Info Security

Subscribe to Info Security  feed
Updated: 2 hours 35 min ago

Email Fraud is a Top Business Risk for 2018

Tue, 03/20/2018 - 12:14
Email Fraud is a Top Business Risk for 2018

Email fraud is a top risk for 2018, resulting in employee termination.

Reports from Proofpoint and Clearswift show that businesses across the globe are concerned about email phishing campaigns.

Today, two reports highlight that email phishing is a top concern for global businesses. However, a third of employees believe it is lack of support from execs that is the biggest challenge to protection – demonstrating a disconnect between the board and IT.

Proofpoint’s 2018 Understanding Email Fraud Survey asked 2250 senior IT decision makers across the US, UK, France, Germany and Australia for their email fraud experiences from the last two years. The results found 75% of organizations had experienced at least one targeted email fraud attack, with 41% suffering multiple attempts in the last two years.

Concerningly, more than 77% of businesses expect they will fall victim to email fraud in the next 12 months, and only 40% have full visability into email threats.

“Email fraud is highly pervasive and deceptively simple; hackers don’t need to include attachments or URLs, emails are distributed in fewer volumes, and typically impersonate people in authority for maximum impact,” said Robert Holmes, vice-president of email security products for Proofpoint. “These and other factors make email fraud, also known as business email compromise (BEC), extremely difficult to detect and stop with traditional security tools. Our research underscores that organizations and boardrooms have a duty to equip the entire workforce with the necessary solutions and training to protect everyone against this growing threat.”

Clearswift also identified that UK organizations were concerned about ex-employees retaining access to business networks and human error.

A lax attitude by employees to sharing passwords was ranked as another concern as a source of cyber-weakness, with one-third of UK businesses listing this as one of the biggest threats. USBs sticks were the next offender, with 31% of respondents highlighting USB/removable storage devices as a major threat. Failure by firms to cut off access to the network for ex-employees was next on the list with more than one in four worried about the impact on the business.

Mike Turner, COO of Capgemini's cybersecurity global service line, believed organizations are not doing enough to combat against emailing phishing scams and are putting too much focus on changing user behavior. 

"For many organizations, their first line of defense is their users, which carries weaknesses," he said. "We are social beings and it takes quite a lot of effort to change the culture within humans – an example of this is changing the culture and attitude towards wearing a seatbelt – it took years for change.

"Companies are relying on user behavior and that's not enough – they need to fall back on a multi-layered approach that focuses on the other elements of the defense."

Categories: Cyber Risk News

UK Police Spend £1.3m on Cybersecurity Training

Tue, 03/20/2018 - 11:15
UK Police Spend £1.3m on Cybersecurity Training

According to a new report by think tank Parliament Street, the UK police forces have spent a total of £1,320,341 on cybercrime training courses in the last three years. The new Policing and Cybercrime policy paper, which launched today, also revealed that a total of nearly 40,000 police staff and officers have undergone training across the UK. 

North Wales Police topped the list with £375,488 spent on cybercrime training for officers and staff between 2015 and 2017. This included a dedicated five-day 'Main Stream Cyber Training' course for 147 key staff, totaling £160,000. There was also a one-day cybercrime input course for all new Initial Police Learning and Development Programme (IPLDP) recruits for 183 officers which cost £29,900. An additional £52,300 was spent on a similar course for 68 CID officers. 
West Mercia and Warwickshire Police submitted a joint response, totally £125,633, followed by Lincolnshire which stated it had spent £119,834. This was followed by West Midlands Police on £91,200 and Police Scotland on £83,121.

Patrick Sullivan, CEO of Parliament Street, said: “In terms of detail, Norfolk and Suffolk police forces provided information on their combined spend of £71,100. This included sending 3,882 staff on a Cyber Crime and Digital Policing First Responder (MCCT1/NCALT) course. 147 staff members were sent on a digital media investigator course costs £6,500. £15,000 was also spent on an open source level 2 course for 87 members of staff. South Yorkshire Police sent 71 officers on its Sy-Mainstream Cyber Crime training program. Other courses it offered included on entitled Sy/Hp-Cyber Hacking Inside The Minds Online Criminals.
“The lowest level of spending came from the Port of Dover Police, a small organization, which said none of its staff had been trained and no budget had been used for cybercrime training.”

While the report highlights an increase in spending, concerns remain that UK police forces are not spending enough on equipping themselves for cybercrime. Out of the total 198,684 officers and staff that are employed by the police forces, approximately less 20% (less than 40,000) have been trained over the past three years. 

Hal Hodson, technology correspondent, The Economist, commented on whether the police forces should spend more: “If [the amount quoted] is for a small station in Yorkshire, no. If it’s the Met’s budget for the year, definitely.”  

Compared to the £20m being pumped into 6000 secondary schools to train them in cybersecurity, this amount does seem low. 

Categories: Cyber Risk News

Cambridge Analytica: ICO Seeks Warrant to Search London Office

Tue, 03/20/2018 - 10:17
Cambridge Analytica: ICO Seeks Warrant to Search London Office

The company accused of harvesting and misusing the personal data of 50 million Facebook users may have its London Headquarters searched by the Information Commissioner's Office (ICO) today. Following another shocking expose from Channel 4 last night, the ICO confirmed that it was seeking an urgent court order to search the premises. 

According to The Guardian, an ICO spokesperson said the commission had issued a demand to access CA’s records and data: “Cambridge Analytica has not responded to the commissioner by the deadline provided; therefore, the information commissioner is seeking a warrant to obtain information and access to systems and evidence related to her investigation.” 

The ICO has also requested that Facebook, who engaged cybersecurity consultants, Stroz Friedberg, to an audit, leave the CA London office so it could pursue its own investigation. According to the ICO spokesperson, Facebook has agreed to stop its search. 

