Info Security

Subscribe to Info Security  feed
Updated: 1 hour 32 min ago

Zurich Refuses to Pay Out for NotPetya ‘Act of War’

Fri, 01/11/2019 - 10:30
Zurich Refuses to Pay Out for NotPetya ‘Act of War’

Confectionary giant Mondelez is suing Zurich after the insurer refused to pay out over $100m on its insurance policy to cover losses incurred during the NotPetya ransomware campaign.

The owner of Cadbury believes it is owed the money to pay for the permanent damage to 1700 of its servers and 24,000 laptops as well as unfulfilled orders and other disruption to its distribution operations, according to reports.

It believes this falls under its policy’s provision to cover “all risks of physical loss or damage” to property, including “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

However, the insurance giant has claimed that an exclusion applies in this case because NotPetya falls under a “hostile or warlike action in time of peace or war” — meaning it doesn’t have to pay up.

Led by the UK, the Five Eyes nations came together in February last year to blame Russia for the attacks in June 2017.

“The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds,” a Foreign Office statement noted at the time.

However, despite their strong statements, the governments didn’t produce hard evidence to back up their claims, which could make it difficult for Zurich to prove its case, according to experts.

The insurer should instead have invoked a gross negligence clause, because Mondelez was hit by the same ransomware twice, argued Igor Baikalov, chief scientist at Securonix.

“The ‘fool me once’ proverb is fully applicable here: while many companies fall victims to ransomware, one of the first steps to recovery is to make sure it doesn't happen again,” he added.

“Zurich is likely taking one for the team here, testing the waters for the whole insurance industry on the efficiency of the war exclusion and their ability to attribute attacks to a nation-state. I wonder who insures the insurers: what kind of cybersecurity protection is on Zurich's own policy?”

NotPetya cost losses that ran into the hundreds of millions for the likes of FedEx, Maersk, Merck and many more. It was claimed in November that they have now exceeded $3bn.

Categories: Cyber Risk News

MongoDB Instance Leaks 200 Million Chinese CVs

Fri, 01/11/2019 - 09:36
MongoDB Instance Leaks 200 Million Chinese CVs

A huge MongoDB database containing detailed CVs for over 202 million individuals has been found exposed online.

The unprotected MongoDB instance was found via a simple BinaryEdge or Shodan search and was left without any password protection, according to Bob Diachenko, director of cyber risk research at Hacken.io and HackenProof.

The 854GB trove contained data on 202.7m Chinese job-seekers including “personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations and more.” Such information could be used to good effect in follow-on phishing attacks.

The source of the data is unknown, although it is believed it may have been scraped from third-party CV sites.

“The origin of the data remained unknown until one of my Twitter followers pointed to a GitHub repository which contained a web app source code with identical structural patterns as those used in the exposed resumes,” explained Diachenko.

“The tool named ‘data-import’ (created three years ago) seems to have been created to scrape data (resumes) from different Chinese classifieds, like bj.58.com and others. It is unknown, whether it was an official application or an illegal one used to collect all the applicants’ details, even those labelled as ‘private’.”

The database was secured “shortly after” Diachenko publicized his discovery on Twitter, although it’s unclear for how long it was exposed online before he first spotted it on December 28 last year.

He claimed that “at least a dozen” IPs may have accessed the database before it was taken offline, according to the MongoDB log.

Misconfigured security settings are likely to continue exposing organizations to preventable risk in 2019, especially as more of them migrate data and systems to the cloud, Trend Micro said in its 2019 predictions report recently.

Categories: Cyber Risk News

Phishing Attacks Bypass Two-Factor Authentication

Thu, 01/10/2019 - 15:53
Phishing Attacks Bypass Two-Factor Authentication

Using a new penetration testing tool to automate phishing attacks, hackers can potentially bypass two-factor authentication (2FA), according to a new post published by security researcher Piotr Duszynski. The tool was written to intentionally make phishing campaigns as easy and effective as possible, said Duszynski.

Dubbed Modlishka, a Polish word that means "mantis," the tool can reportedly bypass login operations for accounts protected by 2FA and enable an attacker to have full control of "cross" origin TLS traffic flow from the victims browsers, Duszynski wrote.

Phishing with Modlishka (bypass 2FA) from Piotr Duszynski on Vimeo.

