Michigan's Largest Healthcare Provider Phished Again

Info Security - Tue, 08/04/2020 - 17:39

Michigan's largest healthcare provider has warned around 6,000 patients that their data may have been exposed following a cyber-attack.

The cybersecurity incident is the second phishing-related data breach to befall Beaumont Health in recent months. 

In April, the organization started notifying 112,211 individuals that some of their personal health information (PHI) had been exposed. The warning came after a data breach in late 2019 that resulted in some email accounts being compromised.

Beaumont responded by improving its multi-factor authentication software, conducting risk analysis, and providing additional employee training on spotting malicious email.

On June 5, Beaumont Health finished investigating a second data breach in which email accounts were accessed by unauthorized individuals between January 3, 2020, and January 29, 2020. 

Emails within the compromised accounts contained PHI that included names, dates of birth, diagnoses, diagnosis codes, procedure and treatment information, type of treatment provided, prescription information, patient account numbers, and medical record numbers.

The healthcare provider stated that while the email accounts had been compromised, no evidence had been discovered to suggest that any emails or attachments associated with the accounts had been viewed or copied. 

To date, no reports have been received by Beaumont that indicate any of the exposed patient data has been misused. 

Beaumont privacy officer Kelly Partin told the Detroit Free Press that a small number of employees had fallen victim to a phishing scam with the result that six email accounts were compromised.

The incident was detected through routine monitoring carried out in January 2020. Beaumont subsequently launched an investigation that concluded on June 5 that one or more of the accessed email accounts contained patient PHI.

“However, out of an abundance of caution, we are issuing notices to anyone whose information may have been contained in the accessed accounts," said a Beaumont spokesperson.

The individuals impacted by the incident represent just 0.3% of Beaumont's 2.3 million patients. Notifications were issued on July 25, and impacted patients were warned to monitor their bank accounts and insurance statements for fraudulent transactions.

Beaumont said that immediately after the latest breach was detected, steps were taken to disable the email accounts involved and perform password resets. 

FBI Issues Online Shopping Scam Alert

Info Security - Tue, 08/04/2020 - 16:18

The Federal Bureau of Investigation has issued a warning to online shoppers after a rise in the number of Americans not receiving items purchased on the internet. 

In a statement published yesterday, the FBI said that an increasing number of victims are being directed to fraudulent websites via social media platforms and popular online search engines. 

Complainants reported that orders placed through these sites didn't turn up or that they only received disposable face masks from China, regardless of what they had purchased. 

"Some victims who complained to the vendor about their shipments were offered partial reimbursement and told to keep the face masks as compensation," said the FBI. 

All attempts made by the victims to be fully reimbursed, or to get a hold of the actual items they had ordered, were unsuccessful.

The scammers used a private domain registration service to avoid their personal information being published in the public Whois directory. Instead of ".com", the malicious sites used the top-level domains (TLDs) ".club" and ".top". 

To appear authentic, the retail websites included content copied from legitimate sites. Many provided valid but unassociated US addresses and telephone numbers under a “Contact Us” link, misleading users to believe the retailer was located within the United States.

Victims were lured with the promise of low prices on items currently in high demand due to lockdown measures introduced to slow the spread of the novel coronavirus. Goods that feature in the complaints received by the FBI include gym equipment, small appliances, tools, and furniture.

The FBI stated: "Victims reported they were led to these websites via ads on social media platforms or while searching for specific items on online search engines’ 'shopping' pages. Victims purchased items from these websites because prices were consistently lower than those offered by other online retail stores." 

Reesha Dedhia, security evangelist at PerimeterX, noted: “In addition to ads on social media platforms and search engines, we have also recently seen a scam from browser extensions that involves redirecting a shopper’s browser to a bunch of malicious domains and websites with the goal of stealing a user’s data and displaying malicious ads."

Facebook Seen as Riskiest Online Platform

Info Security - Tue, 08/04/2020 - 14:46

Internet users have named Facebook as the online platform that poses the biggest security risk to their personal data.  

A survey conducted by Australia's Edith Cowan University found that 68% of respondents believed their data to be insecure on Facebook. Instagram and Twitter were viewed as risky by 65% and 57% of respondents, respectively.

Social media was seen as far more dangerous in terms of data security than other online platforms. While 28% of respondents believed their data wasn't safe on email and 27% said the same about online health portals, only 14% reckoned online banking poses a risk.

Millennials were the most mistrustful of Facebook, with 73% labeling the platform as insecure. By contrast, baby boomers were most suspicious of Instagram, with around 72% believing use of the image-led platform to be risky. 

The study surveyed 1,130 people from Europe, the United States, and Australia "to see how safe people feel in their highly wired lives and what they're doing to keep themselves safe."

More than half of respondents (59%) said that the most dangerous feature to personal privacy was location sharing. Other features that gave users a bad feeling were facial recognition and fingerprint ID.

The most common measures people have taken to protect themselves from hacking were using antivirus protection software (66%), using two-step password authentication (59%), setting up strong security questions (50%), and using unique passwords for different accounts (48%).

Interestingly, the proportion of survey respondents who worried about being hacked was low. 

Researchers wrote: "About 25% of Americans voiced concern about the possibility, compared to 26% of Australians and 29% of Europeans participating in our survey. Nevertheless, 70% of respondents still said they believe data privacy is important, and they do believe their devices could be hacked."