Cambridge Analytica released a statement following the expose on Channel 4, which saw an undercover reporter posing as a fixer for a potential client have an exchange with CEO Alexander Nix. In the exchange, Nix seemingly confirmed that the company secretly campaigns in elections across the globe, including operating through a web of front companies or by using sub-contractors. 

Nix also seemed to confirm that the company used tactics such as bribery and honeypot traps to influence elections. Admissions were filmed at a series of meetings at London hotels over four months, between November 2017 and January 2018. 

In its statement, CA said: “The Channel 4 News report contained conversations between Cambridge Analytica senior executives and an undercover reporter posing as a Sri Lankan businessman. The report is edited and scripted to grossly misrepresent the nature of those conversations and how the company conducts its business.”

Elizabeth Denham, information commissioner, released her own statement last night, which said: “A full understanding of the facts, data flows and data uses is imperative for my ongoing investigation. This includes any new information, statements or evidence that have come to light in recent days.

"Our investigation into the use of personal data for political campaigns, includes the acquisition and use of Facebook data by SCL, Doctor Kogan and Cambridge Analytica.

"This is a complex and far-reaching investigation for my office and any criminal or civil enforcement actions arising from it will be pursued vigorously."

Rob Blackie, founder, Rob Blackie Digital Strategy, believes that this is one of the“most significant actions ever taken by the ICO". Historically they have been relatively passive and have worked on the assumption that companies do what they promise to do. This is a reasonable assumption with risk averse listed companies, but breaks down with organizations like CA.”

In regards to how this might affect other political parties UK, Blackie doesn't think they have much to worry about: “It seems unlikely that political parties in the UK will be in major trouble for data use. The UK’s political parties historically have their own large data sources - created by canvassing face to face and on the phone, as well as surveys posted to people. [The UK] historically has had much tighter data protection laws that the USA, so political parties can do their own modelling, with reputable partners, with no real need for anything underhand.

“If anything comes to light in the UK then it’s likely to be a supplier who hasn’t properly explained their product to the political party they work with. The Leave Brexit campaign is an exception because they’ve made their contempt for UK regulators clear – so if there are any skeletons to be found, they will be there.”

Categories: Cyber Risk News

Twitter Users Bilked out of Big Money by Elon Musk Clones

Mon, 03/19/2018 - 20:22
Twitter Users Bilked out of Big Money by Elon Musk Clones

Twitter users are collectively being conned out of tens of thousands of dollars per day via fraud schemes involving accounts impersonating celebrities, including Elon Musk and Vitalik Buterin, the man behind the Ethereum cryptocurrency.

The scam is elegant in its simplicity: When a verified account of a celebrity posts a tweet, a fraud account using the same image and display name simply responds, with an offer to give away the Ethereum cryptocurrency. The scam tweets ask for a small sum to be sent to an account, promising victims that they will receive much larger amounts back in a classic chain-letter gambit.

To an unsuspecting tweeter who doesn’t bother to look beyond the kimono, as it were, it looks like the reply is coming from the verified account of the celebrity.

Chainalysis, which works with Europol to help police track down anonymous users of cryptocurrencies, worked with a Sky News investigative team to discover that multiple independent copycats are behind the scams.

“In the largest scams, Sky News has observed hundreds of fake and automated accounts retweeting and liking the scam post, some responding with claims that they received money back; all providing the scammer with legitimacy and encouraging other users to take part,” the outlet reported.

An analysis of the Ethereum blockchain showed that the tactic is working, with thousands of dollars being sent to the bad actors. The fake accounts have struck hundreds of times over the last two months, with the most successful taking away over $70,000 per day.

“Unfortunately, much like the elderly individuals who get a call from their ‘grandchild’ traveling overseas who was mugged or the person who falls for the legal firm that has ‘millions of dollars of a long lost relative's’ just waiting to be handed over, these types of scams continue to trick people,” Tyler Reguly, manager of software development at Tripwire, told Infosecurity. “We can and should continue pushing for user education, but with the internet as open as it is, we need to look to technology companies to do everything they can to minimize the risk to individuals using their service.”

The indicators suggest that the campaign isn’t one large effort but rather a phenomenon of several copycats attempting the exact same tactic.

"The differences in the way these funds are being handled, such as different withdrawal patterns and the use of different exchanges, is indicative of different copycats attempting to do the same scam,” a  senior developer at Chainalysis told Sky News. "The simplicity of the attack, which requires little technical knowledge and preparation, also leads us to believe it's a trend more than an organized attack."

"Cryptocurrency thieves and other types of scammers are always going to find a platform on which to perform their crimes and it’s no surprise that Twitter has surfaced as one of the more popular of those mediums,” said Lee Munson, security researcher at Comparitech, via email. “While the social network is in no way culpable for any money lost by its users, it could seemingly be far more proactive in shutting down the fake accounts associated with this type of cryptocurrency ruse. Beyond that, it is largely a case of caveat emptor for anyone buying, selling, trading or giving away virtual currency on Twitter.”

For its part, Twitter told Sky News: "We are aware of coordinated spam activity around cryptocurrencies and related software products. The malicious use of automation, impersonation, and other deliberate attempts to deceive are prohibited under the Twitter Rules. Our teams are overseeing a technological process of batch suspending these networks of offending accounts at scale and at speed. If anyone sees suspicious account behavior relating to these issues, they should block the user immediately and report them directly to our dedicated support teams."

Categories: Cyber Risk News

Microsoft Debuts Bug Bounty for Spectre/Meltdown-Style Flaws

Mon, 03/19/2018 - 17:47
Microsoft Debuts Bug Bounty for Spectre/Meltdown-Style Flaws

Microsoft has launched a limited-time bounty program for speculative execution side channel vulnerabilities – the generic term for flaws such as Spectre and Meltdown.

The move comes as Intel launches the “virtual fences” initiative, to address such vulnerabilities in hardware.

Spectre and Meltdown comprise three variants (two Spectre and one Meltdown) affecting multiple CPU hardware implementations, which can be described as “side channel” attacks that allow attackers to steal passwords, customer data, IP and more stored in the memory of programs running on a victim’s machine. They work across PCs, mobile devices and in the cloud.