A GitHub user inquired whether the 2FA is broken, to which Duszynski explained, “2FA isn't broken. At the end it is all about 'social engineering' that you will have to be stay alert about. Which can be e-mail, phone, post or face2face based.

“If you don't want to always verify if the domain name in the URL address bar of your browser isn't somehow malicious or worry if there's yet another URL spoofing bug, then consider switching to U2F [universal second factor] protocol."

"While cyber-criminals can get past 2FA, this should only be one piece in the authentication stack and not the only one,” said Don Duncan, security engineer for NuData Security, a Mastercard company.

“This is why companies are using multilayered authentication tools that can verify the legitimacy of a transaction from different angles," Duncan continued. "This way, if one of the layers is fooled by a bad actor, the other layers or tools can flag that activity. It is this in-depth defense that allows companies to provide an exceptional experience for customers while cutting out cyber-criminals.”

Still, Duszynski said that in his experience as a penetration tester, he has had the greatest success infiltrating customer networks by using social engineering. “One definitely does not need to burn a 0day exploit/s for all of those sophisticated top-notch security defenses that are protecting the perimeter, when often just few e-mails or phone calls will do just perfectly fine to compromise internal infrastructure and company's sensitive data.”

Categories: Cyber Risk News

Cooking Utensil Firm OXO Files Data Breach in California

Thu, 01/10/2019 - 15:35
Cooking Utensil Firm OXO Files Data Breach in California

Award-winning cooking tools company OXO revealed that it has suffered data breaches over the last two years that may have compromised customer and credit card information.

In a breach disclosure letter filed with the State of California, OXO said that the data security incident involved “sophisticated criminal activity that may have exposed some of your personal information.” The attacker is believed to have accessed credit card information, along with names and billing and shipping addresses, though the letter does not state the scope of impact.

“On December 17, 2018, OXO confirmed through our forensic investigators that the security of certain personal information that you entered into our e-commerce website (https://www.oxo.com) may have been compromised. We currently believe that information entered in the customer order form between June 9, 2017 – November 28, 2017, June 8, 2018 – June 9, 2018, July 20, 2018 – October 16, 2018 may have been compromised. While we believe the attempt to compromise your payment information may have been ineffective, we are notifying you out of an abundance of caution.”

OXO is currently working with security consultants and forensic investigators, who are looking at past vulnerabilities in the website as part of an ongoing investigation of the incident. Additionally, the company has taken measures to secure its site to prevent future incidents.

“This latest breach underscores the importance of 24/7 security monitoring,” said Matan Or-El, CEO of Panorays. “With the new year upon us, companies should perform an in-depth review of all their digital assets to ensure that they and their third parties have not been compromised. We expect that future hacks will be targeted towards entire industries so as to maximize the payout for cyber-criminals.”

OXO has also secured the services of risk mitigation and response firm Kroll in order to extend identify monitoring services to its customers.

Categories: Cyber Risk News

Hyatt First Major Hotel Chain to Launch Bug Bounty

Thu, 01/10/2019 - 15:17
Hyatt First Major Hotel Chain to Launch Bug Bounty

In the wake of the massive data breach suffered by Marriott, Hyatt has announced that it will launch a bug bounty program in partnership with HackerOne, making it the first major hotel chain in the world to have a public bug bounty program.

“By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers,” Hyatt stated in its program policy.

With the goal of better protecting its millions of global guests from cyber threats, the Hyatt program will engage with researchers around the globe, offering them the chance to earn cash rewards for reporting valid security flaws on Hyatt.com, m.hyatt.com, world.hyatt.com, and the iOS and Android versions of the Hyatt mobile app.

“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt chief information security officer Benjamin Vaughn in a press release. “As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”

Security researchers can earn $4,000 for critical vulnerabilities and $1,200 for each high vulnerability reported, while those deemed medium will be awarded $600 and low vulnerabilities will be paid $300. To date, Hyatt has paid a total of $5,650 bounties, with the average bounty worth between $150–300.

Hyatt only accepts disclosures from HackerOne researchers, and the vulnerability reports must meet all of the established requirements and contain “original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.”

Categories: Cyber Risk News

Global DNS Hijacking Blamed on Iranian Hackers

Thu, 01/10/2019 - 11:54
Global DNS Hijacking Blamed on Iranian Hackers

Security researchers have spotted a new series of DNS hijacking attacks successfully targeting organizations globally on a large scale and traced back to Iran.

