Info Security


US Could Appoint a Cybersecurity Leader for Each State

Mon, 01/20/2020 - 17:50

The USA is considering legislation that would protect local governments by requiring the appointment of a cybersecurity leader for each state.

Backers of the Cybersecurity State Coordinator Act of 2020 say the proposed law will improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyber-attack.

Under the legislation, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency would be tasked with appointing an employee of the agency in each state to serve as cybersecurity state coordinator. 

Money to create these positions would come from the federal government, which would be required to ring-fence the necessary funding. 

The role of each state coordinator would be multifaceted, combining elements of training, advisory work, and program development.

Each leader would serve as a principal federal cybersecurity risk advisor, coordinating efforts to prepare for, respond to, and remediate cyber-attacks. Another core responsibility would be to raise awareness of the financial, technical, and operational resources available to nonfederal entities from the federal government.

Coordinators would be expected to support training, exercises, and planning for continuity of operations to expedite as swift a recovery as possible from cybersecurity incidents. Furthermore, they would be called on to assist nonfederal entities in developing and coordinating vulnerability disclosure programs consistent with federal and information security industry standards.

"State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors," reads the bill. "There is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses."

The bill, which has attracted bipartisan support, was introduced by Senators Maggie Hassan and Gary Peters and is co-sponsored by Senators John Cornyn of Texas and Rob Portman of Ohio.

Portman said: "This bipartisan bill, which creates a cybersecurity state coordinator position, would help bolster state and local governments' cybersecurity by facilitating their relationship with the federal government to ensure they know what preventative resources are available to them as well as who to turn to if an attack occurs."

Categories: Cyber Risk News

Possessing Ransomware Could Become Illegal in Maryland

Mon, 01/20/2020 - 16:29

Lawmakers in the state of Maryland are considering making it a criminal offense to be in possession of ransomware. 

A bill was introduced on Tuesday, January 14, that seeks to penalize Marylanders who knowingly possess the malware and intend to use it to cause harm. The bill also grants victims of a ransomware attack the right to sue the hacker for damages in civil court. 

The state has already outlawed the use of malicious technology to extort money out of victims. Senate Bill 30, which was heard before the Senate Judicial Proceedings Committee last week, would make it a misdemeanor to be in possession of ransomware with the intent to use it in a malicious manner.

Any person convicted of this misdemeanor could face 10 years in prison and/or a fine of up to $10,000. 

The proposed law would not apply to cybersecurity researchers who may be in possession of ransomware for innocent research purposes.

Senator Susan Lee, who is the lead sponsor of the bill, said that it "gives prosecutors tools to charge offenders.”

Assuming a remarkable level of naiveté on the part of cyber-criminals who use ransomware to extort vast sums of money from organizations and individuals, Lee said that it was "important to establish [the bill] so criminals know it’s a crime."

In January 2019, the Salisbury, Maryland, police department suffered a ransomware attack that prevented officers from accessing the department's computer network. Four months later, Baltimore, the state's largest city, was hit by a ransomware attack that is estimated to have cost around $18m. 

Possessing ransomware is already a criminal offense in several US states, including Michigan and California. The fight against ransomware was led by Wyoming, which in 2014 became the first state to make it illegal to possess ransomware, spyware, adware, keyloggers, and several other types of malware.

There's no denying that ransomware is causing problems in the United States. In 2019 alone, this category of malware impacted at least 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts, with estimated costs of $7.5bn. 

According to a ransomware report by cybersecurity firm Emsisoft,"the only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid."

Categories: Cyber Risk News

Mitsubishi Electric Discloses Information Leak

Mon, 01/20/2020 - 15:29

Japanese company Mitsubishi Electric has today disclosed an information leak that occurred over six months ago. 

The century-old electronics and electrical equipment manufacturing firm announced the breach by issuing a brief statement on its website.

An official internal investigation was launched after suspicious activity was observed taking place on June 28, 2019. The company said that upon noting the unusual behavior on the network, measures were immediately taken to restrict external access. 

According to local press reports, hackers accessed servers and computers at Mitsubishi headquarters and at other offices belonging to the company in a large-scale cyber-attack. 

Mitsubishi said: "We have confirmed that our network may have been subject to unauthorized access by third parties and that personal information and corporate confidential information may have been leaked to the outside."

Mitsubishi announced the breach today after it was reported by two newspapers, the Asahi Shimbun and Nikkei. A theory put forward by both local papers is that the attack was initiated by a cyber-espionage group with links to the People's Republic of China. 

While Nikkei reported that hackers swiped 200 MB of information from Mitsubishi, the manufacturer claims that its investigation of the incident uncovered no evidence that any sensitive data connected to its business partners or government defense contracts had been stolen or misused. 

In a statement no doubt intended to reassure its business partners and government customers, the company wrote: "As a result of an internal investigation, it has been confirmed that sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners has not been leaked." 

When announcing the incident, Mitsubishi didn't explain why it had waited so long after discovering the breach to go public with the news. However, the inclusion of the comment "to date, no damage or impact related to this matter has been confirmed" could imply that the company chose to hold back information until it had a clear idea of what the effects of the breach might be.

Japan's chief cabinet secretary Yoshihide Suga said the government had been informed of the cybersecurity breach and that there was no leak of information related to defense equipment or to the electric power sector.

Categories: Cyber Risk News

€114m in Fines Imposed by Euro Authorities Under GDPR

Mon, 01/20/2020 - 13:01

Data protection regulators have imposed €114m ($126m/£97m) in monetary fines under the GDPR for a wide range of infringements, according to new findings from DLA Piper.

Whilst not all fines were related to data breach infringements, DLA Piper’s latest GDPR Data Breach Survey found that more than 160,000 data breach notifications have been reported across the 28 European Union Member States since the GDPR came into force on May 25 2018.

In terms of the total value of fines issued by geographical region, France (€51m), Germany (€24.5m) and Austria (€18m) topped the rankings, whilst the Netherlands (40,647), Germany (37,636) and the UK (22,181) had the highest number of data breaches notified to regulators.

The highest GDPR fine to date was €50m, imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent. In July 2019, the UK ICO published intentions to fine British Airways £183.39m and Marriott £99m following two high profile data breaches, although neither fine has been finalized at the time of writing.

Ross McKean, a partner at DLA Piper specializing in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organizations.

“The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”

Categories: Cyber Risk News

Travelex Begins Reboot as VPN Bug Persists

Mon, 01/20/2020 - 11:18

Under-fire foreign currency firm Travelex has claimed its first customer-facing services in the UK have gone live after a crippling ransomware attack in December, with experts suggesting an unpatched VPN bug may have been to blame.

The London-headquartered business has been slammed by customers after the suspected Sodinokibi (REvil) ransomware struck on December 31, forcing it to take systems offline as a precautionary measure.

Several complained that the foreign currency they ordered and paid for online is unavailable, leaving them out of pocket. The outage affected not just Travelex’s websites but its bricks-and-mortar outlets and services it provides to major UK high street banks such as Barclays and RBS.

However, the firm claimed in an update on Friday it has been working hard this month to restore online and customer-facing systems.

“On 17 January 2020, we confirmed that the first of our customer-facing systems in the UK were live and that the phased restoration of our systems globally was now firmly underway. We are prioritizing the UK as this is our single largest market,” it said.

Although unconfirmed, security experts believe that an unpatched critical vulnerability in Pulse Secure VPNs (CVE-2019-11510) may have given the attackers their initial foothold in Travelex's IT systems. The flaw is an unauthenticated arbitrary file read: on its own it does not execute code, but it exposes session data and plaintext credentials that let an attacker log in to the VPN and move on from there.

Troy Mursch of Bad Packets claimed to have reached out to the firm in September to flag the software flaw, which has a CVSS score of 10.0, but received no response.

On Friday, he said that there are still over 3000 vulnerable Pulse Secure VPN servers out there. That’s bad news because the bug is seeing “wide exploitation,” despite the fact that a patch has been available since April 2019, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

“A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials,” CISA said of CVE-2019-11510.

“It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.”

Although Travelex maintains that there is “no evidence that any data has left the organization,” the hackers behind the $6 million ransom demand have claimed they exfiltrated 5GB of sensitive customer data last year.

Categories: Cyber Risk News

London Councils Lose Nearly 1300 Devices Over Three Years

Mon, 01/20/2020 - 10:45

The number of London councils reporting lost or stolen mobile computing devices has more than doubled over the past three financial years, according to new Freedom of Information (FOI) data.

Think tank Parliament Street compiled responses from 23 out of the 31 local borough councils that operate across the UK capital.

It found that a total of 1293 devices were lost or stolen over the three financial years from 2016, including laptops, mobile phones and tablets. The figure jumped from 304 in 2016-17 to 635 in 2018-19, a 109% increase.

Phones went missing most often, accounting for 951 lost or stolen devices over the period. The figure rose 122%, from 215 in 2016-17 to 478 in 2018-19.

Laptop losses also almost doubled over the period, from 64 to 124, while tablet losses increased slightly from 26 to 33.

Lambeth was most affected by missing devices, recording 281 losses, 84% of which were mobile phones. Next came Brent (170) and Richmond and Wandsworth (123). Richmond and Wandsworth, which reported together, saw a 666% increase in lost and stolen devices over the period, while the figure stood at 74% in Brent.

Absolute Software EMEA VP, Andy Harcup, warned that the rise of flexible working combined with opportunistic thieves is increasing the risk of confidential public sector data going missing.

“If said device ends up in the wrong hands, these councils and the constituents they serve could be facing severe consequences, including a major data breach with citizen details finding their way onto the dark web,” he added.

“It's time for all organizations to wake up to the very real risks posed by stolen devices in terms of data security. Every single council should have robust end-point security measures in place to ensure that devices reported missing can be accessed, tracked, deleted and frozen appropriately.”

Categories: Cyber Risk News

Citrix Patches ADC Bug as Attacker Hoards Access

Mon, 01/20/2020 - 10:15

Citrix has begun issuing patches for a serious vulnerability in its Application Delivery Controller (ADC) product which experts have warned is being exploited in the wild.

The tech giant revealed the CVE-2019-19781 bug in ADC and its Citrix Gateway back in December. If successfully exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

Although the firm announced a series of mitigations to help protect customers as it readied a permanent fix, researchers claimed to have discovered tens of thousands of users that were still exposed, including high value targets across verticals including finance, government and healthcare.

Part of the problem appeared to be that not all of these mitigations worked as intended. The Dutch authorities urged businesses to disable Citrix systems altogether.

With proof-of-concept exploits appearing online in recent days and reports of active attacks, Citrix appeared to accelerate the process of readying patches.

Permanent fixes for ADC versions 11.1 and 12.0 are now ready and it has “moved forward” availability dates for other versions 12.1, 13 and 10.5 to January 24. Its Citrix SD-WAN WANOP product will also be patched on the same day.

The news comes as FireEye warned it had spotted “dozens of successful exploitation attempts” against ADC deployments that had not put in place temporary pre-patch mitigations.

One particular payload, which it named “NotRobin,” appears to be hoarding access to exposed Citrix systems.

“FireEye believes that the actor behind NotRobin has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027,” FireEye explained.

“NotRobin mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.”
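As an added example (not code from Citrix, Pulse Secure, FireEye or this article), the Python below scans web-server access logs for the request shapes behind both bugs discussed on this page: the CVE-2019-11510 file read through Pulse Secure's /dana/html5acc/guacamole/ handler (Travelex story above) and the CVE-2019-19781 traversal from Citrix's unauthenticated /vpn/ handler into /vpns/, the same "/vpns/" plus "/../" combination that the CTX267027 responder-policy mitigation rejects. The log lines are constructed in Common Log Format using documentation IP ranges; the `classify`, `scan` and `by_source` helpers are this example's own names.

```python
"""Scan web-server access logs for the request shapes used to exploit
CVE-2019-11510 (Pulse Secure: unauthenticated arbitrary file read via path
traversal under /dana-na/) and CVE-2019-19781 (Citrix ADC/Gateway: traversal
from the unauthenticated /vpn/ handler into /vpns/).
Added example; the log lines are constructed, not real traffic."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

# Common Log Format: ip ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The public CVE-2019-11510 exploit reads files through the HTML5 access
# handler, e.g. /dana-na/../dana/html5acc/guacamole/../../../../../etc/passwd
PULSE_TRAVERSAL = re.compile(r"/dana/html5acc/guacamole/(?:\.\./)+", re.I)


def decode_path(path: str) -> str:
    """Percent-decode twice so a double-encoded %252e%252e/ is seen as ../"""
    return unquote(unquote(path))


def classify(path: str) -> Optional[str]:
    """Return the CVE a request path matches, or None."""
    decoded = decode_path(path)
    # Citrix's CTX267027 responder policy rejects "/vpns/" together with
    # "/../" on requests that are not already authenticated SSL VPN sessions.
    if "/vpns/" in decoded.lower() and "/../" in decoded:
        return "CVE-2019-19781"
    if PULSE_TRAVERSAL.search(decoded):
        return "CVE-2019-11510"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each log line and keep those matching an exploit pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        cve = classify(m["path"])
        if cve:
            hits.append({**m.groupdict(), "cve": cve})
    return hits


def by_source(hits: List[Dict[str, str]]) -> Counter:
    """Count hits per (client IP, CVE) to see who is probing for what."""
    return Counter((h["ip"], h["cve"]) for h in hits)


# Constructed sample log (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:11:22:33 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jan/2020:11:22:35 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1842
198.51.100.4 - - [11/Jan/2020:02:15:01 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.4 - - [11/Jan/2020:02:15:02 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 96
198.51.100.9 - - [11/Jan/2020:02:20:00 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0
192.0.2.10 - - [11/Jan/2020:03:00:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["cve"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(by_source(found))
```

Two practical notes: the path is decoded twice because scanners commonly double-encode the dots, and a 403 on a traversal request (the last Citrix line) still tells you the host is being probed even though the mitigation held. A 200 on the Citrix POST followed by a GET for a new .xml file is the pattern worth escalating, since that is how the public exploit writes and then executes its template.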

Categories: Cyber Risk News

Fidelis Cybersecurity Acquired by Skyview Capital

Fri, 01/17/2020 - 17:00

An American company dedicated to thwarting cyber-attacks has been snapped up by a global private equity firm. 

Skyview Capital, LLC announced its acquisition of Fidelis Cybersecurity, Inc yesterday. Fidelis is located in the Maryland town of Bethesda, which a 2015 NerdWallet survey found to be the most educated place in America. 

Fidelis Cybersecurity is a leading provider of network traffic analysis and of digital forensics and incident response solutions that enable enterprises and government organizations to detect, hunt, and respond to advanced threats that evade traditional security solutions.

The company counts among its 250 employees some of the world's leading cybersecurity experts, including specialists from the US Department of Defense, the intelligence community, and industry.

Solutions developed by Fidelis are delivered as standalone network, endpoint, and deception products; an integrated platform; or as a constantly operational managed detection and response service that augments existing security operations, threat hunting, and incident response capabilities.

Fidelis was acquired from a consortium of investors in a stock transaction that adds to Skyview's existing software technology portfolio.

"With the ever-increasing complexity of digital environments and the pace of cyber threats across the world, we see an opportunity to build upon Fidelis' impressive technology and solidify its position within the IT security industry," said Alex Soltani, chairman and CEO of Skyview. 

"This transaction aligns well with our investment philosophy of targeting and investing in mission critical technology businesses across a wide spectrum of verticals, from telecommunications to cybersecurity."

The mission of Fidelis is not set to change as a result of the acquisition. 

Soltani said: "Skyview is committed to realizing the full value of Fidelis as a safeguard against cyber threats, and we are enthusiastic about identifying both organic and inorganic growth opportunities."

Nick Lantuh, president and chief executive officer of Fidelis Cybersecurity, sees the deal as a golden opportunity for growth. 

He said: "We are excited to partner with Skyview Capital and benefit from their ability to help us take the Fidelis platform, which provides unmatched visibility and empowers security teams to rapidly respond to threats, into other markets."

Categories: Cyber Risk News

NortonLifeLock Puts Silicon Valley Real Estate Up for Sale

Fri, 01/17/2020 - 16:15

NortonLifeLock, formerly known as Symantec, has put ten large commercial buildings in California’s Silicon Valley on the market. 

The cybersecurity company is seeking a buyer for the properties, which are all based in the Mountain View area, close to the Google Quad Campus. The ten buildings on the market are grouped into three separate campuses, not more than a few minutes' drive from one another. 

Commercial real estate firm Cushman & Wakefield has been hired to help shift the properties, which together total 707,000 square feet. 

According to The Orange County Register, the buildings are featured in a brochure being circulated on behalf of NortonLifeLock. 

"Never before offered to the marketplace, the offering represents a generational opportunity to acquire a portfolio of 10 buildings totaling 706,737 square feet in the heart of Silicon Valley," states the brochure. 

Mountain View was the site of Symantec’s headquarters for many years, but in November the company, under its new name NortonLifeLock, relocated its operational nerve center to Tempe, Arizona. 

One of the three campuses for sale, described in the brochure as the "headquarters campus," is located at 350 Ellis Street. On this site are five buildings offering a total 428,000 square feet of office space. 

The second campus, which is made up of research and office buildings totaling 128,000 square feet, is located at 455, 487, and 501 E. Middlefield Road. The final clutch of office and research buildings, which together offer 150,000 square feet of space, is at 515 and 545 N. Whisman Road.

In an effort to keep the ten properties together, NortonLifeLock is ideally seeking a single buyer for all three campuses.

The brochure states that "it is a strong preference of the seller for one buyer to acquire the entire portfolio," however, "individual offers on the various components may be considered."

NortonLifeLock's decision to put the properties on the market comes amid a concerted effort by the company to downsize. Over the course of 2019, the company announced it would be terminating 320 jobs in Mountain View and a further 82 in San Francisco.

Categories: Cyber Risk News

Teen Charged Over $50m SIM-Swapping Scam on Blockchain Experts

Fri, 01/17/2020 - 15:25

A teenager from Montreal is facing four criminal charges in connection with a $50m SIM-swapping scam that targeted two renowned Canadian Blockchain experts. 

Eighteen-year-old hacker Samy Bensaci is accused of being part of a crime ring that stole millions of dollars in crypto-currency by gaining unauthorized access to the cell phones of crypto-currency holders in America and Canada. 

Spokesperson for the Canadian police force, the Sûreté du Québec, Lieutenant Hugo Fournier, said the elaborate SIM-swapping cyber-fraud was responsible for the theft of "$50 million from our neighbors to the south and $300,000 in Canada."

Police say the crypto-currency thefts, which netted dozens of victims, were perpetrated by the gang in the spring of 2018. 

Among the alleged victims are renowned Toronto businessman, author, and head of the Blockchain Research Institute Don Tapscott and his son Alex, a globally recognized investor, advisor, and speaker on Blockchain technology and crypto-currencies. Together, father and son co-authored Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World.

Bensaci was arrested in Victoria, British Columbia, in November and charged with fraudulently obtaining computer service, committing fraud over $5,000, identity fraud, and illegally accessing computer data. In December, the teen was released on $200,000 bail and ordered to live with his parents in northeast Montreal until his next court hearing.

According to La Presse, neighbors described Bensaci as a discreet young man who spends a lot of time on his computer.

While staying at his parents' residence, Bensaci is prohibited from accessing "any computer, tablet, mobile phone, game console, including PS3, PS4, Xbox, Nintendo Switch, or any other device capable of accessing the Internet," and banned from possessing or exchanging any form of crypto-currency. 

Many of the individuals allegedly targeted by the gang had attended the Consensus crypto-currency fair, held annually in New York.

"We suspect that hackers spot targets during such events," said American SIM-swapping victim Rob Ross. Ross, who was robbed of $1m in crypto-currency in two separate attacks by 21-year-old hacker Nicholas Truglia, now runs a website on SIM-swap fraud.

Ontario Provincial Police sent out an alert regarding the SIM-swap scam in November, along with a warning that fraudsters sometimes impersonate a target and falsely claim that their phone has been lost or stolen.

Categories: Cyber Risk News

Oracle Issues Record CPU with 334 Patches

Fri, 01/17/2020 - 12:35

Oracle has hit an all-time record for number of security fixes issued in a critical patch update (CPU), providing sysadmins with over 330 in its first quarterly release of the decade.

The enterprise software giant issued 334 patches in total across more than 90 products this week. As such, January 2020 easily beats the previous largest CPU, consisting of 308 fixes in July 2017.

Oracle strongly urged firms to apply the patches as soon as possible, claiming that attacks have had success in compromising customers that failed to update their systems promptly. However, there are short-term alternatives.

“Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack,” it explained.

“Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.”

Among the products affected by this quarter’s CPU are popular platforms including: Oracle Database Server, which featured 12 new patches including three remotely exploitable; Oracle Communications Applications (25 patches, 23 of which are remotely exploitable); Oracle E-Business Suite (23, 21); Oracle Enterprise Manager (50, 10); Fusion Middleware (38, 30); Java SE (12); JD Edwards (9); MySQL (19, 6); Siebel CRM (5); Oracle Virtualization (22, 3); and PeopleSoft (15, 12).

It’s a busy time of the year for IT administrators. Earlier this week, Microsoft released fixes for scores of vulnerabilities in the last regular Patch Tuesday for Windows 7 and Server 2008.

These included a serious bug disclosed by the NSA (CVE-2020-0601, in the Windows CryptoAPI's validation of elliptic-curve certificates) which could allow attackers to circumvent existing security by 'signing' malware with a certificate that appears to chain to a trusted root.

Categories: Cyber Risk News

Equifax Breach Settlement Could Cost Firm Billions

Fri, 01/17/2020 - 10:40

Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.

The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.

Over two-fifths (44%) of the population of the US are thought to have been affected.

This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.

However, that’s just a small part of the overall financial impact of the ruling.

The firm has agreed to spend at least $1bn on improving its cybersecurity posture over the coming five years. It will also need to fund several years of credit monitoring from Experian and its own services for class members. That could amount to an extra $2bn if all 140 million+ customers sign up.

That’s not to mention the $6bn in credit monitoring services already being claimed by several million class members, their $77.5m in attorney fees and further amounts in litigation expenses that Equifax will need to pay.

The total could creep up towards $10bn — a cautionary tale for organizations tempted to focus on business growth at the expense of cybersecurity and risk mitigation.

“This settlement is the largest and most comprehensive recovery in a data breach case in US history by several orders of magnitude,” wrote district judge Thomas Thrash.

“The minimum cost to Equifax of the settlement is $1.38bn and could be more, depending on the cost of complying with the injunctive relief, the number and amount of valid claims filed for out-of-pocket losses and the number of class members who sign up for credit monitoring.”

Categories: Cyber Risk News

Data Breach Site WeLeakInfo Suspended as Feds Swoop

Fri, 01/17/2020 - 09:56

The FBI has joined forces with the UK’s National Crime Agency (NCA) and other law enforcers to suspend a popular website which sells access to stolen data.

The WeLeakInfo[.]com domain was seized by the Feds after the District Court for the District of Columbia issued a warrant, although its administrators are still at large.

Although the site claimed to be focused on helping breached internet users discover if their personal data had been compromised, by selling access to billions of records it also provided a useful resource for cyber-criminals looking to launch credential stuffing, phishing and other attacks.

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts,” a statement from the Department of Justice explained.

“The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months).”

The way it operated stood in contrast to legitimate breach notification site HaveIBeenPwned, which only lets users know if their accounts have been compromised, rather than providing access to troves of breached data.
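To make that contrast concrete, here is an added Python example (not HaveIBeenPwned's own code) of the k-anonymity scheme its Pwned Passwords service uses to answer "has this password been seen in a breach?" without ever receiving the password: the client hashes the password with SHA-1, sends only the first five hex characters to https://api.pwnedpasswords.com/range/<prefix>, and compares the remaining 35 characters locally against the returned SUFFIX:COUNT list. The range response here is a constructed stand-in so the example runs offline (the suffix for "password" is the genuine SHA-1 suffix; the counts and the other suffixes are made up), and `pwned_count`, `reject_if_breached` and the lookup functions are this example's own names.

```python
"""k-anonymity breached-password check, in the style of Have I Been Pwned's
Pwned Passwords range API: only the first five hex characters of
SHA-1(password) are sent; the rest of the comparison happens locally.
Added example, not the service's own code; the range data below is a
constructed stand-in so the example runs offline."""
import hashlib
import urllib.request
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed response for prefix 5BAA6. The suffix with count 3861493 is the
# genuine SHA-1 suffix of the string "password"; the counts and the other
# suffixes are made up. The live service returns hundreds of lines per prefix.
FAKE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E4CEEB75A3A4FA2A5CDEAB5C4F0E2C3D4E:1",
    ]),
}


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTPS call: return the body for a 5-char hash prefix."""
    return FAKE_RANGES.get(prefix.upper(), "")


def live_range_lookup(prefix: str) -> str:
    """Real lookup (needs network; not used by the offline demo). The
    Add-Padding header asks the service to pad the response so that its
    size does not reveal which prefix was requested."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_range_lookup) -> int:
    """How many times the password appears in the corpus (0 if absent)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]   # 5 chars leave the client, 35 stay
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)        # padded entries carry count 0
    return 0


def reject_if_breached(password: str, threshold: int = 1,
                       fetch_range: Callable[[str], str] = offline_range_lookup) -> bool:
    """Password-policy hook: True when the password may be accepted."""
    return pwned_count(password, fetch_range) < threshold


if __name__ == "__main__":
    for pw in ("password", "x7!Qv-unlisted-passphrase"):
        print(pw, "seen", pwned_count(pw), "times; accept:", reject_if_breached(pw))
```

Swap `live_range_lookup` in for `fetch_range` to query the real service. The design point is that the lookup service learns a 5-character prefix shared by hundreds of unrelated passwords and nothing else, which is the opposite of a site that hands out the breached records themselves.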

Jake Moore, cybersecurity specialist at ESET, argued that hackers can do a great deal of damage even just with limited sets of breached emails and names.

“The big risk comes from brute force attacks, where criminals use common password combinations against emails to try and break into personal accounts,” he added.

“An incredibly large amount of people still use predictable or simple passwords. Many people's passwords are also readily available on the dark web, so it quickly and simply becomes an exercise in joining the dots for the cyber-criminals.”

The FBI is seeking any information on the owners and operators of WeLeakInfo.

Categories: Cyber Risk News

Emotet Locked onto US Military and Government

Thu, 01/16/2020 - 17:25

New research into the latest victims of Emotet has found increased instances of the malware affecting the United States of America's government and military.

The pernicious malware, which is spread via email, has been infecting organizations all over the world since 2014. By shining a spotlight on Emotet's recent activities, researchers at Cisco Talos discovered that the US government is among the latest victims to be compromised. 

Researchers made the discovery by closely examining the patterns of outbound email associated with the malware. 

A Talos spokesperson said: "If a person has substantial email ties to a particular organization, when they become infected with Emotet the effects would manifest in the form of increased outbound Emotet email directed at that organization. 

"One of the most vivid illustrations of this effect can be seen in Emotet's relationship to the .mil (U.S. military) and .gov (U.S./state government) top-level domains (TLDs). 

"When Emotet emerged from its summer vacation back in mid-September 2019, relatively few outbound emails were seen directed at the .mil and .gov TLDs. But sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government."

The malware's successful compromise of at least one US government employee led to what researchers described as a "rapid increase" in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019.

Following a brief spot of respite over the winter holidays, Emotet is once again causing trouble. Cisco Talos said that the upward trend in the quantity of messages directed at .mil and .gov had "continued into January 2020."

Emotet works by stealing a victim's email, then impersonating that victim and sending copies of itself as replies. The malicious emails are delivered through a network of stolen SMTP accounts.

Recipients, conned into thinking that they are receiving a message from a friend or professional colleague, open the email and are then infected.

The simplicity of Emotet's attack strategy belies its effectiveness. "This relatively simple email-man-in-the-middle social engineering approach has made Emotet one of the most prolific vehicles for delivering malware that we have seen in modern times," said researchers. 
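One way to look for the outbound-email pattern Talos describes, as an added example that is not Talos's or Emotet's code: it counts a mailbox's outbound messages per month by recipient top-level domain and flags a month in which traffic to .gov or .mil jumps well above any earlier month. The CSV-style log format and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag a sudden surge of outbound mail toward particular top-level domains,
the signal Cisco Talos describes for Emotet's .mil/.gov targeting. Added
example, not Talos's tooling; the CSV-style log format is an assumption."""
import re
from collections import Counter, defaultdict

# Constructed sample log (date,sender,recipient,subject): one mailbox whose
# mail to .gov/.mil jumps in December 2019, with the same hijacked "Re:" thread
# reused toward many unrelated recipients.
SAMPLE_LOG = """\
2019-10-03,alice@example-org.test,bob@partner.test,Re: Q4 budget
2019-10-14,alice@example-org.test,clerk@agency.gov,Re: permit question
2019-11-02,alice@example-org.test,carol@partner.test,Re: invoice 1183
2019-12-05,alice@example-org.test,clerk@agency.gov,Re: permit question
2019-12-05,alice@example-org.test,deputy@agency.gov,Re: permit question
2019-12-05,alice@example-org.test,ops@base.mil,Re: permit question
2019-12-06,alice@example-org.test,records@county.gov,Re: permit question
2019-12-06,alice@example-org.test,logistics@base.mil,Re: permit question
2019-12-07,alice@example-org.test,hr@agency.gov,Re: permit question
2019-12-07,alice@example-org.test,legal@state.gov,Re: permit question
2019-12-08,alice@example-org.test,supply@depot.mil,Re: permit question
2019-12-09,alice@example-org.test,bob@partner.test,Re: Q4 budget
"""

TLD_RE = re.compile(r"\.([a-z0-9-]+)$")


def monthly_tld_counts(text):
    """Map (sender, tld) -> Counter of outbound messages per YYYY-MM."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        parts = line.strip().split(",", 3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        date, sender, recipient, _subject = parts
        match = TLD_RE.search(recipient.strip().lower())
        if match:
            counts[(sender.strip().lower(), match.group(1))][date[:7]] += 1
    return counts


def find_surges(text, watch_tlds=("gov", "mil"), min_count=3, ratio=3.0):
    """Return sorted (sender, tld, month, count, prior_max) tuples for months in
    which mail to a watched TLD reached min_count and was at least `ratio` times
    the busiest earlier month; a TLD never mailed before has prior_max 0."""
    alerts = []
    for (sender, tld), per_month in monthly_tld_counts(text).items():
        if tld not in watch_tlds:
            continue
        prior_max = 0
        for month in sorted(per_month):       # chronological, YYYY-MM sorts
            n = per_month[month]
            if n >= min_count and n >= ratio * prior_max:
                alerts.append((sender, tld, month, n, prior_max))
            prior_max = max(prior_max, n)
    return sorted(alerts)
```

On the constructed log this reports the December jump to .gov (five messages against an earlier peak of one) and the first burst to .mil; the `.test` traffic is ignored because that TLD is not watched.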

Categories: Cyber Risk News

LORCA Announces Fourth and Largest Cohort of Cybersecurity Innovators

Thu, 01/16/2020 - 17:01

The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the 20 scale-ups selected to join its fourth cohort of cyber-innovators.

The latest group is LORCA’s largest and most international yet – including companies from the UK, Israel, Spain, Switzerland, Denmark, Singapore and the US – using technologies such as automation and quantum to protect UK industry against the latest threats.

LORCA is hosted and delivered by Plexal at Here East in London’s Queen Elizabeth Olympic Park. The year-long project will support the 20 new companies to scale, secure investment, access new markets and participate in overseas trade missions, with the ultimate aim of growing the British cybersecurity industry.

The scale-ups will also receive technical and commercial support from the program’s delivery partner Deloitte and engineering expertise from the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

LORCA launched in June 2018 with backing from the Department for Digital, Culture, Media & Sport and has enrolled 55 companies into its program.

The latest cohort includes scale-ups with a range of cutting-edge solutions, invited to apply based on three innovation themes identified by industry leaders from various sectors:

  • Connected Economy
  • Connected Everything
  • Connected Everyone

Saj Huq, program director, LORCA, said: “LORCA exists to bring cutting-edge technology to market and to enable the most promising cyber-innovators to become globally competitive businesses. The international reach and the variety of solutions within our incoming fourth cohort is an exciting demonstration of both the strength and attractiveness of the UK market, as well as an illustration of the increasingly prominent role that LORCA plays as a convener and collaborator within the global innovation ecosystem.”

The 20 companies enrolling in the latest cohort are:

  1. Acreto
  2. Anzen Technologies Systems
  3. Avnos
  4. Contingent
  5. Continuum Security
  6. Darkbeam
  7. Heimdal Security
  8. Keyless
  9. Kinnami
  10. L7 Defence
  11. Orpheus
  12. Osirium
  13. Risk Ledger
  14. ShieldIOT
  15. SureCert
  16. ThreatAware
  17. ThunderCipher (Licel)
  18. Variti
  19. VIVIDA
  20. Westgate Cyber Security

Categories: Cyber Risk News

Bill for New Orleans Cyber-Attack $7m and Rising

Thu, 01/16/2020 - 16:02

The December cyber-attack on the southern city of New Orleans has caused over $7m of damage.

New Orleans mayor Latoya Cantrell said yesterday that the already alarmingly high figure continues to grow as the city recovers from the incident. 

A cyber-insurance policy taken out by New Orleans prior to the attack has allowed the Big Easy to recover $3m, but the popular vacation city will still be left cruelly out of pocket as a result of the incident. According to Cantrell, the cost is just something that the city will "have to eat."

"This is something that we have to deal with as a city and it is an expense that we also have to eat as a city. It speaks to the priority of infrastructure that has always been a priority of mine and it also speaks to the real push for maintenance of infrastructure. This will be ongoing," Cantrell told Fox8.

The $7m figure does not include the cost of paying a ransom to the attack's perpetrators, who, despite using ransomware to cripple the city's computer networks, never issued a ransom demand. 

In a stoic display of optimism, Cantrell told Fox8 that the ravages wrought by the attack, although bad, could have been far worse. 

She said: "The early detection and the intrusion helped us one. IT halted our networks, shut them down completely, which prevented this cyber-attack from being catastrophic."

Recovery from the attack is still a long way off, according to the city’s chief administrative officer, Gilbert Montano, as New Orleans is currently wading through a significant backlog of work that resulted from the forced reversion to manual governance.

"Now, we’re in the stabilization period. We are trying to rebuild what we had to turn off essentially and that is a long, laborious, time-sensitive process and that’s where I am telling staff and employees we’re looking maybe at a six to eight month window before actual normalcy starts to integrate all of our systems," said Montano.

Expenses included in the $7m figure are the cost of purchasing 3,400 new computers and improving the city's IT infrastructure in an effort to prevent future cyber-catastrophes.

Categories: Cyber Risk News

ISA Global Cybersecurity Alliance Triples Membership

Thu, 01/16/2020 - 15:00

A worldwide cybersecurity alliance established last year by the International Society of Automation (ISA) has tripled its membership in just six months. 

The ISA Global Cybersecurity Alliance (ISAGCA) drew its first breath in July 2019. The organization was set up with the intention to provide an open, collaborative forum to advance cybersecurity awareness, readiness, and knowledge sharing. 

Founded with six initial members, ISAGCA announced on Tuesday that its ranks have since swelled to include an additional 23 companies and organizations. 

As of the end of 2019, the original vanguard of Schneider Electric, Rockwell Automation, Honeywell, Johnson Controls, Claroty, and Nozomi Networks had been strengthened by the addition of aeSolutions, Bayshore Networks, Beijing Winicssec Technologies Co. Ltd., Digital Immunity, Dragos, exida, ISA Security Compliance Institute, ISA99 Committee, Idaho National Laboratory, LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity), Mission Secure, Inc., Mocana Corporation, Munio Security, PAS Global, Radiflow, Senhasegura (supporting member), Tenable, TiSafe, Tripwire, WisePlant, Wallix Group, and Xage Security.

The new adherents to the cause have all joined as founding members. Alliance membership is open to all end users, asset owners, government agencies, and other cybersecurity-focused organizations. 

"The cyber threat to critical infrastructure has never been greater," said Eddie Habibi, founder and CEO of newly welcomed ISAGCA member PAS Global.

ISA executive director Mary Ramsey said: "When we pair ISA's standards expertise with the real-world experience of companies like PAS, we can make major strides in advancing cybersecurity.

"Our founding members are united in their belief that security is a journey, not a destination, and they are committed to developing the resources that asset owners need to make progress." 

New alliance member Tripwire was sensible of the organization’s potential to influence cybersecurity around the globe. 

A Tripwire spokesman said: "In becoming a founding member of ISA Global Cybersecurity Alliance, Tripwire will participate in creating initiatives to increase industry awareness, creating education and certification programs, and advocating for sensible cybersecurity approaches with regulatory bodies and world governments."

ISAGCA is organized into four general focus areas: Awareness & Outreach, Compliance & Prevention, Education & Training, and Advocacy & Adoption. Each area has an attached working group that is actively working on projects, including creating an easy-to-follow, condensed guide to implementing the ISA/IEC 62443 series of standards and setting up a database of speakers with expertise and experience in automation cybersecurity who have committed to speak at industry events.

Categories: Cyber Risk News

Business Disruption Attacks Most Prevalent in Last 12 Months

Thu, 01/16/2020 - 13:25

Business disruption was the main objective of attackers in the last year, with ransomware, DDoS and malware commonly used.

According to the CrowdStrike Services Cyber Front Lines Report, which offers observations from its incident response and proactive services, a third (36%) of incidents involved ransomware, destructive malware or denial-of-service attacks. CrowdStrike classified these three as focused on “business disruption,” and while an adversary’s main goal in a ransomware attack is financial gain, the impact of disruption to a business can often outweigh the loss incurred by paying the ransom.

Also observed in 25% of the investigated incidents was data theft, including the theft of intellectual property, personally identifiable information and personal health information. IP theft has been linked to numerous nation state adversaries that specialize in targeted intrusion attacks, while PII and PHI data theft can enable both espionage and criminally-motivated operations.

“Typically, this type of data may be used by a cyber-espionage actor to build a dossier on a high-profile target, or a cyber-criminal may sell or ransom the information,” the report said.

To gain access to a network, the most popular vector was spear-phishing, accounting for 35% of investigated cases, compared to 16% using web attacks and another 16% using compromised credentials.

Jack Mannino, CEO at nVisium, told Infosecurity that in many cases, we’re struggling with many of the same issues from a decade ago, while we’re seeing an increase in attacks against cloud infrastructure and systems.

“While many organizations have been in the cloud for a while, countless teams are still undertaking transformation and are attempting to replicate security controls that they have developed internally within a new architecture,” he said.

The report also found that organizations that meet CrowdStrike’s 1-10-60 benchmark — detect an incident in one minute, investigate in 10 minutes and remediate within an hour — are improving their chances of stopping cyber-adversaries. However, another recent survey found that the vast majority of organizations struggle to meet the 1-10-60 standard, even though the vast majority also see adherence to the rule as a “game changer” in ensuring protection. “Adhering to the rule is a challenging benchmark that requires speed and experience,” the report said.

Shawn Henry, chief security officer and president of CrowdStrike Services, said: “The report offers observations into why ransomware and business disruption dominated headlines in 2019 and gives valuable insight into why issues with adversarial dwell time remain a problem for businesses around the world. Strong cybersecurity posture ultimately lies within technology that ensures early detection, swift response and fast mitigation to keep adversaries off networks for good.”

Rui Lopes, engineering and technical support manager at Panda Security, said that the use of cyberspace to carry out all kinds of malicious activities is not going anywhere in 2020, “and while cybersecurity players work to mitigate attacks, organizations struggle on their end with a gap in security experts which may not be covered even if they have a budget for it.”

Categories: Cyber Risk News

China Promises Action on Tech Transfers and IP Protection

Thu, 01/16/2020 - 12:00

Phase One of the US-China trade deal has finally been signed, with promises from Beijing that it will improve protection of IP and trade secrets and end forced tech transfers, although security experts will be skeptical.

The majority of the headlines focused on the scrapping of some mooted tariffs on goods from China including mobile phones and computers, as well as promises to increase imports of US goods by $200bn.

However, in the document itself, major sections are devoted to several areas of concern for many US businesses over the past decade or more.

These include the forced transfer of IP to a local Chinese partner that many foreign businesses have been required to follow in order to gain access to the country’s vast market. In the new document, both parties recognize that such transfers should only happen on “voluntary, market-based terms.”

“Neither Party shall require or pressure persons of the other Party to transfer technology to its persons in relation to acquisitions, joint ventures, or other investment transactions,” it continued.

The new deal also contains significant new promises by China to improve protection of intellectual property, trade secrets and confidential business information and combat counterfeiting and piracy online.

“China recognizes the importance of establishing and implementing a comprehensive legal system of intellectual property protection and enforcement as it transforms from a major intellectual property consumer to a major intellectual property producer,” it said.

Specifically, China has agreed to impose “heavier punishment” including jail time and monetary fines to deter IP theft.

However, it remains to be seen whether any of the promises made by Beijing are adhered to.

Both the US and UK famously signed an agreement with China in 2015 promising it would cease all economic espionage activity. Experts revealed that activity began to ramp up again from the Chinese side soon after.

China is also increasing its collection of sensitive corporate data from all firms operating within its borders, under a new corporate social credit system, which recently raised alarm bells at the EU Chamber of Commerce in China.

This could effectively achieve the same end for the Chinese government as forced tech transfers, it warned.

“The system of regulatory ratings necessitates the collection of massive amounts of company data, mostly through mandatory data transfers to government authorities, creating an increasingly complete disclosure of a company’s profile,” the report claimed. “Large data transfers are likely to include some sensitive data points, such as technological details and personnel information.”

Researchers have also recently revealed how Chinese state hacking groups are increasingly using local companies as a front for their espionage activities.

Categories: Cyber Risk News

Trump Takes on Apple Over FBI's Backdoor Request

Thu, 01/16/2020 - 11:00

Donald Trump has hit out at Apple after it refused to unlock the iPhone of a suspected terrorist shooter who killed three sailors last month, setting the firm on another collision course with the authorities over its stance on user privacy.

In a developing story reminiscent of the San Bernardino shootings four years ago, Apple declined to help the FBI unlock the smartphone of a 21-year-old Royal Saudi Air Force lieutenant who went on a killing spree at Pensacola Air Force base.

Although it claimed to have given the FBI “all of the data in our possession” when approached by agents a month ago, Apple maintained that bypassing the killer’s passcodes would create a dangerous precedent.

“We have always maintained there is no such thing as a backdoor just for the good guys. Backdoors can also be exploited by those who threaten our national security and the data security of our customers,” it said in a statement.

“Today, law enforcement has access to more data than ever before in history, so Americans do not have to choose between weakening encryption and solving investigations. We feel strongly encryption is vital to protecting our country and our users' data.”

However, that wasn’t good enough for attorney general William Barr, who has previously slammed tech companies for their stance on encryption, and Trump, who took to Twitter to share his ire with the world.

“We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements. They will have to step up to the plate and help our great Country, NOW!” he wrote.

The world’s leading encryption experts agree with Apple and other tech firms that creating backdoors for law enforcers would ultimately undermine security for hundreds of millions of legitimate business and personal users.

In 2018 they penned an open letter to FBI director, Christopher Wray, asking him to explain the technical basis for the Feds’ repeated claims that encryption backdoors can be engineered without impacting user security.

That request remains unanswered.

Categories: Cyber Risk News