“This new class of vulnerabilities was disclosed in January 2018 and represented a major advancement in the research in this field,” said Phillip Misner, principal security group manager for the Microsoft Security Response Center, in a post. “In recognition of that threat environment change, we are launching a bounty program to encourage research into the new class of vulnerability and the mitigations Microsoft has put in place to help mitigate this class of issues.”

Microsoft’s bounty will be open until 31 December 2018. New categories of speculative execution attacks will pay up to $250,000, and Windows and Azure speculative execution mitigation bypass flaws will earn up to $200,000. Instances of a known speculative execution vulnerability in Windows 10 or Microsoft Edge that enables the disclosure of sensitive information across a trust boundary will earn up to $25,000.

“Speculative execution is truly a new class of vulnerabilities, and we expect that research is already underway exploring new attack methods,” said Misner. “This bounty program is intended as a way to foster that research and the coordinated disclosure of vulnerabilities related to these issues.”

The move comes after Intel CEO Brian Krzanich detailed virtual fences architectural changes to the company’s hardware design.

Intel has already released microcode updates for all Intel products launched in the past five years that require protection against side-channel vulnerabilities. While variant one will continue to be addressed via software mitigations, the hardware changes will address variants two and three. To wit, Intel has redesigned parts of its processor to introduce new levels of protection through partitioning.

“Think of this partitioning as additional 'protective walls' between applications and user privilege levels to create an obstacle for bad actors,” said Krzanich in a blog.

The changes will begin with the next-generation Intel Xeon Scalable processors (code-named Cascade Lake), as well as the 8th Generation Intel Core Processors expected to ship in the second half of 2018.

Intel also launched a side-channel bug bounty earlier in the year, also valid through 31 December. Flaws rated from 9 to 10 on the Common Vulnerability Scoring System (CVSS) scale will pay out up to $250,000; those from 7 to 8.9 will pay up to $100,000; and lower-severity issues will pay up to $20,000.

“We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge,” said Rick Echevarria, VP and GM of platform security, in a blog.

Categories: Cyber Risk News

Dragonfly Compromises Core Router to Attack Critical Infrastructure

Mon, 03/19/2018 - 17:44
Dragonfly Compromises Core Router to Attack Critical Infrastructure

Dragonfly, the threat actor that was recently called out by the United States as an arm of the Russian government, has been observed using a compromised core router as one of its primary tools in attacks against government agencies and critical infrastructure in Western Europe.

According to analysis from Cylance, a core Cisco router relied upon by one of Vietnam’s largest oil rig manufacturers was penetrated by Dragonfly (aka Energetic Bear, Crouching Yeti, DYMALLOY and Group 24) to harvest credentials that were later used to attempt to penetrate a handful of energy companies in the UK last March.

“This is a discovery whose significance far outweighs its size, given that core router compromises are considerably harder to detect, analyze, patch, and remediate than compromises of PCs,” Cylance researchers said.

Cylance also discovered that Dragonfly has been active against targets in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors for longer than what was previously known.

As for the router, Cylance researchers in 2015 observed a phishing operation that targeted energy sector organizations in the UK. The attacks began with two phishing documents, which relied on the “Redirect to SMB” feature built into Windows.

Following the modus operandi of previous attacks, both documents purported to be the Curriculum Vitae of a Jacob Morrison. When an unsuspecting user would open one of the documents, it would fetch a remote template and attempt to automatically authenticate to the malicious SMB server at by providing the victim's encrypted user credentials. That IP address turned out to be an end-of-life Cisco Infrastructure Router belonging to a large state-owned Vietnamese energy conglomerate, further research has revealed. Dragonfly went on to use that core router to harvest phished credentials, including victims' passwords, which were later likely used to compromise the energy sector targets in the UK.

“The use of compromised routing infrastructure for collection or command and control purposes is not new, but its detection is relatively rare,” researchers said. “That’s because the compromise of a router very likely implicates the router’s firmware and there simply aren’t as many tools available to the forensic investigator to investigate them.”

They added, “The fact that the threat actor is using this type of infrastructure is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated. While the end goals of these campaigns can only be speculated upon, their very existence across an array of power companies in several countries should be of great concern to governments, the companies themselves, and all those who rely upon their critical services.”

Dragonfly’s operations were initially exposed in 2013 and 2014; yet Cylance research has uncovered additional targets from earlier periods, the most notable of which is a large mining and power company in Kazakhstan.

The group’s journey has been significant. In 2014, Cylance observed the actor go dark for a period of about a year, during which time the firm believes the group was actively retooling. Then, in early 2015 – before US nuclear and energy companies became a target – energy companies in other countries were compromised, both in the nuclear and oil industries, including facilities in Ireland and Turkey.

In 2016, Dragonfly shifted to US targets; the US response to its escalating activities culminated earlier this month, when the US government announced new sanctions against what it termed “Russian cyber actors” for interference in the 2016 presidential election and the NotPetya attack. In the course of that announcement, it also said that “Russian government cyber-actors have also targeted US government entities and multiple US critical infrastructure sectors,” including energy and nuclear power companies.

Categories: Cyber Risk News

Firefox Bug Goes Unfixed for Nine Years

Mon, 03/19/2018 - 11:33
Firefox Bug Goes Unfixed for Nine Years

Mozilla was left red-faced this morning as a software developer discovered a flaw in Firefox and Thunderbird’s password manager which was nine years old.

Wladimir Palant, who developed the Adblock Plus extension, found a red flag when looking through the source code. He discovered the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password.

SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as a hexadecimal number, 40 digits long. Since 2005 SHA-1 has not been considered secure against well-funded opponents, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3.