The attacks have managed to compromise “dozens” of domains run by government, telecommunications and internet infrastructure in the Middle East and North Africa, Europe and North America. In so doing, they change DNS records to direct users to malicious but legitimate-looking, Let’s Encrypt certified domains where email credentials are harvested.

FireEye observed three attack methods, with activity first spotted in January 2017.

The first uses previously compromised credentials to log-in to a DNS provider’s administration panel with the aim of changing DNS A records.

The second exploits a previously compromised registrar or ccTLD to change DNS nameserver (NS) records. A third technique is used in combination with the previous two, to return legitimate IP addresses for users outside the targeted domains.

FireEye warned that a “large number” of DNS/SSL cert firms had been affected by these attacks, including telcos, ISPs, infrastructure providers and governments.

“It is difficult to identify a single intrusion vector for each record change, and it is possible that the actor, or actors are using multiple techniques to gain an initial foothold into each of the targets described above,” the vendor explained.

“FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account.”

There was less forthcoming information on the type of organizations and users targeted by the cyber-espionage itself, although FireEye claimed they include “Middle Eastern governments whose confidential information would be of interest to the Iranian government and have relatively little financial value.”

This, along with the fact that the attackers used IP addresses previously associated with Iranian raids, has led the vendor to attribute the campaign to Tehran with “moderate confidence.”

Categories: Cyber Risk News

IT Guy’s Help Snares Mexican Drugs Baron

Thu, 01/10/2019 - 11:01
IT Guy’s Help Snares Mexican Drugs Baron

The trial of a suspected Mexican drugs baron took an unexpected turn this week after it emerged that the FBI managed to persuade the accused’s IT consultant to hand over access to his secure comms infrastructure.

IT specialist Christian Rodriguez had worked for drug lords before, and was apparently recommended by one, Colombian Jorge Cifuentes to Mexican "El Chapo" Joaquin Guzman.

Once on board, he’s said to have built a bespoke encrypted communications network for El Chapo as well as installing spyware on others’ phones so the kingpin could listen in to their conversations.

In total, it’s reported that Guzman was tracking 50 devices including those of his wife, mistress and members of the cartel, with malware known as FlexiSPY installed on brand new handsets by Rodriguez before being gifted to the individuals.

The Feds’ big break came in 2010 when, posing as a Russian mobster, an undercover agent is said to have arranged a meeting with Rodriguez where he requested a similar system.

It’s unclear how, but the FBI eventually managed to persuade the IT guy to turn informant. In 2011 he apparently moved the network servers from Canada to the Netherlands in what he claimed was a routine upgrade, whilst handing over the all-important encryption keys to the authorities.

That allowed the FBI to tap 200 VoIP phone calls in which Guzman apparently discussed major drug deals, beating up the police, and even bribing a corrupt federal police commander.

However, it’s believed the IT consultant suffered a nervous breakdown in 2013 from the stress of working for, and colluding against, his employer.

Although the story at times reads like the script of a film, it highlights the vital role technology now plays in law enforcement investigations.

However, ultimately the breakthrough was achieved via old-fashioned undercover work.

Categories: Cyber Risk News

Reddit Locks Down Accounts After Security Incident

Thu, 01/10/2019 - 10:06
Reddit Locks Down Accounts After Security Incident

A large number of Reddit users have been locked out of their accounts as a precaution while the site’s admins investigate potential unauthorized access.

Staffer “Sporkicide” would not disclose exactly how many users were affected by the move, but claimed in a post yesterday that “a large group of accounts were locked down due to a security concern.”

“By ‘security concern,’ we mean unusual activity that did not correspond to the account’s normal behavior that may indicate unauthorized access,” the admin continued.

“The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services. If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk.”

These credential stuffing attacks, facilitated by automated software which injects breached credentials into other sites to crack accounts, is set to become ever more popular in 2019, according to one security vendor.

“Breached credentials will be actively and heavily used in fraudulent transactions as cyber-criminals take the next logical step after amassing data breach info dumps in past years: using these stolen credentials,” Trend Micro predicted in a recent report.

However, some of those commenting on the security notice claimed they used strong, site-specific credentials for Reddit. One even suggested the incident could be the result of a session hijacking attack of the same kind that led to the theft of access tokens for 30 million Facebook accounts last year.

Reddit is no stranger to security incidents: last year it suffered a major breach of user data after hackers first cracked staff accounts by intercepting SMS-based two-factor authentication codes.

