Palmdale resident Ryan S. Hernandez, now aged 21, was still a minor when he and an associate used a phishing technique to steal the credentials of a Nintendo employee in 2016.
The credentials were exploited to access and download confidential files relating to the company's games and consoles, which were then leaked to the public. Pre-release information about the anticipated Nintendo Switch console was among the data leaked.
In 2017, FBI agents contacted Hernandez, also known as Ryan West and by his online moniker "RyanRocks," and his parents regarding the hack. Despite promising agents that he would not engage in any further cyber-criminal activity, Hernandez went on to hack into multiple Nintendo servers and steal confidential information about video games, developer tools, and gaming consoles from at least June 2018 to June 2019.
The indiscreet hacker boasted about his crimes on Twitter and Discord, the group-chatting platform that was originally built for gamers. He even created an online chat forum, eponymously named "Ryan's Underground Hangout," where he chatted with people about Nintendo products, shared some of the data he had stolen from the company, and highlighted possible vulnerabilities in Nintendo's computer network.
Hernandez' activities did not go unnoticed by the FBI, who searched his home in June 2019 and seized circumvention devices used to access pirated video games and software. Agents also seized numerous computers and hard drives, upon which were discovered thousands of confidential files belonging to Nintendo.
Forensic analysis of devices belonging to Hernandez revealed that the teen had used the internet to amass a collection of over 1,000 videos and images depicting minors engaged in sexually explicit conduct. This cache of child sexual abuse material was stored and sorted in a folder directory labeled “Bad Stuff.”
In January 2020, Hernandez pleaded guilty to computer fraud and abuse and to possession of child pornography and agreed to pay $259,323 in restitution to Nintendo. On December 1, Hernandez, who will now be required to register as a sex offender, was sentenced to three years in prison followed by seven years of supervised release.
Just over three-quarters of cybersecurity professionals have said they expect to see an increase in DNS-related security threats over the next few weeks.
In preparation, three in five (59%) have altered their DNS security methods in the run-up to the holiday season, according to a new report from the Neustar International Security Council (NISC).
However, 29% have reservations around their ability to respond to DNS attacks, likely attributed to the shifting and complex DNS threat landscape, as some users admitted to having been hit by at least one DNS attack in the past year, including DNS spoofing/cache poisoning (28%), DNS tunneling (16%) and zombie domain attacks (15%).
“Acting as the internet’s address book and backbone of today’s digital services, it’s unsurprising that DNS is an increasingly appealing vector for malicious actors, particularly as more consumers turn to websites during peak online shopping periods,” said Rodney Joffe, chairman of NISC, SVP and fellow, Neustar.
“When successful, DNS attacks can have damaging repercussions to an organization’s online presence, brand and reputation. A domain hijacking attack, for example, can result in hackers taking control of a company’s domain and using it to host malware or launch phishing campaigns that evade spam filters and other reputational protections. In a worst-case scenario, this type of attack can even lead to an organization losing its domain altogether.”
In an email to Infosecurity, Jack Mannino, CEO at nVisium, flagged the threat of DNS tunneling as being a popular exfiltration technique “because DNS is frequently allowed for egress traffic.”
Mannino said: “Understanding your DNS traffic and having visibility into attacks is important because many command and control systems use DNS for this purpose, and attackers can exfiltrate data over the protocol through attacks like SQL injection as well, evading firewalls and filtering appliances.”
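The visibility Mannino describes usually starts with the resolver's query log. The following is an added example (not from the article or from nVisium) that scores each registered domain on three signals tunnelling tools tend to produce together: many unique subdomains, long subdomain labels and high character entropy from encoded payload. The log format, the thresholds and the sample lines are constructed assumptions, and the "last two labels are the registered domain" rule is a simplification in place of a public-suffix list.

```python
"""Heuristic spotting of DNS-tunnelling-style exfiltration in resolver query logs.

Added example: scores each registered domain on unique-subdomain count, mean
subdomain length and mean character entropy. Everything below (log format,
thresholds, sample data) is a constructed assumption, not a real product's logic.
"""
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<timestamp> <client-ip> <qname> <qtype>" (not any real resolver's format).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s*$")

# Record types that can carry a larger payload in the response direction.
BULKY_TYPES = {"TXT", "NULL", "CNAME"}

# Constructed sample: ordinary lookups, a CDN with many short hostnames, and
# hex-encoded data pushed through subdomains of example-evil.net.
SAMPLE_LOG = """\
2020-12-10T09:00:01Z 10.1.2.3 www.example.com A
2020-12-10T09:00:02Z 10.1.2.3 mail.example.com MX
2020-12-10T09:00:02Z 10.1.2.5 api.example.com A
2020-12-10T09:00:04Z 10.1.2.3 www.example.com A
2020-12-10T09:00:05Z 10.1.2.6 img1.cdn-example.org A
2020-12-10T09:00:05Z 10.1.2.6 img2.cdn-example.org A
2020-12-10T09:00:05Z 10.1.2.6 img3.cdn-example.org A
2020-12-10T09:00:06Z 10.1.2.6 img4.cdn-example.org A
2020-12-10T09:00:06Z 10.1.2.6 img5.cdn-example.org A
2020-12-10T09:00:06Z 10.1.2.6 img6.cdn-example.org A
2020-12-10T09:00:07Z 10.1.2.4 54686520717569636b2062726f776e20.tun.example-evil.net TXT
2020-12-10T09:00:07Z 10.1.2.4 666f78206a756d7073206f7665722074.tun.example-evil.net TXT
2020-12-10T09:00:08Z 10.1.2.4 6865206c617a7920646f672e20536563.tun.example-evil.net TXT
2020-12-10T09:00:08Z 10.1.2.4 726574206b6579206d6174657269616c.tun.example-evil.net TXT
2020-12-10T09:00:09Z 10.1.2.4 2066726f6d207468652044422073616c74.tun.example-evil.net TXT
2020-12-10T09:00:09Z 10.1.2.4 666f6c6c6f7765642062792070617373.tun.example-evil.net TXT
this line is malformed and must be skipped
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded data scores far above hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain). Simplification: last two labels = registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


@dataclass
class DomainStats:
    queries: int = 0
    subdomains: set = field(default_factory=set)
    sub_len_total: int = 0
    entropy_total: float = 0.0
    bulky: int = 0  # queries for TXT/NULL/CNAME

    def mean_len(self) -> float:
        return self.sub_len_total / self.queries if self.queries else 0.0

    def mean_entropy(self) -> float:
        return self.entropy_total / self.queries if self.queries else 0.0

    def bulky_ratio(self) -> float:
        return self.bulky / self.queries if self.queries else 0.0


def aggregate(log_text: str) -> dict:
    """Parse the log and accumulate per-registered-domain statistics."""
    stats = defaultdict(DomainStats)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        sub, reg = split_qname(m["qname"])
        st = stats[reg]
        st.queries += 1
        st.subdomains.add(sub)
        st.sub_len_total += len(sub)
        st.entropy_total += shannon_entropy(sub)
        if m["qtype"].upper() in BULKY_TYPES:
            st.bulky += 1
    return dict(stats)


def find_tunnel_candidates(log_text: str, min_unique: int = 5,
                           min_len: float = 20.0, min_entropy: float = 3.0) -> list:
    """Domains that trip all three signals at once. A busy CDN trips only the first,
    so requiring all three keeps it out of the candidate list."""
    hits = []
    for domain, st in aggregate(log_text).items():
        if (len(st.subdomains) >= min_unique
                and st.mean_len() >= min_len
                and st.mean_entropy() >= min_entropy):
            hits.append(domain)
    return sorted(hits)


if __name__ == "__main__":
    for domain, st in aggregate(SAMPLE_LOG).items():
        print(f"{domain:20} q={st.queries:2} uniq={len(st.subdomains):2} "
              f"len={st.mean_len():5.1f} H={st.mean_entropy():.2f} bulky={st.bulky_ratio():.2f}")
    print("candidates:", find_tunnel_candidates(SAMPLE_LOG))
```

Thresholds need tuning against a baseline of the organisation's own traffic before alerting on them; the value of the aggregation is that it turns individual queries, each harmless-looking on its own, into a per-domain profile that can be reviewed.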
During September and October 2020, DDoS (22%) was ranked as the greatest concern for security professionals, followed by system compromise (19%) and ransomware (17%). During this period, organizations have focused most on increasing their ability to respond to vendor or customer impersonation (58%), targeted hacking (54%) and IP address hacking (52%).
Joffe said it was positive that organizations are aware of the severity of DNS attacks, but it is also important that they continue to take proactive steps to protect themselves and their customers against the different threats.
“This should involve regular DNS audits and constant monitoring to ensure a thorough understanding of all DNS traffic and activity,” he said.
“Crucially, DNS data can also provide organizations with timely, actionable and important threat insights, allowing them to not only protect against DNS-related threats, but also mitigate the vast majority of malware, viruses and suspicious content before critical systems are infiltrated.”
Angela McLaren has been announced as the new assistant commissioner of the City of London Police, with responsibility for economic and cybercrime.
McLaren joins from Police Scotland, where she was the executive lead for organized crime, counter terrorism and intelligence. “I feel privileged to be joining such a talented team of individuals who are already leading the way in preventing and detecting economic and cybercrime, and look forward to working with them to protect the public against these threats,” McLaren said.
“Both fraud and cybercrime present real and increasing threats to communities; this has been particularly evident in the last year, as more people have been confined to their homes, relying on technology to live their lives. Unfortunately, criminals continue to exploit this situation, often targeting the most vulnerable within our society, and this must stop.”
The appointment follows the announcement of the City of London Police being named as the national lead force for cybercrime, which prompted the creation of a new assistant commissioner role to specifically oversee the significantly greater responsibilities the force now holds within the NPCC cybercrime portfolio.
Ian Dyson, City of London police commissioner, said protecting organizations and individuals from fraudulent activity, including cybercrime, is a priority for the City of London Police looking ahead to 2021, “and assistant commissioner McLaren will be instrumental in what I am sure will be a success.”
Operational technology (OT) security company Claroty has announced the appointments of Adi Weisz as VP of engineering and Brian Dunphy as VP of product management as the firm looks to continue its growth and innovation in the field of industrial cybersecurity.
Weisz joins Claroty from Lusha and brings 20 years of technology experience to the role, having previously served at firms such as Fornova, Gigya and AfterDownload. He will be in charge of building and maintaining Claroty’s product offerings as well as building and developing a modern, effective and efficient engineering organization.
“I chose to join the elite team of professionals at Claroty to help companies focus on their business without sacrificing security,” said Weisz. “In the world of cybersecurity today, there is no more challenging yet rewarding arena to be in than that of OT infrastructure, where the stakes couldn’t be higher.”
As VP of product management, Dunphy will be responsible for identifying and driving key product improvements. He has 25 years of cybersecurity industry experience and most recently led product management for RSA’s NetWitness Platform.
“OT is the next cyber-battleground as there is no higher value target for threat actors – just imagine the potential impact of a compromised production line, water utility or chemical plant,” Dunphy said. “I joined Claroty because it has been an early pioneer in a space that has an enormous impact on the world. We are not just securing OT systems; we are protecting the lifeblood that powers enterprises’ core functionalities and all of our daily lives.”
Commenting on the appointments, Claroty CEO Yaniv Vardi, said: “We’re thrilled to have Adi and Brian join us here at Claroty. Their enthusiasm for our mission combined with their deep industry expertise are great assets to our company leadership and product development.”
Rights groups have expressed serious concerns over reports that a UK supermarket chain recently completed a trial of controversial facial recognition technology.
The Southern Co-operative, whose stores cover 10 counties across the south of England, revealed the trial in a little-noticed update dated two months ago. However, recent media coverage has spurred interest from privacy campaigners.
London-based Privacy International said it has written to the chain requesting urgent assurances over its partnership with UK startup Facewatch. Describing its technology as a cloud-based facial recognition system designed to safeguard businesses against crime, it says the tech “sends you instant alerts when subjects of interest enter your business premises.”
Aside from concerns over whether the Co-op’s use of Facewatch complied with strict data protection and privacy laws, the rights group wants to know whether the trial may have exposed innocent shoppers to unwarranted police scrutiny.
“In October 2020, Privacy International urged authorities in the UK to investigate evidence that Facewatch is offering to transform its crime alerting system into another surveillance network for UK police forces, by offering them the ability to ‘plug-in’ to the system. We are still awaiting responses,” it said.
“We are concerned that such a deployment at Southern Co-op stores – even at trial level – could mean that, in order to purchase essential goods, people might be in effect left with no choice but to submit themselves to facial recognition scans.”
An October blog penned by the supermarket chain’s loss prevention officer, Gareth Lewis, explained that the trial covered a select number of stores that had experienced high levels of crime. Customers were made aware of the trial by “distinctive signage,” and no facial images are stored “unless they have been identified in relation to a crime.” He claimed this made it GDPR-compliant.
Ray Walsh, digital privacy expert at ProPrivacy, raised similar concerns to Privacy International.
“The problem with allowing private businesses to use real-time scanning is that the facial recognition cameras could theoretically become part of constant real-time surveillance leveraged by the police or other government agencies, of the like seen in countries such as China,” he argued.
“These systems mean everyone who ventures out in public is being constantly scanned. It is vital for regulation on the use of facial recognition to offer transparency over how the general public’s data is collected, stored, processed and transported to ensure privacy and data security.”
The National Cyber Security Centre (NCSC) has announced its annual CyberFirst Girls Competition is now open for registrations, with a mission to inspire the next generation of young women to pursue a career in the industry.
Although set up as an offshoot of GCHQ to advise and protect UK organizations from cyber-threats, one of the NCSC’s other core goals is to help address chronic cybersecurity skills shortages in the UK.
According to government figures published in March, 48% of businesses have a basic cyber-skills gap. This is defined as those in charge of cybersecurity lacking “the confidence to carry out the kinds of basic tasks laid out in the government-endorsed Cyber Essentials scheme, and are not getting support from external cybersecurity providers.”
What’s more, 25% of firms said that such gaps prevent them from achieving their business goals. The industry is also woefully lacking in diversity: just 15% of the cyber-workforce is female versus 28% in the wider digital sector, the report claimed.
The CyberFirst Girls Competition offers female students in Year 8 in England and Wales, Year 9 in Northern Ireland and S2 in Scotland the opportunity to test their skills in a “fun but challenging” environment.
Teams of four students participate in an online qualifier lasting 10 days, before a regional semi-final round and then the grand final on April 26 2021.
The opening of registrations comes hot on the heels of another initiative from the NCSC: EmPower Cyber Week. Running last week, the event saw scores of schools from around the country participate in virtual presentations designed to show pupils aged 12-13 what careers in cybersecurity look like.
Topics including coding, cryptography and logic were delivered in a highly accessible manner. For example, a “Popstars and Passwords” track taught students to create strong passwords using three random words and their favourite pop stars. A “Python Mind Reader” course used the eponymous programming language to create a simple game.
“The NCSC is committed to creating an environment where cybersecurity can thrive, and we’re pleased that our drives to reach school-aged children are inspiring the next generation of cyber-experts,” said NCSC deputy director for cyber-growth, Chris Ensor.
“The CyberFirst program looks to offer pupils and students as many chances as possible to develop valuable cyber-skills – and we would strongly encourage girls to register for next year’s CyberFirst Girls competition.”
The development of an Internet of Things (IoT) threat hunting framework enabled the discovery of over a billion attacks.
They explained that they had created the framework as they had noticed the increase of DDoS attacks, as well as “the weapons including IoT malware and botnets” and Cheng said that, according to research, 20% of attacks in 2020 were related to IoT.
They said the benefits of using an automated threat hunting system include:
- Automatic detection and real-time blocking of various threats
- Instantly locating various threat trends
- Follow-up analysis of a large number of intelligence resources by threat analysts
- The cost of human maintenance is extremely low
They said their IoT hunting service is capable of analyzing 20 terabytes of traffic across IoT and ICS. “We do not need to dedicate a lot of powerful machines to do the processing to help cut down on costs,” Cheng said. It has been able to detect 1.2 billion attacks, including detecting 70 million malicious IP addresses and 15 million suspicious domains, as well as a possible 1.4 million botnet devices.
“If we count back all the way to early 2019, we analyzed 45TB of data,” Cheng said, and they were able to distinguish 70 million suspicious domains. The countries with the most devices tied up in botnets were Vietnam with 1.6 million, China with 1.3 million and India with one million. The most attacked country was the USA with 316 million attacks, more than double the 155 million attacks recorded against India.
Asked by Infosecurity if they were surprised by the number of attacks they found, the speakers said they were, as it can typically take one to two days to analyze malware and understand what kind of malware it is and its behaviors. “With so much unknown malware, we need to spend time to analyze,” Cheng said.
IT services provider Transputec will provide security for Worldwide Flight Services’ (WFS) aviation cargo and ground handling operations, it has been announced.
Under the agreement, Transputec will work with ThreatSpike Labs to ensure WFS has the technology and services most relevant to its needs and will provide 24/7 monitoring for potential security risks, ensuring resolution is found before they become an issue.
WFS’ aviation cargo and ground handling operations consist of 21,800 employees at 171 stations in 22 countries across five continents. Transputec was deemed the most suitable provider for the firm after emerging top in proof-of-concept trials.
Sonny Sehgal, CEO of Transputec, commented: “We are excited to be working with such a respected market leader as WFS and pleased to be helping to further improve the company’s security program to increase the value of its services. Our team has already been welcomed as an extension of their IT function and a core part of their security team and will offer specialist help and digital expertise to support the integrity and growth of WFS’ operations around the world.”
Pedro Garcia, group chief information officer for WFS, said: “Safety and security will always be WFS’ top priority to underpin the vital services we provide for our airline customers at airports around the world. We take this responsibility very seriously and are constantly reviewing our systems and processes to ensure they are fit-for-purpose against potential threats and to protect our business continuity. Transputec is providing critical managed services that enable us to improve the resilience, efficiency and security of our global operations, which gives us the peace of mind that any security anomaly or incident will be managed and resolved instantly.”
There have been several security incidents involving airlines this year, including EasyJet revealing that approximately nine million of its customers had their personal data accessed, and reports that access to Pakistan International Airlines’ network is being offered for sale on the dark web.
A UK business specializing in tax relief for its clients has exposed the personal details of over 100,000 of them via a misconfigured content management system (CMS).
Researchers at Website Planet told Infosecurity exclusively about the privacy snafu, which they discovered on October 13 and notified the firm about the next day.
That company was Marriage Tax Refund, a Wolverhampton-based organization whose business model is to recover marriage tax allowance funds for UK clients.
According to the research team, the firm had misconfigured its WordPress CMS, leaving a directory listing of PDF documents available for public view, with no password protection.
This meant anyone could theoretically have viewed personally identifiable information (PII) on Marriage Tax Refund clients, including applicants’ full names, gender and home address, their partners’ full names and gender, and the refund amount they could request.
Website Planet estimated that in excess of 100,000 clients who signed up to the scheme since the company’s founding in October 2016 could have had their PII exposed in this way.
“A combination of full name, address and marital status are sufficient for nefarious users to conduct identity theft and fraud. Furthermore, personal user details could be used to conduct fraud across other platforms without the victim becoming aware that such activity is occurring,” the researchers warned.
“Therefore, Marriage Tax Refund’s leak could potentially be used to deploy deeper and more damaging scams by sending customized information directly to their target’s addresses, possibly disguised as communication from Marriage Tax Refund, or, disguised as HMRC but referencing the customer’s business with Marriage Tax Refund and thereby gaining the intended target’s trust.”
After notifying both the UK CERT and privacy regulator the Information Commissioner’s Office (ICO), Website Planet finally saw that the misconfiguration had been fixed by the firm on November 6 this year.
An unnamed individual in the United States has pleaded guilty to creating a botnet and using it to launch a series of cyber-attacks against the gaming community before reaching their 18th birthday.
The Distributed Denial of Service (DDoS) attacks, carried out in October 2016, caused what the United States Department of Justice described as "massive disruption to the internet."
As a result of the attacks, websites, including those pertaining to Sony, Twitter, Amazon, PayPal, Tumblr, Netflix, and Southern New Hampshire University (SNHU), became either completely inaccessible or accessible only intermittently for several hours on October 21, 2016.
"As a result of the individual’s DDoS attacks, Dyn, Sony, SNHU, and other entities and individuals suffered losses including lost advertising revenues and remediation costs," said the DOJ.
"Sony estimated that its resultant losses included approximately $2.7 million in net revenue."
On December 9, the Department announced that an individual, formerly a juvenile, had pleaded guilty to committing acts of federal juvenile delinquency in relation to the 2016 cyber-attacks.
Unsealed court documents revealed that from approximately 2015 until November 2016, the individual conspired with others to build and operate at least one online botnet, which they then used to launch DDoS attacks against multiple victim computers.
The botnet was a variant of the Mirai botnet that infected Internet-of-Things devices, such as internet-connected video cameras and recorders, turning them into bots that could launch DDoS attacks.
The individual and their co-conspirators specifically targeted computers belonging to online gamers or to gaming platforms, knocking them offline completely or otherwise significantly impairing their functionality.
On October 21, 2016, the individual and others launched multiple DDoS attacks against the Sony PlayStation Network's gaming platform in an attempt to knock it offline for a sustained period.
According to the plea agreement, the individual conspired to commit computer fraud and abuse by operating a botnet and by intentionally damaging a computer. Because the individual was aged under 18 when they committed the offenses, their identity is being withheld pursuant to the Juvenile Delinquency Act.
The guilty plea was entered in a closed proceeding before Chief Judge Landya McCafferty in the District of New Hampshire. Judge McCafferty scheduled the individual’s sentencing to take place on January 7, 2021.
An American healthcare provider has started notifying more than a million patients that their data may have been exposed as the result of a cyber-attack.
Dental Care Alliance discovered on October 11 that it had been the victim of a hack that began on September 18, 2020. The company, which is headquartered in Sarasota, Florida, was able to contain the attack by October 13.
Patient data that may have been accessed in the security incident included names, addresses, dental diagnosis and treatment information, patient account numbers, billing information, bank account numbers, the name of the patient's dentist, and health insurance information.
Dave Quigley, general counsel for DCA, told Databreaches.net that the breach had been reported to all relevant regulatory bodies and that DCA had notified all 1,004,304 people affected by the incident via letter in November.
Explaining why no remediation services such as credit monitoring had been offered to patients impacted by the breach, Quigley said: "We have seen no specific evidence that personal information was used for malicious purposes."
He added: "We will continue to do all that is necessary and appropriate to support and inform impacted individuals in the days ahead."
A review of what data the attackers were able to access concluded that bank account numbers belonging to only 10% of the individuals impacted by the hack were visible to an unauthorized third party.
Dental Care Alliance is a dental support organization with more than 320 affiliated dental practices across 20 states. The LLC was established in 1991 by Dr. Steven Matzkin and currently works with more than 700 dentists.
The incident comes 10 months after a ransomware attack on Colorado information technology company Complete Technology Solutions (CTS) impacted about 100 dental practices in the United States, leaving staff unable to access patient records and treatment schedules.
Practices in Colorado, Kansas, Nebraska, and Nevada were impacted by the incident, including the Pediatric Dental Specialists of Greater Nebraska.
Co-owner Dr. Jessica Meeske, describing the effect of the attack on the practice, told the American Dental Association: "You are absolutely paralyzed in the same way as if you lost your location physically."
Internet-connected MySQL databases around the world are being targeted by a double extortion ransomware campaign that researchers have dubbed PLEASE_READ_ME.
The campaign, which dates back to at least January 2020, was detected by researchers at Guardicore Labs. So far, it has breached more than 83,000 of the more than five million internet-facing MySQL databases in existence worldwide.
Simple but effective in its approach, the campaign uses file-less ransomware to exploit weak credentials in MySQL servers. After gaining entry, the attackers lock the databases and steal data.
The attack is a double extortion because its authors use two different tactics to turn a profit. First, they try to blackmail the database owners into handing over money to retrieve access to their data. Second, they sell the stolen data online to the highest bidder.
Researchers noted that the attackers have been able to offer over 250,000 databases for sale on a dark web auction site so far.
The attackers leave a backdoor user on the database for persistence, allowing them to re-access the network whenever the mood strikes them.
Researchers were able to trace the origins of the attacks to 11 different IP addresses, the majority of which are based in Ireland and the UK.
Since spotting the first attack on January 24, the Guardicore Global Sensors Network (GGSN) has reported a total of 92 attacks. Since October, the rate at which attacks are being launched has risen steeply.
Two variants have been used over the campaign's lifetime, showing an evolution in the attackers' tactics. The first variant was in use from January to the end of November and accounted for 63 attacks; the second phase began on October 3 and also halted at November's end.
In phase one, the attackers left a ransom note with their wallet address, the amount of Bitcoin to pay, and an email address for technical support. Victims were given 10 days to pay up.
"We found that a total of 1.2867640900000001 BTC had been transferred to these wallets, equivalent to 24,906 USD," noted researchers.
In the second phase, the attackers ditched the Bitcoin wallet in favor of a website in the TOR network where payment could be made.
The Cyber Helpline, a volunteer organization that offers emergency assistance to victims of cybercrime and cyber-stalking in the UK, has been awarded £10,000 in lottery funding.
The group said the money will be used to support its helpline and chatbox services, with demand rising rapidly due to the growing levels of cybercrime following the shift to digital during COVID-19. This includes further investment into its chatbot technology, which ensures 24/7 support is available to victims, as well as enabling the onboarding of new volunteers as helpline responders to deal with live cybercrime issues.
The Cyber Helpline was formed several years ago in response to a lack of support for cybercrime victims in the UK, and currently provides practical assistance to around 400 victims every month. It has a team of 50 volunteer cybersecurity experts.
It noted common issues it responds to include cyber-stalking, lost devices, hacked accounts, online bullying and harassment and sextortion.
The funding comes from The National Lottery Community Fund, which distributes money raised from National Lottery players for good causes.
Rory Innes, founder of The Cyber Helpline, commented: “We’re delighted that The National Lottery Community Fund has recognized our work in this way. Now, thanks to National Lottery players, we will be able to support hundreds more victims of cybercrime in the UK and alleviate the severe emotional and financial burden caused by these attacks. At a time when the country is going through a national lockdown and economic hardship amid redundancies and closed businesses, we see our mission of creating a country where the cyber-criminals do not win as more important than ever.”
Back in August, INTERPOL observed that cybercrime is growing at an “alarming pace” as a result of COVID-19, while earlier this week, McAfee revealed that total global losses from cybercrime have exceeded $1tn.
Email defense provider Vade Secure has announced the appointment of former Israeli military staff sergeant Maya Gershon as its new chief revenue officer.
Gershon is an electrical and computer engineering graduate who started her career working at Unit 8200, a top-secret and classified cyber-unit of the Israeli Military Intelligence.
She brings 20 years of sales and marketing experience to Vade Secure, having previously held leadership positions at companies including WeWork, Intel, Cisco and IronSource.
Gershon assumes leadership of the firm’s global sales and marketing activities and heads up the acceleration of its business development.
“Our international development strategy is based on indirect sales via our MSP partners, aggregators, ISPs and OEMs,” said Gershon. “My goal is to accelerate this strong momentum with our partners in our existing markets and within new markets by developing effective and partially automated sales and marketing processes, resulting in a virtuous chain of new business generation for Vade Secure and its partners.”
The appointment announcement coincides with the opening of Vade Secure’s first office on Israeli soil, which is located in the local technological ecosystem with access to Israel’s talent pool.
“Nearly 100% of Israeli cybersecurity companies sell their products and services internationally,” said Georges Lotigier, CEO of Vade Secure. “With its internationally oriented market, Israel was a planned step in Vade Secure’s global expansion strategy. Maya brings us her experience in international growth acceleration while being immersed in one of the world’s most important cybersecurity ecosystems.”
Identity and access management will be crucial to securing workforces going forward, according to a panel of experts speaking during the Wallix Live: The State of Security event.
The speakers acknowledged the “herculean” effort of many organizations to successfully roll out mass remote working at very short notice this year after the COVID-19 pandemic struck. All the indications are that this way of working will be utilized far more going forward, and “the net result is that more people than ever before will need to access corporate data from their homes and personal devices,” said Didier Lesteven, executive vice-president sales and marketing at Wallix.
Despite the many benefits of remote working demonstrated during this period to both employers and staff, this way of working clearly adds to the security risks for organizations, which can no longer rely on a strong outer-perimeter strategy when information is accessed across multiple devices and networks.
This requires a fundamental reshaping of organizations’ security strategies, and “identity access becomes a critical point if we are trying to secure these new ways of working,” commented Soumya Banerjee, cyber-expert at McKinsey.
Outside of the corporate buildings, it is much harder for security staff to gain visibility of the identities of those accessing different parts of the network, especially as increasing numbers of companies move to multi-cloud environments. Yet gaining this control is critical.
Laura Deaner, CISO, S&P Global, noted that within an organization, “everyone is important to a criminal because if they can get in, they will get in, so they don’t need to necessarily target C-suites – they can target anyone, including people who have privileged access and identities.”
The concept of security by design, which aims to proactively address risks early in the system development cycle, could be applied to manage access and identity more securely. Lesteven outlined that organizations must have a clear strategy for how users are identified and authenticated and for how the resources they are permitted to access securely are managed, all of which “needs to be monitored for future auditing purposes.”
He added: “These global security processes need to be by design and applied to all steps of the digital journey of any users.”
This approach must take account of users’ expectations, however, as it may be a source of frustration if it is harder to gain access to data than it was in the office environment. In the view of Banerjee, this requires security teams to learn and understand the perspective of users and what they want. “As an identity professional, my approach is now about how I can make it more human centric, experience based and then see what the technology and process enablers are for that experience.”
Ultimately, finding the right balance, and potentially compromise, is key. Deaner concluded: “The most challenging thing is the balance between usability and security. I want everyone on my network to feel like they’re able to operate effectively, but I also have to protect them.”
North Korea’s offensive cyber-program has evolved from one of power projection to one which is “dual-focused” and going after international economic targets.
Speaking at Black Hat Europe 2020, Crowdstrike researchers Jason Rivera and Josh Burgess discussed how North Korea had advanced its strategy from one of showing force, which was more prevalent under the leadership of Kim Jong-Il, to one which is now going after targets other than the US, South Korea and Japan.
At first, it had engaged in DDoS attacks and the deployment of wiper malware, but Rivera, director of the strategic threat advisory group at Crowdstrike, said it was not able to do “any serious damage.” However, attacks became more focused and targeted, such as the data exfiltration from South Korea’s Ministry of Defense, the attack on the Seattle subway system and the 2014 attack on Sony Pictures.
In the power projection era, Rivera said, they would often focus attacks on military targets and demonstrate its nuclear capabilities “to push back its regional adversaries” as well as the USA.
The next phase focused on generating currency, a response to the economic sanctions placed on North Korea because of its nuclear program, “in order to bypass some of the financial hardships brought on by these sanctions.” Rivera said Crowdstrike had observed North Korea engaging in different types of currency generation operations, including fraudulent attacks, ransomware, attacks on the SWIFT banking systems and ATM cash-out schemes.
However, its current activity is a dual-focused effort, where it goes after economic targets for currency generation but also attacks critical infrastructure, international targets and even the United Nations. “Also, with currency generation, we see the targeting of non-traditional targets, such as crypto-currency exchanges, especially those located in East Asia,” Rivera said.
“We also see a lot of focus on economic growth targeting, taking a page out of China’s playbook. China engages in a lot of espionage in support of their own economy, and we’re now seeing North Korea do the same and it appears to be focused on critical infrastructure sectors where they need a lot of help.” This includes power generation and agriculture, to empower its economy.
North Korea is also targeting international organizations like the UN and Israel’s industrial base. “This demonstrates a high degree on behalf of the North Korean regime and at this point they do believe that they have succeeded and got to the point where they are at now, taking it to the next level,” he said.
Burgess, technical lead for threat intelligence at Crowdstrike, said the focus on energy production is on all forms including oil, gas and coal, and this has seen targets in the USA being hit. “It was more designed to steal than anything else, especially in a recent oil and gas campaign, as it was designed to go through and pilfer out information and throw the wiper on the end and make it seem like they could control power,” Burgess said. “Everything was designed to be more business focused and disable business.”
Looking forward, Rivera predicted an increased use of advanced ransomware, including offering ransomware-as-a-service and data extortion where data is stolen and encrypted, and the victim is blackmailed into paying up or the data is exposed.
Rivera also said North Korea is expected to follow China’s lead and carry out more economic espionage, and follow a concept of “cyber-brinkmanship” where two sides make threats and it comes down to “who calls chicken first.” He said Crowdstrike has seen North Korea “bring its adversaries to the edge and use cyber or nuclear threats to determine the effects.” As it would not survive a nuclear encounter and this would lead to international condemnation and a potential regime change, Rivera said he expected North Korea to move to the cyber-side “as this is safer for them.”
Rivera said: “The cyber-route still allows them to project power, still allows them to take swipes at their adversaries, but does so in a much safer way and has a lower risk of kinetic retaliation but also a lower risk of having the Kim dynasty replaced.”
Senior managers in UK and US companies are routinely exposing their organization to cyber-threats with riskier device and password management practices than their junior colleagues, according to OneLogin.
The identity and access management (IAM) provider polled 2000 remote workers in both countries this month to compile its State of Remote Work Survey 2.0.
It found that senior managers were twice as likely to share a work device with someone outside the organization: 42% admitted doing so versus 20% of their junior counterparts.
They were also more than twice as likely to share passwords: 19% confessed to giving their credentials to a family member compared to only 7% of junior employees.
Finally, nearly a third (30%) of senior staff admitted working from public Wi-Fi, versus just 15% of junior workers.
The report also revealed that remote workers in the US appear to be less security-focused than their counterparts across the Atlantic. In total, 7% more American than UK respondents shared work devices, 9% more worked on public Wi-Fi and 8% more downloaded personal applications.
Brad Brooks, CEO of OneLogin, argued that distributed working has made it important for employees to take greater responsibility for their security posture.
“The effects of the pandemic mean that virtually all organizations are now operating, to some degree, outside of the controlled and protected office environment. That is, without the corporate-grade firewalls and on-site IT people we all once relied on for protection,” he added.
“Understanding the sanctity of their corporate passwords and devices, and the potential dangers of working on an unsecure Wi-Fi network should be top priorities for all remote workers. More importantly, it is up to senior management to lead by example. Unfortunately, these results appear to indicate otherwise.”
The report also revealed that male respondents were more likely to engage in risky behavior than their female colleagues.
Security researchers have uncovered a massive Instagram click farm in central Asia, operating tens of thousands of fake profiles.
A team at vpnMentor found the operation thanks to a completely unsecured Elasticsearch database it was using, connected to the public-facing internet.
“The click farm appears to be run by a sophisticated operation that has built a highly automated process to create tens of thousands of fake proxy accounts on Instagram. Each account had its own avatar, bio and ‘persona,’ appearing to join Instagram from all over the world,” said vpnMentor.
“Each fake account would then publish posts, view others’ posts, follow, react and engage with profiles. The click farm was also using proxy servers and IP addresses to hide its activity.”
The exposed database, operated from either Armenia or Kazakhstan and acting as the command-and-control (C&C) server for the operation, contained usernames, passwords, proxy IP addresses and email addresses for the fake accounts, as well as related SMS verification codes and phone numbers.
The researchers tied the operation back to central Asia as many of the IP addresses and mobile phone numbers used to authenticate and run the fake accounts were from Armenia and Kazakhstan.
“Click farms are often paid by individuals or companies to inflate their followers and engagement. The people hiring click farms then use this to leverage sponsorship posts and other forms of income from the app. In doing so, they’re defrauding any company or third party that pays them based on followers and engagement,” explained vpnMentor.
“Click farms are also used to spread fake news and misinformation. There is plenty of evidence that this is already a widespread practice and a popular form of election interference, manipulation and indirect attack on rivals by governments like Russia, China, Iran and their allies.”
The researchers notified Facebook about the server on September 21, and it was shut down the following day.
The European Medicines Agency (EMA) has suffered a cyber-attack which led to the compromise of documents related to the Pfizer/BioNTech vaccine, currently being deployed in the UK.
The agency itself only issued a very brief statement, saying it could not provide more details while an investigation was still underway.
“EMA has been the subject of a cyber-attack,” it noted. “The agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities.”
However, BioNTech disclosed more about the incident.
“Today, we were informed by the EMA that the agency has been subject to a cyber-attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which had been stored on an EMA server, had been unlawfully accessed,” it revealed.
The news comes just days after IBM revealed a sophisticated nation state phishing campaign against various organizations that provide the cold chain storage needed to distribute the Pfizer vaccine globally.
Sensitive information on vaccines developed in the West has been sought after by nation state actors from China, Russia and North Korea for months. In October, an Indian pharma giant making Russia’s Sputnik-V vaccine was forced to shut several facilities after an unspecified incident.
Mark Hendry, director of data protection and cybersecurity at law firm DWF, said it is unclear whether the EMA attack was nation state-backed or cybercrime-oriented.
“Being aware of the cyber-attackers’ mind set is important in anticipating, preparing for and defending against such attacks,” he added.
“Businesses should consider identifying and planning for recurring or one-off events in their organizational lifecycle when they might become a likely target of attack and ensure that robust people, process and technology-based defense and response systems are in place to deal with threats.”
A man from Texas, charged in January with cyber-stalking realtors across the United States, has been indicted for capital murder in the deaths of two women.
Andy Castillo was arrested on January 6 for allegedly cyber-stalking as many as 100 realtors in up to 22 different states.
The 57-year-old Lubbock resident was accused of sending sexually explicit messages and pornographic images to agents via text message.
Realtors also received messages containing images of their own children that had been downloaded from social media along with descriptions of the ways in which the sender wanted to sexually assault the minors.
The McLennan County Sheriff's Office began investigating Castillo in late December 2019 after receiving complaints from seven Waco-based realtors who received sexually explicit images and messages from unknown numbers.
Investigators said that the stalker used multiple phone numbers and an app to mask his identity but eventually made a mistake that allowed his digital trail to be followed.
In January, Castillo was charged with one count of cyber-stalking and two counts of criminal solicitation-aggravated sexual assault of a child, relating to alleged crimes in Waco.
Now a grand jury has indicted Castillo for capital murder over the deaths of roommates Cynthia Palacio and Linda Carbajal, who resided in Lubbock.
Palacio’s partially clothed body was discovered on a rural road in Slaton, Texas, in July 2003. Carbajal's body was found nine months later on a dirt road in northern Lubbock County. Both women were aged 21 at the time of their demise.
Cold case investigators revealed in September that DNA evidence found at both murder scenes had been linked to Castillo.
According to court documents, a match was found between Castillo's DNA and DNA evidence that was originally taken from Palacio’s thigh, from underneath her fingernails, as well as from the necklace and blouse she had been wearing on the day she died from asphyxiation.
After Castillo’s arrest relating to the Waco-area cases, authorities were able to obtain a DNA sample and match it to the DNA found with Palacio.
Castillo is currently being detained in Lubbock County Detention Center on a $500,000 bond.