On his blog, Palant wrote: “Anybody who ever designed a login function on a website will likely see the red flag here. GPUs are extremely good at calculating SHA-1 hashes. A single Nvidia GTX 1080 graphics card can calculate 8.5 billion SHA-1 hashes per second. That means testing 8.5 billion password guesses per second. And humans are remarkably bad at choosing strong passwords.”

Palant then visited Bugzilla to find that the NSS bug had been identified nine years previously.

Source: Bugzilla

Palant said: “Turns out that the corresponding NSS bug has been sitting around for the past nine years. That’s also at least how long software to crack password manager protection has been available to anybody interested.”

However, according to Palant, this is not a hard issue to address: “NSS library implements PBKDF2 algorithm, which would slow down brute-forcing attacks considerably if used with at least 100,000 iterations. Of course, it would be nice to see NSS implement a more resilient algorithm like Argon2, but that’s wishful thinking seeing a fundamental bug that didn’t find an owner in nine years.”

It is not clear whether the bug has been fixed by Mozilla.

Categories: Cyber Risk News

Cambridge Analytica Under Fire for Data Harvesting

Mon, 03/19/2018 - 11:06
Cambridge Analytica Under Fire for Data Harvesting

A company linked to former Breitbart, Steve Bannon, is in the middle of an expose of what is considered the biggest data breach for Facebook. Cambridge Analytica, a data analytics firm which is currently under investigation by the ICO, was revealed to journalists working for the Observer to have used personal information taken without authorization in early 2014 to build a system that could profile individual US voters. It is thought the purpose of this was to target Facebook users with personalized political advertisements. 

According to the Observer: “Documents seen [by the Observer], and confirmed by a Facebook statement, showed that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals.” 

Whistleblower Christopher Wylie, who incidentally has had his Facebook account disabled since the revelations this weekend, worked with a Cambridge University academic to obtain the data. He alleges information on Facebook users was collected by Cambridge University professor Dr. Aleksandr Kogan through an app he created in 2014, called “thisisyourdigitallife.” 

The app, which offered users a small sum of money to take a personality test, was downloaded by 270,000 people.

He told the Observer: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”

Since the expose, UK Digital, Culture, Media and Sport Committee chairman and MP, Damian Collins, released a statement that said: “It seemed clear that [Nix, CEO of Cambridge Analytica] had deliberately misled the Committee and Parliament by giving false statements.” 

Cambridge Analytica has since released its own statement, which said: “Cambridge Analytica fully complies with Facebook’s terms of service and is currently in touch with Facebook following its recent statement that it had suspended the company from its platform, in order to resolve this matter as quickly as possible.

“In 2014, we contracted a company led by a seemingly reputable academic at an internationally-renowned institution to undertake a large-scale research project in the United States. This company, Global Science Research (GSR), was contractually committed by us to only obtain data in accordance with the UK Data Protection Act and to seek the informed consent of each respondent. GSR was also contractually the Data Controller (as per Section 1(1) of the Data Protection Act) for any collected data. GSR obtained Facebook data via an API provided by Facebook.

“When it subsequently became clear that the data had not been obtained by GSR in line with Facebook’s terms of service, Cambridge Analytica deleted all data received from GSR.”

The statement went onto say that “No data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign.”

The expose came after Facebook suspended Cambridge Analytica and SCL Group from its platform. In a statement, the tech giant said: “Protecting people’s information is at the heart of everything we do, and we require the same from people who operate apps on Facebook. In 2015, we learned that a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government and military work around the globe. He also passed that data to Christopher Wylie of Eunoia Technologies, Inc.”

Facebook updated this statement on the March 17, adding: “The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up for his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

Categories: Cyber Risk News

Researchers Discover Security Issue on Chrome RDP

Mon, 03/19/2018 - 10:24
Researchers Discover Security Issue on Chrome RDPSource: Check Point Research - The local machine receives the desktop of the other active user session.

Security analysts at Check Point Research have flagged a bug to Google relating to its Chrome Remote Desktop extension (RDP). The flaw, which affects macOS users and machines, allows a “Guest User” to log-in as Guest and yet receive an active session of another user (such as an administrator) without entering a password. 

Chrome Remote Desktop is an extension to the Chrome browser that allows users to remotely access another computer through Chrome browser or a Chromebook. It is fully cross-platform and supports macOS versions from OS X 10.6 (2009) and above, all from the Chrome browser on virtually any device.

The researchers, Ofer Caspi and Benjamin Berger, flagged the bug to Google on February 15 2018. Google responded that from a CRD perspective, the login screen is not a security boundary. However, Caspi and Berger disagree and believe users should be alert. 

According to the blog post, on macOS, it is possible to let other people use your Mac temporarily as guest users without adding them as individual users. To exploit the bug, once a Guest user connects to a remote desktop machine, the machine should have at least one active user in session (such as someone logged in and locked the screen/screen saver after x time).

Categories: Cyber Risk News

GandCrab Ransomware Finds a New Shell

Fri, 03/16/2018 - 19:10
GandCrab Ransomware Finds a New Shell

Ransomware actors are increasing their development agility week by week, as evidenced by the GandCrab ransomware. According to Check Point, this well-known malware has gotten around a free decryption tool meant to dull its claws.

GandCrab is distributed on the dark web, is probably Russian in origin and targets mainly English-speaking countries, according to Check Point researchers. It’s relatively virulent, having infected over 50,000 victims and extorted an estimated $300,000 to $600,000 in ransom payments. More than 70% of victims are in the US and UK.

GandCrab spreads via the RIG and GrandSoft exploit kits, as well as via email spam. However, the secret to its propagation success lies in its "franchise" model: The GandCrab Affiliate Program pays participants that commit to a set of OPSEC rules 60% to 70% of the ransom revenue in return for full technical support. GandCrab has 80 active affiliates, the largest of which has distributed over 700 different samples of the malware during the past month, according to Check Point.

That said, GandCrab’s reign of terror looked to be at an end after a joint operation by Romanian police, Bitdefender and Europol was able to hack into the malware’s infrastructure, gathering analysis that ultimately produced a tool allowing victims to decrypt their files for free. 