Sporkicide claimed yesterday that over “the next few hours” affected account holders will be able to reset their passwords.

Jarrod Overson, director of engineering at Shape Security, claimed Reddit accounts are prized as they can be used to push malicious content, exploit other users and make content go viral.

“Reddit is notoriously easy for attackers to manipulate — they don’t require an email to open an account; the signup form only uses basic reCAPTCHA, which has been ineffective for years; and the login form does not appear to use any automation prevention techniques to protect against credential stuffing attacks,” he added.

“Sites like Reddit are a dream for attackers, there are virtually no barriers to entry and the value of trusted accounts on social networks is so high.”

Categories: Cyber Risk News

IcePick-3PC Malware Strain Steals Device IPs

Wed, 01/09/2019 - 18:52
IcePick-3PC Malware Strain Steals Device IPs

IcePick-3PC has impacted a range of businesses, from publishers to e-commerce, across a variety of industries, including retail and healthcare, according to researchers from The Media Trust’s digital security and operations (DSO) team. The malware strain was first identified in spring 2018 and is able to steal device IPs en masse.  

When it was initially detected, IcePick-3PC was used to spam device owners using phishing in a campaign that fraudulently offered gift cards from big-name retailers, such as Amazon and Walmart, in return for users sharing their personal information.

In a January 9, 2019, blog post, researchers explained that a website’s third-party tools are designed to incorporate interactive web content, such as animation via HTML5, and are loaded onto client platforms by self-service agencies. In the attack, which has affected more than 100 clients, IcePick-3PC executes after malware writers successfully hijack a website’s third-party tools.  

“The malware conducts the usual checks on user agent, device type, whether the device is an Android device, battery level, device motion and orientation, and referrer,” the blog stated.

Additionally, before it downloads, the malware is able to examine the devices of those users who visit a website with a compromised third party library. “The extraction and collection of IPs represents the largest scale of IP theft the DSO has observed to date and marks a significant advancement in malware authoring, as stealing IP en masse with such efficiency demands rarefied coding skills,” researchers wrote.

“But now that this malware has overcome such hurdles and even breaks through VPNs in order to intercept IPs, it enables bad actors to identify users’ device vulnerabilities, and leaves the devices wide open for exploit targeting and potential future attacks.”

JavaScript tools used for animations in HTML5, called the GreenSock Animation Platform, were identified as the self-service agencies most often used, with malicious code injections found in TweenMax and CreateJS.

“In order to protect sites from this malware, publishers and e-commerce businesses should thoroughly vet the self-service agencies they work with for security weaknesses and avoid repeat offenders. They can also detect such offenders by scanning interactive ads and site pages for unauthorized code,” researchers said.

Categories: Cyber Risk News

Scapy-Sploit, Plugin Problems and the Year of Drupal

Wed, 01/09/2019 - 17:20
Scapy-Sploit, Plugin Problems and the Year of Drupal

A Python network tool, Scapy, is vulnerable to denial-of-service (DoS) attacks, according research published by Imperva. The company also released its 2018 State of Web Application Vulnerabilities, which found that injections represented 19% of the total vulnerabilities in 2018, while plugins were the root cause of 98% of the vulnerabilities in WordPress.

In the latest version of Scapy, the algorithm used to determine the type of network packet relies on port numbers, but the packet type can easily be spoofed.

According to researchers, “The vulnerability occurs when Scapy is tricked into thinking a network packet is a RADIUS packet. The vulnerability is due to a lack of input validation when reading the length field in the RADIUS packet’s Attribute Value Pairs (AVP). This can cause an infinite loop in the following code section if a certain byte is set to zero.”

In addition to the vulnerability in this tool, web application vulnerabilities are trending upward and WordPress vulnerabilities have tripled since 2017. Still, Drupal vulnerabilities were exploited en masse, targeting hundreds of thousands of sites throughout 2018.

There was, however, some good news in regard to other web app vulnerabilities. Last year saw a decline in both the number of the internet of things (IoT) and PHP vulnerabilities, as well as in vulnerabilities related to weak authentication. Still, API vulnerabilities did show some growth. In fact, 2018 saw a total of 264 API vulnerabilities, up 23% from the 214 reported in 2017.

“The overall number of new vulnerabilities in 2018 (17,142) increased by 21% compared to 2017 (14,082) and by 159% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don’t have an available solution, such as a software upgrade workaround or software patch,” the report stated.

