A group of “newbie” Iranian hackers have been blamed for attacks using the Dharma ransomware variant on targets in Russia and Asia.
The threat actors’ relative inexperience was highlighted by several characteristics of the attacks against companies in Russia, Japan, China and India, according to Group-IB.
The first is their choice of tooling: the ransomware-as-a-service model of Dharma (aka Crysis) and the publicly available IP scanning tool Masscan. They also used NLBrute to brute-force weak RDP credentials and to check the validity of obtained credentials on other accessible hosts in the network.
“Interestingly, the threat actors likely didn’t have a clear plan on what to do with the compromised networks. Once they established the RDP connection, they decided on which tools to deploy to move laterally. For instance, to disable built-in anti-virus software, the attackers used Defender Control and Your Uninstaller,” the security firm continued.
“To scan for accessible hosts in the compromised network, threat actors used Advanced Port Scanner — another publicly available tool. After the network reconnaissance activities were completed, the adversary used collected information to move laterally through the network using the RDP protocol.”
The group also demanded a relatively small ransom of 1-5 BTC.
Senior digital forensics specialist, Oleg Skulkin, argued that in spite of the use of fairly common TTPs, the group appears to have been quite effective.
“It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage,” he added.
Group-IB recommended organizations change the default RDP port from 3389 to another, and enable account lock-out policies to tackle brute-force attempts, as well as invest in intrusion detection tools to spot unusual behavior inside the network.
Cyber-criminals have been impersonating the well-known Bitcoin BTC ERA trading platform in order to infect users of the online currency with malware, according to new research from Abnormal Security.
The cybersecurity firm found that malicious actors have been sending emails purporting to be from BTC Era that encourage users of Bitcoin to pay for what they believe is an investment.
The automated email addresses the recipient by name and says they have been approved to make a BTC transaction that requires a minimum deposit of $250 to start. The message includes a concealed URL with text that reads “create an account.” Once this link is clicked, there are multiple redirects before landing on the theverifycheck.com webpage, and once on the landing page a pop-up alert requests permission to show notifications from the website.
If the user clicks allow, the site gains permission to run adware on their device. Although it appears as though nothing has happened, the website is in fact enabling the user’s behavior to be monitored through malware and enabling targeted ads and spam to be launched against them.
Abnormal Security added that the scammers utilized the email marketing provider, Constant Contact, which enabled them to deliver a widespread attack to multiple recipients at the same time. It noted that this “takes less effort than spoofing emails and is more effective in casting a wide net to catch unsuspecting recipients.”
Ken Liao, vice-president of cybersecurity strategy at Abnormal Security, commented: “We have seen that over the last few months the weekly volume of attacks impersonating Bitcoin platforms has remained relatively constant. We saw an increased rate of these impersonations between the end of March through the beginning of May, though.”
He added: “We would advise organizations and their employees to double check the senders and addresses for messages to ensure that they’re coming from legitimate sources. Don’t just trust the display name. In addition, we would advise everyone to always double check the webpage’s URL before signing in.
“Attackers will often hide malicious links in redirects or host them on separate websites that can be reached by safe links. This allows them to bypass link scanning within emails by traditional email security solutions. If the URL looks suspicious, don’t enter your credentials and always verify with your company’s IT department.”
The first day of online classes at a North Carolina school was memorable for all the wrong reasons after a hacker disrupted a lesson with offensive content.
Virtual classes, taught via Google Meet, began at Lee County High School, Sanford, on Monday, August 17, as part of an effort to slow the spread of COVID-19.
Students who logged on to a virtual Spanish class were shown racist, violent, and pornographic content by an unknown person who gained access to the lesson. The upsetting incident was witnessed by parents, a teacher, and around 20 students in the 10th grade.
Mom Shauna Roberts, who was watching her daughter's computer screen as the cyber-attack unfolded, said she was shocked by what she saw.
"There were pictures of Nazi symbols. They were showing videos of African Americans being shot," said Roberts.
"There were also pictures of Donald Trump along with the KKK that were popping up. It was just disturbing all the way together."
According to Roberts, the prolonged attack lasted around 30 minutes and included the recital of racist slurs. She said parents, alerted to the incident, tried to protect their children from what was happening.
“You could actually see parents coming into the camera seeing the content as well. You could see a couple of parents actually making their kids move away from their computer so they could see what was going on," said Roberts.
"I think it’s just sad that our children are supposed to be online learning, but they are being exposed to this type of content."
In a statement given to WRAL News, Lee County High School wrote: "It appears that this was an inadvertent approval of an outside address requesting access; however, the incident is currently under investigation by both law enforcement and the district’s technology department. We take the security of online classes very seriously and are reviewing all protocols to make sure this does not happen again.”
Similar problems occurred at Oberlin Magnet Middle School on Tuesday, and at Millbrook Magnet High School in Raleigh, online lessons in Google Meet were disrupted by a group of students who "used inappropriate and offensive language as well as insulted students and teachers directly."
The United States has arrested a former US Army Special Forces officer for allegedly passing national defense information to Russian intelligence operatives.
Peter Rafael Dzibinski Debbins was arrested on Friday and charged with conspiring to provide United States national defense information to agents of a foreign government.
Debbins' arrest comes a week after Hawaii resident and former Central Intelligence Agency officer Alexander Yuk Ching Ma was charged with selling secrets to the People's Republic of China over the course of a decade.
It is alleged that Debbins conspired with Russian spies for an even longer period, from December 1996 to January 2011. Court documents state that the 45-year-old resident of Gainesville, Virginia, was assigned a code name by Russian intelligence officials in 1997 after he signed a statement saying that he wanted to serve Russia.
According to the allegations, Debbins provided the Russian intelligence service GRU with information about his chemical and Special Forces units. After leaving active duty service in 2008, Debbins passed on classified information about his previous deployments.
Debbins is further accused of helping Russian intelligence agents in their efforts to recruit other spies within the United States Army. He allegedly provided agents with the names of, and information about, his former Special Forces team members.
This information was used by agents when deciding who to approach regarding cooperating with the Russian intelligence service.
“Two espionage arrests in the past week — Ma in Hawaii and now Debbins in Virginia — demonstrate that we must remain vigilant against espionage from our two most malicious adversaries — Russia and China,” said John C. Demers, assistant attorney general for national security.
“Debbins violated his oath as a US Army officer, betrayed the Special Forces and endangered our country’s national security by revealing classified information to Russian intelligence officers, providing details of his unit, and identifying Special Forces team members for Russian intelligence to try to recruit as a spy. Our country put its highest trust in this defendant, and he took that trust and weaponized it against the United States.”
If convicted, Debbins faces a maximum penalty of life in prison.
A vulnerability in the TeamViewer app could allow malicious actors to steal passwords.
The high-severity flaw was discovered in the desktop version of the app for Windows before 15.8.3. By exploiting the weakness, authenticated threat actors operating remotely could execute code on victims' systems or crack their TeamViewer passwords.
TeamViewer is a proprietary software application that allows users to control a range of smart devices remotely to perform functions like file transfers, desktop sharing, and web conferencing.
The flaw, CVE-2020-13699, stems from TeamViewer Desktop for Windows not properly quoting its custom URI handlers. Because of this, an attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking.
Victims could also be persuaded to go to a specific website set up by threat actors to steal credentials or personal data.
The flaw's discoverer, security engineer at Praetorian Jeffrey Hofmann, explained: "An attacker could embed a malicious iframe in a website with a crafted URL that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share."
According to Hofmann, most web browsers are set up to prevent attacks like this from happening.
He said: “Every modern browser except for Firefox URL encodes spaces when handing off to URI handlers which effectively prevents this attack.”
TeamViewer versions prior to 15.8.3 are vulnerable to the flaw, which has been fixed in the latest release.
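The defect class above, a URI handler whose command template passes the URL unquoted, can be audited in any Windows image. The following is an added example, not code from the article or from TeamViewer: it checks exported handler templates for an unquoted `%1` placeholder and shows the browser-side mitigation Hofmann describes (percent-encoding spaces). The scheme names and templates are constructed samples, not TeamViewer's real registration.

```python
"""Audit Windows URL-protocol handler templates for an unquoted %1 placeholder.

Windows stores a URL-protocol handler as a command template under
HKEY_CLASSES_ROOT\\<scheme>\\shell\\open\\command, in which %1 is replaced by
the full URL the browser hands over. If that %1 is not wrapped in double
quotes, a space in the URL splits it into extra command-line arguments, which
is the class of defect described above. Everything below is a constructed
sample: the scheme names and templates are not TeamViewer's.
"""
from urllib.parse import quote

# Constructed sample export of handler registrations: scheme -> command template.
SAMPLE_HANDLERS = {
    "example-app":     r'"C:\Program Files\Example\app.exe" "%1"',       # quoted: safe
    "example-legacy":  r'"C:\Program Files\Example\legacy.exe" %1',      # unquoted: flagged
    "example-wrapped": r'"C:\Program Files\Example\w.exe" --url="%1"',   # quoted: safe
    "example-noarg":   r'"C:\Program Files\Example\noarg.exe"',          # never receives the URL
}


def placeholder_is_quoted(template: str) -> bool:
    """Return True when every %1 in the template sits inside double quotes.

    A template with no %1 at all never receives the URL, so there is nothing
    to split and it is reported as safe.
    """
    in_quotes = False
    i = 0
    while i < len(template):
        if template[i] == '"':
            in_quotes = not in_quotes
        elif template.startswith("%1", i):
            if not in_quotes:
                return False
            i += 1  # skip the '1'
        i += 1
    return True


def audit_handlers(handlers: dict) -> list:
    """Return the schemes whose handler passes %1 outside double quotes."""
    return sorted(s for s, tpl in handlers.items() if not placeholder_is_quoted(tpl))


def browser_encode(url: str) -> str:
    """Percent-encode a URL the way the article says most browsers do before
    handing it to a URI handler: spaces become %20, so even an unquoted %1
    still receives a single argument. Reserved URL characters stay intact."""
    return quote(url, safe=":/?#[]@!$&'()*+,;=%")


if __name__ == "__main__":
    for scheme in audit_handlers(SAMPLE_HANDLERS):
        print(f'{scheme}: %1 is not quoted; the template should read "%1"')
    print(browser_encode("example-legacy://host/path with space"))
```

On a real host the templates would be read from the registry (for example with `reg query` or PowerShell) and fed to `audit_handlers`; the fix for a flagged entry is the vendor's, as in the 15.8.3 release.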
Andy Harcup, VP, Absolute Software, commented: “Security flaws in certain software and applications will always be located and exploited by opportunistic cyber attackers, and this latest revelation could potentially impact millions of Windows users.”
Harcup advised companies to protect their operating system by keeping up with the latest security updates.
“For users to ensure that they are kept safe from the influx of cyber-attacks now facing them, the IT operations team must ensure their systems are kept up-to-date, whilst training their staff to simultaneously maintain a high level of online vigilance and awareness toward internet safety protocol. It is important for enterprises to keep the operating system up to date with the latest security updates in order to ensure maximum protection.”
The acquisition sees Kaseya boost its security offering and expand its IT Complete platform for MSPs and SMBs. The Graphus solution uses patented AI technology to defend Microsoft Office 365 and G Suite inboxes from a variety of threats delivered via email.
“The acquisition of Graphus catapults IT Complete to the next level and secures Kaseya’s position as the only comprehensive, tightly integrated, cost-effective platform in the industry to deliver all IT and security management needs for MSPs and SMBs in a single platform,” said Fred Voccola, CEO of Kaseya. “Kaseya can speak to Graphus’ impressive capabilities first-hand, having been a customer for nearly a year.
“With Graphus protecting over 3200 Kaseya inboxes and processing over 22 million of our emails, we’ve eliminated about 250,000 unsafe emails, quarantined nearly 15,000 phishing attacks and blocked 3400 executive spoofing and 2400 impersonation attacks. Having seen these outstanding results for ourselves, I’m even more excited to extend the same unmatched protection to our customers so they can close the security gaps of their cloud email platforms and, for MSPs, provide a low-cost solution to generate additional profits.”
Manoj Srivastava, CEO and co-founder of Graphus, added: “We’re thrilled to join the Kaseya family and integrate Graphus into Kaseya’s IT Complete platform. With phishing attacks on the rise, Kaseya customers can now amplify their existing suite of security tools with Graphus’ powerful automated email defense to create the most comprehensive, end-to-end security stack possible.”
Graphus will continue to operate as an independent business within Kaseya, led by Srivastava.
A detailed analysis of the APT group DeathStalker has been published today by Kaspersky, highlighting the scale of its operations throughout the world, from Europe to Latin America.
The ‘hacker-for-hire’ organization is known to have been active since at least 2012, primarily focusing on small and medium firms in the financial sector through commercial cyber-espionage campaigns.
Kaspersky said the research demonstrates that small and medium sized companies, as well as larger businesses and government organizations, must be prepared to deal with the threats posed by APT actors such as DeathStalker.
Through tracking the group from 2018, Kaspersky has been able to link its activities to the three malware families Powersing, Evilnum and Janicab, with “medium confidence.”
DeathStalker’s main method of attack is to deliver archives containing malicious files through tailored spear-phishing emails. When a user clicks the shortcut inside, a malicious script is executed and further components are downloaded from the internet, giving the attackers control of the victim’s machine.
Kaspersky added that in its Powersing campaigns, DeathStalker has become adept at evading detection by placing dead drop resolvers on legitimate social media, blogging and messaging services. Once infected, victims would reach out to and be redirected by these resolvers, which hides the communication chain.
Powersing-related attacks were detected by Kaspersky in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the UK and the UAE, while Evilnum victims were located in Cyprus, India, Lebanon, Russia and the UAE, demonstrating the extent of DeathStalker’s activities around the world.
Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT, commented: “DeathStalker is a prime example of a threat actor that organizations in the private sector need to defend themselves against. While we often focus on the activities carried out by APT groups, DeathStalker reminds us that organizations that are not traditionally the most security-conscious need to be aware of becoming targets too.
“Furthermore, judging by its continuous activity, we expect that DeathStalker will continue to remain a threat with new tools employed to impact organizations. This actor, in a sense, is proof that small and medium-sized companies need to invest in security and awareness training too.”
Last month, Kaspersky uncovered a new cyber-mercenary group known as the “Deceptikons,” which has been providing hacking services for hire for almost a decade.
The US government has been forced to issue an alert warning home workers of an aggressive new vishing campaign targeting corporate accounts.
The joint advisory came from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) at the end of last week.
It claimed that the attackers first registered domains, obtained SSL certificates and created legitimate-seeming phishing pages mimicking firms’ VPN log-in pages.
They then “compiled dossiers” on potential targets at certain companies by scraping publicly available info from social media profiles, recruitment tools and other sites, including their phone numbers.
Next came the vishing part of the scam, in which a smooth-talking fraudster socially engineers their victim into believing they are calling from the IT help desk, or other legitimate body. VoIP numbers were also spoofed to appear as if calls were originating from co-workers.
“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account,” the alert explained.
“In some cases, unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator. In other cases, attackers have used a SIM-Swap attack on the employees to bypass 2FA and OTP authentication.”
According to CISA/FBI, the attackers used their resulting access to employee accounts to carry out further research on victims and fraudulently obtain funds using a variety of methods.
Although the attacks aren’t new per se, they illustrate the willingness of cyber-criminals to push beyond typical targets for these scams, which are in the ISP/telco space.
“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate VPN and elimination of in-person verification, which can partially explain the success of this campaign,” said CISA/FBI.
As predicted, TikTok is taking the Trump administration to court over the President’s Executive Order which will effectively ban the app in the US.
The order, which was issued on August 6, alleged that the social firm’s data collection on large numbers of US citizens exposes them to Communist Party efforts to build “dossiers of personal information for blackmail, and conduct corporate espionage.”
It also argued that the app “reportedly” censors content unpopular among China’s leaders and could be used to spread misinformation. The Commerce secretary now has 45 days to come up with a list of currently ill-defined “transactions” involving TikTok owner ByteDance that should be banned.
In a new statement sent to Infosecurity, TikTok said it was taking legal action — that it had worked "in good faith" to try and allay Trump's concerns, but that it had been deprived of due process. It also argued that the administration "tried to insert itself into negotiations between private businesses."
“To ensure that the rule of law is not discarded, and that our company and users are treated fairly, we have no choice but to challenge the Executive Order through the judicial system,” TikTok said.
Any challenge, however, would not impact Trump’s decision to force a sale of the app in the US to an American company. That order came on August 14 and is not subject to judicial review.
These latest moves by the Trump administration, which included a similar ban on wildly popular messaging platform WeChat (Weixin) in the States, can be seen as part of a wider attempt to remove what are considered untrustworthy Chinese apps from the US.
However, they can also be viewed as an attempt to portray Trump as “strong on China” in the run up to the next Presidential election in November.
Among the suitors lined up with ByteDance for potential acquisition talks are Microsoft and Oracle.
The company behind one of India’s most popular travel booking sites exposed 43GB of customer and corporate data before it was deleted by the infamous “Meow” attacker, according to researchers.
A team at SafetyDetectives led by Anurag Sen discovered an Elasticsearch server without password protection or encryption on August 10.
It failed to get a response from the company in question, government-backed travel marketplace RailYatri, but the database was eventually secured after contact was made with India’s national CERT (CERT-In).
However, that was too late to save most of the information stored there: the Meow bot struck on August 12 and apparently deleted all but 1GB of the data.
The trove itself contained an estimated 37 million records linked to around 700,000 unique users of the popular site, a mobile app version of which has been downloaded over 10 million times on Google Play.
Exposed in the misconfiguration were users’ full names, age, gender, physical and email addresses, mobile phone numbers, booking details, GPS location, and the names on their payment cards together with the cards’ first and last four digits.
“Exposed user information could potentially be used to conduct identity fraud across different platforms and other sites,” argued SafetyDetectives.
“Users’ contact details could be harnessed to conduct a wide variety of scams while personal information from the breach could be used to encourage click-throughs and malware downloads. Personal information is also used by hackers to build up rapport and trust, with a view of carrying out a larger magnitude intrusion in the future.”
The firm also warned that exposed data could have put customers in physical danger.
“RailYatri’s server recorded and stored users’ location information when booking their tickets, and also allowed users to track their journey progress with integrated GPS functionality. This information could be used by hackers to locate the nearest cell tower to the user, and potentially, the user’s actual location including current address,” it explained.
“Regular train users generate clear and distinguishable travel patterns which malicious actors could use to commit violent crime directly upon the individual.”
The bot-driven Meow attack campaign has so far destroyed data from thousands of victims, providing an even greater urgency for IT managers to ensure any cloud databases are properly configured.
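The exposure described above is a configuration problem: an Elasticsearch node listening on the network with neither authentication nor TLS. The following is an added example, not SafetyDetectives' or RailYatri's code, that checks an `elasticsearch.yml` for that pattern using the standard settings `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`; the weak and corrected configs are constructed samples, and a missing security setting is treated as disabled (an assumption, conservative for the 7.x line current in 2020).

```python
"""Check an elasticsearch.yml for the exposure pattern described above: a node
reachable over the network with no authentication and no TLS on its HTTP port.

The two configs are constructed samples (not RailYatri's). The settings
checked are standard Elasticsearch options; absent security settings are
assumed disabled, which is the conservative reading for 7.x-era nodes.
"""

WEAK_CONFIG = """\
cluster.name: travel-bookings
network.host: 0.0.0.0        # listens on every interface, including the public one
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
cluster.name: travel-bookings
network.host: 10.0.0.5       # private interface only; still needs auth and TLS
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}


def parse_flat_yaml(text: str) -> dict:
    """Parse the flat 'key: value' lines elasticsearch.yml normally consists of.
    Comments and blank lines are skipped; nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def _enabled(settings: dict, key: str) -> bool:
    # Assumption: a missing security setting means the feature is off.
    return settings.get(key, "false").lower() == "true"


def audit_elasticsearch(text: str) -> list:
    """Return findings for a network-reachable node; an empty list means the
    checked weaknesses are absent (or the node only listens on loopback)."""
    cfg = parse_flat_yaml(text)
    host = cfg.get("network.host", "_local_")  # Elasticsearch binds loopback when unset
    if host in LOOPBACK:
        return []
    findings = []
    if not _enabled(cfg, "xpack.security.enabled"):
        findings.append(f"network.host={host} with xpack.security.enabled != true: "
                        "anyone who can reach port 9200 can read, alter or delete every index")
    if not _enabled(cfg, "xpack.security.http.ssl.enabled"):
        findings.append(f"network.host={host} without xpack.security.http.ssl.enabled: "
                        "credentials and documents cross the network unencrypted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or "no findings")
```

The check is deliberately narrow: a node can pass it and still be exposed by a cloud security group that forwards port 9200 from the internet, so the firewall rules need reviewing alongside the file.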
The "2020 Speak Up" report audited 18 major tech conferences from around the world and, in December 2019, surveyed 500 women from the US and the UK who attended a tech conference in the previous 12 months.
Researchers found that women of color made up only 8% of keynote speakers at tech conferences over the last 3 years. Of the women of color who spoke at conferences, 80% said they were the only woman on the panel who wasn't white.
When it came to experiencing discrimination at a tech conference, 43% of white women said that they had encountered this issue, compared to 59% of women of color.
Of the 59% of women of color who experienced discrimination, 63% said it was race-based, compared to 47% who said it was gender-based.
One survey respondent said: “I have frequently been ignored or assumed to be a secretary or personal assistant because I am female. Men have talked directly to the male accompanying me even though he is my subordinate.”
The study found that conferences were designed with men in mind, with podiums and projectors placed too high, clip-on mic set-ups geared toward lapels and pockets, and bar stools offered that do not allow a wearer of an above-the-knee skirt or dress to sit modestly.
"Design bias takes a toll on women by making it more tiring, difficult and inconvenient to perform the same tasks that men do," noted researchers.
Tech conference restroom arrangements were similarly found to favor men. Only 24% of survey respondents said they had been to a conference with on-site facilities for nursing mothers, and some women reported attending conferences where there were no women’s bathrooms at all.
The report's authors called for tech conferences to include a provision for anonymous reporting of sexual harassment.
"Sadly, nearly half of sexual harassment victims and witnesses in our study didn’t report because they were afraid of retaliation from other conference attendees," wrote researchers.
The Tennessee Bureau of Investigation said yesterday that the number of tips received regarding cybercrimes against children has increased sharply since the outbreak of COVID-19.
Speaking to media, TBI Director David Rausch said investigators had received more than twice the usual number of tips concerning this type of cybercrime since the pandemic began.
In 2020, the bureau has recorded 450 tips on cybercrimes against children, with 122 tips received in the month of March alone.
Rausch said the rise might be linked to an increase in the amount of time people were spending online since remote working and social distancing became the norm. He warned parents to keep an eye on what their children are doing when they access the internet and to ensure smart devices are used under supervision.
“Our agents have seen children as young as five years old taking photos of themselves and at the direction of someone they communicated with online," said Rausch.
“We want to encourage parents to be vigilant. Just as you wouldn’t let strangers into your home, or certainly your children’s bedroom, you shouldn’t let cyber-criminals into your home through phones or other screen sources.”
He advised parents who believe they have witnessed a concerning online interaction between their child and someone else to record the name and contact information of that individual. Rausch said that parents should not try to interact with the individual but should instead contact their local bureau of investigation.
Speaking to WKRN in February, TBI Special Agent Robert Burghardt said that the bureau took a proactive approach to catching criminals who use the internet to sexually exploit children. Detectives create profiles on popular social media apps like Facebook, Instagram, Snapchat, Kik, and TikTok purporting to be children.
Burghardt said criminals are quick to connect online with users they believe to be minors.
“I’ve had over a dozen people reply within minutes,” said Burghardt.
“You see it on the news, and you think eh, it won’t happen here, but it does. It happens every day throughout the state of Tennessee.”
The vulnerability, described by the CWE as "improper neutralization of input during web page generation," was given a threat score of 46.82.
Describing the dangers posed by cross-site scripting (XSS), CWE wrote: "The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.
"Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim's machine, sometimes referred to as 'drive-by hacking.'"
By comparison, last year's CWE list topper was far more dangerous. The biggest software threat in 2019—improper restriction of operations within the bounds of a memory buffer—received a threat score of 75.56.
The CWE Top 25 is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years.
To create the 2020 list, the CWE team leveraged Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). The team also took into account the Common Vulnerability Scoring System (CVSS) scores associated with each CVE.
The second biggest weakness identified in this year's list was "out-of-bounds write." This vulnerability was given a threat score of 46.16, just marginally lower than the threat occupying pole position.
"These aren’t new risks, so why have organizations failed to find these problems before releasing code to production, or failed to protect these vulnerabilities against attack in production?" commented Jayant Shukla, CTO and co-founder of K2 Cyber Security.
"Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect."
Instacart has reported a security incident in which two employees working for a third-party vendor accessed its customers’ personal information. The company noted these individuals “reviewed more shopper profiles than was necessary in their roles as support agents.”
Information potentially viewed includes customer names, email addresses, telephone numbers, driver’s license numbers and thumbnail images of the driver’s licenses.
The grocery delivery and pick-up firm said that following a thorough investigation, conducted with a forensic analysis company, it has concluded that “no shopper data was stored, downloaded or digitally copied in any way.”
Instacart has since emailed the 2180 shoppers affected to notify them of the incident and the preventative measures taken. It is also offering two years of free credit monitoring and protection to these shoppers.
The company added that it has worked with the third party to ensure the two employees never work on behalf of Instacart again and has also suspended work at the particular third-party support location.
For those shoppers who believe they have been impacted by the incident, Instacart said it is introducing a new dedicated shopper support process, and to help prevent such incidents occurring in the future, it is adding two-factor authentication to more aspects of the Shopper app.
Commenting on Instacart's statement, Keith Geraghty, solutions architect at Edgescan, said: “You can conduct all the vetting in the world of your employees, but it is not a surefire way to protect yourself from these types of issues. What will help is good compliance standards. In technical terms, that means enforcing least privilege, keeping and reviewing logs and having the correct security awareness training for all staff.
“It is not clear whether any malicious intent was involved, so we are yet to find out if the action taken was on the strong side. You cannot leave the door wide open and expect that everyone will pass by and not take a peek in.”
Martin Jartelius, CSO, Outpost24, commented: “Looking at countries that log these breaches with great care, we cannot see the insider breaches where individuals access data to which they have permission to do so, however, without business justification is relatively common. Cases can be seen by police, in medical care and more.
“The interesting part is that this is generally only detected where there are strict requirements for logging and auditing, there is no reason to suspect that police or medical care, or in this case support workers, are more inclined to such breaches, but rather that if you look for deviations, you shall find deviations. This speaks nicely in favor of a good practice of logging and auditing where the breach occurred.”
Organizations increasingly work with third-party vendors, who often hold their data or access their networks, and this is adding to the risk of security incidents occurring.
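The kind of review Jartelius describes, looking for access that is permitted but not business-justified, is a matter of keeping the audit log and comparing each agent's lookups against the work that should explain them. The following is an added example, not Instacart's tooling: it runs over a constructed support audit log (agent, profile viewed, ticket the view was made under) and flags agents whose profile views outrun their tickets. The thresholds are assumed values an organisation would tune to its own workflow.

```python
"""Flag support agents whose shopper-profile lookups exceed what their tickets justify.

The records below are a constructed audit log, not real Instacart data. Each
profile view carries the agent, the shopper profile viewed and the support
ticket (if any) the view was made under. Two signals are used: the ratio of
distinct profiles viewed to distinct tickets worked, and the count of views
with no ticket behind them at all.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProfileView:
    agent: str
    profile_id: str
    ticket_id: Optional[str]  # None: the lookup was not tied to any ticket


# Constructed audit log (not real data).
SAMPLE_LOG = [
    ProfileView("agent-a", "p-1001", "T-1"),
    ProfileView("agent-a", "p-1002", "T-2"),
    ProfileView("agent-a", "p-1003", "T-3"),
    ProfileView("agent-b", "p-2001", "T-4"),
    ProfileView("agent-b", "p-2002", "T-5"),
    ProfileView("agent-c", "p-3001", "T-6"),
    ProfileView("agent-c", "p-3002", None),  # browsing profiles with no ticket open
    ProfileView("agent-c", "p-3003", None),
    ProfileView("agent-c", "p-3004", None),
    ProfileView("agent-c", "p-3005", None),
    ProfileView("agent-c", "p-3006", None),
    ProfileView("agent-c", "p-3007", None),
    ProfileView("agent-c", "p-3008", None),
]


def views_per_ticket(log) -> dict:
    """Distinct profiles viewed divided by distinct tickets worked, per agent.
    Ticket-less views count toward profiles but not tickets."""
    profiles, tickets = defaultdict(set), defaultdict(set)
    for v in log:
        profiles[v.agent].add(v.profile_id)
        if v.ticket_id is not None:
            tickets[v.agent].add(v.ticket_id)
    return {a: len(profiles[a]) / max(1, len(tickets[a])) for a in profiles}


def unticketed_views(log) -> dict:
    """Per agent, how many views had no support ticket behind them."""
    counts = defaultdict(int)
    for v in log:
        if v.ticket_id is None:
            counts[v.agent] += 1
    return dict(counts)


def flag_agents(log, max_ratio: float = 2.0, max_unticketed: int = 2) -> dict:
    """Return {agent: [reasons]} for agents exceeding either assumed threshold."""
    ratios = views_per_ticket(log)
    unticketed = unticketed_views(log)
    flagged = {}
    for agent, ratio in ratios.items():
        reasons = []
        if ratio > max_ratio:
            reasons.append(f"{ratio:.1f} distinct profiles per ticket")
        if unticketed.get(agent, 0) > max_unticketed:
            reasons.append(f"{unticketed[agent]} views without a ticket")
        if reasons:
            flagged[agent] = reasons
    return flagged


if __name__ == "__main__":
    for agent, reasons in flag_agents(SAMPLE_LOG).items():
        print(agent, "->", "; ".join(reasons))
```

A flag is a prompt for a human review, not a verdict; the same report should go to whoever owns the vendor relationship, since the agents here are the vendor's staff.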
Credential stuffing attacks against the media industry have grown substantially from an already large base during the COVID-19 pandemic, according to experts from Akamai speaking on a recent webinar.
This stems from a rise in people using online media during the lockdown, such as increased consumption of TV and streaming services for entertainment and for news coverage of the pandemic. The growth in attempts to access media accounts is similar to spikes Akamai has observed in credential stuffing attacks during holiday periods over previous years, when such services are at their most popular. Martin McKeay, editorial director at Akamai, said: “This has become a more relevant discussion in 2020 than any year before it.”
In Q1 of 2020, Akamai figures showed that publishing was the sector most targeted by this type of attack due to a surge in popularity for news content about COVID-19.
Credential stuffing is essentially the use of a long list of usernames and passwords stolen from other sites to try and access accounts. This is often a successful tactic as many people use the same credentials across multiple online accounts.
Steve Ragan, security researcher at Akamai, outlined the scale at which this method was being used prior to the pandemic, with 88 billion credential stuffing attacks recorded between January 1 2018 and December 31 2019. Of these, 20% targeted the media industry, which in many ways is particularly vulnerable compared to other sectors.
“Unfortunately, password recycling and reuse in the media industry is very common,” Ragan explained. “A lot of users don’t see media accounts as something they need to protect and they often share these accounts with their friends and family.”
The ways in which cyber-criminals are doing this have also become more sophisticated, including merging old and new lists of usernames and passwords for use against media services and using automation and bots to launch malicious login attempts at scale.
Ragan also noted that credential stuffing actors are increasingly acting as businesses, responding to market demands and even offering credentials for free to clients in order to build their reputation.
Defending against this type of attack is no easy task. Akamai highlighted that one way it helps protect its customers is by driving up the compute cost whenever a bot is running mass credentials against an account. “It’s trying to drag that cost up, disincentivizing that attack,” said Patrick Sullivan, senior director of global security strategy at Akamai.
Ultimately, however, the only effective way of preventing these types of attacks from taking place is to encourage better password habits amongst users of media services. Sullivan commented: “As long as we’re using simple usernames and password credentials for authentication we will have these types of attacks and adversaries will evolve and become more evasive in the way they go about validating credentials.”
Ragan added: “No matter what you may think about the risk proposition an account has when it comes to media and streaming services, the criminals don’t care. The criminals will target anything and everything that isn’t nailed down. There’s always value in something, particularly when they can take an account over.”
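As an added illustration, not code from Akamai or from the webinar speakers, the following Python script applies the two points above to constructed login events: it flags a source that tries many distinct usernames inside a short window with a low success rate (the credential-stuffing signature, which a single user retrying their own password never matches because the distinct-username count stays at one), and it escalates a hashcash-style proof-of-work puzzle for such sources so that every further guess costs the bot CPU time. The event format, the thresholds and the puzzle parameters are assumptions made for the example.

```python
"""Credential-stuffing detection over login events, plus an escalating
proof-of-work cost for suspicious sources.

Added example; not Akamai's code. All events below are constructed.
"""
import hashlib
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since an arbitrary epoch
    src_ip: str
    username: str
    success: bool


# Constructed sample: one source replaying a leaked list (many distinct
# usernames, almost all failing), one person mistyping their own password,
# and one ordinary successful login.
SAMPLE_EVENTS = [
    LoginEvent(0, "203.0.113.5", "alice", False),
    LoginEvent(8, "203.0.113.5", "bob", False),
    LoginEvent(16, "203.0.113.5", "carol", False),
    LoginEvent(24, "203.0.113.5", "dave", False),
    LoginEvent(32, "203.0.113.5", "erin", False),
    LoginEvent(40, "203.0.113.5", "frank", True),   # one reused password hit
    LoginEvent(5, "198.51.100.7", "alice", False),
    LoginEvent(10, "198.51.100.7", "alice", False),
    LoginEvent(15, "198.51.100.7", "alice", True),
    LoginEvent(30, "192.0.2.9", "bob", True),
]


def detect_credential_stuffing(events, window_s=60, min_distinct_users=5,
                               max_success_ratio=0.2):
    """Return {src_ip: (distinct_users, attempts, successes)} for sources whose
    sliding window shows the stuffing signature: many distinct usernames tried
    from one source with a low success rate. A single user retrying their own
    password never trips this, however often they fail."""
    recent = defaultdict(deque)   # src_ip -> events still inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.src_ip]
        q.append(ev)
        while ev.ts - q[0].ts > window_s:
            q.popleft()
        distinct = {e.username for e in q}
        successes = sum(1 for e in q if e.success)
        if len(distinct) >= min_distinct_users and successes / len(q) <= max_success_ratio:
            flagged[ev.src_ip] = (len(distinct), len(q), successes)
    return flagged


def pow_difficulty_bits(distinct_users_in_window, threshold=5, step=2, cap=20):
    """Leading-zero bits a client must produce before its next attempt is
    processed: zero for ordinary sources, growing with the number of distinct
    usernames a source has tried, so a list-replaying bot pays more CPU per
    guess while a single retrying user pays nothing."""
    if distinct_users_in_window < threshold:
        return 0
    return min(cap, step * (distinct_users_in_window - threshold + 1))


def verify_pow(challenge: bytes, nonce: int, bits: int) -> bool:
    """Hashcash-style check: SHA-256(challenge || nonce) starts with `bits` zero bits."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve_pow(challenge: bytes, bits: int) -> int:
    """Client side of the puzzle: brute-force a nonce (the cost the server imposes)."""
    nonce = 0
    while not verify_pow(challenge, nonce, bits):
        nonce += 1
    return nonce


if __name__ == "__main__":
    for ip, (users, attempts, ok) in detect_credential_stuffing(SAMPLE_EVENTS).items():
        bits = pow_difficulty_bits(users)
        print(f"{ip}: {users} usernames / {attempts} attempts / {ok} success -> {bits}-bit puzzle")
```

The window, threshold and success-ratio values are deliberately conservative; in practice they are tuned per service against the normal ratio of distinct usernames per source, and the puzzle is only one of several cost levers (rate limits and step-up authentication being the others).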
The volume of stolen payment cards up for sale on the dark web has plummeted in the first half of 2020 thanks in part to changing shopping patterns driven by COVID-19, according to Sixgill.
The cyber-intelligence company’s biannual Underground Financial Fraud report is distilled from its analysis of underground carding and other sites.
It revealed that around 45.1 million cards were put up for sale in the first half of 2020, a 41% decline from the 76.2 million offered on dark web sites in the second half of 2019.
The firm explained that much of the decline could be linked to unusual law enforcement activity in Russia which has led to the closure of several underground sites during the period.
Although Russian police are usually content to let cybercrime activity flourish inside the country as long as it is directed at foreign targets, investigators arrested 25 suspects and shut down dozens of online marketplaces back in March.
These accounted for 54% of the world’s stolen card trade, according to Sixgill.
“It’s likely that many of the accused criminals had drawn the ire of authorities by violating domestic criminal laws,” wrote cyber-threat intelligence analyst, Michael-Angelo Zummo.
“In arresting the suspects, police found illicit narcotics, firearms, fraudulent Russian passports and Russian law enforcement identification. In other words, these select criminals seemed to have violated the first rule of cybercrime: don’t hack where you eat.”
However, more dark web markets subsequently rose to take the place of those shut down.
In fact, the dramatic drop in card volumes cannot be explained by increased Russian law enforcement activity alone.
Rather, fewer people are now shopping in stores where point-of-sale malware and skimmers may be installed to steal their card data, said Zummo.
These “dumps” are used to clone cards for face-to-face fraud, whereas only internet-based attacks such as Magecart can harvest the CVVs cyber-criminals need to commit online fraud, he explained.
In Europe, where EMV is more widespread, online attacks and fraud are by far the most popular type.
“Activity on dark web marketplaces shows that the coronavirus lockdowns have changed the fraud landscape. As in-person shopping declined, so did the types of credit card fraud that depended on it,” Zummo concluded.
“This sequence of events points to a shifting strategy for cybersecurity professionals, and consumers as well. Merchants need to make sure they have tools in place to prevent e-skimming attacks like Magecart, and, as in-person shopping continues to tick upward, retailers should only use chip-enabled point-of-sale systems.”
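The report names the threat (Magecart e-skimming) but not a specific control. The following Python check is an added example, not from Sixgill, of one widely used defence: every script on a checkout page must either be first-party, carry a CSP nonce, or come from an allowlisted origin with a subresource-integrity hash, and the same rule is emitted as a Content-Security-Policy directive so the browser enforces it. The page, the origins and the hash value are constructed.

```python
"""Check a checkout page's <script> tags against an origin allowlist and a
subresource-integrity (SRI) requirement, and emit the matching CSP directive.

Added example, not from Sixgill's report. The HTML and origins are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> element with its attributes and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of (attrs_dict, inline_body)
        self._attrs = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs, self._body = dict(attrs), []

    def handle_data(self, data):
        if self._attrs is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            self.scripts.append((self._attrs, "".join(self._body)))
            self._attrs = None


def script_origin(src: str, first_party: str) -> str:
    """Origin of a script URL; relative URLs are served by the merchant itself."""
    u = urlparse(src)
    if not u.netloc:
        return first_party
    return f"{u.scheme or 'https'}://{u.netloc}"


def audit_checkout_scripts(html: str, first_party: str, allowed_origins: set) -> list:
    """Return (problem, detail) pairs. Flags the three things an injected
    skimmer usually relies on: an inline script without a CSP nonce, an external
    script from an origin outside the allowlist, and an allowlisted third-party
    script without an integrity attribute (a tampered CDN file would still load)."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs, body in collector.scripts:
        src = attrs.get("src")
        if src is None:
            if not attrs.get("nonce"):
                findings.append(("inline script without nonce", body.strip()[:80]))
            continue
        origin = script_origin(src, first_party)
        if origin == first_party:
            continue
        if origin not in allowed_origins:
            findings.append(("script from origin outside allowlist", src))
        elif not attrs.get("integrity"):
            findings.append(("third-party script without integrity attribute", src))
    return findings


def csp_script_src(allowed_origins: set, nonce: str) -> str:
    """Directive enforcing the same policy in the browser; connect-src 'self'
    additionally stops an injected script from posting form data elsewhere."""
    origins = " ".join(sorted(allowed_origins))
    return f"script-src 'self' 'nonce-{nonce}' {origins}; connect-src 'self'"


FIRST_PARTY = "https://shop.example.com"
ALLOWED_ORIGINS = {"https://cdn.example.net"}
SAMPLE_CHECKOUT_HTML = """<!-- constructed page, not a real merchant -->
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-CONSTRUCTEDHASH" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="https://unknown-host.invalid/widget.js"></script>
<script nonce="c0nstructed">window.__cfg = {};</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="card"></form></body></html>
"""

if __name__ == "__main__":
    for problem, detail in audit_checkout_scripts(SAMPLE_CHECKOUT_HTML, FIRST_PARTY, ALLOWED_ORIGINS):
        print(f"{problem}: {detail}")
    print(csp_script_src(ALLOWED_ORIGINS, "c0nstructed"))
```

Run against a rendered copy of the live checkout page (what the browser receives, not the template), since skimmer code is typically added to served content or to a dependency rather than to the merchant's own source.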
A majority of global organizations have been spending more on cybersecurity and compliance during the pandemic, whilst also reporting increased pressure to reduce costs, according to new Microsoft data.
The Redmond giant polled nearly 800 business leaders from organizations with over 500 employees in the UK, US, Germany and India to better understand how COVID-19 has impacted cybersecurity.
The report revealed that 58% had increased security budgets and 65% upped compliance spending, although 81% said they’re also under pressure to cut overall security costs. Organizations with mostly on-premises environments are apparently more likely to feel squeezed on budgets.
In terms of technology spending, multi-factor authentication (20%), endpoint device protection (17%) and anti-phishing tools were the top targets for investment.
That tallies with respondents’ claims that phishing has been the biggest risk, with 90% citing it.
In the longer term, 40% said they are prioritizing investments in cloud security tools such as Cloud Access Security Broker (CASB), Cloud Workload Protection Platform and Cloud Security Posture Management (CSPM), followed by data security (28%) and anti-phishing (26%).
Part of the increased spending on security has also gone on new hires, according to the Microsoft data.
Over two-fifths (42%) said they’d brought in new talent to help out, while 40% outsourced the work. On the other side, 31% said they’d instituted a hiring freeze and 19% had downsized their security team.
The pandemic has also accelerated plans to transition to a Zero Trust environment for more than half (51%) of respondents, perhaps linking back to the large numbers investing in MFA.
“Security technology is fundamentally about improving productivity and collaboration through inclusive end user experiences. Improving end user experience and productivity while working remotely is the top priority of security business leaders (41%), with ‘extend security to more apps for remote work’ identified as the most positively received action by users,” argued Microsoft Security general manager, Andrew Conway.
“Not surprisingly, then, ‘providing secure remote access to resources, apps and data’ is the biggest challenge. For many businesses, the journey begins with MFA adoption.”
A former Uber CSO has been charged with obstruction of justice after allegedly concealing the facts of a major 2016 breach of the firm from law enforcement, regulators and senior management.
Joseph Sullivan, 52, of Palo Alto, was the car hire giant’s security supremo from April 2015 to November 2017.
The criminal complaint against him, filed in a federal court on Thursday, alleges that he failed to inform the FTC about the compromise of personally identifiable information (PII) on 57 million customers and drivers.
Ironically, he apparently received an email from the hacker informing him of the breach just 10 days after having completed testimony to the regulator about a previous 2014 breach.
Instead of coming clean, Sullivan is alleged to have paid the cyber-criminals $100,000 in Bitcoin through a bug bounty program and forced them to sign an NDA claiming falsely that no data was taken or stored.
The indictment claimed that Uber personnel were able to discover the identities of two of the attackers, whose real names were placed on the NDA.
The Department of Justice complaint said that in August 2017, Sullivan briefed Uber’s new CEO, Dara Khosrowshahi, about the incident via email, editing the summary prepared by his team. It apparently stated falsely that payment had been made only after the hackers had been identified and also removed details about the type of data taken.
Sullivan now faces one count of obstruction of justice, carrying a five-year maximum term, and one count of misprision of a felony, which could land him three years. The latter offense is one in which an individual fails to inform the authorities of a felony they know has been committed.
The two hackers pleaded guilty last October to computer fraud conspiracy charges.
“Silicon Valley is not the Wild West,” said US attorney David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Casey Ellis, CTO and founder of Bugcrowd, argued that the case may have negatively influenced the public’s view of the hacking community and of bug bounties.
“Historically, hackers were strictly viewed as malevolent, but the industry’s understanding of ethical hackers within the industry has progressed within the last few years to include the much larger community,” he added.
“In fact, there’s a global community of ethical hackers who operate above board and in good faith, and are committed to helping organizations improve their security postures.”
Funding for UK cybersecurity startups has surged by 940% since the start of the COVID-19 lockdown, with this sector experiencing substantial growth because of the health crisis, according to a new report by recruitment firm Robert Walters.
The research, entitled Cybersecurity - Building Business Resilience, showed that the £496m raised by investors in these companies in the first half of 2020 almost reached the entire figure for 2019 (£521m). These figures were first outlined by LORCA last month.
The new report also highlighted UK government figures showing there has been a 44% rise in companies providing cybersecurity products and services, suggesting that a new business in this area is registered every week on average.
The growth of this sector is largely due to the shift to home working during COVID-19, according to the report, with 48% of UK companies stating they do not have adequate cybersecurity capabilities to enable this safely in the long-term.
As a result, there was a 6% rise in vacancies in cybersecurity roles during the first half of 2020 in the UK. Cybersecurity consultancies were also found to be one of the fastest growing types of startups in the UK, with organizations increasingly looking externally for these services due to the skills shortage in the sector, estimated to be at 140,000 across Europe.
Ajay Hayre, senior consultant technology at Robert Walters, commented: “Historically, IT security has represented only 5% of a company’s IT budget but due to remote working and transition to online or cloud-based solutions, cybersecurity has been thrust to the center of business continuity plans – having proved its worth in enabling business objectives during lockdown.
“Not only will every company see the benefit of having this expertise in-house, but they will be looking externally for tools, services and advisors to help guarantee the future-proofing of their business by way of solid and robust cybersecurity provisions.”
Researchers have discovered a sophisticated new peer-to-peer botnet that has been actively breaching Secure Shell servers since January.
FritzFrog, which deploys a worm written in Golang, was unearthed by a team at Guardicore. The malware is multi-threaded and fileless and, disconcertingly, leaves no trace on the disks of the machines it infects.
It creates a backdoor in the form of an SSH public key, providing the attackers with ongoing access to victim machines.
Organizations in the government, education, and finance industries have all been targeted by the botnet, which has managed to successfully breach over 500 servers. Victims include a railway company and universities in the United States and Europe.
Researchers wrote: "FritzFrog has attempted to brute force and propagate to tens of millions of IP addresses of governmental offices, educational institutions, medical centers, banks and numerous telecom companies."
The botnet is considered to be sophisticated because its peer-to-peer (P2P) implementation was written from scratch and is completely proprietary. Researchers believe that this shows the botnet was created by "highly professional software developers."
FritzFrog uses a decentralized infrastructure to distribute control among all its nodes.
Describing how the botnet functions, researchers wrote: "In this network with no single point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date. P2P communication is done over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange."
Guardicore Labs has developed a client program in Golang capable of intercepting FritzFrog’s P2P communication. However, researchers have not been able to pin down the origins of the malicious botnet.
"While we are unable to attribute the FritzFrog botnet to a specific group, we have found some resemblance to a previously-seen P2P botnet named Rakos," wrote researchers.
Guardicore Labs first noticed this malicious campaign in January as part of its ongoing Botnet Encyclopedia research. Researchers have identified 20 different versions of the malware executable.
Offering advice on how to avoid becoming a FritzFrog victim, researchers wrote: "Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public key authentication."
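The backdoor described earlier (an SSH public key left on the victim) and the recommendation to use public key authentication point to a straightforward defender's check: every key that can log in should be one the organisation put there. The following Python script is an added example, not Guardicore's tooling: it parses an authorized_keys file (including entries with option prefixes such as command="..."), computes SHA256 fingerprints in the format ssh-keygen -lf prints, and reports keys missing from an approved inventory as well as lines that are not valid keys at all. The sample file and both keys are constructed.

```python
"""Audit an authorized_keys file against an inventory of approved fingerprints.

Added example; not Guardicore's tooling. Fingerprints are computed the way
`ssh-keygen -lf` prints them (SHA256 of the wire-format key, base64, no
padding). All keys and the sample file are constructed.
"""
import base64
import binascii
import hashlib
import shlex
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_fingerprint(raw_key: bytes) -> str:
    """SHA256 fingerprint of a key in OpenSSH wire format."""
    digest = hashlib.sha256(raw_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def decode_key_blob(key_type: str, b64_blob: str) -> bytes:
    """Base64-decode a key blob and check that the type string embedded in it
    matches the declared type; raises on anything malformed."""
    raw = base64.b64decode(b64_blob, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    embedded = raw[4:4 + n].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"declared {key_type} but blob encodes {embedded!r}")
    return raw


def parse_authorized_keys(text: str):
    """Yield (lineno, options, key_type, blob, comment); blank and '#' lines are
    skipped. Options such as command="..." may precede the key type, so the
    key-type token is located rather than assumed to be first."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        idx = next((i for i, t in enumerate(tokens)
                    if t in KEY_TYPES or t.startswith("sk-")), None)
        if idx is None or idx + 1 >= len(tokens):
            yield lineno, None, None, None, line
            continue
        yield (lineno, " ".join(tokens[:idx]), tokens[idx], tokens[idx + 1],
               " ".join(tokens[idx + 2:]))


def audit_authorized_keys(text: str, approved_fingerprints: set) -> list:
    """Return (lineno, fingerprint, reason) for each entry needing attention:
    keys missing from the inventory, and lines that are not valid keys at all
    (sshd ignores those, but they still show the file was edited)."""
    findings = []
    for lineno, options, key_type, blob, comment in parse_authorized_keys(text):
        if key_type is None:
            findings.append((lineno, None, "unparseable line"))
            continue
        try:
            raw = decode_key_blob(key_type, blob)
        except (binascii.Error, struct.error, ValueError) as exc:
            findings.append((lineno, None, f"malformed key: {exc}"))
            continue
        fp = ssh_fingerprint(raw)
        if fp not in approved_fingerprints:
            findings.append((lineno, fp, f"{key_type} not in inventory "
                                         f"(comment={comment!r}, options={options!r})"))
    return findings


def make_ed25519_blob(pubkey: bytes) -> str:
    """Encode 32 public-key bytes as an OpenSSH ssh-ed25519 blob (constructed test data)."""
    wire = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(pubkey)) + pubkey)
    return base64.b64encode(wire).decode()


APPROVED_BLOB = make_ed25519_blob(bytes(range(32)))       # constructed, in inventory
UNKNOWN_BLOB = make_ed25519_blob(bytes(range(32, 64)))    # constructed, not in inventory
APPROVED_FP = ssh_fingerprint(base64.b64decode(APPROVED_BLOB))
UNKNOWN_FP = ssh_fingerprint(base64.b64decode(UNKNOWN_BLOB))
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file, not from a real host
ssh-ed25519 {APPROVED_BLOB} admin@bastion
command="/usr/local/bin/backup",no-pty ssh-ed25519 {UNKNOWN_BLOB}
ssh-rsa not-a-key!! broken@host
"""

if __name__ == "__main__":
    for lineno, fp, reason in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, {APPROVED_FP}):
        print(f"line {lineno}: {fp or '-'} {reason}")
```

In practice the check runs over every user's ~/.ssh/authorized_keys and /root/.ssh/authorized_keys on each host, with the inventory taken from the configuration-management source of truth rather than from the hosts themselves; pairing it with PasswordAuthentication no in sshd_config removes the weak-password entry point the researchers describe.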