“The decryption tool exploited a basic flaw in the ransomware code that gave access to the master server, enabling recovery of all of the encryption keys used in the malware,” Check Point researchers noted. “It’s the equivalent of someone locking you out of your house but leaving a spare key for you under the doormat.  With this, it looked like ‘game over’ for GandCrab.”

But it wasn’t to be: Developers behind GandCrab quickly hit back with GandCrab 2, which fixes the critical encryption flaw that would have trivially allowed a universal decryptor.

Check Point pointed out that the GandCrab developer team could have fired the web developer and started afresh on a better-protected server; but instead they decided to restart, showcasing unprecedented agility.

“It seems that the GandCrab developers used an agile development process: They started by publishing the least well-built malware that could possibly work, and then have diligently improved it as they went along over a period of days – something that Check Point researchers have never seen in the wild,” the researchers noted.

Categories: Cyber Risk News

Walmart Jewelry Partner Exposes Millions in Latest Cloud Storage Misconfig

Fri, 03/16/2018 - 18:27
Walmart Jewelry Partner Exposes Millions in Latest Cloud Storage Misconfig

In the latest misconfigured Amazon Web Services (AWS) cloud storage snafu, Walmart jewelry partner MBM left personal data for more than 1.3 million customers in the US and Canada exposed without a password.

The Chicago, Illnois-based jewelry company, which operated under the name Limogés Jewelry, left names, addresses, ZIP codes, phone numbers, email addresses, IP addresses and passwords publicly available in an AWS S3 bucket – data that can be used to carry out targeted fraud or phishing attempts.

Originally detected by Kromtech Security, the data of MBM’s online visitors was housed in an MSSQL database backup named "walmartsql." Kromtech said that it’s unknown if the customer information came from the Walmart website or the Limogés Jewelry site.

“The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon S3 buckets is simple ignorance,” said Bob Diachenko, head of communications at Kromtech Security, in a post. “Furthermore, to store an unprotected database file containing sensitive customer data in it anywhere directly online is astonishing, and it is completely unfathomable that any company store passwords in plain text instead of encrypting them.”

While the general consensus is that the fault for leaving data exposed lies with the enterprise customer, at least one researcher says that the sheer volume of these types of incidents, even though the misconfiguration pitfall is well publicized, indicates that there’s something wrong with AWS’s shared responsibility model that puts undue pressure on the end user.

"It is unfortunate that these types of issues continue to plague AWS customers,” said Sam Bisbee, CSO, Threat Stack, via email. “While organizations must understand where they are storing their data, whether the storage system is appropriate for the data they're keeping there, and whether they have the internal resources to responsibly secure those data systems, the onus must also be on AWS. The shared responsibility model for security is accurate and fair, but it is beginning to feel disingenuous as AWS continues to release point solution tools yet leaks keep occurring. This isn't limited to just S3 either, as our research indicates that nearly three-quarters of organizations have critical AWS misconfigurations of some kind.”

This is particularly true for large organizations that have grown rapidly over time, both organically and inorganically, and often rely on third parties, he argued.

“It can be very difficult to maintain security visibility into your infrastructure as assumed knowledge gets dispersed, particularly as business leaders continually prioritize speed over security,” said Bisbee.

Categories: Cyber Risk News

DHS, FBI Warn on Russian State Actors Targeting Critical Infrastructure

Fri, 03/16/2018 - 18:13
DHS, FBI Warn on Russian State Actors Targeting Critical Infrastructure

The US Department of Homeland Security (DHS) and the FBI are warning that Russian state-sponsored cyber-attackers are targeting critical infrastructure – and have been for quite some time.

The two agencies issued a joint alert saying that Russian government cyber-actors are actively targeting organizations in the US energy, nuclear, commercial facilities, water, aviation, government and critical manufacturing sectors. They characterized the activity as a “multi-stage intrusion campaign,” where the hackers first targeted peripheral organizations such as trusted third-party suppliers with less secure networks, before pivoting and gaining remote access into energy-sector networks. From there, they conducted network reconnaissance and launched spear-phishing and watering-hole efforts to move laterally and collect information pertaining to industrial control systems (ICS) across industries.

In all of this, the ultimate goal extends beyond espionage to include gaining access to the human-machine interfaces and other control platforms used to administrate critical infrastructure.

“Yesterday's DHS/FBI alert validates what the ICS community has known for months: Russian cyber-attackers have both the intent and the ability to successfully compromise our critical infrastructure networks, including in our nuclear facilities,” said Phil Neray, vice president of industrial cybersecurity at CyberX, via email. “It's easy to see how Russia could leverage these dangerous footholds to test our red lines and threaten us with sabotage in the event of escalating hostilities, such as new Russian incursions on former Soviet territories."

The activity goes back to at least March 2016, the agencies said, noting that among the APT groups involved are the Dragonfly group, aka Energetic Bear.

The tactics indicate sophistication. “The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity,” the alert noted.

“The threat actors sought information on network and organizational design and control system capabilities within organizations," according to the alert. "These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.”

Analysis further revealed that the threat actors used compromised staging targets to download the source code for several intended targets’ websites; they also attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections. On the watering-hole front, about half of the sites belong to trade publications and informational websites related to process control, ICS or critical infrastructure, which have become victims of code injection.

"We've been tracking Energetic Bear for some time now,” said Yonathan Klijnsma, a threat researcher at digital threat management firm RiskIQ, via email. “As we reported in November, where we showed the entire chain of events for the attack against critical Turkish infrastructure, this group has been targeting individuals with ties to infrastructure companies around the globe with the goal of influencing areas of influence to the Russian Federation. Over the past few years, supply-chain attacks via watering-hole attacks are becoming more and more prevalent and are one of Energetic Bear's favorite tactics."