When looking at content management systems (CMSs), attackers spent much of their time targeting WordPress, which is used by 59% of all websites using a known CMS, according to the report. “Although Drupal is the third-most popular CMS, two of its vulnerabilities, CVE-2018-7600 and CVE-2018-7602, were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations.”

Categories: Cyber Risk News

Phone Carriers Selling Customer Location Data

Wed, 01/09/2019 - 16:49
Phone Carriers Selling Customer Location Data

Bounty hunters are able to leverage a somewhat dubious skeptical service available through major telecom companies, including T-Mobile, AT&T, and Sprint, according to Motherboard.

A researcher reportedly paid $300 to a bounty hunter who was then able to geolocate a phone down to a location in a specific neighborhood only blocks away from the actual location of the targeted phone. According to a blog post from Motherboard’s Joseph Cox, these surveillance capabilities are available to individuals and businesses and sometimes sold through word of mouth.

“At least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard,” Cox wrote.

In addition to telecoms selling cell phone location data to company, the researcher said that there is a trickle down effect with the information, which could land in the wrong hands.

“Your mobile phone is constantly communicating with nearby cell phone towers, so your telecom provider knows where to route calls and texts. From this, telecom companies also work out the phone’s approximate location based on its proximity to those towers,” Cox said.

As we rely more on connected devices, our data is everywhere and becoming accessible to parties often unknown to us, and we may not have given consent for our data to be shared. “With each data transaction, the potential for the new party to either leak data, fall victim to compromise, or further share the data means that very quickly there's no control or governance,” said Ben Johnson, co-founder and CTO, Obsidian Security.

“Sadly, most of us assume not only that what we deliberately put on the Internet will fall into unauthorized hands but that data generated by our devices, services and even our human networks will be utilized in various ways we haven't authorized. Every copy of data is a liability, and until those who collect or generate this data have better guiding principles and scrutiny, we must assume that our data and data about us is everywhere.”

Categories: Cyber Risk News

NHS Digital CISO Quits After Three Months

Wed, 01/09/2019 - 11:11
NHS Digital CISO Quits After Three Months

NHS Digital’s first chief information security officer (CISO) has resigned just three months into the job, dealing a blow to efforts to improve cybersecurity across the UK’s health service.

In a memo to staff seen by HSJ, NHS Digital deputy CEO, Rob Shaw, said that Robert Coles’ departure was due to personal reasons and that a search for a replacement would begin immediately.

“We have enjoyed working with Robert, and his resignation is accepted with great regret,” he’s reported to have said. “I would like to personally thank him for the passion he brought to the role and the early progress he has made in developing the system-wide cyber-strategy.”

Coles only started his job as NHS Digital’s first CISO on October 1 with a daunting task ahead of him, given scarce funds and well-documented systemic cybersecurity challenges.

In fact, his role was only created after recommendations by NHS England CIO, Will Smart, following the infamous WannaCry ransomware attack of May 2017.

That attack is said to have cost the NHS £92m: £19m as a result of access to information and systems being unavailable, leading to cancelled appointments and £72m spent on extra IT support.

An estimated 19,000 operations and appointments were cancelled as a result of the ransomware-related outages, which caused disruption at a third of NHS England’s trusts and infected a total of 603 primary care and other NHS organizations, including 595 GP practices.

Despite his resignation, Coles is reportedly set to return to work as an independent consultant in the coming months.

“I am very sorry not to be able to continue in my role at NHS Digital,” he explained in the memo. “I have enjoyed working with the very talented and passionate cybersecurity team at NHS Digital and seeing the commitment to improving cyber-resilience across the health and care system.”

Coles is no stranger to high-profile jobs, having held similar positions at pharma giant GlaxoSmithKline, the National Grid and Merrill Lynch.

Categories: Cyber Risk News

Firm Offers $2m for iOS Zero-Day Exploits

Wed, 01/09/2019 - 10:45
Firm Offers $2m for iOS Zero-Day Exploits

Controversial exploit broker Zerodium has upped its bug bounties for the majority of desktop/server and mobile exploits, offering security researchers millions of dollars for their work.

At the lower end, a Windows local privilege escalation or sandbox escape will now pay out $80,000, up from $50,000, while at the top of the server/desktop category are “zero click” Windows remote code execution exploits, which have doubled in value to $1m.

However, the biggest bucks go to researchers looking for flaws in mobile platforms.

