Info Security

Pensacola Under Attack as Suspected Ransomware Strikes

Tue, 12/10/2019 - 09:38
The US city of Pensacola has become the latest municipality to suffer a suspected ransomware attack taking out local services.

The north-west Florida city came under attack early on Saturday morning local time, according to local reports.

“The City of Pensacola has experienced a cyber incident, and we have disconnected much of our city network until the issue can be resolved. Our IT Department is working diligently to resolve the issue,” it said in a Facebook notice.

Services affected include some online payments such as Pensacola Energy and City of Pensacola Sanitation Services, and the 311 customer service line. City hall workers were also disrupted, as email and some phone systems were taken down.

An update on Monday appeared to suggest the local government was still battling to restore systems and remediate the incident.

“Please note that the city remains operational despite the cyber incident. We will continue to provide services as we are able to, and we want to emphasize that 911 is NOT impacted,” it noted.

The incident came just hours after a suspected terrorist shooting at the Naval Air Station (NAS) in Pensacola when a Saudi Arabian Air Force officer opened fire in a classroom, killing three sailors. However, the FBI has taken to Twitter to say that it had “not identified” a connection between the two incidents.

There is a connection, however, with the countless other ransomware raids on US municipalities across the country this year.

The situation has become so dire that the United States Conference of Mayors earlier this year passed a resolution not to cooperate with online extortionists.

Many local governments, including Florida's Lake City and Riviera Beach, have elected to pay ransoms in return for a decryption key, some of them out of cyber-insurance funds. This has emboldened the hackers to a certain extent.

Wipro Launches Cyber Defense Center Down Under

Mon, 12/09/2019 - 17:05
An Indian information technology, consulting, and business process services company has opened its first of what could eventually be many cybersecurity centers in Australia.

Wipro Limited announced the launch of the NextGen Cyber Defense Center on Thursday. The new state-of-the-art facility, which is located in the coastal city of Melbourne, is expected to create over 100 jobs. 

A Wipro spokesperson said: "With the launch of this center, Wipro aims to make substantial investments to upskill its employees, hire more local resources and generate more than 100 jobs in Melbourne for cybersecurity specialists."

With an eye on the future, the company shared plans to roll out similar Cyber Defense Centers in other Australian cities to "offer cyber resilience and provide digital protection to large government organizations."

Manoj Nagpaul, senior vice president of Asia Pacific and Japan at Wipro Limited, said: "We will offer our customers in the Australian market the ability to leverage our global experience, technical expertise and strategic cyber investments to secure their digital operations. 

"Our CDC will be equipped with state-of-the-art technology-enabled infrastructure with continuous security monitoring, a large pool of experienced security professionals and a global delivery model to achieve and scale highly secure integrated platforms."

The new Melbourne facility was inaugurated by Tim Pallas, minister for economic development, Parliament of Victoria, in the presence of customers, technology partners, the leadership team, and local employees.

Pallas said: "Melbourne is Australia’s leading tech city, and we welcome this investment by Wipro—a leading global information technology company. The establishment of this Defense Center will strengthen Victoria’s capability in cybersecurity and draw on the local expertise to help Wipro protect Australian organizations from cyber-related incidents."

According to Wipro's recently released "State of Cybersecurity Report 2019" (in which 10% of the global organizations surveyed were from Australia), 55% of respondents named digital lockdowns due to ransomware attacks as their top cyber-risk.

The report found that the worldwide breach rate, calculated as the number of records stolen per second, has gone up to 232 records per second from the previous year’s average of 88 records/second. 

Despite the rise in the number of security incidents, the same report found that only 25% of respondents said that they carry out security assessments in every build cycle before pushing applications out to the internet.

British Cybersecurity Firm Goes Under Owing Millions

Mon, 12/09/2019 - 16:22
An award-winning British cybersecurity firm has gone into administration owing £3.5m to unsecured creditors.

XQ Digital Resilience Limited, which traded as XQ Cyber, brought in administrators David Rubin & Partners after declaring bankruptcy in October by placing a notice in the London Gazette.

The company was best known for developing CyberScore, a security testing and rating service that converts raw vulnerability data into more easily digestible security remediation and risk management plans.

According to a statement of affairs document published on the Companies House website this week and dated October, trade creditors are owed just over £500,000. 

The unsecured creditor who is owed the largest single sum of money by the Gloucestershire-based cybersecurity firm is an individual who made a £2.4m loan to the business. He was listed as someone who had significant control of the business in January 2017. 

Aside from this individual investor, HM Revenue and Customs is the largest creditor, left out of pocket for a total amount of £473,649. Five- and six-figure sums are also owed to a small number of tech suppliers. 

The statement of affairs estimates that assets totaling £304,374 are available to be used to pay back unsecured creditors. 

The administrators stated that while XQ Cyber's intellectual property and goodwill have a book value of £645,599, they expect to be able to use them to realize just £200,000.

The National Cyber Security Centre (NCSC)-approved company, which boasted many former GCHQ staffers among its employees, had gone through a recruitment drive in 2019 and made new hires just six weeks before going into administration.

At XQ Cyber's demise, around 60 workers were made redundant, according to posts made on LinkedIn by former XQ Cyber staff members. 

XQ Cyber was featured as one of 20 UK security start-ups to watch in a profile in Information Age in June. The company's Twitter account has been inactive since November 7; however, its website—which states that the trading name of the company is now CS Information Security Limited—is still up and running.

The news of the company's decline took the cybersecurity industry by surprise, as public-sector UKCloud had reportedly added XQ Cyber’s CyberScore cybersecurity testing and rating tool to its portfolio in May, potentially creating a lucrative sales channel.

Ransomware Attack on Minnesota Health Facility

Mon, 12/09/2019 - 15:22
A Minnesota healthcare facility specializing in treatments for the face, teeth, mouth, and jaw has been hit by a ransomware attack.

Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) announced the data security incident on Thursday via their website.

On September 23, 2019, threat actors struck a server used by the organization. IT staff were able to intervene immediately to restore the impacted data. No mention was made as to the amount of money demanded by the attackers or whether the ransom was paid. 

All 80,000 patients of the facility are being informed of the incident, which SEMOMS said "may have resulted in the inadvertent exposure of patients’ health information."  

In a statement published on their website, SEMOMS said: "Although at this time there is no evidence that patient information was actually accessed or viewed, or any indication of anyone’s information being misused, the practice has taken steps to notify anyone who may have been affected by this incident, including sending letters to anyone whose information may have been exposed."

Computer forensic experts, hired by SEMOMS to discover what, if any, information had been accessed in the attack, were unable to give a definitive answer. 

SEMOMS said: "After examining the impacted server, the investigation was unable to determine if patients’ names and X-ray images had been viewed or accessed by an unknown, unauthorized third party.  

"While our investigation did not identify specific activity surrounding patients’ information, we are notifying potentially impacted individuals out of an abundance of caution."

Letters sent to potentially impacted patients include information about what occurred and a toll-free number where patients can learn more about the incident.

SEMOMS gave a reassurance that any patients' financial information, medical records, or Social Security numbers that had been provided to the health organization had not been impacted by the event. 

The incident has spurred SEMOMS to carry out a review of their current cybersecurity protection and procedures.

SEMOMS said: "SEMOMS remains committed to protecting patients’ information and has taken steps to prevent a similar event from occurring in the future, including reviewing and revising its information security policies and procedures."

Vietnamese Hackers Compromised BMW and Hyundai: Report

Mon, 12/09/2019 - 11:12
A Vietnamese state-backed threat group has been blamed for cyber-attacks that compromised the networks of BMW and Hyundai over recent months.

APT32, also known as “Ocean Lotus,” has been operational for the past few years. This spring it managed to infiltrate the network of the German car giant, installing a pen testing tool known as Cobalt Strike to remotely spy on machines, according to local reports.

However, BMW’s cybersecurity team caught wind of the attack and carefully monitored the group's activity, before finally kicking the attackers out in early December, Bayerischer Rundfunk claimed.

“We have implemented structures and processes that minimize the risk of unauthorized external access to our systems and allow us to quickly detect, reconstruct, and recover in the event of an incident,” the carmaker said in a general statement.

It was claimed that the hackers may be looking for trade secrets that will help to spur development at privately owned Vietnamese automotive start-up VinFast, which is currently supplied almost 100% by German manufacturers.

Hyundai’s corporate network was apparently also targeted, but there are no further details about that raid.

APT32 is known mainly for cyber-espionage activities targeting foreign businesses with a vested interest in Vietnam’s manufacturing, consumer products and hospitality sectors. It has also targeted political activists and free speech supporters inside Vietnam and across south-east Asia, according to FireEye.

“The targeting of private sector interests by APT32 is notable, and FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, [Vietnam],” the security vendor said in its 2017 report on the group.

“While the motivation for each APT32 private sector compromise varied—and in some cases was unknown—the unauthorized access could serve as a platform for law enforcement, intellectual property theft or anti-corruption measures that could ultimately erode the competitive advantage of targeted organizations.”

FTC: Cambridge Analytica Deceived Facebook Users

Mon, 12/09/2019 - 10:12
Cambridge Analytica deceived tens of millions of Facebook users by working to harvest their personal data for use in political targeting, the FTC has ruled.

The regulator voted 5-0 in favor of issuing the Opinion and Final Order to the notorious consulting firm, which worked with developer Aleksandr Kogan to obtain data on as many as 87 million Facebook users.

That data, harvested via an innocuous-looking app, was subsequently used to target swing voters ahead of the 2016 US Presidential election, it is claimed.

The FTC Opinion confirms the allegations made in an administrative complaint issued in July: “that app users were falsely told the app would not collect users’ names or other identifiable information.”

It also states that Cambridge Analytica falsely claimed it still participated in the Privacy Shield data transfer agreement between the US and EU, despite its certification having lapsed.

“The Final Order prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the EU-US Privacy Shield framework and other similar regulatory or standard-setting organizations,” the FTC noted.

“In addition, the company is required to continue to apply Privacy Shield protections to personal information it collected while participating in the program (or to provide other protections authorized by law), or return or delete the information. It also must delete the personal information that it collected through the GSRApp.”

The FTC earlier this year fined Facebook a record $5 billion for deficiencies which allowed third-party app developer Kogan to get away with misleading customers and harvesting data without obtaining informed consent — on both Facebook users and their friends and family.

The social network has since announced a major new privacy-by-design push which will introduce more stringent processes to control what developers can and can’t do.

Although Kogan and former Cambridge Analytica CEO Alexander Nix have agreed to settle the FTC’s allegations, the consultancy itself filed for bankruptcy in 2018.

Reddit: US-UK NHS ‘Sale’ Docs Leaked by Russia

Mon, 12/09/2019 - 09:48
Documents allegedly revealing a secret post-Brexit US-UK trade deal were leaked online as part of a Russian influence campaign, Reddit has claimed.

The social site said it has banned 61 accounts and one subreddit following an investigation into the origin of the documents, which had been seized on by the opposition Labour Party as proof of a deal to ‘sell’ the NHS to US companies.

Those it found guilty of posting and sharing the documents are probably part of a Russian campaign dubbed “Secondary Infektion” that has already been attempting influence operations on Facebook, it claimed.

“In late October, an account u/gregoratior posted the leaked documents, which were later reposted by an additional account u/ostermaxnn. Additionally, we were able to find a pocket of accounts participating in vote manipulation on the original post. All of these accounts have the same shared pattern as the original Secondary Infektion group detected, causing us to believe that this was indeed tied to the original group,” explained Reddit in a post over the weekend.

“Outside of the post by u/gregoratior, none of these accounts or posts received much attention on the platform, and many of the posts were removed either by moderators or as part of normal content manipulation operations. The accounts posted in different regional subreddits, and in several different languages.”

The Secondary Infektion group is known for its attempts to sow discord between NATO allies and for its mature OpSec capabilities, which help to keep its tracks covered.

If true, the incident would seem to echo attempts to influence the 2016 US Presidential election, when Russian hackers stole and leaked sensitive Democratic Party documents, to the detriment of Hillary Clinton’s campaign.

However, these don’t seem to have had the same impact. Reports claim UK officials are currently investigating whether the documents were originally leaked or hacked.

Bernie Sanders Pledges High-Speed Internet for All

Fri, 12/06/2019 - 18:58
US presidential candidate Bernie Sanders today released a plan to introduce high-speed internet to every American household if he wins the 2020 election. 

The High-Speed Internet for All proposal suggests giving local and state governments $150bn in grants and aid to create publicly owned broadband networks. Of this funding, $7.5bn would be ring-fenced to "expand high-speed broadband in Indian Country and fully resource the FCC’s Office of Native Affairs and Policy."

In a statement released on his website that will likely strike a chord with voters far younger than he is, Sanders said that the internet must be treated as "a public utility that everyone deserves as a basic human right." If elected as president next year, the Vermont senator said he would roll out the plan by the end of his first term. 

The plan Sanders has drawn up involves antitrust authorities taking action to dismantle the "internet service provider and cable monopolies" that are currently in play in the US and would see the reinstatement of the net neutrality regulation that was repealed in June last year. 

Sanders said the proposal would stop the internet from operating as a "price-gouging profit machine" for service providers. Internet and cable companies would be required to put a stop to hidden fees and be more transparent in disclosing the cost of services.

Earlier today on Twitter Sanders wrote: "The internet as we know it was developed by taxpayer-funded research, using taxpayer-funded grants in taxpayer-funded labs. Our tax dollars built the internet. It should be a public good for all, not another price-gouging profit machine for Comcast, AT&T and Verizon."

With supreme confidence in his own historical significance, Sanders likened his proposal to President Franklin D. Roosevelt's campaign to bring electricity to every rural community in America. In 1933, when Roosevelt first took office, only one in ten farms in rural America was on the grid.

"Just as President Roosevelt fundamentally made America more equal by bringing electricity to every community, urban and rural, over 80 years ago, as president, I will do the same with high-speed internet," Sanders wrote on Twitter today.

In broadband deployment, the United States ranked tenth out of 22 in a 2018 comparison with European countries, and in America's rural communities, more than 31 percent of people are without broadband. 

Real Life Director of Evil Corp Indicted for 10-Year Cybercrime Spree

Fri, 12/06/2019 - 18:00
US and UK authorities have indicted the leader of a notorious cybercrime gang that stole $70m from bank accounts around the world using malware.

Ukrainian-born Russian national Maksim V. Yakubets allegedly headed up an organized crime syndicate that used Bugat malware—also known as Cridex and Dridex—to drain money from the customers of just under 300 organizations in 40 different countries. 

He is further accused of participating in a second scheme involving Zeus malware, which similarly used a botnet and money mules to pilfer bank accounts.   

Yakubets, who is known online primarily as Aqua, is wanted in relation to two separate international computer hacking and bank fraud schemes spanning from May 2009 to the present day. 

The 32-year-old was indicted in a US federal court on Thursday along with a fellow alleged cyber-criminal, 38-year-old Igor Turashev from Russia's Yoshkar-Ola. Turashev is wanted in connection with the deployment of Bugat malware.

According to the UK's National Crime Agency, the organized crime syndicate of which Yakubets was the ringleader called itself Evil Corp—the nickname given to the fictional multi-national conglomerate E Corp in the smash hit TV series Mr. Robot.

Yakubets allegedly ran his large-scale criminal organization from the basements of Moscow cafes, employing dozens of people. He is currently thought to be in Russia, where he is known to sport a coiffed hairdo and cruise around in a customized Lamborghini supercar with a personalized number plate that translates to "Thief." 

A reward of $5m—the largest ever to be offered for a cyber-criminal—is being offered under the Transnational Organized Crime Rewards Program for information leading to the arrest or conviction of Yakubets.  

Lynne Owens, director general of the NCA, said: "The significance of this group of cyber-criminals is hard to overstate; they have been responsible for campaigns targeting our financial structures with multiple strains of malware over the last decade. We are unlikely to ever know the full cost, but the impact on the UK alone is assessed to run into the hundreds of millions."

FBI Deputy Director David Bowdich said: "The charges highlight the persistence of the FBI and our partners to vigorously pursue those who desire to profit from innocent people through deception and theft. By calling out those who threaten American businesses and citizens, we expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability."

Six Customers Affected by Ransomware Attack on CyrusOne

Fri, 12/06/2019 - 17:07
One of the largest data center providers in America has become the victim of a ransomware attack.

Texas company CyrusOne confirmed yesterday that an attack involving REvil (Sodinokibi) ransomware had taken place on Wednesday. Customers of the company's New York data center, located in Wappingers Falls, suffered a loss of service as a result of the incident. 

A CyrusOne spokesperson said: "Six of our managed service customers, located primarily in our New York data center, have experienced availability issues due to a ransomware program encrypting certain devices in their network.

"Our data center colocation services, including IX and IP Network Services, are not involved in this incident. Our investigation is on-going, and we are working closely with third-party experts to address this matter."

The attackers advised CyrusOne that they would decrypt one file encrypted in the ransomware attack as a show of good faith that the remaining hijacked data would be returned upon receipt of payment. 

Exactly how the attackers gained entry to the company's network is currently unknown. The attackers say they have a private key, which they claim is the only way to access the stolen information. 

CyrusOne serves thousands of customers across 48 different data centers located around the world. Among its customers are over 200 Fortune 1,000 companies. The company said that it is currently using backups to help its customers recover lost data.

This incident is not the first time that this particular strain of the Sodinokibi ransomware has been a total pain in the coco de mer. REvil was used to attack Oracle's WebLogic server in April of this year, and since then it has also been deployed against more than 400 American dental practices and over 20 Texas municipalities.

Thomas Hatch, CTO and co-founder at SaltStack, commented: "The response and remediation from CyrusOne have been excellent given its ability to restore data from backups and respond rapidly to the attack. However, this situation highlights that data center and IaaS providers are just as vulnerable to attacks as other companies. While IaaS providers generally create very secure infrastructures, there is still the liability that they can be attacked in this manner."

Banking Trojans Are Top Financial Services Threat

Fri, 12/06/2019 - 11:30
Banking Trojans represent the biggest potential threat to financial institutions and their customers, and are on the rise, according to new research from Blueliv.

The Spanish threat intelligence firm released data from a recent Twitter poll of over 11,000 users and its newly launched report for the banking sector, Follow the Money.

Nearly a third (31%) of respondents claimed banking Trojans were the biggest threat to financial services firms, followed by mobile malware (28%), a category also increasingly comprised of Trojans designed to access customer accounts.

The bad news is that activity appears to be escalating in this area: Blueliv’s report revealed the firm tracked a three-digit uptick in Trickbot (283%) and Dridex (130%) detections over Q2 and Q3 this year.

The botnets are known to distribute banking Trojans as well as other malware targeting financial services.

The poll also revealed that skills shortages (28%) are the biggest challenge facing banks’ IT security teams as they try to build out programs.

Recent data from (ISC)2 revealed that the global skills shortage now exceeds four million. In Europe the crisis is particularly acute: the shortage has soared by 100% over the past year to reach 291,000.

The poll also highlighted the challenges associated with high volumes of threats and alerts (26%) and poor visibility into threats (20%), which it is claimed are hampering banking cybersecurity teams as they struggle to combat attacks.

“Because they are such high-value targets for cyber-criminal activity, it is imperative that financial services organizations monitor what is happening both inside and outside their networks in real-time to create effective mitigation strategies before, during and after an attack,” argued Blueliv CEO Daniel Solís.

“Security teams can be easily overwhelmed by the number of threat alerts they receive which can very quickly result in alert fatigue and desensitization to real, preventable threats. Threat intelligence can address the cyber skills gap through continuous automated monitoring combined with human resource to provide context, helping FSIs develop highly-targeted threat detection, prevention and investigation capabilities.”

Breaches in the financial sector tripled over the five years to 2018, with the average cost of cybercrime in the sector over $18 million, more than any other vertical, according to Accenture.

Microsoft: 44 Million User Passwords Have Been Breached

Fri, 12/06/2019 - 10:27
Tens of millions of Microsoft customers are using log-ins that have previously been breached, putting themselves and their organization at risk of account takeover, the computing giant has revealed.

In a study running from January to March 2019, Microsoft’s threat research team checked over three billion credentials known to have been stolen by hackers, using third-party sources such as law enforcement and public databases.

It found a match for over 44 million Microsoft Services Accounts, used primarily by consumers, and AzureAD accounts, which are more worrying for businesses.

“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” it explained.

“Given the frequency of passwords being reused by multiple individuals, it is critical to back your password with some form of strong credential. Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture.”

Microsoft claimed that 99.9% of identity attacks can be mitigated by turning on MFA.

The advice is especially important in the context of ongoing credential stuffing attacks. A report from Akamai earlier this year claimed that such attacks are costing the average EMEA firm $4 million annually in app downtime, lost customers and extra IT support.

Attacks have already struck far and wide this year, affecting organizations such as TfL, OkCupid, TurboTax and many more.

A 2018 study of around 30 million users found that password reuse was common among over half (52%), while nearly a third (30%) of modified passwords were easy to crack within just 10 guesses.

A Google poll of 3000 computer users released earlier this year found that just a third (35%) use a different password for all accounts, and only a quarter (24%) use a password manager.

UK Card Fraud Losses Now Account for Half of Europe's

Fri, 12/06/2019 - 09:56
UK card fraud now accounts for half of all losses across Europe, driven by data breaches and online scams, according to new findings from FICO.

The predictive analytics firm’s newly launched interactive European Fraud Map reveals that UK card fraud losses hit a record £671 in 2018, up 19% from the previous year.

The figure amounts to almost half the total €1.6 billion (£1.4bn) recorded across the 19 countries included in the map, which covers European countries plus Ukraine, Russia and Turkey.

The vast majority of the UK’s losses (£506.4m) came from card-not-present (CNP) channels, which are dominated these days by online fraud.

FICO said that the figures can be explained in part by a surge in data breaches, which has flooded underground forums with the identity data needed to carry out CNP scams. Another factor is changes in reporting processes, which mean more incidents are being recorded.

“The sheer volume of attempted fraud has meant that, although more fraud is being prevented now than ever before, and that it’s being caught earlier in the attack cycle, the total value lost is still on the rise,” said Matt Cox, the firm's vice president for fraud management solutions in Europe.

"Personal information lost in high-profile data breaches means it’s easier than ever for criminals to impersonate individuals and businesses, so we all need to be more vigilant — personally, and as an industry. We’re seeing the continued growth and diversification of social engineering fraud, which uses techniques like vishing, phishing and whaling.”

The UK’s Faster Payments and Europe’s SEPA Instant Credit Transfer initiatives have made speedy seamless payments a reality across the continent — but this is also helping scammers to get away with and launder fraudulently obtained funds before businesses can stop them.

UK police have been forced to go into schools this year warning about the dangers posed by money mule recruiters, as the latter continue to flood social media in a bid to snare cash-strapped teens.

“The key to fighting online fraud lies in establishing practices to protect against data compromise,” said Cox. “Drawing on global networks of loss data and confirmed cases of fraud enables businesses to identify and prevent data breaches significantly earlier, reducing the customer losses and operational pressures that often result from these attacks.”

US Family Loses Life Savings in Money Mule Email Scam

Thu, 12/05/2019 - 18:18
The Federal Bureau of Investigation has issued a warning after a family from Oregon lost their life savings in a business email compromise scam involving money mules.

Aaron Cole and his wife decided to move into a bigger house after welcoming two children into their family. The couple sold their existing home, and the title company told them they would be in touch soon with instructions for making the down payment on their new house. 

Aaron's wife received an email on December 4, 2018, from what appeared to be the title company and sent $122,850 to the account number provided in the message. A few days later, Aaron received a phone call from the title company to inform him it was time to wire the down payment.

An FBI spokesperson said: "The Coles had been the victims of a business email compromise scam and had wired their money to a criminal who had spoofed the title company’s email address and sent them fake wire instructions. Their down payment had been funneled into one account and then broken up and sent to four other banks."

After falling victim to the scam, the Cole family was left in a situation where they couldn't make the down payment on their new house and had fewer than three weeks to vacate their current home. 

"When this happened, I couldn’t come up with the words to tell my wife," said Aaron Cole.

"The equity in the house was our way to move forward. I put myself back 15 years."

Generously, the title company stepped in and offered to cover their down payment in exchange for the Cole family's help in highlighting the problem of business email compromise. 

Last year, the FBI’s Internet Crime Complaint Center (IC3) received more than 20,000 complaints from victims of business email compromise alone. These victims reported losses of more than $1.2bn. 

The cyber-criminals who stole from the Coles were assisted by the actions of money mules—people who knowingly or unwittingly transfer funds on behalf of, or at the direction of, someone else. 

Yesterday the FBI issued an advisory to the general public to be wary of any unsolicited emails or other communications containing a job offer promising easy money or a request to open a bank account in another person’s name or in the name of a business created by someone else. 

Extreme caution was also advised to anyone who receives an electronic request for money from a loved one.

Categories: Cyber Risk News

Data Breach at Nebraska Medicine an Inside Job

Thu, 12/05/2019 - 17:13
Data Breach at Nebraska Medicine an Inside Job

Nebraska Medicine has suffered a data breach after an employee accessed patients' medical records for almost three months without authorization or even the thinnest sliver of a legitimate reason. 

A routine audit of the medical record system conducted in October of this year revealed the gross violation of patient privacy, which occurred over the summer of 2019. 

The employee took their first digital stroll through patients' records on July 11. The unauthorized access then continued until October 1, when the audit was carried out. 

After discovering what was going on, Nebraska Medicine took steps to prevent any further unauthorized access from occurring. A particularly effective step was the organization's decision to fire the employee in question the day after the privacy violation was detected. 

Patients whose data had been compromised were notified by letter. Information accessed by the now former Nebraska Medicine employee included names, birth dates, addresses, medical record numbers, Social Security numbers, driver’s license numbers, clinical information, lab imagery, and notes from physicians.

In a statement released on Tuesday, Nebraska Medicine said: "Once Nebraska Medicine became aware of the incident, our staff took action to investigate, prevent further improper access, and to notify affected patients. We have no reason to believe the information accessed has been or will be misused.

"In cases where the Social Security number or driver’s license was accessible, we are offering credit monitoring for a full year, at no cost to the affected patients."

In a letter sent to patients affected by the breach, privacy officer Debra Bishop apologized for the breach and offered assurance that steps had been taken to prevent a similar incident from happening.

Bishop wrote: "This individual no longer works for Nebraska Medicine and no longer has access to Nebraska Medicine systems. To help prevent something like this from happening again, we are continuing to regularly audit our electronic medical record system for potential unauthorized activity, and are retraining staff about appropriate access of patient information."

Nebraska Medicine operates two major hospitals and 40 outpatient clinics in the Omaha area and has an international reputation for providing bone marrow and stem cell transplantation services. In 2006, Nebraska Medicine performed the first "frozen elephant trunk" heart procedure, otherwise known as open stent grafting, in the United States.

Categories: Cyber Risk News

Vulnerabilities Discovered in VPN Used by NASA

Thu, 12/05/2019 - 16:27
Vulnerabilities Discovered in VPN Used by NASA

A virtual private network (VPN) used by NASA, Shell, and BT has been found to have multiple vulnerabilities. 

Weaknesses in the Aviatrix VPN were detected by Immersive Labs researcher and content engineer Alex Seymour on October 7, 2019. 

The multiple local privilege escalation vulnerabilities Seymour discovered would have allowed an attacker who already had access to a machine to escalate privileges and achieve anything they wanted. With the extra level of privileges, the attacker would have been able to dive into files, folders, and network services that the user would not previously have been able to access.

The discovery comes just two months after the National Security Agency (NSA) and National Security Council (NSC) both issued warnings regarding state-sponsored attacks aimed at exploiting vulnerabilities in VPNs.

Alex Seymour said: "Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it. 

"People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry."

Aviatrix took swift action to address the issue, releasing a patch, v2.4.10, on November 4.

"Users should install the new patch as soon as possible to ensure there is no exploitation in the wild," said Seymour.

A spokesperson for Immersive Labs said that Aviatrix has been responsive and open to discussion after the vulnerabilities were disclosed and had taken on board advice on how to resolve the issue.

"The changes made to resolve the issue were timely and well implemented. They have kept communication open throughout the disclosure process, remaining positive and showing that they take the security of their customers and product seriously," said the Immersive Labs spokesperson. 

Seymour's suspicions were aroused when he noticed a long stream of console output after firing up the Aviatrix VPN on a Linux machine. The last two lines of that output indicated that two local web servers were started when the VPN was launched.

Weak file permissions set on the installation directory on Linux and FreeBSD made it possible to modify the shell scripts that are executed when a VPN connection is established and terminated. When the back-end service executed the "OpenVPN" command, those scripts ran with its elevated privileges.
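The weakness described above is a privileged service running hook scripts from a directory that unprivileged users can write to. The following added example (not Aviatrix's or Immersive Labs' code) is a small audit that reads the `up`/`down` hook directives from an OpenVPN config and reports any script, or script directory, that is writable by group or others or not owned by the expected uid; the config, paths and files it uses are constructed for the demo.

```python
import os
import stat
import tempfile

# Added example (not Aviatrix's or Immersive Labs' code): audit the hook scripts
# an OpenVPN config runs and flag any a non-root user could alter. OpenVPN runs
# "up"/"down" scripts on connect/disconnect with the privileges of the process
# that launched it. All paths used below are constructed for the example.
HOOK_DIRECTIVES = {"up", "down", "route-up", "route-pre-down"}

def hook_scripts_from_config(config_text):
    """Return the script paths named by hook directives in an OpenVPN config."""
    paths = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()          # drop trailing comments
        if len(parts) >= 2 and parts[0] in HOOK_DIRECTIVES:
            paths.append(parts[1].strip("\"'"))
    return paths

def unsafe_reasons(path, trusted_uid=0):
    """List why a privileged service must not run `path`: the script or its
    directory is missing, owned by someone other than trusted_uid, or writable
    by group/others (a writable directory lets the file itself be swapped out)."""
    if not os.path.exists(path):
        return [f"missing: {path}"]
    reasons = []
    for p in (path, os.path.dirname(path)):
        st = os.stat(p)
        if st.st_uid != trusted_uid:
            reasons.append(f"not-owned-by-uid-{trusted_uid}: {p}")
        if st.st_mode & stat.S_IWOTH:
            reasons.append(f"world-writable: {p}")
        if st.st_mode & stat.S_IWGRP:
            reasons.append(f"group-writable: {p}")
    return reasons

def audit_vpn_hooks(config_text, trusted_uid=0):
    """Map each referenced hook script to its problems (empty list means safe)."""
    return {p: unsafe_reasons(p, trusted_uid)
            for p in hook_scripts_from_config(config_text)}

def demo():
    """Constructed install dir: one sound hook, one world-writable hook."""
    with tempfile.TemporaryDirectory() as root:
        scripts = os.path.join(root, "scripts")
        os.mkdir(scripts); os.chmod(scripts, 0o755)
        up, down = os.path.join(scripts, "up.sh"), os.path.join(scripts, "down.sh")
        for p, mode in ((up, 0o755), (down, 0o777)):   # 0o777 is the weak setting
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho hook\n")
            os.chmod(p, mode)
        config = f'client\ndev tun\nscript-security 2\nup "{up}"\ndown "{down}"\n'
        # Files here belong to the current user, so treat that uid as trusted.
        result = audit_vpn_hooks(config, trusted_uid=os.getuid())
    return {os.path.basename(p): [r.split(":")[0] for r in reasons]
            for p, reasons in result.items()}

if __name__ == "__main__":
    print(demo())   # {'up.sh': [], 'down.sh': ['world-writable', 'group-writable']}
```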

Categories: Cyber Risk News

Lib Dems, Labour and SNP 'Ahead' on Election Security

Thu, 12/05/2019 - 12:00
Lib Dems, Labour and SNP 'Ahead' on Election Security

Security researchers are warning UK voters to be on their guard after revealing that most of the country’s political parties still don’t have best practice email security measures in place to mitigate fraud risks.

RedSift analyzed the UK’s main 13 political parties ahead of a tense General Election on December 12, in which the direction of the country could finally be decided after three years of Brexit-related uncertainty.

It found that just three, the Liberal Democrats, Labour and the Scottish National Party (SNP), had a valid DMARC policy. The Domain-based Message Authentication, Reporting and Conformance protocol (DMARC) is recommended by security experts as a key control to help prevent phishing and other spoofed email attempts.

While it’s best used in combination with other layered security measures, DMARC does help receiving mail servers verify that a message really comes from the domain it claims to, which is why the UK government mandated its use for departments back in 2016, with the US following two years later.

According to RedSift’s research, the Conservative Party, the Brexit Party and many others are exposing voters to potentially fraudulent email communications.

“This insight into political party cybersecurity is particularly concerning given that the National Cyber Security Centre, an organization that’s part of the UK government, mandated back in 2016 that all government bodies should implement DMARC so all email traffic can be monitored for malicious activity,” argued RedSift co-founder, Randal Pinto. “It’s a sorry state of affairs that three years on, voters still can’t be sure whether political pledges and requests for support are originating from credible candidates.”

Even the three parties that currently have valid DMARC policies in place can do more. They need to upgrade to a p=reject policy so that spoofed emails are rejected rather than delivered to prospective voters.
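The distinction the survey draws (no record, an invalid record, a p=none policy that only monitors, or an enforcing policy) can be checked mechanically. The added example below (not RedSift's code) parses DMARC TXT records and classifies each domain's posture; the domains and records are constructed, and a live check would first fetch the TXT records at `_dmarc.<domain>` (for instance with dnspython) and pass them in.

```python
# Added example (not RedSift's code): classify a domain's DMARC record the way
# the survey above does. Records are constructed here; a live check would fetch
# the TXT records at _dmarc.<domain> (e.g. with dnspython) and pass them in.
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Parse a DMARC TXT record into {tag: value}; return None if it is invalid.
    RFC 7489 requires v=DMARC1 as the first tag and a p tag with a known value."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return None
    if tags.get("p") not in POLICIES:
        return None
    if "sp" in tags and tags["sp"] not in POLICIES:
        return None
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        return None
    return tags

def classify(txt_records):
    """Summarise the DMARC posture from the TXT strings found at _dmarc.<domain>."""
    candidates = [r for r in txt_records if r.strip().upper().startswith("V=DMARC1")]
    if not candidates:
        return "no DMARC record: spoofed mail is neither reported nor blocked"
    if len(candidates) > 1:
        return "invalid: multiple DMARC records, receivers ignore all of them"
    tags = parse_dmarc(candidates[0])
    if tags is None:
        return "invalid record"
    if tags["p"] == "none":
        return "monitoring only (p=none): spoofed mail is still delivered"
    if tags.get("pct", "100") != "100":
        return f"partial enforcement (p={tags['p']}, pct={tags['pct']})"
    return f"enforcing (p={tags['p']})"

# Constructed records for fictional party domains, not any real party's DNS.
SAMPLE_DNS = {
    "party-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@party-a.example"],
    "party-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@party-b.example"],
    "party-c.example": [],
    "party-d.example": ["v=DMARC1; p=quarantine; pct=25"],
    "party-e.example": ["v=DMARC1; p=block"],      # unknown policy value -> invalid
}

def survey(dns=SAMPLE_DNS):
    """Return {domain: posture} for every domain in the sample."""
    return {domain: classify(records) for domain, records in dns.items()}

if __name__ == "__main__":
    for domain, posture in survey().items():
        print(f"{domain:18} {posture}")
```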

The Conservative Party has already caused widespread anger for doctoring footage of opposition candidates on Brexit and changing its official Twitter feed during a televised debate to pose as an official fact-checking source.

“Confidence in politics has taken a dive recently,” argued Pinto. “The Conservatives’ ‘factcheckUK’ Twitter scandal hurt the party’s credibility, damaging public trust — akin to the method scammers deploy each time they impersonate emails to elicit action.”

Categories: Cyber Risk News

China’s Great Cannon Fires on Hong Kong Protesters

Thu, 12/05/2019 - 10:30
China’s Great Cannon Fires on Hong Kong Protesters

A Chinese government-backed DDoS operation has been resurrected to disrupt pro-democracy supporters in Hong Kong, according to AT&T Cybersecurity.

The firm revealed in a new blog post yesterday that it spotted activity from the so-called “Great Cannon” starting on August 31, with the most recent DDoS attempts coming on November 25.

Specifically, it was observed trying to take offline the LIHKG website, which is used by Hong Kongers to share info and plan protests across the Special Administrative Region (SAR) of China wracked by unrest over the past few months.

The Great Cannon works by intercepting traffic from websites hosted in China and inserting malicious JavaScript in legitimate analytics scripts, thereby forcing users’ machines to covertly make requests against targeted sites.

The code not only attempts to repeatedly request the LIHKG home page but also multiple sites and memes that appear on the forum, so as to blend in with normal traffic, according to Chris Doman of AT&T Cybersecurity’s AlienVault business.

“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code that we won’t discuss here,” he explained.

“Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.”

The tool itself first came to prominence around four years ago when it was used to target an anti-censorship organization. The researchers who first revealed the cannon claimed it was co-located with China’s notorious Great Firewall censorship infrastructure.

Global anger spread after the Great Cannon was then turned on developer site GitHub, which at the time hosted anti-censorship tools.

Researchers warned that the same tool could very easily be repurposed to deliver malware rather than DDoS attacks.

Categories: Cyber Risk News

#BHEU: Mental Health and Depression Websites Share Details in Plain Text

Thu, 12/05/2019 - 10:00
#BHEU: Mental Health and Depression Websites Share Details in Plain Text

Revealing research around web and cookie security at Black Hat Europe in London, Eliot Bendinelli, technologist at Privacy International, and Frederike Kaltheuner, formerly of Privacy International and now tech policy fellow at Mozilla, described how a number of websites offering “tests” on mental health and depression shared results with third parties.

Kaltheuner said that this sort of tracking is “not just highly intrusive but is information that can be used against you.” She said that GDPR consent forms are “designed to be deceptive and annoying,” that it is often easier to consent than not, and that very few people know what happens when they do consent.

Therefore, the duo did accept some tracking requests and did a subject access request to get the data that had been collected, and received a statistical analysis on their age, gender and education level. This also included data shared with companies in the data broker and the advertising technology ecosystem.

This led them to run tests on websites, with a focus on three countries: the UK, Germany and France. Bendinelli said that the goal was to find websites driving traffic to partners. They used tools such as webXray, which runs a headless version of Chrome and records every interaction with a website, including cookies, images and JavaScript, and HTTP Toolkit, which inspects the POST requests a website sends.

Kaltheuner revealed that 97.78% of all webpages had a third party element and while this was not nefarious, “it does come with a privacy risk.” She said that the average cookies collected were 44 for French websites, 12 in the UK and seven in Germany.

“Also, we found that 76% of websites contained a third party tracker for marketing,” Kaltheuner said, with counters found for data brokers and companies who do programmatic advertising.

Bendinelli added that, having completed depression tests, he found that several sites stored the test results in the URL, which was then shared with a third party; one sent the answers in clear text to 500 partners. An NHS website sent the test scores to what turned out to be an analytics server, which the NHS confirmed was recording the data for its own analytics. “We were disappointed as there was no warning,” Bendinelli said.

Kaltheuner said that the basics of the research and this extended version had “barely scratched the surface” as they had only investigated nine websites and found poorly designed tests. “Many findings are in violation of GDPR and e-privacy,” she pointed out, saying that consent is needed to place cookies, and for processing data as “you can only process with the explicit consent of the user.”

The two concluded by acknowledging that technology changes quickly, but that a broader discussion is needed about how people want to be treated, who should have access to this data, and who should not.

Categories: Cyber Risk News

UK Fashion Store Sweaty Betty Suffers Magecart Heist

Thu, 12/05/2019 - 09:30
UK Fashion Store Sweaty Betty Suffers Magecart Heist

British e-commerce store Sweaty Betty has become the latest victim of a digital skimming attack after customers unwittingly had their card data stolen over the period of a week.

In an email sent to customers, the women’s fashion retailer confirmed that “a third party gained unauthorized access to part of our website and inserted malicious code designed to capture information entered during the checkout process.”

Customers placing orders online or over the phone between November 19 and 27 are thought to have been affected, although the firm has not revealed how many may have had their card details stolen.

As well as card number, CVV and expiry date, the hackers may have stolen customer names, billing and email addresses, telephone numbers and passwords for the site.

“We can confirm that Sweaty Betty has launched a comprehensive investigation following a highly-sophisticated cybersecurity incident on our website platform. We worked quickly to engage specialist technical security consultants to assist us with our investigations and we can confirm the issue has now been resolved and apologize for any inconvenience,” a spokesperson told Infosecurity sister publication Essential Retail.

“We have taken all the necessary steps to inform those who may have been affected and the Information Commissioner’s Office (ICO) has been notified. We take data security extremely seriously and the privacy of our customers remains our highest priority. Importantly, this issue has been resolved, and it is safe to shop at Sweaty Betty – whether online, by phone, or in stores.”

The incident appears to have been a classic Magecart attack, in which hackers insert malicious JavaScript into payment pages to siphon off card details as they are entered by customers. It came just before the Black Friday sales weekend, when traffic to e-commerce stores soars.

In the past month alone, similar attacks have hit US gun-maker Smith & Wesson and department store Macy’s.

“Unfortunately, when armed with payment card information or personally identifiable information (PII), malicious parties can make fraudulent purchases, sell said data on the dark web for a quick profit, and much more,” argued Bitglass CTO, Anurag Kahol.

“Additionally, a staggering 59% of consumers reuse passwords across multiple accounts. This means that if a cyber-criminal appropriates a single password, they can potentially gain access to a user's accounts across a number of retailers and services where said password is reused.”

Categories: Cyber Risk News