Categories: Cyber Risk News

Vulnerability Discovered in MikroTik RouterOS

Fri, 03/16/2018 - 12:01
Vulnerability Discovered in MikroTik RouterOS

Security researchers discovered a vulnerability in an operating system potentially used by companies such as NASA, Vodafone, and Ericsson. 

A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Server Message Block (SMB) is a protocol for sharing files, printers, serial ports and communications abstractions such as named pipes and mail slots between computers. 

MikroTik provides hardware and software for Internet connectivity in most of the countries around the world. RouterOS is MikroTik's stand-alone operating system based on Linux v3.3.5 kernel. According to the company’s profile, it services customers such as Vodafone, Ericsson, and NASA, and has over 500 distributors and resellers in 145 countries. 

According to the researchers, remote attackers with access to the service can exploit the vulnerability and gain code execution on the system. As the overflow occurs before authentication takes place, Core Security found it possible for an unauthenticated remote attacker to exploit it.

All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27 - release 6.41.2 was released on 27 February 2018. 

On the Core Security’s blog, the researchers wrote: “The overflow takes place in the function in charge of parsing NetBIOS names, which receives two stack allocated buffers as parameters. 

“The first byte of the source buffer is read and used as the size for the copy operation. The function then copies that amount of bytes into the destination buffer. Once that is done, the next byte of the source buffer is read and used as the new size. This loop finishes when the size to copy is equal to zero. 

“No validation is done to ensure that the data fits on the destination buffer, resulting in a stack overflow.”

The timeline posted by Core Security showed that MikroTik confirmed it had fixed the vulnerability on 12 March 2018 and released a new version of RouterOS. MikroTik has also suggested disabling the SMB service in cases where installing the update isn’t possible.

This vulnerability was discovered and researched by Juan Caillava and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

Categories: Cyber Risk News

Cybercrime Profits: Up to $200Bn Laundered Each Year

Fri, 03/16/2018 - 12:01
Cybercrime Profits: Up to $200Bn Laundered Each Year

Virtual currencies have become the primary tool used by cyber-criminals for money laundering, according to research by the University of Surrey

Drawing from first-hand interviews with convicted cyber-criminals and data from international law enforcement agencies, the study shows that many cyber-criminals are using virtual currency to make property purchases. This converts illegal proceeds into legitimate cash and assets. 

Websites such as Bitcoin Real Estate offer properties, all with the option to buy using bitcoins. Unlike cash purchases, properties purchased with cryptocurrency are not as closely scrutinized because they are not regulated by any central banks or governments.

However, the study also finds that while law enforcement agencies are on top of tracking bitcoin, this has encouraged criminals to use less-recognized currency such as Monero. This allows them to stay under the radar. With nearly 25% of total property sales predicted to be in cryptocurrency in the next few years, financial analysts are concerned. 

Researcher and report author Dr. Mike McGuire, senior lecturer in criminology at Surrey University, said: “Anonymity is also key, with platforms like Monero designed to be truly anonymous, and tumbler services like CoinJoin that can obscure transaction origins. Targeted organizations must do more to protect their customers.”

Rafael Amado, strategy and research analyst, Digital Shadows added: "Virtual currencies provide a layer of anonymity that can be leveraged by criminals to evade law enforcement – for example, virtual currency users usually mask their real identities behind aliases, and funds can be transferred across international borders to intermediaries that are also hidden. 

“These transfers are done as easily as sending a WhatsApp message or email, so it’s clear to see how this can quickly veer into the realms of illicit behavior.”

Cyber-criminals have also been found spending “considerable time” converting stolen income into video game currency or in-game items like gold. These are converted into bitcoin or other electronic formats. 

The report comments that “Games such as Minecraft, FIFA, World of Warcraft, Final Fantasy, Star Wars Online and GTA 5 are among the most popular options because they allow covert interactions with other players that allow trade of currency and goods."
Dr. McGuire added: “Gaming currencies and items that can be easily converted and moved across borders offer an attractive prospect to cyber-criminals. 

“This trend appears to be particularly prevalent in countries like South Korea and China – with South Korean police arresting a gang transferring $38 million laundered in Korean games, back to China.”

The final method in the study, collected from data in online forums and interviews, indicate that an estimated 10% of cyber-criminals are using PayPal to launder money. Methods like ‘micro laundering’, where thousands of small electronic payments are made through platforms like PayPal, are increasingly common and more difficult to detect.  

Dr. McGuire said: “Digital payment systems are most effective when combined with other digital resources, like virtual currencies and online banking. This hides the money trail and confuses law enforcement and financial regulators.”

The findings are part of a larger nine-month study titled Into the Web of Profit, sponsored by Bromium. The full findings will be presented at the RSA Conference in April 2018. 

Categories: Cyber Risk News

Sofacy Targets Government Agency with New Spear-Phishing Campaign

Fri, 03/16/2018 - 10:31
Sofacy Targets Government Agency with New Spear-Phishing Campaign

The Sofacy group, also known as APT28 and Fancy Bear, has carried out an attack on an unnamed European government agency using an updated variant of DealersChoice. 

Details of the attack, which have been published by Unit42 – part of Palo Alto Networks – describe the espionage group using doc.x files titled “Defence & Security 2018 Conference Agenda,” which appears to have been copied directly from the website for the “Underwater Defence & Security 2018 Conference.” 

Back in October 2016, the security researchers published an initial analysis on a Flash exploitation framework used by the Sofacy threat group called DealersChoice. The attack consisted of Microsoft Word delivery documents that contained Adobe Flash objects capable of loading additional malicious Flash objects embedded in the file or directly provided by a command and control server. Sofacy continued to use DealersChoice throughout the fall of 2016, which was documented in December 2016. 

However, the attacks that took place on March 12 and 14 used a different variation of the spear-phishing attack, something not seen from Sofacy before.

Unlike in the fall of 2016, the Flash object in the document is only loaded if the user scrolls through the entire content of the delivery document and views the specific page the Flash object is embedded in. Then the object contacts an active C2 server to download an additional Flash object containing exploit code.