A local pin/passcode or Touch ID bypass for Android or iOS will net you $100,000, up from $15,000, while a zero click Apple iOS remote jailbreak with persistence is now worth $2m, up from $1.5m

“Zerodium pay outs for eligible zero-day exploits range from $2000 to $2m per submission,” the firm’s website explained.

“The amounts paid by Zerodium to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc).”

The firm claims it was founded to “build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”

However, unlike Trend Micro’s Zero Day Initiative, for example, exploits submitted to the firm are usually sold on privately rather than shared with the white hat community and vendors.

Law enforcement and intelligence services around the world are keen to get their hands on the latest security research, to monitor terrorists and criminals but also dissidents, journalists and others.

Categories: Cyber Risk News

Microsoft Kicks Off 2019 With Medium Patch Load

Wed, 01/09/2019 - 09:59
Microsoft Kicks Off 2019 With Medium Patch Load

Microsoft started the new year yesterday by issuing fixes for a near half century of vulnerabilities, although only seven were rated critical.

Many of these were remote code execution (RCE) bugs, with experts agreeing that CVE-2019-0547 should be top of the priority list. This RCE vulnerability in the Windows DHCP Client was given Microsoft’s highest exploit index rating.

“DHCP is a network management protocol often used to dynamically configure things like IP addresses for systems when they connect to a router,” explained Rapid7 senior security researcher, Greg Wiseman. “Any untrusted network, such as a random Wi-Fi hotspot in a coffee shop, is a potential vector for this attack.”

Other critical flaws to look at first include three Chakra scripting engine memory corruption vulnerabilities (CVE-2019-0539, CVE-2019-0567, CVE-2019-0568); two Hyper-V RCEs (CVE-2019-0550, CVE-2019-0551); and CVE-2019-0565, a Microsoft Edge memory corruption vulnerability.

Unlike the past few months, there were no zero-day flaws for admins to tackle, but there was one which had been publicly disclosed although not actively exploited in the wild.

CVE-2019-0579 is an RCE in the Jet Database Engine: one of 11 CVEs which could lead to RCE in the product.

Also on the list is Exchange memory corruption vulnerability CVE-2019-0586, which could allow an attacker to take control of a victim machine by sending a specially crafted email.

System administrators are also spared the regular task of patching Adobe Flash this month, although the vendor released fixes for two critical vulnerabilities in Reader and Acrobat last Thursday.

Qualys director of product management, Jimmy Graham, also reminded IT teams not to forget the out-of-band patch Microsoft released on December 17 for CVE-2018-8653, fixing a bug affecting Internet Explorer 9-11 which has been actively exploited in the wild.

“This patch should also be prioritized to all workstation-type devices,” he said.

The Zero Day Initiative has a full list of CVEs for January 2019 here.

Categories: Cyber Risk News

Sophos Acquires Avid Secure, Expands Cloud Security

Tue, 01/08/2019 - 17:00
Sophos Acquires Avid Secure, Expands Cloud Security

Network and endpoint security company, Sophos, announced today that it has acquired Avid Secure, a cloud infrastructure security company that uses artificial intelligence to deliver cloud security analytics, according to a press release.

No further details about the acquisition have been released, though a spokesperson for the company said in an email that Sophos will be holding meetings during RSAC 19 to discuss the company’s recent acquisition and overarching cloud business strategy.

“The accelerated adoption of public cloud environments is presenting new data security challenges to organizations. With the cloud workload protection and the cloud security posture management software from Avid Secure, Sophos will expand its current capabilities in cloud security and drive leadership in this growing space,” said Dan Schiappa, senior vice president and general manager of products at Sophos.

“We welcome the Avid Secure team to Sophos and are excited to bring their transformational technology into our portfolio, strengthening our ability to offer the best protection for our customers’ data on endpoints and networks, wherever their services are hosted.”

Since 2017, Avid Secure, a privately owned company headquartered in San Francisco, California, has offered its AI-based platform that provides public cloud protection for services such as AWS, Azure and Google.  

“We built the Avid Secure platform to revolutionize the security of public cloud environments in a process efficient way,” said Nikhil Gupta, CEO and co-founder at Avid Secure in the press release.

“We are proud of our innovative AI powered technology that provides enterprises with end-to-end continuous security analytics, visibility, and compliance to protect their data and maximize their investments in public cloud services. The opportunity to join Sophos in their mission to evolve cybersecurity into an intelligent, integrated system presented a perfect fit for our engineering vision. I, and the whole team at Avid Secure look forward to what we can achieve together.”

