Feed aggregator

Lawmakers Call on Government to Regulate Social Media

Info Security - Wed, 07/01/2020 - 08:40

UK lawmakers have called on the government to take action “without delay” to regulate social media, in a bid to tackle misinformation online.

The House of Lords Committee on Democracy and Digital Technologies reported on Monday that a “pandemic of misinformation” poses an existential threat to democracy, and that companies like Facebook and Google need to be held accountable.

The list of reforms set out by the committee included tighter regulation for political advertising to ensure it is brought into line with other forms of advertising in requirements for truth and accuracy.

Working with the Advertising Standards Authority, political parties should develop a code of conduct to ban inaccurate ads during times of elections and referendums, it said. Wildly inaccurate claims made by the Leave campaign, including that the NHS would receive an extra £350m per week if Britain left the EU, are believed to have influenced many to vote Brexit.

There should also be more transparency around who pays for specific political ads and beefed up powers for the Electoral Commission to fine £500,000 or 4% of total campaign spend for those breaking the rules.

The Lords also called on the government to push ahead with an online harms bill which would give regulator Ofcom the power to hold platform providers legally responsible for content produced by individuals with large numbers of followers. The regulator should be given powers to fine such companies 4% of global annual turnover or force ISPs to block serial offenders.

Ofcom should also be given the power to ensure online firms are transparent in how their algorithms work so they are not operating in a discriminatory manner, the committee said.

An independent ombudsman should be appointed to provide a point of contact for individuals to complain to in the event they feel let down by digital platforms.

Committee chair and Labour peer, David Puttnam, argued that the perils of misinformation have become clear during the COVID-19 crisis.

“We have set out a program for change that, taken as a whole, can allow our democratic institutions to wrestle power back from unaccountable corporations and begin the slow process of restoring trust,” he added.

“Technology is not a force of nature and can be harnessed for the public good. The time to do so is now.”

Catherine Stihler, chief executive of the Open Knowledge Foundation, argued that the only way to fight misinformation and disinformation is to make information open, so authorities like journalists and scientists can report the facts.

“Tech giants have a responsibility to increase transparency and work closely with fact checkers, but self-regulation is never going to be enough by itself – government intervention is required,” she added.

“The UK government should take account of public opinion and the recommendations in this report and work towards a future that is fair, free and open.”

Categories: Cyber Risk News

Faulty Drivers Fuel ATM Hacking Problem, Say Researchers

Info Security - Tue, 06/30/2020 - 18:52

Faulty Windows drivers are to blame for many attacks against ATM and point-of-sale (POS) devices, according to research from Portland, Oregon–based hardware security research company Eclypsium. In a report released this week, it built on previous research highlighting how attackers can exploit poorly designed third-party drivers to gain control over the kernel of Microsoft's operating system and the underlying device firmware. It went on to explain how people can exploit these vulnerabilities to target highly regulated devices.

The researchers found a vulnerable Windows driver exposing a Diebold Nixdorf ATM to attack after acquiring the computer used in the ATM, which controls critical components, including the cash cassettes. The hardware driver provided arbitrary access to I/O ports on the system, giving code that could reach the driver access to devices connected via the PCI interface. The system also used the same driver to update the device's BIOS firmware, which could allow an attacker to install a bootkit, they warned. The ATM vendor has already worked with Eclypsium to fix the problem, the report said.

This is not an isolated problem, the researchers warned. "These capabilities in a vulnerable driver could have a devastating impact on ATM or POS devices. Given that many of the drivers in these devices have not been closely analyzed, they are likely to contain undiscovered vulnerabilities," the report said.

In previous research, Eclypsium drilled down into the specific driver flaws that expose the Windows kernel. It named several vendors that had released vulnerable drivers for their devices.

For a long time, there was no way for Windows to mitigate these problems. That changed with the introduction of hypervisor-enforced code integrity (HVCI), which protects Windows from malicious code using built-in virtualization features. The problem is that this feature requires newer processors and isn't yet supported by many third-party drivers, they warned.

ATM hardware doesn't get replaced all that often, meaning that many of them won't be equipped with HVCI. Regulations also slow down the driver patching process, the researchers added. If a device is certified to external security standards, then any change that a vendor makes to its software or firmware could result in delays as it goes through the certification process again, they said.

Other security companies have also highlighted problems with patching ATM software. In a 2019 white paper about ATM security challenges, Fortinet pointed out that manual processes for patching ATMs might fall outside the scope of corporate patch management systems that banks use for conventional IT equipment. That can make it difficult for IT administrators to patch thousands of ATMs across a distributed infrastructure, it warned.

Attacks on ATM hardware (as opposed to the use of add-on skimming devices) are a perennial problem for banks. In September 2019, malware from the Lazarus Group was discovered targeting ATMs in Indian banks. Cash-out crews have also reportedly been targeting US ATMs with 'jackpotting' attacks, in which malware forces devices to continually dispense cash, since 2018.

Categories: Cyber Risk News

Unauthorized Data Sharing Puts Companies at Risk

Info Security - Tue, 06/30/2020 - 18:07

Inappropriate data sharing continues to be a problem for companies, according to a survey from data discovery and auditing software vendor Netwrix. Although most companies have designated secure storage areas for their data, many find it leaking into insecure areas, its research found.

A quarter of companies have discovered data stored outside designated secure locations in the past year, according to the vendor's "2020 Data Risk & Security" report. It took them considerable time to discover the stray data, with 23% reporting that it lay undiscovered for weeks.

This data seems to make its way into insecure storage because employees don't follow data sharing policies, if they exist at all. According to the survey, 30% of systems administrators granted direct access to sensitive data based only on user requests. The results show up in audits and can lead to financial penalties. Of companies that experienced unauthorized data-sharing incidents, 54% ended up with non-compliance findings from audits.

Many companies don't keep tabs on user data access privileges, the survey found. A little over half of all organizations don't review these access privileges regularly, it reported.

This lack of visibility into access rights makes it hard to track data sharing. According to the survey, only half of all organizations are confident that employees are sharing data without the IT department's knowledge. Of those, 29% cannot track employee data sharing at all, making their claims difficult to prove.

The survey examined all stages of the data life cycle from creation through to disposal. It found poor practices at the data-creation stage that have direct implications for other stages such as data sharing. Nearly two-thirds of the survey respondents said that they couldn't confirm they only collect the minimum amount of customer data required. Of those, 34% are subject to the GDPR, which limits the amount of data they are allowed to collect. Companies that collect more customer data than they need to and fail to manage it properly later on compound their security risk.

The survey covered 1,045 IT professionals around the world, with the largest proportion (48%) coming from North America, followed by 26% from the EMEA region. Half the companies had 1,000 employees or fewer.

Categories: Cyber Risk News

US Government Warns of Palo Alto Vulnerability

Info Security - Tue, 06/30/2020 - 17:10

The US government has warned of a critical flaw in Palo Alto Networks equipment that could enable attackers to take over its devices with minimal skill.

The warning, issued by US Cyber Command, urged people to patch all devices affected by the vulnerability immediately. It said that foreign advanced persistent threat actors will attempt to exploit it soon.

Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.


— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020

As a user of these products, US Cyber Command would have reason to worry about foreign nation-states targeting its networks and those of its partners. It is one of eleven unified commands at the US Department of Defense, and oversees the US military's cyberspace operations.

The vulnerability, CVE-2020-2021, concerns the authentication process in PAN-OS, which is the operating system driving Palo Alto firewalls. When authentication using the Security Assertion Markup Language (SAML) is enabled and the 'Validate Identity Provider Certificate' option is unchecked, the system doesn't verify signatures properly, enabling someone to gain unauthenticated access to protected resources over a network.

Although it has a severity of 10—the highest possible—this is not a remote code execution vulnerability. It would, however, allow an unauthenticated attacker with network access to the web interfaces to log into the company's firewalls as administrator. The bug affects its PA and VM series next-generation firewalls, the company said in the vulnerability announcement.

This attack could be particularly damaging to customers now because they rely heavily on firewall and VPN access to serve employees working remotely during the COVID-19 pandemic.

The security hardware vendor said that it is not aware of any malicious attempts to exploit the vulnerability thus far.

Administrators can patch the vulnerability today by upgrading to new versions of the software. The company has released point updates for versions 8.0, 8.1, 9.0, and 9.1 to fix the problem. Alternatively, they can disable SAML authentication to eliminate the issue until they get the chance to apply the point upgrade, which means switching to another form of authentication in the meantime.

This advisory comes almost exactly a year after Palo Alto announced a remote code execution flaw in its GlobalProtect Portal and Gateway interface products. That vulnerability, rated High with a CVSS score of 8.1, allowed attackers to execute arbitrary code without authentication. In April 2019, CMU-CERT also warned that the company's VPN software was storing cookies insecurely in log files.

Categories: Cyber Risk News

New Cybersecurity Standard for IoT Devices Established By ETSI

Info Security - Tue, 06/30/2020 - 15:30

A new standard for cybersecurity in the Internet of Things (IoT) has been unveiled today by the ETSI Technical Committee on Cybersecurity. It establishes a security baseline for internet-connected consumer products and for future IoT certification schemes. It is hoped the standard, titled ETSI EN 303 645, will help prevent large-scale, prevalent attacks taking place against smart devices.

Developed in collaboration with industry, academics and government, the standard aims to restrict the ability of cyber-criminals to control devices across the globe and launch DDoS attacks, mine cryptocurrency and spy on users in their own homes. This has become a major concern for the cybersecurity industry due to the growing prevalence of smart devices in households, many of which have security weaknesses.  

Earlier this month, for example, an investigation by Which? found that 3.5 million wireless indoor security cameras across the world potentially have critical security flaws that make them vulnerable to hacking.

ETSI EN 303 645 outlines 13 provisions for the security of a wide range of IoT consumer devices and their associated services. These include children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances and smart home assistants.

Five specific data protection provisions for consumer IoT are also set out in the standard.

Mahmoud Ghaddar, CISO Standardization, commented: “Ensuring a better level of security in the IoT ecosystem can only be achieved if governments, industry and consumers collaborate on a common and reachable goal, and standardization bodies like ETSI have provided the right platform to achieve it for this standard.”

A number of manufacturers and IoT stakeholders have already developed products and certification schemes according to ETSI EN 303 645. Juhani Eronen, chief specialist at Traficom, added: “To date we have awarded the labels to several products including fitness watches, home automation devices and smart hubs. Being involved in the development of the ETSI standard from the start helped us a lot in building up our certification scheme. Feedback from companies and hackers has been very positive so far.”

Categories: Cyber Risk News

Indian Government Bans TikTok and 50+ Chinese Apps

Info Security - Tue, 06/30/2020 - 11:25

The Indian government has banned over 50 Chinese-made smartphone apps including popular social title TikTok over concerns they may be stealing user data.

The 59 titles also include Twitter-like platform Weibo and WhatsApp clone WeChat, as well as a range of other browser, camera, news, entertainment and communications apps.

A government statement noted that the decision was taken due to fears that the apps were “prejudicial to sovereignty and integrity of India, defense of India, security of state and public order.”

These concerns were linked to fears over users’ data security and privacy.

“The Ministry of Information Technology has received many complaints from various sources including several reports about misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India,” it said.

Although the concerns may be genuine, the timing appears to be deliberate, coinciding with a period of heightened tensions between the two Asian giants after recent border clashes left 20 Indian soldiers dead.

According to the BBC, India is TikTok’s biggest foreign market with an estimated 120 million users.

However, the app has come in for criticism not only in India. In the US, the Pentagon banned its use by soldiers early this year on security concerns related to its Beijing-based owner ByteDance.

The Committee on Foreign Investment in the United States (CFIUS) has launched an inquiry into whether the user data TikTok collects represents a national security risk. If this becomes a full-blown investigation it could even put the sale of the title, which was originally a US app called Musical.ly, in jeopardy.

Concerns also swirl over the extent to which TikTok is influenced by Beijing, after it appeared to censor content linked to pro-democracy protesters in Hong Kong.

ProPrivacy digital privacy expert, Ray Walsh, argued that although New Delhi’s decision was probably taken for geopolitical reasons, it doesn’t mean it has no basis in privacy best practice.

“The decision will drastically reduce the amount of data passing from Indian citizens to Chinese authorities, via seemingly innocuous and hugely popular apps such as TikTok. These apps are known to harvest huge amounts of data from their users, resulting in covert international surveillance for the Chinese government,” he argued.

“Although the ban is likely to be controversial among Indian citizens, it may well cause other world leaders to consider whether they could or should impose similar sanctions.”

It remains to be seen how easy it is to enforce such a ban in practice.

Categories: Cyber Risk News

InFraud Cybercrime Gang Member Pleads Guilty to Charges

Info Security - Tue, 06/30/2020 - 10:30

A leading figure in a notorious cybercrime organization has pleaded guilty before a Nevada court to racketeering charges.

Russian national Sergey Medvedev — aka “Stells,” “segmed” and “serjbear” — pleaded guilty to conspiracy charges under the Racketeer Influenced and Corrupt Organizations Act (RICO), according to the Department of Justice (DoJ).

According to the indictment, the InFraud group he was a member of was founded in 2010 by 34-year-old Ukrainian Svyatoslav Bondarenko to be an expert in “carding” — the online trafficking of stolen personal and financial information.

“Under the slogan, ‘In Fraud We Trust,’ the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware and other illicit goods,” the DoJ said. 

“It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information and other contraband were permitted to advertise to members.”

By March 2017 there were an estimated 10,900 registered members of InFraud. The DoJ claimed that during its seven-year history it made over $568m from its victims — financial institutions, merchants and individuals.

The group was finally taken down in early 2018 after police in Australia, the UK, France, Italy, Kosovo and Serbia swooped on 13 individuals thought to have key roles in InFraud. An indictment was subsequently released charging 36 suspected members.

Medvedev, 33, was extradited from Thailand after being arrested there during the 2018 international police crackdown.

The news comes just days after another Russian national, Aleksei Burkov, was sentenced to nine years behind bars for operating the Cardplanet website, which sold stolen card data.

Categories: Cyber Risk News

US Suspends Sensitive Tech Exports to Hong Kong

Info Security - Tue, 06/30/2020 - 09:45

The US government has said it will suspend export of sensitive defense technologies to Hong Kong after China passed a controversial national security law in the Special Administrative Region (SAR).

In a brief statement on Monday, commerce secretary Wilbur Ross argued that the new law meant that sensitive US tech may find its way into the hands of the People’s Liberation Army (PLA) or the fearsome Ministry of State Security (MSS), both of which are prolific sources of cyber-attacks on foreign targets.

“Commerce Department regulations affording preferential treatment to Hong Kong over China, including the availability of export license exceptions, are suspended,” he continued.

“Further actions to eliminate differential treatment are also being evaluated. We urge Beijing to immediately reverse course and fulfill the promises it has made to the people of Hong Kong and the world.”

The controversial law was passed unanimously today by China’s rubber-stamp parliament, the National People’s Congress.

It seeks to criminalize activities such as secession and collusion with foreign forces, but many see it as an attempt to muzzle political activists and protesters in the region. The law also flies in the face of the binding “one country, two systems” agreement between China and the UK which intended the SAR to retain its autonomy for 50 years after the handover in 1997.

Judging by Ross’s remarks, the ban on exports of sensitive technologies to Hong Kong is likely to presage a wider revocation of the SAR’s special status under US law, by which it is granted certain preferential economic and trading rights over China.

On Friday, the State Department also imposed visa restrictions on Chinese Communist Party officials accused of undermining Hong Kong’s autonomy.

Beijing’s opaque political system is such that no Hong Kongers have yet even been able to see and read for themselves exactly what the legislation entails.

However, reports suggest it will carry a maximum sentence of life.

Categories: Cyber Risk News

#COVID19 HMRC Phishing Scams Persist, Begin Targeting Passport Details

Info Security - Tue, 06/30/2020 - 08:45

Fraudsters are continuing to exploit self-employed people with advancements in already-established COVID-related HMRC phishing scams.

Uncovered by Griffin Law, the latest variation of this attack is now targeting the passport details of self-employed people, along with other information including personal and bank details.

According to Griffin Law, the scam begins with a text message purporting to be from HMRC informing the recipient they are due a tax refund which can be applied for online via an official looking site that uses HMRC branding and is entitled “Coronavirus (COVID-19) guidance and support.”

The bogus site then asks for several pieces of the user’s sensitive information before also requesting their passport number as ‘verification’ – a new aspect of the scam previously discovered by Griffin Law.

So far, Griffin Law has ascertained that around 80 self-employed London-based workers have reported receiving this scam to their respective accountant.

Stav Pischits, CEO of Cynance, said: “The COVID-19 crisis has triggered a sharp rise in phishing attacks targeting businesses and individuals with realistic scams promising financial support and purporting to be from HMRC.

“All it takes is a single employee to accidentally hand over confidential company information, such as bank account details, a username or password for a potentially catastrophic data breach to occur.”

It’s therefore vital that all companies invest in improving cybersecurity procedures, particularly with millions of employees working remotely for the foreseeable future, he added.

Chris Ross, SVP, Barracuda Networks, warned that cyber-criminals will continue to exploit any situation to harvest financial data from individuals and see the national emergency as the perfect opportunity to fool vulnerable victims into handing over personal information.

“Security awareness is key within the workforce, and it’s vital that all employees are trained about how these schemes operate as well as how SMS can be exploited as part of a wider phishing scheme.”

Categories: Cyber Risk News

Businesses Lack a Workable Ransomware Recovery Strategy

Info Security - Tue, 06/30/2020 - 08:00

More than a third of businesses do not have a ransomware emergency plan in place, or are not aware if one exists within their company.

According to research from Ontrack of 484 organizations, 39% either did not have or were not aware of a ransomware strategy, while 26% admitted they couldn’t access any working backups after an attack.

“The threat of ransomware has never been greater,” said Philip Bridge, president of Ontrack. “The fact that only 39% of respondents to our survey have an emergency plan in place for a ransomware attack is shocking. They are gambling with their and their customers’ data.

“It is imperative, now as ever, to ensure your organization has processes and procedures in place to mitigate the impact of any cyber-attack and protect sensitive data,” added Bridge.

As the third anniversary of the NotPetya attacks was marked at the weekend, David Grout, CTO of EMEA at FireEye, said NotPetya highlighted the need for resiliency, backup and preparation, as well as the importance of being able to track and identify the perpetrators and understand their motives.

“In terms of what can be done to mitigate the effects of these attacks, primarily, it is essential that patches are made available quickly and that they are widely adopted. If a discovered vulnerability can be exploited, it is highly likely that threat groups will use it, and continue to do so until it is fixed, inflicting untold damage,” he said.

“The NotPetya attack could have been mitigated by ensuring updates to software were regularly conducted, as well as thorough assessments of a given organization’s security, especially through simulated cyber-breaches.”

Speaking to Infosecurity, BH Consulting CEO Brian Honan said, with ransomware becoming an increasing concern for many organizations, he is seeing more businesses take steps to tackle the threat.

“However, many of these steps focus very much on the preventive aspect of security controls and in particular on ensuring effective anti-virus software is in place. While this is an important element in protecting against ransomware, organizations do need to take a more holistic approach to protecting their businesses and ensuring they can continue to function and recover from an attack should it happen.”

Honan recommended having robust data backup and data recovery strategies in place. “The key is to ensure business resilience in the event of a ransomware attack,” he said. “To achieve this, organizations should incorporate their incident response processes, for all cyber-attacks and not just for ransomware attacks, with their business continuity plan so they can continue to operate, while looking to recover from secure backups.

“A good backup strategy that is regularly reviewed, secured and tested to ensure the data can be recovered is one of the most effective defenses against ransomware.”

Categories: Cyber Risk News

UCSF Pays $1.14m Ransomware Fee

Info Security - Mon, 06/29/2020 - 20:02

The University of California San Francisco finally confirmed that it had forked over $1.14m to ransomware thieves last week, less than a month after discovering that critical academic data related to its COVID-19 research had been encrypted.

The university said in a statement on Friday that it had detected a security incident affecting some of its School of Medicine servers on June 1. It had quarantined the affected IT systems at the time. The attackers managed to encrypt some of the university's systems with ransomware and demanded a payment. Although the university believed that no patient's medical records were affected, the data was important enough that it was forced to play ball with the criminals. It said:

"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained."

UCSF was one of three higher education establishments to be targeted in a single week at the start of June by the Netwalker ransomware gang.

The BBC received a tip that enabled it to drop in on a chat session between UCSF and the criminal gang on the dark web. According to the chat transcript, Netwalker originally asked for a $3m ransom, but UCSF countered, asking them to accept $780,000. The two parties kept haggling, until they agreed on a final sum of $1,140,895. That equated to 116.4 bitcoins, which the university transferred the following day.

Universities are difficult places to protect because the networks are vast and geared toward open information sharing. In September 2019, the UK's National Cyber Security Centre reported that UK universities were at particular risk from nation-state attacks, although most fail to pay much attention. In May last year, Moody's Investors Service warned that universities have numerous campuses and thousands of students along with budgetary constraints, making their cybersecurity effort especially difficult. Its research, sponsored by IBM Security, revealed 101 confirmed data disclosures at US universities in 2017, up from just 15 in 2014.

Categories: Cyber Risk News

Researchers Find New Calendar-Based Phishing Campaign

Info Security - Mon, 06/29/2020 - 19:50

Researchers have once again spotted crooks using calendar invitations to mount phishing attacks. The Cofense Phishing Defense Center found the attack in enterprise email environments protected by Proofpoint and Microsoft, it announced last week.

The phishing scam uses iCalendar, which is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks. iCalendar files are usually delivered with an .ics extension. The company found the attackers using this file with the subject "Fault Detection from Message Center," from a sender with the display name Walker. It came from a legitimate account belonging to a school district, indicating that the attackers were using a compromised email. That enabled them to bypass email filters relying on the DKIM and SPF technologies that authenticate sending domains.

When the victim opens the .ics file, it proposes a calendar entry displaying a URL, along with a message saying that it is from a security center. The web page behind the URL is hosted on Microsoft's SharePoint site, and displays another link to a phishing site hosted by Google that appears to show a Wells Fargo login page.

Victims gullible enough to cooperate must submit their login details, PIN and account numbers, along with their email credentials. Doing so hands the attackers the keys to the kingdom. The phishing site will then send them to the legitimate Wells Fargo website to quell any suspicion.
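The lure above rides inside an iCalendar file, so a mail gateway or analyst needs to look inside .ics attachments rather than only at the message body. The following is an added example written for this page, not Cofense's tooling: it unfolds RFC 5545 continuation lines (a line break followed by a space or tab) before searching for links, because a URL split across a fold is invisible to line-by-line matching, and then reports which link hosts differ from the sender's domain. The sample invite and every domain in it are constructed placeholders.

```python
"""Extract and triage URLs carried in an iCalendar (.ics) attachment.

Added example for this page (not Cofense's code). Assumes a defender
wants to inspect .ics attachments before they reach a user's calendar.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample invite. The DESCRIPTION is folded per RFC 5545, which
# splits the URL "https://docs.example/shared/review.html" across two lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Fault Detection from Message Center\r\n"
    "DESCRIPTION:Your account needs attention. Review it at https://docs.exa\r\n"
    " mple/shared/review.html before Friday.\r\n"
    "LOCATION:Online\r\n"
    "URL:https://calendar.example/invite/123\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)


def unfold(ics_text):
    """Join RFC 5545 folded lines: a CRLF (or LF) followed by SPACE/HTAB continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def extract_urls(ics_text):
    """Return (property_name, url) pairs for every link in the calendar."""
    found = []
    for line in unfold(ics_text).splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()   # drop parameters such as ;LANGUAGE=en
        value = value.replace("\\,", ",")       # undo iCalendar text escaping
        for url in URL_RE.findall(value):
            found.append((prop, url.rstrip(".,;)")))
    return found


def foreign_link_hosts(url_pairs, sender_domain):
    """Link hosts that are neither the sender's domain nor a subdomain of it.

    A link pointing somewhere unrelated to the sending organisation is the
    signal worth surfacing; the message itself may pass SPF/DKIM if the
    sending account was compromised.
    """
    sender_domain = sender_domain.lower()
    hosts = set()
    for _, url in url_pairs:
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    pairs = extract_urls(SAMPLE_ICS)
    for prop, url in pairs:
        print(f"{prop}: {url}")
    print("hosts outside sender domain:", foreign_link_hosts(pairs, "calendar.example"))
```

Without the `unfold` step the description URL would be truncated at `https://docs.exa` and the real destination would never be seen; with it, the link to `docs.example` is reported as the one host that does not belong to the sending domain.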

This may be a new campaign, but it is not a new technique. A similar attack cropped up last June, when Kaspersky found attackers using Google's auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.

This attack shows that cyber-crooks are still using the same attack vectors to deliver their scam material. Cofense also points out that using legitimate domains designed to host user content is a common tactic, and a perennial problem for the likes of Microsoft and Google. It gives the attackers an air of legitimacy because they get to take advantage of these sites' built-in SSL certificates, which add the reassuring green padlock icon to the side of the URL in a browser's address bar.

Categories: Cyber Risk News

Criminals Exploit Pandemic with Brute-Force RDP Attacks

Info Security - Mon, 06/29/2020 - 19:33
Criminals Exploit Pandemic with Brute-Force RDP Attacks

ESET is the latest security company to notice a sharp spike in RDP-based hacks over the last few months. The anti-malware company spotted a rise in the number of brute-force attacks using the remote access protocol, and said that cyber-criminals have been using it to distribute ransomware.

The Remote Desktop Protocol is a proprietary Microsoft protocol that allows people to access Windows from outside the network. Companies often leave their RDP ports open without taking proper security measures, ESET warned. That can lead to malware infections.

The company has tied the spike in attacks to the COVID-19 pandemic. With lots of office workers forced to log in from home, RDP has become a common way for them to access machines back at the office, it explained. It distributed a graph showing daily attacks against unique clients rising from just under 30,000 in December to over 100,000 during May.

ESET created a new detection layer that spots repeated login attempts from external environments. It adds offending IP addresses to a blacklist that it uses to protect all of its clients. For that to work, though, companies must enable the Network Level Authentication (NLA) RDP option on their servers. This is something that Microsoft has already recommended in the past as a protection against the BlueKeep worm that emerged last year, which exploited a vulnerability in RDP.

Other things you can do to protect yourself against RDP include disabling it altogether if you don't need it, the company says, or at least creating access control lists that limit the number of users allowed to connect directly over the internet. Use strong, complex passwords for all accounts, along with multi-factor authentication, it advises. If possible, use a VPN gateway to broker all connections from outside your local network. We covered some protection techniques in April.
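The detection layer described above, as an added example rather than ESET's implementation: it counts failed RDP logons per external source address inside a sliding time window and returns the sources that cross the threshold. The log lines are constructed from fields of Windows Security event 4625 (failed logon); the internal network ranges and threshold are assumptions.

```python
"""Flag external addresses that repeatedly fail RDP logons.
Added example, not ESET's code; sample log and thresholds are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures per source before blocking (assumption)
WINDOW = timedelta(minutes=10)  # sliding window (assumption)

# Ranges treated as "inside the network" (assumption: RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: "timestamp event_id logon_type user source_ip".
# Logon type 10 is RemoteInteractive (RDP); with NLA enabled, a failed
# CredSSP pre-authentication is typically recorded as type 3 (Network).
SAMPLE_LOG = """\
2020-06-29T08:00:01 4625 10 administrator 203.0.113.7
2020-06-29T08:00:03 4625 10 admin 203.0.113.7
2020-06-29T08:00:04 4625 3 sysadmin 203.0.113.7
2020-06-29T08:00:06 4625 10 administrator 203.0.113.7
2020-06-29T08:00:08 4625 10 root 203.0.113.7
2020-06-29T08:00:10 4624 10 alice 10.0.0.15
2020-06-29T08:01:00 4625 10 bob 10.0.0.22
2020-06-29T08:01:05 4625 10 bob 10.0.0.22
2020-06-29T08:01:09 4625 10 bob 10.0.0.22
2020-06-29T08:01:12 4625 10 bob 10.0.0.22
2020-06-29T08:01:15 4625 10 bob 10.0.0.22
2020-06-29T08:01:20 4625 10 bob 10.0.0.22
2020-06-29T09:30:00 4625 10 administrator 198.51.100.9
2020-06-29T09:50:00 4625 10 administrator 198.51.100.9
"""


def parse(line):
    ts, event_id, logon_type, user, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, ipaddress.ip_address(src)


def is_external(addr):
    return not any(addr in net for net in INTERNAL_NETS)


def brute_force_sources(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: time the threshold was first reached} for external
    sources with `threshold` failed RDP logons inside any `window`.
    Internal sources are skipped here; they deserve their own alert."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, _user, src = parse(line)
        if event_id != 4625 or logon_type not in (3, 10) or not is_external(src):
            continue
        failures[src].append(ts)
    hits = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[str(src)] = t
                break
    return hits


if __name__ == "__main__":
    for src, when in brute_force_sources(SAMPLE_LOG).items():
        print(f"block {src}: threshold reached at {when.isoformat()}")
```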

ESET isn't the only company to have noticed a rise in RDP-based attacks. In March, Shodan noticed an uptick in the number of devices exposing RDP to the internet. A month later, Kaspersky reported the same thing, warning that the number of Bruteforce.Generic.RDP attacks had "rocketed across almost the entire planet" since March.

Exposed RDP problems are so bad that the FBI even warned about it in 2018, and reportedly sent out another warning this month to K–12 schools in the US about an increase in RDP-based ransomware attacks during the pandemic.

Categories: Cyber Risk News

Malware Incidents Fall Amid Overall Rise in Security Events Last Year

Info Security - Mon, 06/29/2020 - 15:28
Malware Incidents Fall Amid Overall Rise in Security Events Last Year

Malware incidents fell by 23% in 2019 despite an overall increase in security events, according to Orange Cyberdefense in its inaugural Security Navigator report. The findings suggest that businesses have grown investment in technologies that protect themselves from these kinds of threats, leading cyber-criminals to shift to other types of attack.

Of the security events the cybersecurity company analyzed last year, only 22% were classified as malware-related, which compared to 45% in the previous year.

Despite this, out of 263,109 events Orange Cyberdefense uncovered in 2019 from data obtained from its 10 CyberSOCs and 16 SOCs, 11.17% were identified as verified security incidents, representing a 34.4% rise compared to 2018. This is particularly significant considering the total number of events increased by only 3%. The most common incident cause last year was application anomalies, which grew from 36% to 46%.

“The findings don’t mean that malware is no longer a significant threat; far from it,” said Charl van der Walt, head of security research at Orange Cyberdefense. “What it does suggest is that endpoint-centered prevention can significantly reduce the risk to businesses. What we see here is very likely the immediate result of investment in next-gen endpoint protection. While elaborate malware and APTs used in targeted attacks still do pose a serious threat, the skill level of the common cyber-criminal simply does not match up-to-date endpoint protection anymore. That is good news.”

Malware-related incidents were observed to drop off during peak holiday periods in April, mid-July and early December, indicating that cyber-criminals take breaks in these periods in line with businesses.

The report also revealed there was no change in the frequency of cryptomining attacks despite the value of Monero, Ethereum, Litecoin and Bitcoin reaching a new peak in early summer 2019, suggesting this type of threat is in decline. Worryingly, however, the number of attacks deemed business-critical doubled to 0.11% in 2019.

Categories: Cyber Risk News

IoT Botnet Developer Gets 13-Month Sentence

Info Security - Mon, 06/29/2020 - 11:00
IoT Botnet Developer Gets 13-Month Sentence

A Washington man has been sentenced to 13 months behind bars for his part in developing, using and selling access to DDoS botnets based on the infamous IoT malware Mirai.

Kenneth Currin Schuchman, 22, of Vancouver, was handed his sentence late last week after pleading guilty last September to one count of fraud and related activity in connection with computers, in violation of the Computer Fraud & Abuse Act.

The botnets, known as Satori, Okiru, Masuta and Tsunami/Fbot, were used to compromise hundreds of thousands of connected devices worldwide, according to the Department of Justice.

Schuchman, who went by online aliases including “Nexus” and “Nexus-Zeta,” worked with co-conspirators “Vamp” and “Drake” to build on the Mirai code with new capabilities. His expertise was apparently in finding new vulnerabilities in IoT devices, which could subsequently be exploited to remotely control them.

After being arrested and charged in August 2018, Schuchman is said to have developed another IoT botnet, Qbot, while on supervised release, and also called in a swatting attack on “Vamp’s” home.

Vamp, Drake and UK national “Viktor” have also been charged for their roles in operating and developing the botnets.

“Cyber-criminals depend on anonymity, but remain visible in the eyes of justice,” said US attorney Brian Schroder. “Today’s sentencing should serve as a reminder that together with our law enforcement and private sector partners, we have the ability and resolve to find and bring to justice those that prey on Alaskans and victims across the United States.”

As part of his sentence, Schuchman will be required to serve 18 months of community confinement following his release from prison, and three years of supervised release.

Categories: Cyber Risk News

Chinese Bank Forces Firms to Download Backdoored Software

Info Security - Mon, 06/29/2020 - 09:45
Chinese Bank Forces Firms to Download Backdoored Software

Organizations doing business in China have been warned that official-looking software mandated for download by domestic banks may actually contain backdoor malware.

Trustwave explained in a new report that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software, produced by the Golden Tax Department of Aisino Corporation.

Although it worked as advertised, the software also contained a powerful backdoor that could not be removed, even if Intelligent Tax was uninstalled.

“It installed a hidden backdoor on the system that enabled a remote adversary to execute Windows commands or to upload and execute any binary (to include ransomware, Trojans or other malware),” explained Trustwave VP of cyber-threat detection and response, Brian Hussey.

“Basically, it was a wide-open door into the network with system-level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure.”

He admitted that it remains unclear whether the backdoor was added to the software unbeknownst to the local bank, or if the scheme is one that affects a wide range of businesses across China.

Although the current campaign began in April this year, GoldenSpy variants apparently date back to December 2016, a couple of months after Aisino announced a new ‘big data’ partnership with a company called Chenkuo Network Technology.

That same company digitally signs GoldenSpy using text, “certified software version upgrade service,” designed to legitimize the malware.

Neither Chinese firm had replied to Trustwave at the time of writing.

“We believe that every corporation operating in China or using the Aisino Intelligent Tax Software should consider this incident a potential threat and should engage in threat hunting, containment and remediation countermeasures, as outlined in our technical report,” concluded Hussey.

Categories: Cyber Risk News

Campaigners Call for Computer Misuse Act Revision on 30th Anniversary

Info Security - Mon, 06/29/2020 - 09:15
Campaigners Call for Computer Misuse Act Revision on 30th Anniversary

An open letter has been sent to UK Prime Minister Boris Johnson, asking for an update to the Computer Misuse Act (CMA) as it marks the 30th anniversary of receiving royal assent.

Coordinated by the CyberUp Campaign, a group of cybersecurity organizations are pushing for an update of the Computer Misuse Act to make it fit for the digital age.

“In 1990, when the CMA became law, only 0.5% of the UK population used the internet, and the concept of cybersecurity and threat intelligence research did not yet exist,” the letter read. “Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalizes a large proportion of modern cyber-defense practices.”

The letter cited the COVID-19 pandemic, stating that this demonstrates “how reliant modern society is on secure and effective digital technologies.”

It claimed: “The government has committed to investing in the UK’s digital and technology credentials and, as we move beyond the pandemic, we are calling on the government to make putting in place a new cybercrime regime part of this commitment. This will give our cyber-defenders the tools they need to keep Britain safe.”

In the past few years, efforts have been made to bring the CMA up to date. NCC Group has admitted that a lot of the work it does “is hampered by the CMA” and wants reform so that vital threat intelligence work becomes commercially and ethically easier.

The CyberUp Campaign includes NCC Group, alongside representatives from vendors Digital Shadows, McAfee and Trend Micro, industry trade bodies techUK and CREST, and a number of prominent lawyers, academics and researchers in the field of cybersecurity.

In an email to Infosecurity, Robert Schifreen, who was one of the two people initially charged with accessing the Duke of Edinburgh’s personal message box after gaining access to BT’s Prestel interactive viewdata service, agreed that the CMA “could do with a polish.” However, he also said it is basically fit for purpose, “and I don't see much evidence that researchers are being dissuaded from researching in case their possession of pen test tools results in them being prosecuted.”

He added: “If anyone wants to criticize a key element of the fight against cybercrime, attacking Action Fraud would be more useful than attacking the CMA.”

Categories: Cyber Risk News

Online Learning Platform Exposes Data on One Million Students

Info Security - Mon, 06/29/2020 - 08:45
Online Learning Platform Exposes Data on One Million Students

Over one million North American students have had their data exposed after a popular online learning platform left it in a publicly accessible cloud database, according to vpnMentor.

Researchers from the firm claimed that the Elasticsearch database belonging to provider OneClass was left completely unsecured.

The trove contained over 27GB of data, amounting to 8.9 million records, including many students’ full names, email addresses, schools/universities, phone numbers, account details and school enrollment details.

Although OneClass secured the database just a few days after being notified on May 20 this year, it subsequently claimed that the exposed information was merely test data, according to vpnMentor.

“However, during our investigation, we had used publicly available information to verify a small sample of records in the database,” the researchers continued.

“Taking the PII data from numerous records, we found the social profiles of lecturers and other users on various platforms that matched the records in OneClass’s database. Based on this, we doubt the veracity of OneClass’s claim and stand by our assessment.”

It goes without saying that hackers could have conducted highly effective follow-on phishing emails with the exposed data, with a view to obtaining financial details from victims, or even spreading malware.

“Furthermore, OneClass users are very young — including minors — and will generally be unaware of most criminal schemes and frauds online. This makes them particularly vulnerable targets. It’s also likely many of them use their parent’s credit cards to sign up, exposing their whole family to risk,” vpnMentor explained.

“With so many students relying on remote learning due to coronavirus, OneClass could be experiencing a surge in new users. Hackers could quickly create fraudulent emails using the pandemic and related uncertainty as a pretext to contact potential victims, posing as OneClass and asking them to divulge sensitive information.”

That’s not to mention the reputational hit to OneClass itself and a potentially significant regulatory compliance burden. Headquartered in Toronto, the firm provides online education resources to millions of students in North America.

Categories: Cyber Risk News

US Bill Proposes Ban on Feds' Using Facial Recognition Technology

Info Security - Fri, 06/26/2020 - 15:30
US Bill Proposes Ban on Feds' Using Facial Recognition Technology

US lawmakers have introduced a bill that proposes banning federal law enforcement agencies from using facial recognition and biometric surveillance technology.

The Facial Recognition and Biometric Technology Moratorium Act of 2020 was introduced yesterday by Senators Ed Markey and Jeff Merkley. 

If passed into law, the wide-sweeping bill would make federal funding for state and local law enforcement agencies contingent on the implementation of similar tech and surveillance bans. 

Markey said the bill would prevent the use of technology that poses a physical threat to minority groups residing in the United States. In the Massachusetts senator's opinion, banning the police from using such tools is the "only responsible thing to do."

“Facial recognition technology doesn’t just pose a grave threat to our privacy, it physically endangers Black Americans and other minority populations in our country,” Markey said in a statement. 

“As we work to dismantle the systematic racism that permeates every part of our society, we can’t ignore the harms that these technologies present."

The bill proposes making it unlawful for any federal official or agency to "acquire, possess, access or use” biometric surveillance technology in the United States. It further prohibits the use of federal cash to procure this type of technology.

Use of this type of surveillance technology is not prohibited entirely under the new bill but would only be allowed if exercised with extreme caution and in adherence to a federal law containing a long list of provisions.

Cynics might conclude that the timing of the bill's introduction, in the wake of protests triggered by George Floyd's death and in an election year, was motivated by political gain. 

The Pinellas County Sheriff’s Office in Florida has been using FACES (Face Analysis Comparison and Examination System) for two decades. And, according to a 2019 report by the United States Government Accountability Office (GAO), the FBI has logged more than 390,000 facial-recognition searches of federal and local databases since 2011.

Various civil liberties and human rights groups including Amnesty International and the American Civil Liberties Union have been campaigning for surveillance technology to be banned for years on the grounds that it infringes upon people's constitutional freedoms and is marred by racial and gender bias.

Categories: Cyber Risk News

Fraudster Jailed for Stealing Millions from US Seniors

Info Security - Fri, 06/26/2020 - 15:14
Fraudster Jailed for Stealing Millions from US Seniors

A despicable Brit has been jailed after stealing from America's elderly to fund his extravagant millionaire lifestyle. 

Fraudster Gareth David Long was sentenced to 70 months in prison for running an elaborate scheme that claimed more than 375,000 victims during a six-month period in 2013.

Las Vegas resident Long operated a third-party processing company V Internet Corp from 2008 to 2013 that specialized in the creation and deposit of remotely created checks (RCCs). Through his work, the 41-year-old had access to the personal and financial information of hundreds of thousands of consumers whose accounts he was trusted to debit.

After he stopped acting as a third-party payment processor in January 2013, Long used the data he had acquired over the previous five years to charge purchases to his victims' accounts. 

Not content with the data he had acquired legally and then exploited illegally, Long purchased the information of additional consumers in the form of lead lists.

Over the course of his large-scale wire fraud and identity theft scheme, Long deposited more than 750,000 fraudulent RCCs totaling more than $22m. While approximately half of the checks were immediately reversed by victims’ banks, the unscrupulous criminal nevertheless succeeded in stealing approximately $11m.

When victims called to complain about the charges, Long instructed his employees to pass the charges off as payments authorized by the victims in connection with an online payday loan application. Many of the victims were elderly.

Long used the proceeds of his morally derelict scheme to purchase cars, three airplanes, a fire truck, a ranch, and 23 acres of land in Texas and to pay his personal expenses. He also bought construction and farming equipment. 

The US Postal Inspection Service seized more than $2.9m from Long’s company bank accounts. Property that Long purchased with the proceeds of his fraudulent activity, including his cars and planes, was also seized by postal inspectors. 

Long pleaded guilty to wire fraud and aggravated identity theft charges. As part of the sentencing hearing, the court ordered Long to forfeit $11.2m and the ranch and land he purchased in Texas.

Jody Hunt, assistant attorney general for the Justice Department’s Civil Division, said: “The defendant exploited his access to sensitive personal and financial information to steal millions of dollars from victims throughout the United States."

Categories: Cyber Risk News