Robert Falcone, the author of findings, wrote: “The Sofacy threat group continues to use their DealersChoice framework to exploit Flash vulnerabilities in their attack campaigns. In the most recent variant, Sofacy modified the internals of the malicious scripts but continues to follow the same process used by previous variants by obtaining a malicious Flash object and payload directly from the C2 server. 

“Unlike previous samples, this DealersChoice used a DOCX delivery document that required the user to scroll through the document to trigger the malicious Flash object. The required user interaction turned out to be an interesting anti-sandbox technique that we had not seen this group perform in the past.”

However, due to the several steps and vulnerabilities required for this attack to exploit its victim, it's considered that chance of success is low. 

Categories: Cyber Risk News

US Treasury Department Sanctions Russians Over NotPetya, Election Meddling

Thu, 03/15/2018 - 17:36
US Treasury Department Sanctions Russians Over NotPetya, Election Meddling

The US Treasury Department has issued new sanctions against 5 entities and 19 individuals (unnamed) in response to Russia’s cyber-activities, including election meddling and the NotPetya attack last year. Those slapped with the restrictions will be denied access to any of their property and interests held within American jurisdictions; additionally, US citizens are prohibited from engaging in transactions with those sanctioned. 

The department cited what it referred to as “Russia’s continuing destabilizing activities”: The NotPetya campaign, it noted, was the “most destructive and costly cyber-attack in history,” resulting in billions of dollars in damage across Europe, Asia and the United States, with disruptions to global shipping, trade and the production of medicines. Additionally, several hospitals in the United States were unable to create electronic records for more than a week. The US and other nations officially attributed the attack to the Russian military last month.

“The Administration is confronting and countering malign Russian cyber activity, including their attempted interference in US elections, destructive cyber attacks, and intrusions targeting critical infrastructure,” said US Treasury Secretary Steven Mnuchin in a statement. “These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia. Treasury intends to impose additional [targeted] sanctions, informed by our intelligence community, to hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the US financial system.”

The Treasury also acknowledged, in a stark contrast to the line held by America's President Donald Trump for months leading up to the US election and after, that Russian government cyber-actors have targeted US government entities and multiple critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors, since at least 2016. 

Also in contrast to Trump’s ongoing insistence that US intelligence could be flawed, the Treasury said that “indicators of compromise, and technical details on the tactics, techniques and procedures, are provided in the recent technical alert issued by the Department of Homeland Security and Federal Bureau of Investigation.”

Categories: Cyber Risk News

WhatsApp Agrees to Stop Sharing User Data with Facebook

Thu, 03/15/2018 - 16:49
WhatsApp Agrees to Stop Sharing User Data with Facebook

After an injunction from the UK’s Information Commissioner’s Office (ICO), WhatsApp has said that it will no longer share personal data with its parent company, Facebook, until the upcoming EU General Data Protection Regulation (GDPR) rules can be met.

The popular mobile messaging app, which the social network acquired for $19 billion in 2014, had reserved the right to share user information across the Facebook family of properties (which also includes Instagram) for the purpose of advertising targeting, marketing, making “suggestions” such as who to follow on social media and cybersecurity. Now it has signed an “undertaking” with the ICO making a commitment to not share such user information for these or any other purpose until it can guarantee compliance with the GDPR.

“People have a right to have their personal data kept safe, only used in ways that are properly explained to them, and for certain uses of their data, to which they expressly consent,” said Information Commissioner Elizabeth Denham in a blog. “This is a requirement of the Data Protection Act…WhatsApp has not identified a lawful basis of processing for any such sharing of personal data.”

Concerns about possible inappropriate data sharing have been raised by media reports, civil society groups and data protection authorities globally since at least 2016, as a result of Facebook and WhatsApp updating their terms and conditions and privacy policy to be able to share phone numbers and other data. Those concerns have not fallen on deaf ears: In addition to the UK’s ban, the issue has been seized upon by European Data Protection Authorities, and the Higher Administrative Court (OVG) Hamburg banned Facebook from using WhatsApp user data in Germany. The French data protection authority (CNIL) is in the process of bringing enforcement action against WhatsApp, and other EU data protection authorities also have ongoing investigations.

“At the heart of these concerns lies a desire for improved transparency, control and accountability at a time when personal data is ever more central to the business models of key players in the digital economy,” said Denham.

The move is seen as a win for UK consumers, who have expressed concern about not only marketing data being shared but also a potential lawful intercept provision in the service.

"For a public that is increasingly aware and concerned about its privacy rights but, perhaps, not so clear on how that privacy is eroded, the decision by WhatsApp to not share personal data with Facebook is a very welcome step,” said Lee Munson, security researcher at, via email. “While the undertaking will need to be monitored in the future, especially when the General Data Protection Regulation comes into effect, it should have the desired effect of raising transparency and increasing trust with a public that may already be concerned about its own government’s desire to insert a backdoor into the popular chat app.”

Categories: Cyber Risk News

Minority Cyber-Pros Are Better Educated but Paid Less

Thu, 03/15/2018 - 16:19
Minority Cyber-Pros Are Better Educated but Paid Less

When it comes to diversity in the cybersecurity workforce, it turns out that minority representation is actually higher than in the broader US workforce as a whole (26% vs. 21%). However, these professionals are disproportionately found in non-management roles, and they tend to earn lower salaries while being more likely to hold a master’s degree or higher.

According to the just-released Innovation Through Inclusion report from (ISC)², cybersecurity professionals of color earn $115,000 on average, while the overall US cybersecurity workforce average is $122,000. Similarly, just 23% of minority cybersecurity professionals hold a role of director or above, compared to 30% of their Caucasian peers. This is despite the fact that 62% of minorities have obtained a master’s degree or higher, compared to 50% of professionals who identified as White.

Also, disappointingly, 32% of cybersecurity professionals of color said they have experienced discrimination in the workplace.