Categories: Cyber Risk News

Detection Limited Hacker Access to EWN Database

Tue, 01/08/2019 - 16:25
Detection Limited Hacker Access to EWN Database

Swift detection of a malicious insider that used stolen credentials to gain unauthorized access to Australia’s Early Warning Network (EWN) allowed EWN staff to shut down systems and limit the number of messages the hacker was able to disperse, according to a 7 January 2019 update on the company’s website.

The anomalous activity of the hacker who had illegally accessed the EWN alert system was detected around 9:30 EDT on 5 January 2019. While news of companies being hacked becomes more commonplace, the ability to swiftly detect and respond to malicious insiders continues to be critical to an organization’s overall security strategy.

After gaining access to the alert system – which is designed to alert users to weather emergencies – the attacker was able to send what the company describes as “nuisance” messages by way of email, text messages and phone calls to landlines, then to part of EWN’s database.

Included in the message was a link to opt out of future messages, and those who received the fraudulent alert are advised to not click on the links and delete the message.

“EWN staff at the time were able to quickly identify the attack and shut off the system limiting the number of messages sent out. Unfortunately, a small proportion of our database received this alert. Our systems are back up and running providing ongoing alerts for severe weather and natural hazard events. Investigations are continuing with police involvement,” the website said.

“The unauthorized alert sent on Saturday night was undertaken by an unauthorized person using illicitly gained credentials to log in and post a nuisance spam-notification to some of our customers. The links used in this alert were non-harmful and your personal information was not compromised in this event. Investigations are continuing with the police and Australian Cyber Security Centre involved.”

Infosecurity Magazine contacted EWN, but the company has not responded. According to the Australian Broadcasting Corporation (ABC), EWN's managing director, Kerry Plowright, said the breach was the result of compromised login details believed to have come from within Australia. No personal data has been compromised, as the system reportedly holds only "white pages" and no personal information. 

Categories: Cyber Risk News

Disgruntled Man Behind German Cyber-Attack

Tue, 01/08/2019 - 15:43
Disgruntled Man Behind German Cyber-Attack

Citing annoyance at government officials as his motive, a 20-year-old man has confessed to be the hacker responsible for releasing private information on hundreds of politicians in Germany, according to Reuters.

The news comes one day after investigators at the Federal Criminal Police Office (BKA) in Wiesbaden, Germany, reportedly searched the home of a 19-year-old man believed to have been connected with the suspected hacker who admitted he exposed the personal data of several German politicians.

On the evening of 6 January 2019, the BKA searched the suspect’s home in Central Hesse as part of its investigation on the suspicion of spying and the unauthorized disclosure of personal data of politicians, journalists and public figures, according to a BKA statement. The suspect was provisionally arrested but released due to a lack of evidence.

Infosecurity Magazine contacted the BKA to clarify whether the suspect is currently under arrest and being detained, and this article will be updated with any further details.

“During the interrogation, the defendant stated that he had acted alone in the data spying and unauthorized data releases. The investigations have so far revealed no evidence of third-party participation. To his motivation, the defendant stated that he acted out of annoyance over public statements made by the politicians, journalists and public figures concerned,” the statement said.

Through its preliminary investigation, the BKA learned that the suspect reportedly used a hijacked Twitter account and accessed his internet connections through a VPN service for anonymization. Investigators seized the suspects computers and data carriers, which are being fully evaluated.

“According to the accused, a computer that he had set aside two days before the search and a data backup from a share-hosting service could be found and secured,” the statement said.

Categories: Cyber Risk News

Malvertising Campaign Delivers Info-Stealer Plus Ransomware

Tue, 01/08/2019 - 11:38
Malvertising Campaign Delivers Info-Stealer Plus Ransomware

Security researchers have warned users of P2P sites of a new malvertising campaign featuring a twin threat: info-stealing malware and ransomware.

By registering rogue advertising domains, the attackers are able to direct torrent site visitors to two different exploit kits: Fallout EK and GrandSoft EK, according to Malwarebytes.

Those unlucky enough to be pushed according to geolocation to the Fallout EK will then encounter Vidar, an info-stealer available on the cybercrime underground for $700, according to the vendor’s security researcher, Jérôme Segura.

