Tracking the activity of nefarious groups affords defenders a deeper level of understanding that can be useful in not only understanding different types of threats but also in building defenses to withstand a cyber-attack.
Today, Dragos released its updated profile on CHRYSENE ICS, one of the seven groups that have emerged from long-running cyber-espionage activity. Sergio Caltagirone, director of threat intelligence at Dragos, wrote in his blog post, “The current industrial threat landscape is very concerning. All of our intelligence suggests industrial security entering a massive growth of threat activity which will likely last at least the next decade. Nobody is facing a “cyber pearl harbor” as some pundits suggest. But, it is not a quiet and calm environment either.”
All seven of the groups are ICS-focused, and it is believed that they are investing their time and money into attacking industrial systems. The CHRYSENE ICS-focused group has been well-known since coming onto the scene in 2012 with the Shamoon attack that targeted Saudi Aramco and disabled tens of thousands of workstations.
After a lull of activity in late 2017, CHRYSENE has begun to establish a new infrastructure to create a larger footprint for operations. According to Dragos, CHRYSENE has moved beyond email spear phishing and is now using strategic web compromise – watering holes – to exploit victims.
Analysis after the 2012 attack revealed that the group appeared to have some degree of involvement in the 2016 Shamoon 2 attack and remains active in targeting the Arabian Gulf region and the Middle East.
Currently, the group’s primary mode of operation is to compromise IT and do reconnaissance against industrial organizations. Dragos has not seen evidence of this group having any ICS-specific capabilities that could damage critical infrastructure. But, they do target oil, gas and manufacturing companies, mostly in Europe and North America, and focus on network penetration.
“The group specializes in initial penetration – CHRYSENE compromises a target machine and passes the victim to another group for further exploitation. The group operates in Iraq, Pakistan, Israel, and the UK, and is an evolution of previous campaigns focusing exclusively on the Arabian Gulf region,” wrote Caltagirone.
Defenders might find success if they shift the focus to the "kill chain", said Caltagirone. "The initial access, lateral movement, and intelligence gathering process which takes months or years before any disruption. Organizations and defenders have a higher chance of discovering and remediating ICS threats earlier in this process before any disruption."
On the heels of the Department of Homeland Security releasing its cybersecurity strategy, the US Department of Energy has unveiled its own Multiyear Plan for Energy Sector Cybersecurity, an effort to make US energy systems more resilient and secure.
While the nation's critical infrastructure has increasingly become a target for cyber-attacks that have the potential to cause damage and disruption to energy services, energy companies struggle to keep pace with – much less get ahead of – sophisticated attacks. Anticipating and reacting to the latest cyber-threat is a ceaseless endeavor that requires ever more resources and manpower.
"Despite the sector’s ever-improving defenses, the variety of threat actors and methods of attack are expanding, while the impact of incidents has evolved from exploitation to disruption to destruction. A 2015 survey of 150 IT professionals in the energy sector, conducted by Tripwire, showed that more than 75% of energy companies reported an increase in successful cyber-attacks in the previous 12 months, with many reporting increases of 50% or more," the plan stated.
In addition to planning to curb supply-chain risk and boosting threat-sharing with the private sector, the plan also sets forth the intention to accelerate research and development to make energy systems more resilient to hacking.
“Reliable energy and power is the cornerstone of our advanced digital economy and is essential for critical operations in transportation, water, communications, finance, food and agriculture, emergency services, and more,” the plan stated.
The White House administration has requested $96m in the 2019 federal budget, and the energy sector plan will also serve as a roadmap on how to best allocate funds for the new office of cybersecurity, energy security, and emergency response.
Many welcome the DOE’s efforts to raise awareness around the threats to the energy sector, but Ray DeMeo, chief operating officer at Virsec, questioned whether laying out a strategy would be enough to overcome the obstacles inherent in legacy systems.
“While the strategy pillars are sound, making them actionable will be challenging. It's critical that we invest with speed and agility, and the roadmap’s goal to accelerate game-changing RD&D of resilient systems stands out. The administration’s funding request for $96m is hopefully just a down payment, because protecting our infrastructure adequately will cost billions."
UK businesses suffered the highest increase globally in costs associated with DNS attacks, with a fifth suffering the loss of sensitive data, according to the latest figures from EfficientIP.
The DNS security firm polled 1,000 senior technology and security decision makers around the globe from January to April 2018 to compile its 2018 Global DNS Threat Report.
It revealed that 77% of organizations were hit by a DNS attack in 2018, with the average firm suffering seven attacks.
DNS attacks come in various flavors, but usually involve denial of service, infecting DNS infrastructure with malware designed to take the user to malicious sites, or exfiltrating data via DNS tunneling techniques.
EfficientIP found DNS-based malware and phishing (36%) were the most popular attacks, followed by DDoS (20%) and similar lock-up domain attacks (20%), and DNS tunneling (20%).
The report clearly shows the potentially major impact DNS attacks can have on organizations: 40% of respondents claimed they suffered cloud outages, one-third (33%) were victims of data theft and 22% suffered lost business.
In the UK, 20% lost sensitive data, 15% had IP stolen, and 21% lost customers, according to EfficientIP.
The global average cost per DNS attack increased by 57% year-on-year, but in the UK the figure soared 105%, with firms paying nearly $4m annually.
An EfficientIP spokesman told Infosecurity that London’s position as a financial center may have led to the surge in attack costs.
“The research shows the cost and frequency of attacks have increased exponentially in the financial sector,” he said. “A likely explanation could be that the City is an ideal target for hackers as it provides lucrative and vulnerable targets. The TSB IT disaster is a good example of this: TSB made its customers ideal targets for phishing attacks.”
In fact, UK financial services firms faced on average eight attacks, more than any other industry, according to the report. These cost an average of £681,000 per attack, equating to around £5.4m each year.
The number of data security incidents reported to the UK’s Information Commissioner’s Office (ICO) jumped 17% between the final three months of 2017 and the first quarter of 2018, according to new figures.
In its last update before the EU GDPR takes effect, the privacy watchdog revealed a rise in incident reports from 815 to 957. Although cybersecurity-related incidents increased by 31% from the previous quarter, the first month-on-month increase since Q4 2016-17, human error dominated.
In fact, over the 2017-18 financial year, 3325 reports were filed with the ICO, with the number one breach type “data emailed to incorrect recipient,” (13%) followed closely behind by “data faxed to wrong recipient” (13%). Also high was “loss or theft of paperwork” (13%).
The healthcare sector accounted for by far the largest volume of reports (37%), although this figure is likely to be a result of mandatory reporting rules. After health came “general business” (11%), education (11%) and local government (10%).
Nominet CTO, Simon McCalla, argued that the rise in reported incidents may be the result of companies becoming more cautious ahead of the GDPR.
“Interestingly, there are far more incidents caused by human error than there are external cyber-threats, suggesting that a lot more work needs to be done on training employees,” he added.
“Often, however, cyber-threats can lay unnoticed for months or even years and so this data may well be skewed towards incidents that are immediately identifiable. This information should not, therefore, lure anyone into a false sense of security. We’d encourage all organizations across the UK to up their vigilance against any and all threats, whether that’s external threats lying dormant or unwitting employees making mistakes.”
Egress CEO, Tony Pepper, claimed that the challenges presented by human error can be resolved by better arming staff via training and tools.
"Now the GDPR is upon us, it is more imperative than ever that organizations adopt an approach that’s focused on users, working out what technology and support they can give their employees to help them handle data safely at work,” he added.
President Trump has shelved the role of cybersecurity co-ordinator in a move heavily criticized by industry experts and lawmakers as a retrograde step.
Reports first emerged last week that new national security advisor, John Bolton, was looking to jettison the role, which was created by President Obama to help harmonize cybersecurity policy at the upper echelons of government.
Now it appears the National Security Council (NSC) head has got his way, after the White House chose not to replace Trump’s first appointee to the role, Rob Joyce, whose departure was announced in April.
It came amidst a spate of departures from the NSC following Bolton’s appointment; Trump’s third in this crucial position after just a year in office.
NSC spokesman Robert Palladino claimed in a statement that two senior cybersecurity policy directors within the NSC would take over Joyce’s role.
“Today’s actions continue an effort to empower National Security Council senior directors. Streamlining management will improve efficiency, reduce bureaucracy and increase accountability,” he’s reported as adding.
Senior lawmakers were quick to hit back, among them Democrat Mark Warner, who is vice chairman of the powerful Senate Intelligence Committee.
“It’s frankly mindboggling that the Trump Administration has eliminated the top White House official responsible for a whole-of-government cyber strategy, at a time when the cyber threat to our nation is greater than ever,” he tweeted.
“Our adversaries are investing heavily in 21st century cyber-warfare capabilities, and if we only view national security through a conventional 20th century lens, we’re going to find ourselves unable to respond to increasingly asymmetric cyber threats down the road.”
Ross Rustici, senior director, intelligence services, at Cybereason, added that the decision to ditch the role would leave the White House “flat-footed” during the next major cyber-event.
“In situations where minutes matter, the most prepared person in the room almost always carries the day. In a room full of decision makers with no cybersecurity background and a general who is in charge of fighting cyber-wars, it is a foregone conclusion as to who will have the strongest voice in the room,” he argued.
“Every cyber-event will become a military issue with a military solution. Regardless of the efficacy of the position or those who occupied it, the fact that the position existed demonstrated a commitment to understanding, managing and responding to cyber-threats in a way that was on par with the other major global issues of the day.”
The Department of Homeland Security (DHS) unveiled on Tuesday, 14 May, a new national strategy to be implemented to address evolving cybersecurity risks. The DHS strategy outlines strategic and operational goals and priorities to successfully execute the full range of the DHS secretary’s cybersecurity responsibilities.
“The strategy is built on the concepts of mitigating systemic risk and strengthening collective defense,” Homeland Security Secretary Kirstjen Nielsen said Tuesday as reported by The Hill. “Both will inform our approach to defending U.S. networks and supporting governments at all levels and the private sector in increasing the security and resilience of critical infrastructure.”
DHS aims to have improved national cybersecurity risk management and increased security and resilience across government networks and critical infrastructure by 2023.
The strategy is thorough in addressing cyber-threats. Recognizing that the proliferation of connected devices increases risk, DHS details its plans to manage threats from malicious actors with a wide range of motivations. Through a five-pillar strategy that includes risk identification, vulnerability reduction, threat reduction, consequence mitigation and cybersecurity outcome enablement, DHS will first look to gain a better understanding of our national risk posture.
“Understanding these risks at the strategic level will enable us to effectively allocate resources and prioritize efforts to address vulnerabilities, threats, and consequences across all of our cybersecurity activities,” the strategy states.
Driven by the guiding principles of cost-effective risk prioritization that takes a collaborative and global approach toward innovation and agility while balancing equities and honoring national values, DHS plans to mitigate cybersecurity threats at national and systemic levels.
The strategy also states that in order to protect critical infrastructure, DHS will partner with key stakeholders, “including sector specific agencies and the private sector, to drive better cybersecurity by promoting the development and adoption of best practices and international standards, by providing services like risk assessments and other technical offerings, and by improving engagement efforts to advance cybersecurity risk management efforts.”
While many applaud the release of the long-awaited national cybersecurity strategy to address the growing risks from nation-state attacks, some are concerned about the mixed messages coming out of the White House with the announcement that the cybersecurity coordinator position on the National Security Council has been eliminated.
“Eliminating the White House’s top cybersecurity job is vexing for a number of reasons. It comes at a time when our greatest cyber-adversaries, namely Russia, Iran and North Korea, are more relevant than ever on the global stage, and the country already lacks central cybersecurity leadership,” said Netskope's CEO, Sanjay Beri.
"The US needs cybersecurity leadership today more than ever, but the current structure of our top officials needs to be overhauled if we hope to correct course," Beri continued. "Forming a cohesive cyber-defense strategy has become nearly impossible as hundreds of departments report into a siloed set of decision makers. Instead of eliminating jobs we need to be creating them, and the first step in the right direction would be the appointment of a federal CISO to oversee all of our nation’s cybersecurity initiatives and promote interagency collaboration.”
Vulnerabilities can be tricky to detect. Flaws in third-party and downstream vendor code can be even harder to identify, often because of the ways libraries interact with each other.
According to a blog posted on 15 May by Chetan Conikee, CTO and co-founder of ShiftLeft, a Java-deserialization–based remote code execution (RCE) vulnerability has impacted numerous software-as-a-service (SaaS) software development kits (SDKs).
"In the majority of cases, a subset of the gadget chain (circumstances to exploit the deserialization vulnerability) is being triggered by customer application’s dependency on one or more 3rd party Software-as-a-Service SDKs, which in turn depends on a vulnerable version of jackson-databind," Conikee wrote.
The gadget chain consists of a series of links uncovered by examining the application's DNA. By first delving into the application's attack surface and data flow analysis, researchers then looked at the software composition analysis, which was made up of the application logic, its open source framework and dependencies, and third-party SaaS SDKs.
"Note that this is entirely derived from connecting the semantic graph of the application with [its] direct transitive dependencies and 3rd party SDK dependencies," Conikee wrote. The culmination is looking at the attack payload detection and operational state characteristics.
These stages are sequential and time consuming, which often leaves security teams having to choose between suspending service or risking a known vulnerability being exploited.
Illustrating the widespread impact using the Jackson-Databind module of the Jackson library, Conikee wrote, "An application that uses jackson-databind will become vulnerable when the enableDefaultTyping method is called via the ObjectMapper object within the application. An attacker can thus compromise the application by sending maliciously crafted JSON input to gain direct control over a server."
A proof of concept (PoC) exploit for this vulnerability is publicly available.
Though ShiftLeft is currently in the midst of the disclosure process for the several vulnerabilities it has identified, two organizations have fixed the problem.
"We can share that the following SDKs have been impacted and we applaud these organizations for their rapid response: SendGrid (upgrade to v4.2.1) and GoodData (upgrade to v2.25.1-SNAPSHOT)," Conikee wrote. ShiftLeft will continue to offer public applause and announce each vendor as updates are provided.
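The following is an added illustration, not code from ShiftLeft, Jackson or any of the SDKs named above: it places the weak ObjectMapper configuration Conikee describes (enableDefaultTyping) beside the hardened form that jackson-databind 2.10 and later provide, and shows that the hardened mapper rejects a sender-chosen class name before instantiating it. It assumes jackson-databind 2.10 or later on the classpath and a hypothetical application model package com.example.model.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import java.util.Map;

public class DefaultTypingDemo {

    /**
     * Weak configuration: the pattern the advisory describes. With unrestricted
     * default typing, any field declared as Object, an interface or a non-final
     * class may carry a class name chosen by whoever sends the JSON.
     */
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10; unrestricted polymorphic typing
        return mapper;
    }

    /**
     * Hardened configuration (jackson-databind 2.10+): default typing is only
     * honoured for classes under the application's own model package (assumed
     * "com.example.model"); any other type id is rejected before instantiation.
     */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Safest option: no default typing at all; the target type comes from code, never from input. */
    static ObjectMapper noDefaultTypingMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. With default typing on, the first array element is
        // the class Jackson will instantiate. java.util.HashMap is harmless; the point is
        // that the sender, not the application, picks the type.
        String typedJson = "[\"java.util.HashMap\", {\"k\": \"v\"}]";

        Object weak = weakMapper().readValue(typedJson, Object.class);
        System.out.println("weak mapper instantiated: " + weak.getClass().getName());

        try {
            hardenedMapper().readValue(typedJson, Object.class);
            System.out.println("unexpected: hardened mapper accepted the type id");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }

        // Without default typing, a type id in the input is just data, never a class name.
        Map<?, ?> plain = noDefaultTypingMapper().readValue("{\"k\": \"v\"}", Map.class);
        System.out.println("plain mapper: " + plain);

        // Because the vulnerable version usually arrives transitively through an SDK,
        // confirm which jackson-databind actually ends up on the classpath, e.g. with Maven:
        //   mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
    }
}
```

Searching the code base for enableDefaultTyping (and for activateDefaultTyping without a restrictive validator) gives a quick inventory of where the weak pattern is in use.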
Siemens, an industrial security provider, has issued a security advisory for a newly discovered vulnerability (CVE-2018-4850) that could lead to a denial-of-service (DoS).
The affected SIMATIC S7-400 CPUs improperly validate S7 communication packets, which could cause a DoS condition on a CPU. "The CPU will remain in DEFECT mode until manual restart," Siemens wrote.
An attacker only needs to be able to send the packets to a communication interface of the CPU via Ethernet or Process Field Bus (PROFIBUS), for example. No user interaction is needed in order to exploit the vulnerability. As of the security advisory publication on 15 May, there have been no known public exploitations.
The vulnerability, with a CVSS v3.0 base score of 7.5, affects the SIMATIC S7-400 CPU hardware v.4.0 and below, which are being phased out. The products in this family, which are used worldwide, have been designed for process control in industrial environments across the automotive industry and in mechanical equipment manufacturers, warehousing systems, building engineering, the steel industry, power generation and distribution, pharmaceuticals, the food and beverage industry and the chemical industry.
The vulnerability echoes the ongoing discussions about critical infrastructure security, and Andrew Lloyd, president of Corero Network Security, said that Siemens should be applauded for disclosing this vulnerability.
"There is a genuine risk of service disruption, malware infestation and/or safety if control equipment such as these PLCs is exposed on the Internet where the full pandemic of cyber-threats (including DDoS) is there to exploit their vulnerabilities," Lloyd said.
Also vulnerable are all firmware below v.5.2 and SIMATIC S7-400H CPU hardware v.4.5 and below. For customers that have not yet upgraded their hardware and firmware, Siemens offered additional mitigation strategies. Customers can apply the cell protection concept, use a virtual private network (VPN) for protecting network communication between cells, and apply a defense-in-depth architecture.
"Best practice advice would have the control networks that these PLCs form be completely isolated from the Internet," said Lloyd. "Older PLC equipment was not designed with Internet exposure in mind. Consequently, many have little or no security to protect them from being compromised."
The British Standards Institution (BSI) has launched a new kitemark for internet of things (IoT) devices in a move designed to help buyers better identify products they can trust to be reliable and secure.
The move comes after new voluntary measures were introduced in March by the government designed to encourage manufacturers to introduce security-by-design principles into the development of IoT products.
The new BSI Kitemark for IoT Devices is said to build on these guidelines by providing ongoing independent testing to ensure devices work properly and have security controls in place.
There are three types of kitemark: residential, commercial and enhanced.
A BSI spokesperson confirmed to Infosecurity: “the Commercial offering is typical for the enterprise market, unless the nature of the application requires enhanced security, in which case it is tested to the enhanced level.”
The new initiative, which the BSI claims is an industry first, will help IT buyers to sort through the huge variety of products on the market, and hopefully raise baseline security standards.
In order to achieve a kitemark, a manufacturer must first be assessed against ISO 9001, with the product in question required to pass an assessment of functionality and interoperability plus scanning for software vulnerabilities and other security flaws. Further functional and interoperability testing, pen testing and audits are undertaken after that and the kitemark will be withdrawn until deficiencies are rectified, the BSI said.
IoT threats represent a security challenge to IT bosses on several fronts. Compromised devices could be conscripted into botnets for mining crypto-currencies or launching DDoS attacks, unsecured endpoints can be hijacked to provide a stepping stone into corporate networks and mission critical facilities could be sabotaged.
The National Crime Agency warned in a new report this week that the development of IoT “will present opportunities for specific areas of criminal and law enforcement exploitation.” It added that IoT devices “represent the greatest emerging botnet threat.”
The first products to achieve the kitemark are expected to land in the summer.
Airports are ill-equipped to deal with a major cyber-attack, according to new research from PA Consulting Group.
The firm’s report Overcome the Silent Threat, based on in-depth analysis and interviews with four major international airports, outlines how the emergence of a hyper-connected model – where passengers in airports want fast internet and digital engagement with airlines and retailers – is increasing the cyber-risks airports face and creating more opportunities for cyber-criminals to exploit.
“Over recent years, the number of airport-related cyber threats has grown significantly. The damage caused by these successful threats confirms the need to address cybersecurity,” the report reads.
PA Consulting Group cited the following as trends that are increasing airports’ susceptibility to cyber-attacks: increased technology usage, hyper-connectivity, data-sharing obligations, customer centricity, IT/IoT towers, remote towers and airports as mega hubs.
“Fundamentally, the focus on physical security needs to be applied with the same rigor in the cyber-arena if airports are going to build resilience to potentially catastrophic cyber-attacks,” said David Oliver, global transport security lead at PA Consulting Group. “If the industry does not act now, it will find itself at increased vulnerability to cyber-attacks as new technologies become part of everyday operations.”
The report concludes by outlining the elements required to ensure airport cyber-resilience now and in the future:
- Ensuring that an airport is secure by design
- Establishing strong cybersecurity leadership and effective governance
- Adopting a lifecycle approach to cybersecurity
- Aligning cyber, physical and personnel security
- Establishing a security monitoring and incident response capability
- Ensuring cybersecurity stakeholders are identified and managed
- Underpinned by the establishment of a strong cybersecurity culture
“With the EU Network and Information Systems Directive, which aims to improve the cyber-resilience of the UK’s essential services, now in force, UK airports risk penalties of up to £17m for failing to put in place appropriate cybersecurity measures,” Oliver added.
Big Brother Watch is calling for police to stop using facial recognition technology which it claims is “dangerous and inaccurate,” after revealing potential human rights violations.
The group’s Face Off report was launched in parliament on Tuesday, with shadow home secretary Diane Abbott and shadow policing minister, Louise Haigh, slated to speak at the event.
The research details Freedom of Information (FOI) responses from three police forces which use the controversial technology at sporting events and similar to identify suspects in real-time, including the Met and South Wales Police.
Big Brother Watch claimed that the tech is “almost entirely inaccurate,” with false positives at the Metropolitan Police of 98%, despite millions of pounds of taxpayers’ money being spent.
There are also serious privacy concerns, with South Wales Police said to have stored images of 2400 innocent people incorrectly matched by facial recognition for a year, without their knowledge.
The use of this technology could breach the Human Rights Act, according to the group.
“Real-time facial recognition is a dangerously authoritarian surveillance tool that could fundamentally change policing in the UK. Members of the public could be tracked, located and identified — or misidentified — everywhere they go,” warned Big Brother Watch director, Silkie Carlo.
“We’re seeing ordinary people being asked to produce ID to prove their innocence as police are wrongly identifying thousands of innocent citizens as criminals. It is deeply disturbing and undemocratic that police are using a technology that is almost entirely inaccurate, that they have no legal power for, and that poses a major risk to our freedoms.”
The campaign has the backing of MP David Lammy and 15 rights and race equality groups including Liberty, Article 19 and the Race Equality Foundation.
Big Brother Watch also raised a wider issue of police handling of custody images, claiming that the photos of innocent members of the public are still kept on file even if they’re released without charge.
They can then end up on the Police National Database and be turned into facial biometrics used to identify individuals via specialized software. The rights group argues that police should delete such images as they do fingerprints and DNA once an individual is found to be innocent or released without charge.
Facebook has found itself at the center of another privacy storm this week after it emerged that an app developer stored highly sensitive profile information on over three million users on a poorly secured website for years.
Developers of the myPersonality app harvested details including age, gender and relationship status from 4.3 million users of the app as well as psychological personality scores from 3.1 million users and status updates from over 150,000 people, according to the New Scientist.
The names of the users were then removed and the data stored on a site for registered academics and researchers at firms including Facebook, Google and Microsoft to query.
However, a publicly available username and password could be easily found on GitHub for four years. It is also thought that deanonymizing the data for many of the victims would be fairly easy given the wide range of information collected by the app and tied to unique user IDs.
The revelations have striking similarities to the now notorious thisisyourdigitallife case in which Cambridge University professor Alexandr Kogan is said to have broken Facebook’s former terms of service by sharing data he harvested on 50 million users with political consultancy Cambridge Analytica.
Although in this case the app’s developers are said to have refused overtures from the notorious political ads firm to access the data, Kogan was a collaborator on the project until 2014.
The case once again highlights the privacy challenges facing Facebook from rogue app developers and will add further weight to the argument that the social network was too trusting of third parties requesting access to its users’ data.
Facebook suspended the myPersonality app in April claiming it may have violated its terms. The social network revealed on Monday that its ongoing investigation, precipitated by the Kogan crisis, has seen around 200 such apps suspended.
When nation-state attacks are discussed, most people immediately think of those well-known adversaries in North Korea, China, and Russia, but new activity is coming from seemingly benign states such as Lebanon and the Netherlands.
An annual report published by Optiv today, The Cyber Threat Intelligence Estimate (CTIE), analyzed more than 7,000 cybersecurity trouble tickets. According to the report, there has been a dramatic increase in cyber-attack activities coming from countries like the Netherlands and Lebanon.
These lesser-known nation states are using more traditional means of exploits, with combinations of open source and custom-built tools. "They, and other actors like them, will continue to become more disruptive as they refine their tactics," the report said.
Though it's difficult to discern the motivation for the increased attack activity, both countries made headlines this year with cyber-attacks.
Lebanon used an Android malware campaign to spy on thousands of people across 20 countries. "One of the more notable groups in 2017 was the Lebanese General Directorate of General Security, or Bld3F6. They were identified as being behind the Dark Caracal attacks in which the group used various techniques to harvest data," the report said.
Then the Dutch experienced a taste of the limelight when they uncovered the hack of the Democratic National Committee during the 2016 presidential election in the US by penetrating Russia’s Cozy Bear organization.
While China continues to top the charts with its nation-sponsored attack activity, aspects of these lesser-known nation-states give cause for concern. "These groups have shown that the bar for conducting successful operations is not as high as one might think, and that they can hide within the noise of modern day networks for as long as needed," the report said.
Regardless of their degree of infamy, nation-states' attack vectors are expanding to include the use of social media to influence the opinions and actions of large populations. According to the report, "2017 saw the trend of state-sponsored exploits shift from cyber-physical to cyber-social with interference in several elections across Europe. 2018 is showing sharp repercussions for this information warfare with criminal indictments."
Using cyber-social attacks on European and American elections, Russia showed the relative ease with which it could pull off these cost-effective attacks. Based on its research, Optiv anticipates this class of attack will be exploited by a growing number of nation-states, hacktivists and other groups in the future.
As more vulnerabilities are reported, efforts to patch them can't keep pace. Yet the number of publicly disclosed vulnerabilities continues to rise. In fact, according to the 2018 Q1 QuickView VulnDB report from Risk Based Security, the number of vulnerabilities disclosed in Q1 2018 was at an all-time high.
The report looked at 5,375 vulnerabilities published during the first three months of 2018 and found an increase of 1.8% over the same period last year. Of all the Q1 disclosures, eight vendors accounted for 22.9% of the vulnerabilities.
Risk Based Security published 1,790 more vulnerabilities than the Common Vulnerabilities and Exposures (CVE) list in Q1, suggesting that "organizations relying on CVE or sources solely obtaining data from CVE are missing a significant number of disclosed vulnerabilities," the report said.
Additionally, web-related vulnerabilities represent almost half (47.5%) of all Q1 2018 vulnerabilities and 49.1% of all publicly disclosed vulnerabilities able to be remotely exploited.
"As more and more vulnerabilities are reported, organizations are forced to spend an increasing amount of time and resources to stay properly informed about the weaknesses affecting their IT infrastructure and applications," the report said.
Organizations continue to grapple with vulnerability intelligence. Vulnerability disclosure, and how organizations can better manage the vulnerabilities disclosed to them, are issues many are now looking to address.
A new report from Kenna Security and Cyentia Institute suggests that not every vulnerability presents a risk because not every vulnerability equates to an exploit. The research report, Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies analyzed five years of historical vulnerability data with data points compiled from over 15 sources, including 94,597 CVEs from Mitre, and confirms the findings that the volume and velocity of vulnerabilities are rapidly increasing.
In 2017, businesses were challenged with addressing an average of 40 new vulnerabilities every day, and 2018 is expected to meet or exceed those numbers. Yet "out of the thousands of new vulnerabilities published every year, the vast majority (77%) never have exploits developed, and even fewer (less than 2%) are actively used in an attack," the report stated.
“Effective remediation depends on quickly determining which vulnerabilities warrant action and which of those have highest priority, but prioritization remains one of the biggest challenges in vulnerability management,” Karim Toubba, CEO, Kenna Security said in a press release. “Businesses can no longer afford to react to cyber threats, as the research shows that most common vulnerability remediation strategies are about as effective as rolling dice.”
The security industry has long lagged behind cybercriminals when it comes to sharing intelligence. But the trend toward building partnerships in order to protect businesses, governments and consumers from cybercrimes in today’s fast-expanding threat landscape is on the rise.
In a press release issued today, Europol announced that BT has signed on as a knowledge-sharing partner. The Memorandum of Understanding (MoU), signed at Europol's headquarters in The Hague in the Netherlands, sets forth standards for BT and Europol to not only share threat intelligence but also exchange information about new and emerging security trends and industry best practices.
A branch of Europol, the European Cybercrime Center (EC3), was created in 2013 to better protect EU citizens, businesses and governments against cybercrimes. EC3 head of business Steve Wilson anticipates that the partnership will enhance law enforcement's ability to both prevent and disrupt crime.
"Working co-operation of this type between Europol and industry is the most effective way in which we can hope to secure cyberspace for European citizens and businesses. I am confident that the high level of expertise that BT bring will result in a significant benefit to our Europe-wide investigations," Wilson said.
In early 2018, BT launched its free, collaborative platform for sharing malware information, which enabled the company to start sharing intelligence on malicious software and websites with other ISPs. BT has since identified more than 200,000 domains and shared actionable intelligence that has allowed customers to better defend against specific threats.
With the goal of creating a safer digital world, the agreement between BT and Europol is an important step forward when it comes to bridging the worlds of the private and public sectors.
“We’re working with other law enforcement agencies in a similar vein to better share cyber security intelligence, expertise and best practice to help them expose and take action against the organised gangs of cyber criminals lurking in the dark corners of the web. The signing of today’s accord with Europol sees BT take another significant step forward in making the internet a safer place for consumers, businesses and public sector bodies in the UK, Europe and beyond,” said Kevin Brown, VP, BT security threat intelligence.
The user behavior intelligence provider analyzed anonymized data about user behaviors taking place on public and private sector organizations’ endpoints in North America, South America and Europe. The data was compared to more than 5000 known bad-behavior patterns and then turned into intelligence that revealed where insider threat patterns were active.
The findings showed that 90% of assessments discovered that negligent employees were transferring company data to unencrypted and unauthorized USB devices, with 91% indicating that negligent employees were expanding the phishing attack surface by accessing personal web mail accounts on company machines – a behavior up 4% in the last 12 months.
What’s more, the research also highlighted issues surrounding the improper use of cloud apps such as Google Drive and Dropbox with 78% of assessments discovering instances of company data being accessible via the public web.
In terms of malicious intent, 67% of assessments uncovered cases where employees were visiting inappropriate and risky gaming, gambling and pornography websites – up 8% from last year – whilst 60% identified instances where malicious employees were using anonymous and VPN browsing to bypass security controls or to research how to bypass controls.
“While malicious users are always looking for new ways to defy security controls, not all internal risk comes from bad intent,” said Christy Wyatt, CEO, Dtex Systems. “Negligent employees don’t always understand when they are engaged in damaging activities. These trusted users can fall prey to bad actors looking to steal their credentials. The lack of visibility into all types of user behaviors is creating employee-driven vulnerability problems for every business.
“Organizations have to secure data, neutralize risky behaviors and protect trusted employees against attacks and their own errors. To accomplish all of this, they have to see how their people are behaving and have a mechanism that provides alerts when things go wrong.”
“Business needs to get out of the cybersecurity denial phase it is stuck in. To do this, it must accept that it needs more visibility into what’s going on in its environment,” added IT-Harvest chief research analyst and Charles Stuart University lecturer Richard Stiennon. “This report is a needed reminder of just how oblivious organizations are to high-risk activities that lead to things like data breaches, ransomware attacks and IP theft.”
Adobe has issued fixes for 47 CVEs, including multiple critical vulnerabilities, less than a week after it released a scheduled set of Patch Tuesday updates.
Bulletin APSB18-09 is rated Priority 1 and fixes critical and important vulnerabilities in Adobe Acrobat and Reader for Windows and MacOS.
According to Adobe, the updates address vulnerabilities “whose successful exploitation could lead to arbitrary code execution in the context of the current user.”
CVE-2018-4947, CVE-2018-4948, CVE-2018-4966, CVE-2018-4968, CVE-2018-4978, CVE-2018-4982, and CVE-2018-4984 are heap overflow vulnerabilities.
The final bunch of 13 vulnerabilities — CVE-2018-4946, CVE-2018-4952, CVE-2018-4954, CVE-2018-4958, CVE-2018-4959, CVE-2018-4961, CVE-2018-4971, CVE-2018-4974, CVE-2018-4977, CVE-2018-4980, CVE-2018-4983, CVE-2018-4988, and CVE-2018-4989 — are use-after-free flaws.
The remaining “important” rated CVEs range from security bypass and out-of-bounds read flaws to memory corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA submission.
They could allow information disclosure and security bypass, according to Adobe.
The firm also issued bulletin APSB18-17 on Monday, rated as a Priority 3 and addressing CVE-2018-4946 in Photoshop.
“Adobe has released updates for Photoshop CC for Windows and macOS,” the summary noted.
“These updates resolve a critical vulnerability in Photoshop CC 19.1.3 and earlier 19.x versions, as well as 18.1.3 and earlier 18.x versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.”
The security updates follow last week’s Patch Tuesday release of three bulletins covering Adobe Flash, Creative Cloud and Adobe Connect and fixing five important and critical-rated CVEs.
Kaspersky Lab has announced it will open a new data center in Switzerland to handle all data for customers in key markets like Europe, North America and Australia in a bid to improve transparency and rebuild trust following a challenging year for the company.
The Russian AV vendor has found itself at the center of a geopolitical storm after its products were banned for US federal government use following reports that Russian intelligence used them to spy on targets.
CEO Eugene Kaspersky has always maintained his company is innocent of any wrongdoing and never colluded with the Kremlin.
In fact, its Global Transparency Initiative was announced in October last year in response to the allegations. The opening of a new data center in Zurich is the latest stage in this plan, and will apparently see a number of “core processes” moved from Russia.
As well as data on Western customers plus those in Singapore, Japan and South Korea, the facility will host a “software build conveyer” — tools used to assemble ready-to-use software out of source code.
The vendor claimed that before the end of this year it would start to assemble and sign products and AV databases in Zurich before distributing them around the world.
A Transparency Center will also open in the Swiss city later this year, offering stakeholders the opportunity to review the firm’s source code.
“In a rapidly changing industry such as ours we have to adapt to the evolving needs of our clients, stakeholders and partners. Transparency is one such need, and that is why we’ve decided to redesign our infrastructure and move our data processing facilities to Switzerland,” said Kaspersky in a statement.
“We believe such action will become a global trend for cybersecurity, and that a policy of trust will catch on across the industry as a key basic requirement.”
As many as five Mexican banks may have been targeted by what appears to be a highly co-ordinated cyber-attack in which unauthorized transfers were made to bogus accounts.
The campaign seems to have focused on the domestic SPEI transfer network, and as such is reminiscent of the recent spate of sophisticated attacks on the global SWIFT inter-bank messaging system.
Lorenza Martinez, head of Banxico’s payment system, told Reuters that five lenders had seen unauthorized transfers and that they are currently running analysis to see if malicious insiders were involved.
SPEI itself is not thought to have been compromised but rather the software used by banks to connect to it, she added.
One source close to the government investigation into the incident told the newswire that hackers had stolen over 300 million pesos ($15.4 million) from lenders including Banorte by issuing unauthorized transfers of money to the fake accounts in other banks. Accomplices then withdrew the funds in dozens of branches, it is believed.
The campaign calls to mind an ongoing spate of attacks on the SWIFT network, which began with an $81m raid on Bangladesh Bank subsequently blamed on a North Korean cybercrime group.
Since then, tens of millions have been stolen from Taiwan’s Far Eastern International Bank, as well as lenders in Russia, Ukraine and other countries, all in attacks targeting the SWIFT network in some way.
Fred Kniep, CEO of CyberGRX, claimed the Mexican attacks represent a failure of third-party risk management.
“As the SWIFT Network learned after an attack on a member bank led to a costly breach, it only takes one vulnerability for attackers to gain access to your network and ride in on a trusted connection,” he added.
“Cyber-criminals are increasingly targeting third parties — suppliers, contractors, vendors and, in this case a software provider used by the central bank's SPEI interbank transfer system — to breach high-value networks. Collaboration and information sharing at all levels are the keys to effectively mitigating the persistent and potentially damaging threats posed by attackers.”
After targeting teachers with a phishing scam, a 16-year-old student at Ygnacio Valley High School was reportedly arrested by police in Concord, California, on 10 May. The young man hacked into the computer system of Mount Diablo Unified School District and changed not only his grades but those of other students as well.
KTVU reported that teachers began reporting suspicious emails in their inboxes two weeks ago, at which point the police called in the U.S. Secret Service and a Contra Costa County task force.
"We wrote numerous search warrants to get the IP addresses of the possible phishing site email. We got it and we did good old fashioned police detective work and we narrowed it down to an address," Sgt. Carl Cruz, the Concord Police financial crimes supervisor, told KTVU.
Investigators traced the attack back to the student’s house, revealing that the messages were part of a phishing campaign. A malicious link within the messages directed the email recipients to a fake website.
Once on the fraudulent, student-created site, which mirrored the school’s portal, teachers were prompted to enter their user credentials. “The site would record any information entered, allowing the student to hijack the teacher’s account,” Gizmodo reported. According to Concord police, at least one teacher did enter their username and password, which gave the student access to the school’s grading system.
“This was a classic credential harvesting phishing scam – basic security awareness training could have prevented this attack. Maybe it was the teacher, but, whatever the reason, it’s no secret that the education sector has limited finances and cybersecurity is not a top priority,” said Bob Adams, cybersecurity expert, Mimecast.
Police believe the student changed the grades of 10–15 students, raising some, while lowering others. Because the student is a juvenile, his name remains withheld; however, he has been arrested on 14 felony counts.
In related news, another student in East Brewton, Alabama, who also hacked into the computer system at W.S. Neal High School to change grades, has yet to be identified. Seniors still don’t know who their valedictorian will be for their graduation ceremony scheduled for 22 May.
Escambia County superintendent of education John Knott wrote in an email today, "W. S. Neal High school administrators reported discrepancies where grades on report cards didn't match their transcripts. We reported our findings to the Alabama State Department of Education and law enforcement and began an investigation into the matter. We have also brought in additional resources that could aid in this investigation to determine the facts and resolve this matter.
"We are determined to make sure the records are correct, to ascertain how these changes happened, and hold all that may be involved accountable. We are working to complete this process in order to release to the top 10 students, including the valedictorian and salutatorian, by graduation."
High school hacking is nothing new, nor are phishing scams.
“Unfortunately, there isn’t one industry deemed ‘safe’ when it comes to targeted attacks. Hospitals, religious organizations, charities and even schools have all been, and will continue to be, targeted by any number of individuals for any number of reasons,” said Adams.
According to a 2017 survey on email security conducted by Glasswall Solutions, 75% of surveyed employees receive suspicious emails, and 62% admitted they do not usually check the legitimacy of email attachments that come from unknown sources.
“No matter what the size or type of organization, it only takes one employee and one click to open you up to risk,” said Greg Sim, CEO of Glasswall Solutions.