged with hacking the servers of two US law firms, using the info they stole to make millions in illegal trades.
“Many of the allegedly compromised documents are extremely sensitive and normally should exist only on paper. If the law firm digitized them without the highest degree of care, it may be found liable for negligence and have to compensate the victims of the breach,” argued High-Tech Bridge CEO, Ilia Kolochenko. “On their side, the law firm can try to implead the IT company who installed the digital system, especially if they had an indemnity clause in their contract.”
Businesses are not seeing the requirements of GDPR as serious, and continue to be confused by what is required.
According to the Risk:Value report from NTT Security, based on a survey of 1,350 business decision makers, 39% of European respondents identified GDPR as a business risk, while 33% identified ISO 27001/2 as a compliance requirement they are subject to, and 23% identified PCI DSS.
According to the report, ‘many global companies are still unaware of how they will be affected by GDPR, and certainly don’t understand the implications of the new rules’.
Rory Duncan, head of the security business unit for UK&I at Dimension Data, said that GDPR is being seen as something for the IT department to deal with, when it is in fact an issue for the entire business and about how it processes data.
“It is about how do we process that data within the organization and how do we respond to the other requirements that are not IT security requirements that GDPR requires, and there is a lot of talk about people focusing on the fines but in a way the fine will be incidental compared to the reputational loss,” he said.
“If you get breached, and the likelihood is you have been breached, you will have to declare that you lost that data and what happens next is how you declare that and that is the challenge to your organization. What will happen next is the ICO will come in and look at your processes and whether you were able to define what happened.”
Kai Grunwitz, Senior Vice President EMEA of NTT Security said that a lot of people struggle with knowing what to do with GDPR, and businesses have to consider dealing with ‘right to be forgotten’ and 72 hour breach notification, and it is a “handle turning process” of knowing what to do.
Asked by Infosecurity if businesses understand the challenge of GDPR, Simon Williams, CEO of NTT Data, said that there is a massive lack of understanding at the C-level. “I was sitting with the COO of a UK insurance company recently and he said ‘I’ve been doing some internet research on what is GDPR and what I need to do in my organization, is that something you can help us with’ and there was a stunned silence in the room as we said yes, but we took them on the journey to help them understand the potential impact to the organization. So there are a lot of people leaving it very late.”
Grunwitz said the most successful projects he had seen had a dedicated team fully assigned to GDPR, because it was perceived as a business risk; some organizations had invested ‘significant millions of dollars’ in that work rather than be exposed to a fine.
In another statistic from the report, respondents were asked “if your information was stolen in a security breach, how would your organization be affected” to which 55% said that loss of confidence was the main concern, followed by damage to brand/reputation (51%) and direct financial loss (43%).
Consumer rights group Which? is calling for changes to the UK Data Protection Bill to make it easier for breach victims to seek redress, after revealing that 8% of UK adults believe their data has been stolen in the past year.
The group wants the legislation, currently being debated in parliament, to be changed so that independent organizations acting in the public interest can help groups of affected consumers collectively seek redress in the event of a breach.
Which? claimed 74% of the more than 2,000 consumers it surveyed supported the idea.
A fifth of Brits (20%) said they wouldn’t know how to start a claims process following a data breach, and a similar number (22%) claimed they wouldn’t know who is responsible for helping them when data is lost.
The rights group said 8% of those it spoke to think they have been subject to a data breach in the past year, while 73% say they’re concerned the personal information they have shared online could be at risk of a privacy leak.
“Data breaches are now more commonplace and yet many people have no idea what to do or who to turn to when their personal data is compromised,” argued Alex Neill, managing director of Which? home products and services.
“The government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action following a data breach.”
David Emm, principal security researcher at Kaspersky Lab, welcomed the move but argued that it’s also important for the general public to recognize the value of personal information.
“New data protection laws are designed to make organizations more careful, but regardless of this, it is important that, at an individual level, we know what information is being kept and how it’s being handled – which will also reduce the likelihood of it falling into the wrong hands,” he added.
“Being vigilant online needs to become second nature. Undertaking simple steps, like regularly changing passwords, reviewing default settings on social media and using internet security software across all devices can significantly help protect data.”
The Data Protection Bill will effectively transpose the GDPR into UK law, so the rules will still apply post-Brexit.
Kaspersky Lab has released the results of an internal investigation into the suspected theft by Russian spies of NSA hacking tools from a contractor’s laptop, which seem to clear it of wrongdoing alleged in US media reports.
The Moscow-headquartered vendor has been under fire over the past few months after reports in various outlets including the Washington Post and Wall Street Journal indicated its products may have been used by Russian intelligence to harvest the data; potentially with the firm’s knowledge.
A New York Times story earlier this month then claimed that Israeli spies, who had compromised Kaspersky Lab’s own network, had spotted Kremlin hackers using its tools, evidence they passed on to Washington, which then banned the use of all Kaspersky products on federal systems.
However, Kaspersky Lab now says it has reviewed telemetry logs in relation to “alleged 2015 incidents described in the media”.
Most notably, it claims the NSA worker in question, who took home the stolen classified materials, disabled the Kaspersky Lab software running on his PC after it detected new versions of Equation APT – malware linked to the US spy agency.
“Following these detections, the user appears to have downloaded and installed pirated software on his machines, as indicated by an illegal Microsoft Office activation key generator (aka ‘keygen’) which turned out to be infected with malware. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.
To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine. Our telemetry does not allow us to say when the anti-virus was disabled, however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run. Executing the keygen would not have been possible with the anti-virus enabled.”
This “full blown backdoor” could have allowed third parties to access the user’s machine, Kaspersky Lab claimed.
An unspecified time later, the same user re-enabled the Kaspersky Lab software, and new malicious variants of Equation APT were sent back to the vendor’s servers for analysis.
“After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO,” it added. “Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.”
Kaspersky Lab claimed no further detections were received from the user in 2015 and there have been no other incidents or third-party intrusions to date, except the “Duqu 2.0” intrusion thought to be the work of Israeli spies.
What’s more, Kaspersky Lab stated that it has never built detections for non-malicious documents into its products based on keywords like “top secret” and “classified”, as alleged in a WSJ story.
The only question mark remains around the timing of the incident. Most reports have it as 2015, while Kaspersky Lab claimed it happened in 2014. The firm went public with its findings on the NSA’s Equation Group in February 2015.
As part of its efforts to prove its innocence, Kaspersky Lab this week launched a Global Transparency Initiative under which it plans to offer its source code for independent third party review.
The hackers responsible for the leak of unreleased Netflix content earlier this year are back, claiming to have lifted reams of sensitive cosmetic surgery photos from a famous UK clinic catering to celebrities and royals.
The Dark Overlord said that it plans to release the trove on the internet, naturally, including images of breast augmentation and other extremely private pictures.
The victim, the London Bridge Plastic Surgery (LBPS) clinic, confirmed it had been hacked and said that it’s working with the Metropolitan Police to investigate what exactly has been stolen.
For its part, the Dark Overlord said it has terabytes of data.
"We're going to pitch it all up for everyone to nab. The entire patient list with corresponding photos,” the hackers claimed in a letter sent to The Daily Beast. "There are some royal families in here…The world has never seen a medical dump of a plastic surgeon to such a degree.”
The hackers also sent the outlet a selection of photos, many with close-ups of genitalia, to prove they have what they say they do. The Daily Beast ran an analysis:
None of a selection of tested photos returned any matches from Google reverse image searches, implying that they were indeed obtained from a private source. Several pictures include LBPS’ chief surgeon Chris Inglefield, wearing his distinctive, multi-colored head scarves. In one image, he is wearing an identical head scarf to that in an image on LBPS’ website.
In addition to its infamous Netflix heist, the group has gone after healthcare information before, including putting 9.2 million patient records up for sale on a dark web marketplace. The situation should serve as a reminder to businesses that criminals often go after more than just financial information.
"The attack highlights the importance for businesses to understand the data they store or process and the threats against them,” said Javvad Malik, security advocate at AlienVault. “More often than not, companies will place a lot of effort into securing financial records, but not so much into other forms of data they hold. Blackmail, extortion, and even embarrassment opportunities are enough for criminals to go after any form of data. Therefore, it is essential that assets are properly identified and classified and appropriate security controls are implemented, not just to protect the data, but also to monitor for threats so it can detect and alert when a breach is occurring or soon after."
As for apprehending the people behind the Dark Overlord, “If the cybercriminals here were professionals, they will likely keep the photos and silently demand ransom from all the victims,” said Ilia Kolochenko, CEO of High-Tech Bridge. “In this case, the police will unlikely be able to help, as technical means used by professional black hats assure almost absolute anonymity even when the ransom is paid.”
He added, “Otherwise, if photos will be just leaked online—we can infer that the attack was conducted by hacktivists or script kiddies, and law enforcement may have some chance to track and prosecute them. We can also imagine a third scenario of a sophisticated attack organized by a competitor aimed just to ruin the image of the clinic, but it’s quite unlikely as it will undermine trust in the entire industry. In any case, it’s a clear message that cybersecurity can impact everyone regardless of his or her wealth, activity or citizenship.”
Cybersecurity is in the lead when it comes to the areas that IT pros would like to work in—though many feel they lack the skills to do so.
According to a report from industry association CompTIA, a majority of the 820 IT professionals surveyed (51%) express an interest in working on cybersecurity-related issues, well ahead of other cutting-edge issues such as the internet of things (30%) and artificial intelligence or machine learning (20%).
However, the results show that the industry will struggle to fill the millions of jobs in cybersecurity and other areas that are expected to be available through 2024. For example, nearly one-quarter of respondents say they are concerned about their skills becoming obsolete.
“The tech industry’s challenge is America’s challenge: developing a robust workforce that can effectively fill the IT jobs of the 21st century, whether those jobs are in cybersecurity, IoT, AI or some new technology that’s still to come,” said Nancy Hammervik, executive vice president, industry relations at CompTIA.
Another major issue for the future of tech jobs is what CompTIA has identified as a “confidence gap,” where the lack of diversity in the tech industry has many potential workers thinking that a career in tech is not for them.
Among women IT pros surveyed, 34% say they ended up in an IT role after working in non-IT jobs. This finding aligns with earlier CompTIA research, which found that though boys and girls generally use technology in about equal numbers, girls and young women have less access to information about careers in the technology field: fewer opportunities for classroom instruction, less encouragement about career options from parents, and a lack of access to female role models who work in the tech industry.
“In the United States alone, we expect 1.8 million tech workers to join the labor force through 2024,” Hammervik said. “We need to attract and recruit a diverse workforce of individuals, with and without college degrees, and support them in their career growth.”
In the good-news column, a net 79% of IT pros said they are satisfied with their jobs, up from 73% in 2015. Nearly three-quarters (73%) feel their job provides them with a sense of personal accomplishment; while 71% believe their job makes good use of their talents. Also, amidst the heightened interest in cybersecurity, respondents said they are seeing more opportunities for training and networking.
A ransomware dubbed BadRabbit, believed to be a Petya variant, is hopping its way across Eastern Europe and Russia. Details are just starting to emerge, but it could also be tied to a string of ransomware attacks on critical infrastructure in Ukraine.
BadRabbit was first spotted attacking Russian media outlets on Tuesday, including the news agency Interfax, according to security firm Group-IB, which posted a screenshot of the ransom screen. Other security firms have followed with their own early research and detections, with the consensus being that the malware is a variant of the Petya ransomware. The attackers are demanding 0.05 bitcoin as ransom—or about $280 at the going exchange rate.
ESET researchers meanwhile reported this morning on a ransomware attack affecting targets in Ukraine, including the Kiev Metro, the Odessa airport and various governmental organizations. ESET analysis revealed it to be a new form of the Diskcoder ransomware, also a Petya variant, which infamously hit organizations in Ukraine and globally back in June, including pharma behemoth Merck and Maersk, the shipping giant. ESET indicated that it believes this Diskcoder variant and BadRabbit are the same malware under different names, though other security firms haven’t linked the two waves of attacks yet.
“I caution everyone to look very closely at the organizations that are affected,” said JASK director of security research Rod Soto, via email. “Targeted campaigns can use several ‘look alike’ payloads, but in the background the code may do different things. In appearance it may look like another ransomware campaign, but actual payloads may differ depending on actual targets. This can only be determined by looking at all the malicious code that was distributed, which is not easy—but circumstantial and geopolitical factors may give us a clue.”
Analysis is just starting on this latest wave of attacks, but ESET researchers have determined that the code used in the Ukraine attacks incorporates Mimikatz as a tool to extract credentials, and that it spreads via fake Flash updates. Separately, another ESET researcher said that it uses the EternalBlue exploit, as WannaCry and the Diskcoder attack in June did.
Kaspersky Lab meanwhile said in a preliminary post on the malware that hit the news outlets that early indicators show that the attacks are targeting corporate networks, mostly in Russia but also Ukraine, Turkey and Germany, and that it uses an infection vector similar to Petya (which it calls ExPetr)—but that it couldn't confirm yet whether the two are related.
“It's important to separate the infection vector (and spreading mechanisms) from the payload. In the past, worms and other malware would spread more covertly, but with ransomware, the primary goal is to be detected,” said ex-NSA computer scientist and Obsidian Security CTO Ben Johnson, via email. “It's more [of an] in-your-face cyber-attack than in the past. For the infection vector, attackers are getting smarter about how they compromise more systems, and we will continue to see campaigns like this because they work.”
Beyond what is being seen, there's always the chance that the motive isn't actually ransomware, he added.
“Perhaps ransomware is a nice distraction, or it generates some extra cash, but rather there is a more sinister payload embedded in the attack,” Johnson said. “I haven't looked at any technical information to suggest this, but criminals and attackers are getting smarter and more deliberate in how they operate.”
This story is developing, and more details are expected soon as security firms make their way through their analysis.
A third man has pleaded guilty to charges relating to the 2014 'Celebgate' iCloud attacks in which explicit private photos of around 100 celebrities were stolen and leaked online.
Emilio Herrera, 32, of Chicago, admitted violating the Computer Fraud and Abuse Act by launching phishing attacks to access 550 Gmail and iCloud accounts, 40 of which belonged to male and female celebrities, according to Variety.
From April 2013 to August 2014, Herrera reportedly sent phishing emails spoofed to appear as if sent from official Apple, Gmail, Hotmail and other providers.
Once harvested, he’d use the log-ins to access his victims’ accounts, also employing software from Russian company Elcomsoft to download iCloud photos and videos in bulk at high speed, before the victims could change their log-ins.
The plea entered by Herrera apparently maintains that he intended to keep the content himself, with no evidence to suggest he disseminated the material to the wider internet.
The two other men charged and jailed for similar crimes are said to have used the same phishing techniques to obtain the photos.
Pennsylvania man Ryan Collins was given 18 months behind bars after pleading guilty in March 2016 to hacking 50 iCloud accounts and 72 Gmail accounts, while Edward Majerczyk of Chicago was handed just nine months despite breaking into the accounts of more than 300 people.
It should be added that not only celebrities were targeted by these attacks. Herrera, for example, reportedly accessed a neighbor’s Gmail account 495 times.
Law enforcers have yet to catch the perp who disseminated the hacked material to the internet.
The material first appeared at the end of August 2014 when a trove known as “the fappening” appeared online.
Phishing has become an increasingly popular tactic not just to target consumers but also corporate users, as the first stage in covert info-stealing raids.
Verizon claimed in its most recent Data Breach Investigations Report that the tactic played a part in 21% of breach-related attacks in 2016, up from only 8% the previous year.
In a time of ‘transformation and automation’ where robots could take our jobs, there is still room for the human to keep the robots sane, said BlackBerry’s CEO.
Speaking at the BlackBerry Security Summit in London, BlackBerry CEO John Chen focused on the growth of cybercrime and claimed that the cost of attacks will increase from the 2016 numbers of $400 billion, to $6 trillion by 2021; while the cybersecurity spend will increase from $80 billion to $1 trillion.
Talking about the growth of BlackBerry, Chen said that machine learning and artificial intelligence (AI) were part of a new movement in enhancing security, and that people were working on this both in the universities BlackBerry partners with and within its own research departments. BlackBerry, he said, “continues to maintain to know how technology works”.
Speaking to Infosecurity, Chen said that this is an area of expansion as analytics is not something any technology company could avoid. “If anyone tells you they are not interested in or working on analytics then that is basically nonsense”.
Chen continued: “The machine has progressed to the point where it can do everything that the human can do, and some more. So analytics is what the point is now, and the driver of analytics will create opportunities in the AI world, into the machine learning world, and into the predictability world.
“So if you are like us in the security business, you have to have predictability, and forward looking machine learning has to be part of the equation as today’s security is very much a reactive and pattern-driven technology. We need to be more predictive...and there has to be companies focused on machine learning technology.”
Also with a strong focus on IoT, Chen said security is not about a magic pill that will solve things, and companies need a cybersecurity process and mindset that is enterprise and company-wide, and not department by department.
Under-25s are more than twice as likely to be caught out by phishing attacks as those over 55, according to new research from the UK government-backed Get Safe Online.
Some 11% of younger adults (18-24-years-old) have fallen victim to a phishing attack, versus only 5% of over-55s, according to new stats released to coincide with awareness-raising campaign Get Safe Online Week.
Younger adults are also likely to lose more money; on average £613, compared to £214 for the over-55s.
The research revealed that, contrary to popular belief, younger netizens are less tech-savvy than their older counterparts in that they are too trusting of online communication.
Some 40% of under-25s said they “carefully read and re-read all emails”, compared to 69% of over-55s, while half (51%) of younger adults admitted regularly “replying to or clicking links in unsolicited or spam emails”.
Almost half of all reported fraud in the UK is now online, according to the National Fraud Intelligence Bureau (NFIB), although the figure may be even higher.
While NFIB stats show 152,583 cyber-enabled crimes were reported to Action Fraud in the past year, the ONS revealed 1.9m online fraud incidents.
Tim Ayling, EMEA director of fraud and risk intelligence at RSA Security, claimed young people spend more of their time online, leaving a trail of personal information behind them.
“Cyber-criminals are adept at following this trail of breadcrumbs back to their target, and are ruthless when it comes to using this information against them for financial gain”, he added. “Young and old alike, the British public needs to have greater awareness of phishing attacks, and take better care to protect themselves online.”
Andrew Martin, CEO and founder of anti-fraud vendor DynaRisk, argued there’s a misconception that scammers only target older generations because they think they have more money and are more vulnerable.
“From using different passwords for each online account, to regularly checking to see if personal details have been lost in a breach, consumers of all ages need to be taught to be more vigilant online and know the red flags of phishing attempts like this,” he explained.
Two websites run by the Czech Statistical Office (CSU) were taken offline after a DDoS attack at the weekend tried to disrupt reporting of the country’s parliamentary elections.
The results of the election, held on Friday and Saturday, were posted to the sites; showing billionaire Andrej Babiš’ populist ANO party with the largest share of the vote at nearly 30%.
A statement on the CSU site reportedly read as follows:
“During the processing, there was a targeted DDoS attack aimed at the infrastructure of the O2 company used for elections. As a result, servers volby.cz and volbyhned.cz had been temporarily partly inaccessible. The attack did not in any way affect either the infrastructure used for the transmission of election results to the CSU headquarters or the independent data processing."
The sites are now back up and running.
It’s unclear whether the attacks were launched in response to the result. Babiš is a controversial figure in the country and is currently facing fraud charges, although reports suggest he will still be named Prime Minister by President Milos Zeman.
Corero Network Security director, Sean Newman, claimed DDoS attacks targeting elections can have a serious impact on the democratic process.
“Organizations of all types and sizes, including governments, need to ensure they have effective protection in place,” he added. “Only the latest truly real-time DDoS protection solutions can automatically and surgically block attacks and leave regular traffic unimpeded, to ensure that web-based resources remain continually operational and, in this case, the democratic process is not impacted.”
Earlier this year, another cyber-attack was discovered targeting the Czech government, in what some claimed was an attempt to weaponize confidential information to sway voters.
The attack targeted Czech Foreign Ministry staff, with some reports claiming hackers managed to download private emails from foreign minister, Lubomir Zaoralek, and his deputy.
Zaoralek claimed the hack was similar to that which compromised the Democratic National Committee (DNC) ahead of the US presidential election.
The Russian hacking group known as APT28 (aka Fancy Bear or Sofacy) is back, ironically targeting people with an interest in cybersecurity using a decoy document relating to the Cyber Conflict US conference.
The CyCon US event is a collaborative effort between the Army Cyber Institute at the United States Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence. The decoy, named Conference_on_Cyber_Conflict.doc, contains two pages carrying the logos of the organizer and the sponsors. The exact text of the document is available on the conference website, so the attackers probably copied and pasted it into Word to create the malicious document.
“Analysis of this campaign shows us once more that attackers are creative and use the news to compromise the targets,” said researchers at Cisco Talos, which uncovered the campaign. “This campaign has most likely been created to allow the targeting of people linked to or interested in cybersecurity, so probably the people who are more sensitive to cybersecurity threats.”
The firm found that the payload is a new variant of Seduploader, a reconnaissance malware that the group has been using for years. The new version has a few modifications to help it avoid detection based on public indicators of compromise.
The payload features are similar to those of previous versions of Seduploader, and allow screenshot capture, data and configuration exfiltration, remote code execution and file downloading. As opposed to previous campaigns performed by this actor, this latest version does not contain privilege escalation.
Also, unlike previous campaigns from the actor, the flyer does not contain an Office exploit or a zero-day, but simply contains a malicious Visual Basic for Applications (VBA) macro.
“Due to this change, the fundamental compromise mechanism is different as the payload is executed in a standalone mode,” Cisco researchers noted, in a blog. “The reasons for this are unknown, but, we could suggest that they did not want to utilize any exploits to ensure they remained viable for any other operations. Actors will often not use exploits due to the fact that researchers can find and eventually patch these which renders the actors' weaponized platforms defunct.”
Residents of Asia Pac, and in particular South Korea, are in the crosshairs of a resurgence in the Magnitude Exploit Kit, which is being used to distribute the Magniber ransomware.
According to FireEye, the Magnitude EK has been quiet since last September, when it was seen to mostly be targeting Taiwan victims. However, it roared back into action last week, now seen focusing solely on South Korea. It also switched up its payloads—previously it had been distributing Cerber ransomware.
The first reappearance of the EK in this latest campaign came as a malvertising redirection. Trend Micro, in a separate analysis, found that these malvertisements filter victims using the geolocation of the client IP address and system language. It’s a staple technique used by EKs and other cyber-criminal campaigns to evade detection and hide their activities from security researchers.
However, the analysis shows that the Magniber ransomware payload only seems to target Korean systems, since it won’t execute if the system language is not Korean; this makes Magniber one of the few country- or language-specific ransomware families out there.
“While many ransomware families like Cerber, SLocker and Locky are increasingly pinpointing their targets, they’re still distributed globally,” Trend Micro researchers said in a blog. “They typically integrate multi-language checklists and functionalities in their codes, such as when serving ransom notes and redirecting victims to their payment pages. Some borrow a publicly available source code and just customize it depending on their target. Last year, for instance, we saw KaoTear, a Korean language-specific ransomware based on Hidden Tear.”
Magniber is still in the experimental stages—perhaps under the auspices of Magnitude’s developers.
“Indeed, we’re bound to see more developments in both Magnitude and Magniber as their capabilities and tactics are fine-tuned,” the researchers noted.
For now, Magnitude only exploits one vulnerability to retrieve and execute the payload: CVE-2016-0189 (patched in May 2016), a memory corruption vulnerability in Internet Explorer. It’s a flaw also used by other exploit kits like Disdain, Sundown-Pirate, Sundown and Bizarro Sundown, as well as by other threat actors.
As always, patching these older vulnerabilities is a first line of defense.
“Ransomware is a significant threat to enterprises,” said FireEye researchers, in their analysis. “While the current threat landscape suggests a large portion of attacks are coming from emails, exploit kits continue to put users at risk—especially those running old software versions and not using ad blockers. Enterprises need to make sure their network nodes are fully patched.”
Hackers are targeting users of the cryptocurrency exchange Poloniex, with two credential-stealing apps that masquerade as official mobile apps for the service.
ESET researchers discovered them on Google Play, built to not only harvest Poloniex login credentials, but also to trick victims into making their Gmail accounts accessible.
“Poloniex is one of the world’s leading cryptocurrency exchanges with more than 100 cryptocurrencies in which to buy and trade,” the researchers said, in a blog. “With all the hype around cryptocurrencies, cyber-criminals are trying to grab whatever new opportunity they can—be it hijacking users’ computing power to mine cryptocurrencies via browsers or by compromising unpatched machines, or various scam schemes utilizing phishing websites and fake apps.”
Both apps work the same way: First, they display a bogus screen requesting Poloniex login credentials, which are then sent on to the attackers. With the logins in hand, attackers can carry out transactions on the user’s behalf, change their settings or even lock them out of their account by changing their password.
The next step is a prompt, seemingly on behalf of Google, asking them to sign in with their Google account “for two-step security check.” The apps then ask for permission to view the user’s email messages and settings, and basic profile info. If the user grants the permissions, the app gains access to their inbox.
“With access to the user’s Poloniex account as well as to the associated Gmail account, the attackers can make transactions using the compromised account and erase any notifications about unauthorized login and transactions from the victim’s inbox,” the researchers said.
Users with two-factor authentication enabled are safe from attack.
Finally, in order to appear functional, the malicious app directs the user to the mobile version of the legitimate Poloniex website, which requests the user to sign in. After logging in, the user can access and use the legitimate Poloniex website. From then on, the app will only open the legitimate website each time it’s launched. Users are thus none the wiser that criminals have duped them—until money starts disappearing from their accounts.
The first app the security team analyzed was an app simply dubbed POLONIEX, published under the developer name Poloniex. It saw 5,000 installs between August 28 and September 19, despite mixed ratings and bad reviews.
The second app, the similarly straightforwardly named POLONIEX EXCHANGE, from the developer name POLONIEX COMPANY, appeared on Google Play on October 15, and reached up to 500 installs last week.
Both apps have been removed from the store upon ESET’s notification to Google.
Under-fire cybersecurity giant Kaspersky Lab has launched a new transparency initiative which will see its source code offered up for independent review.
The firm’s Global Transparency Initiative aims to restore trust in the company at a time when its products have been banned by the US government amid reports of Russian intelligence using them to spy on targets.
The initiative promises an independent review of the vendor’s source code by Q1 2018, to be followed by similar reviews of its software updates and threat detection rules after that.
Kaspersky Lab also set out plans for an independent assessment of its secure development lifecycle processes and its software and supply chain risk mitigation strategies by Q1 next year, and claimed it will ask an independent third party to test compliance with a newly developed set of controls governing data processing practices.
Other aspects of the initiative include the creation of three new Transparency Centres where trusted partners can access reviews of the company’s code, software updates, and threat detection rules, among other things.
These will be located in the US, APAC and Europe, with the first center planned to launch next year.
The Moscow-headquartered vendor also announced an increase in bug bounty payments for its Coordinated Vulnerability Disclosure program to £75,000 ($100,000).
The transparency initiative can be seen in the context of a raft of bad publicity for the firm stemming from Washington’s ban on its products for federal use.
It has been reported that this decision was influenced by intelligence from Israeli spies, who spotted Russian agents using Kaspersky Lab AV to scan for and steal information on top secret US government programs.
This apparently led to the theft of classified material from an NSA contractor’s home.
Kaspersky Lab has always maintained its innocence, and it is entirely feasible that Russian intelligence compromised its products without its knowledge, just as the Israelis are alleged to have done.
Chairman and CEO, Eugene Kaspersky, argued in a statement that there’s a strong need to re-establish trust between companies, governments and citizens.
“That’s why we’re launching this Global Transparency Initiative: we want to show how we’re completely open and transparent. We’ve nothing to hide. And I believe that with these actions we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet,” he added.
Google has launched a new bug bounty program dedicated to improving the security of its Android app ecosystem.
White hat Android hackers are encouraged to first report any vulnerabilities to the developer and work with them to resolve the issue.
Once the bug has been fixed, they can then apply for a reward, but only have 90 days after a patch was issued to do so.
Only developers “who have expressed a commitment to fixing bugs which are disclosed to them” will be invited to the program. So far, the list is pretty short: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat and Tinder.
The new HackerOne program currently only accepts remote code execution (RCE) vulnerabilities and corresponding proof-of-concepts (POCs) that work on Android 4.4 devices and higher.
“Any vulnerability that requires collusion between apps, or where there is a dependency for another app to be installed is considered to be out of scope, and thus will not qualify for a reward,” noted Google.
Successful participants will be awarded $1000 for their efforts.
The new program will complement Google’s other rewards schemes for security researchers.
The Android Security Rewards program was launched in 2015 as part of the long-standing Google Vulnerability Rewards Program, although it is mainly focused not on apps but improving the security of Nexus devices.
Last year, the maximum reward was raised to $50,000 for a remote exploit chain or exploits leading to TrustZone or Verified Boot compromise.
The Department of Homeland Security (DHS) has issued a new alert warning businesses that the notorious Dragonfly APT group has been targeting CNI firms, including nuclear power providers, since at least May 2017.
The ongoing and potentially long-term campaign takes aim at firms in the energy, nuclear, water, aviation, and critical manufacturing sectors.
Attacks typically first attempt to compromise “staging targets” which are trusted third party suppliers with less secure networks, said the DHS.
The threat actors begin by collecting publicly available information on these targets; specifically related to “network and organizational design” and “control system capabilities”.
This kind of open source reconnaissance helps with spearphishing and can even provide useful info on equipment models and the like, the alert noted.
The next stage of the attacks is to target certain users with spearphishing emails containing malicious links:
“Email messages include references to common industrial control equipment and protocols. The emails leveraged malicious Microsoft Word attachments that appear to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, as well as invitations and policy documents that entice the user to open the attachment.”
Once log-ins have been harvested, the attackers seek to compromise the infrastructure of the “staging targets” so they’re capable of carrying out watering hole attacks on the real intended targets.
Typical sites manipulated to host malicious content include trade publications and informational websites related to process control, ICS, or critical infrastructure, DHS said.
Once they’ve gained access to an intended target – usually via compromised log-ins – the attackers will download additional tools from a remote server and begin the process of data exfiltration, with ICS and SCADA-related info the main focus.
The alert concluded with the following advice for CNI firms:
“DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity. Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated YARA and .txt file to identify malicious activity.”
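One way to act on that advice, as an added illustration that is not taken from the alert or from any DHS/FBI material: a small Python script that checks netflow-style records and DNS query names against a watch list. Every indicator and log line below is constructed for the example (the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 ranges and the .example domains are reserved documentation values, not real IoCs).

```python
"""Check netflow records and DNS queries against an IoC watch list.

Added example, not code from the DHS/FBI alert. All indicators and
flow records are constructed placeholders, not indicators from the advisory.
"""
import ipaddress
from collections import defaultdict

# Constructed watch list in the shape the alert describes: plain IPs,
# CIDR ranges and domain names. Reserved documentation ranges only.
WATCHLIST_IPS = ["203.0.113.17", "198.51.100.0/24"]
WATCHLIST_DOMAINS = ["ics-trade-news.example", "hmi-vendor-portal.example"]

# Constructed netflow export: start,src,dst,dport,bytes (one flow per line).
NETFLOW_SAMPLE = """\
2017-10-19T08:02:11Z,10.20.5.31,203.0.113.17,443,184320
2017-10-19T08:03:40Z,10.20.5.31,203.0.113.17,443,2097152
2017-10-19T08:05:02Z,10.20.7.9,192.0.2.40,80,5120
2017-10-19T08:06:55Z,10.20.5.44,198.51.100.77,8443,40960
2017-10-19T08:07:10Z,10.20.5.31,192.0.2.53,53,512
"""

# Constructed DNS query names seen from the perimeter resolver.
DNS_SAMPLE = ["www.ics-trade-news.example", "example.org", "intranet.local"]


def build_networks(entries):
    """Normalise plain IPs and CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_flows(netflow_text, watch_entries):
    """Return {internal_host: {"hits", "bytes_out", "remotes"}} for every
    flow whose destination falls inside the watch list. Byte totals per
    host help spot the bulk exfiltration the alert describes."""
    nets = build_networks(watch_entries)
    report = defaultdict(lambda: {"hits": 0, "bytes_out": 0, "remotes": set()})
    for line in netflow_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _dport, nbytes = line.split(",")
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in nets):
            entry = report[src]
            entry["hits"] += 1
            entry["bytes_out"] += int(nbytes)
            entry["remotes"].add(dst)
    return dict(report)


def match_domains(dns_queries, watch_domains):
    """Flag names equal to, or subdomains of, a watch-listed domain."""
    watched = [d.lower().rstrip(".") for d in watch_domains]
    return [q for q in dns_queries
            if any(q.lower().rstrip(".") == w or q.lower().rstrip(".").endswith("." + w)
                   for w in watched)]


if __name__ == "__main__":
    for host, info in match_flows(NETFLOW_SAMPLE, WATCHLIST_IPS).items():
        print(f"{host}: {info['hits']} flow(s), {info['bytes_out']} bytes "
              f"to {sorted(info['remotes'])}")
    print("DNS hits:", match_domains(DNS_SAMPLE, WATCHLIST_DOMAINS))
```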
Symantec revealed in September that the notorious Dragonfly APT group had begun a new “highly focused” campaign targeting US energy firms, which may already have given them operational access to systems.
Some of the code was written in Russian and French, although one of these could be a false flag, the vendor said.
A brand-new, and massive, internet of things (IoT) botnet is poised to bring down the internet. Maybe. Probably.
According to Check Point’s research team, this new baddie, ominously dubbed “Reaper,” is recruiting IoT devices such as IP wireless cameras and DVRs at a far faster rate than the Mirai botnet did in 2016—and it already is estimated to have infected multiple devices in more than a million organizations globally.
The analysts don’t know the intentions of the threat actors behind it, but “with previous botnet DDoS attacks causing widespread, large-scale disruption, it’s likely that an attack is being prepared,” they said.
Any DDoS attack could be far more devastating than the attack on Dyn last year—the anniversary of which is coming up. In that attack, large portions of the internet were knocked offline. A move from Reaper, on the other hand, could threaten the public IP infrastructure in toto.
"The end of the world may not be nigh but the internet appears to be at severe risk of compromise,” said Lee Munson, security researcher at Comparitech.com, via email. “As information security experts have been warning forever, it seems, a number of internet-connected fridges, kettles and lightbulbs, along with the ever-vulnerable batch of routers and cameras, have all been marked for takeover by a new botnet. That this should be devastating if it comes to pass is hardly a surprise, given how many manufacturers of IoT devices care little for security before selling their shiny new products.”
Any DDoS attack would be “the likes of which have not been seen before,” he said.
But wait, there’s more: It also appears that Reaper is still merely a baby botnet. It continues to grow in the shadows, without carrying out—as yet—any attacks. Its authors instead seem consumed with adding as many devices to its oeuvre as possible.
After first being picked up via Check Point’s global Intrusion Prevention System (IPS) in the last few days of September, activity has snowballed, with the malware evolving “on a daily basis” to exploit vulnerabilities in additional devices from vendors including GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others, the researchers said.
Check Point said in an analysis that it has also become apparent that the attempted attacks were coming from many different sources and a variety of IoT devices, meaning the attack was being spread by the IoT devices themselves—thus gaining the ability to propagate exponentially. In its own analysis, Qihoo 360 Netlab put a finer point on it: It said that it observed, over the course of a single day, more than two million infected devices waiting to be processed in the C&C servers' queue.
As of this week, approximately 60% of the corporate networks which are part of Check Point’s ThreatCloud global network are expected to be infected.
Interestingly, while some technical aspects initially led researchers to suspect a possible connection to Mirai, the botnet behind the Dyn attack, it turns out that this is an entirely new and more sophisticated campaign.
“The biggest difference between the two is that Mirai tried to connect to devices via telnet, utilising default or weak passwords to take control of devices,” said Tristan Liverpool, director of systems engineering at F5 Networks, via email. “In contrast, the Reaper botnet is looking to use exploits on unpatched devices, to take control of them and add it to the command and control (C&C) platform. This means that it can continue to grow and be harnessed for all kinds of criminal activities.”
As for mitigation, a simple password upgrade is not sufficient to protect against the botnet.
“To stop the propagation of this botnet, all companies and consumers should ensure all their devices are running the latest firmware versions, which will have security patches included,” Liverpool said.
In the meantime, “everyone needs to prepare for the worst, as it is still unknown whether the motive of the perpetrators is chaos, financial gain or to target specific states or brands,” he added. “For organizations to protect themselves, they must identify which information is critical and needs to be available anytime, anywhere. In summary, security can be built around these key areas and a contingency plan must be developed.”
Munson added that the IoT ecosystem must be put on notice. “It is vital that manufacturers do their part in securing the devices of tomorrow before they are allowed to destroy or severely disrupt the internet world they will ultimately be joining,” he said.
The UK’s Office for National Statistics (ONS) has released its crime in England and Wales statistical bulletin, noting a preponderance of cyber-related fraud within its year-long analysis timeframe.
In the year to June 2017, there were 3.3 million incidents of fraud in England and Wales alone, according to the Crime Survey for England and Wales (CSEW). The report said that the most common type of fraud reported was bank and credit-card fraud, with more than 2.5 million incidents in the period.
Of these, more than half (1.9 million incidents or 57%) were cyber-related, according to the bulletin.
“This level of recorded fraud figures is astounding, and bad news for consumers who often bear the brunt of many direct costs and pains—especially in account takeover and new account fraud,” said Ryan Wilk, vice president at NuData Security. “The increasing volume of attacks globally has also been attributed to more fraudsters willing to commit the crime, more data available on the black market and more financial institutions and merchants that are vulnerable to attacks. It’s incumbent upon companies to secure their customers’ trust by keeping their accounts safe from hackers without hurting their customer experience. They can’t afford to hear their customers say, ‘My account got hacked again.’”
The CSEW also said that of the roughly 1.6 million adults who experienced a computer misuse crime, about two-thirds (67%) were related to computer viruses and malware. The rest involved personal data breaches and various hacking incidents.
“To detect out of character and potentially fraudulent transactions before they can create a financial nightmare for consumers, we must adopt new authentication methods that they can’t deceive,” Wilk said. “Solutions based on consumer behavior and interactional signals are leading the way to provide more safety for consumers, and less fraud in the marketplace.”