The malware will take system and victim details from the machine including specs, running processes, IP address and ISP, as well as more sensitive personal and financial info.

“Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in,” said Segura. “Beyond the usual credit card numbers and other passwords stored in applications, Vidar can also scrape an impressive selection of digital wallets.”

Vidar also serves as a loader for second-stage malware to improve the attackers’ chances of monetizing their raid, in this case GandCrab 5.04 ransomware.

“Threat actors can use ransomware for a variety of reasons within their playbook. It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted,” explained Segura.

“As a result, victims get a double whammy. Not only are they robbed of their financial and personal information, but they are also being extorted to recover the now encrypted data.”

Although many reports suggest that attackers are increasingly turning their attention away from ransomware and towards cryptomining malware, ransomware will continue to be a top threat for firms for several years to come, according to Europol.

Categories: Cyber Risk News

Coinbase Disables ETC After Double Spend Attacks

Tue, 01/08/2019 - 11:04
Coinbase Disables ETC After Double Spend Attacks

A leading cryptocurrency exchange has been forced to halt trading of Ethereum Classic (ETC) after spotting double spend attacks amounting to over $1m.

San Francisco-based Coinbase first detected the suspicious activity on January 5, noting a “deep chain reorganization of the Ethereum Classic blockchain that included a double spend.”

This was followed by another 12 double spends, totalling 219,500 ETC ($1.1m).

However, soon after spotting the first reorg, the exchange halted send/receive activity in the blockchain to protect customer funds.

Double spend or “51%” attacks are made possible when an entity manages to gain control of more than 50% of a blockchain’s hashrate, meaning they can reverse any transactions they make to respend their cryptocurrency funds.

The bigger picture problem is that by gaining majority control of the network, the attacker can raise questions about its integrity. That seems to have been borne out by the sharp drop in the value of ETC over the past 24 hours, although it is now starting to climb again.

ETC buy and sell activity is not affected by the shutdown, but at the time of writing sends and receives remained disabled by Coinbase while it monitored the situation.

“The Coinbase team is currently evaluating the safety of re-enabling sends and receives of Ethereum Classic and will communicate to our customers what to expect regarding support for ETC,” it said.

Double spend attacks are relatively common in the cryptocurrency space. In September last year exchange Bittrex was forced to delist Bitcoin Gold (BTG) currency after the latter refused to pay $250,000 in losses resulting from a 51% attack which may have stolen as much as $18m.

A researcher last year revealed that hackers could launch a double spend attack on a $2bn network like ETC for as little as $1.5m investment, potentially netting over $1bn in profit.

Categories: Cyber Risk News

Contactless Fraud Losses Double but Remain Low

Tue, 01/08/2019 - 10:23
Contactless Fraud Losses Double but Remain Low

The value of contactless card fraud has almost doubled in the UK over the past year, although still remains a tiny fraction of overall card losses, according to Action Fraud.

The national fraud reporting service claimed that there were 2739 reports of contactless fraud in the first 10 months of the year, costing victims nearly £1.2m. That’s up from 1440 cases with a value of £711,000 in the same period in 2017.

Losses ranged on average from £90 all the way up to £625. The largest single amount stolen was £400,000 — which would require a large number of tap-and-go payments on the part of the fraudster, as there’s a £30 maximum limit on each transaction.

Although there have been widely reported concerns about the possibility of fraudsters using fake readers to extract data from contactless cards, the reality is different, according to UK Finance.

The banking lobby group claimed last year that “no contactless fraud has been recorded on cards still in the possession of the original owner.”

Instead, it’s believed that most fraud via this channel happens when cards are stolen from the victim.

Whereas in the past reports have suggested criminals had a long window of opportunity before cards were finally cancelled, that too has changed, according to UK Finance.

“Technical changes have since been introduced, resulting in the majority of contactless transactions going online, meaning the transaction is authorized directly with the card issuer and an attempted purchase with a cancelled card would be declined,” it said.

It’s also true that contactless fraud remains low relative to overall card spend and total fraud levels.

UK Finance’s fraud round-up for the first half of 2018 claimed that contactless fraud represented just 3% of overall card fraud during the period.

“Fraud on contactless cards and devices remains low with £8.4m of losses during the first half of 2018, compared to spending of £31.9bn over the same period,” it revealed. “This is equivalent to 2.5p in every £100 spent using contactless technology, the same as it was in the first half of 2017.”

Categories: Cyber Risk News

Pages