“While minority representation within the cybersecurity field is slightly higher than the overall U.S. minority workforce, our study did reveal that racial and ethnic minorities tend to hold non-managerial positions, and pay discrepancies, especially for minority women, is a challenge,” said (ISC)² CEO David Shearer. “In order to build strong, adequately staffed cybersecurity teams, employers – and the cybersecurity profession as a whole – must make cybersecurity a rewarding and welcoming career for everyone. Understanding the challenges our profession faces related to diversity is a critical first step to accomplishing that goal and ultimately addressing the widening cybersecurity workforce gap.”

Based on survey responses from 9,500 U.S. cybersecurity professionals, the study also found that men of color are behind their Caucasian male peers in salary by $3,000.

Interestingly, the report also found that 17% of the cybersecurity workforce who identify as a minority are female, proportionally exceeding overall female representation (14%) by a margin of 3 percentage points. However, women of color make an average of $10,000 less than Caucasian males and $6,000 less than Caucasian females.

In addition to a higher average salary, Caucasian workers were more likely to have received a salary increase within the past year, as compared to other races and ethnicities.

“The under-participation by large segments of our society represents a loss of opportunity for individuals, a loss of talent in the workforce and a loss of creativity in shaping the future of cybersecurity,” said Aric Perminter, president of the International Consortium of Minority Cybersecurity Professionals (ICMCP). “Not only is it a basic equity issue, but it threatens our global economic viability as a nation. This research underscores the importance of our mission. The ICMCP Educational Security Operations Centers (ESOCs) provide innovative, effective and timely solutions to the cybersecurity demands of employers – from cyber-ranges and certification training to NICE curriculum and job placement.”

To foster diversity in the workplace, 49% of minority cybersecurity professionals in the survey said mentorship programs are “very important.”

Categories: Cyber Risk News

Cybersecurity Incident Response Still Major Issue

Thu, 03/15/2018 - 12:17
Cybersecurity Incident Response Still Major Issue

Over 75% of respondents across the globe admitted that they do not have a formal cybersecurity incident response plan in place across their organization, according to research conducted by Ponemon Institute and sponsored by IBM Resilient.

More worryingly, half of the respondents reported that their incident response plan is either informal, ad-hoc or completely non-existent. 

However, nearly three-quarters (72%) of organizations report feeling more cyber-resilient today than last year and feel confident about their skilled personnel. This confidence may be misplaced, with the analysis revealing that 57% of respondents said the time to resolve an incident has increased, while 65% reported the severity of the attacks has increased. 

“Having the right staff in place is critical but arming them with the most modern tools to augment their work is equally as important,” said Ted Julian, VP of product management and co-founder, IBM Resilient. “A response plan that orchestrates human intelligence with machine intelligence is the only way security teams are going to get ahead of the threat and improve overall cyber-resilience.”

With the General Data Protection Regulation (GDPR) coming into effect in May 2018, the lack of a consistent cybersecurity incident response plan could prove costly for businesses. However, most countries surveyed did not report confidence in their ability to comply with GDPR, which is concerning given the closeness of the deadline.

Furthermore, IBM found that the cost of a data breach was nearly $1m lower on average when organizations were able to contain the breach in less than 30 days, showing the financial benefits of having a good response plan in place.

“A sharp focus in a few crucial areas can make a big difference when it comes to cyber-resilience,” said Dr. Larry Ponemon. “Ensuring the security function is equipped with a proper incident response plan, staffing, and budget will lead to a stronger security posture and better overall cyber-resilience."

Categories: Cyber Risk News

Geopolitical Malware Attacks on the Rise

Thu, 03/15/2018 - 10:51
Geopolitical Malware Attacks on the Rise

Malware attacks surged around geo-political events in 2017, according to the second quarter of Comodo’s Global Malware 2017 report.

The firm’s research found many countries in Europe and the Middle East were subject to trojan, worm and virus attacks around events such as elections, social unrest and military strikes.

When many think about political intervention using cyberhacking, Norway probably doesn’t spring to mind. An example was Norway, with the country coming under fire from trojan malware on September 5 2017, less than a week prior to it's parliamentary elections. 

Comodo also found coloration between trojan attacks in the Czech Republic and domestic social upheaval. During Spring 2017, malware detections spiked during a period of domestic and international tension when a government reshuffle was taking place. 

“It makes perfect sense that geopolitical events would lead to spikes in malicious activity,” says Tim Helming, director of product management, DomainTools. “Cyber-criminal groups and nation-state actors alike are just like normal criminals – opportunists – and using big global events which gain a lot of traction in the media is one way to ensure that traction is achieved for their campaigns, as well as opportunities to retaliate towards organizations hostile to them.”

With concerns about cyber-attacks affecting political elections, Kaspersky Lab recently launched a customizable online voting platform for non-commercial organizations, businesses and communities. The system uses blockchain technology and is secured with transparent crypto algorithms.

‘Polys’, a new commercial solution created by a team of developers from the Business Incubator, is based on smart contracts in Ethereum which allows ballot verification and vote tallies to be performed in a decentralized manner. This provides anyone with the ability to conduct secure, anonymous and scalable online voting with results that cannot be altered by participants or organizers. 

During the company’s recent annual Cyber Security Weekend event, Vartan Minasyan, head of investment and innovation at Kaspersky Lab, said: “One such area [where safety and security are important] is online voting and, when exploring the possible implementations of blockchain in particular, our team realized that this technology combined with the company’s cybersecurity expertise could solve key problems related to the privacy, transparency and security of online voting.”

However, Helming warned that the general public also need to be vigilant during these periods of political interest: “These large events, as well as dominating the news agenda, are likely to dominate people’s inboxes, providing the perfect cover for phishing, smishing or social engineering attacks, which could in turn lead to personal information being compromised. 

“Companies, governments and individuals should be aware a large global event is just as vulnerable to cybercrime as any other company, person or event."

Categories: Cyber Risk News