Baby boomers were found to be the generation most opposed to government monitoring and the generation most likely to use antivirus protection software (78% of all respondents). The youngest tech users—members of Generation Z—were the least likely, at 57%. 

"Instead, they tended to use two-step password authentication the most, although only 64% of Gen Z users have done so," noted researchers.

WastedLocker Ransomware “Most Sophisticated Attack” Outside Nation State Use

Info Security - Tue, 08/04/2020 - 13:02

Ransomware can be dealt with more effectively if security teams have a clearer view of suspect behavior on the network.

Speaking to Infosecurity, Sophos chief product officer Dan Schiappa and principal research scientist Chester Wisniewski said many issues can be dealt with if teams detect legitimate tools being used in unexpected ways. Wisniewski said: “So if you see PowerShell or a scanner running outside of planned maintenance, or IT needs permission to run a sniffer, those are easy to detect, and if the SOC knows when maintenance is happening, they know it is bad.

“This requires discipline, and while most companies don’t have a SOC, these need to be investigated and looked into, and this is most challenging for companies.”

As Sophos publishes a multi-part research series on the realities of ransomware, Wisniewski said that the state of cybersecurity means we worry less about our parents' laptops than we did ten years ago, as there is less Flash and Java use, but if you are targeted with ransomware “it is a bad day and you never find out the truth on how [the attacker] got in and hard to learn from mistakes.”

Schiappa said adversaries are increasingly taking a nation-state-style approach, operating hands-on with existing tools, doing reconnaissance and finding out which data they can hold to ransom. He said the best detection strategy combines AI used in a variety of ways, including running deep learning neural network models, with human intelligence.

“Look at endpoint detection and response (EDR) for example, it is learning to look for indicators of compromise and a certain chain of events that allows the analyst to scale quickly,” he said.

Among the new research by Sophos, a detailed look at new detection evasion techniques used by the WastedLocker ransomware reveals that the Windows Cache Manager and memory-mapped I/O are leveraged to encrypt files. In particular, it uses memory-mapped I/O to encrypt a file, making it harder for behavior-based anti-ransomware solutions to keep track of what is going on.

Wisniewski said the likes of WastedLocker take evasive tactics to a new level in finding ways to bypass behavioral anti-ransomware tools. “This is the latest example of attackers getting their hands dirty, using new maneuvers to manually disable software as a precursor to a full blown ransomware attack.

“The longer attackers are in the network, the more damage they can inflict. This is why human intelligence and response are critical security components to detect and neutralize early indicators that an attack is underway. Organizations need to know about escalating trends and harden their perimeter by disabling remote access tools like RDP whenever possible to prevent crooks from gaining access to the network, a common denominator in many ransomware attacks that Sophos analyses.”

Wisniewski called WastedLocker the most sophisticated attack he had seen outside of those used by nation states. “Not only successful as a large dollar game, but WastedLocker is investing in being as silent as possible.”

Google Bans Ads Linking to Hacked Political Content

Info Security - Tue, 08/04/2020 - 10:05

Google has taken significant steps to prevent interference in the 2020 US Presidential election by blocking ads that contain hacked political content.

The move appears designed to prevent a re-run of the lead-up to the last election, when damaging materials were leaked online by Russian hackers and then published and republished by third-party sites to help scupper Democrat hopes.

Twitter has since 2018 banned the spread of all hacked content on its platform including anything political-related.

The Google Ads Hacked political materials policy will officially be launched on September 1, 2020 and applies first to ads covered by the tech giant’s US election ads policy.

It said the rules apply to the following:

“Ads that directly facilitate or advertise access to hacked material related to political entities within scope of Google's elections ads policies. This applies to all protected material that was obtained through the unauthorized intrusion or access of a computer, computer network, or personal electronic device, even if distributed by a third party.”

However, Google will allow “discussion of or commentary on” any hacked content as long as the ad or landing page doesn’t allow direct access to it.

Any entity violating the policy will be notified seven days before their account is suspended.

Google also announced a policy to ban advertisers that try to conceal their identities whilst promoting social, political and other issues.

This follows an announcement last November that it was restricting political advertising to ban deepfake content and “ads or destinations making demonstrably false claims that could significantly undermine participation or trust in an electoral or democratic process.”

It has also limited targeted advertising to “age, gender, and general location.”

However, reports suggest that even with these new steps, US tech giants are fighting a losing battle against misinformation ahead of the election, which could be the most divisive and hotly contested in living memory.

New AppMaker Tool Promises Censorship-Free Content

Info Security - Tue, 08/04/2020 - 09:24

NGOs and other organizations with limited resources can now build their own Android apps designed to bypass censorship filters in China and beyond, thanks to rights group GreatFire.org.

On Monday, the China-focused anti-censorship group launched its new GreatFire AppMaker tool, allowing any organization that uses it to effectively unblock its content behind the Great Firewall and in other autocratic states.

GreatFire co-founder, Charlie Smith, told Infosecurity that the tool is based on the group’s “Collateral Freedom” approach.

This relies on hosting content on major cloud services like AWS that are too important for censors to block, whilst using encrypted domains so the censors can’t selectively block URLs — in effect meaning they’d have to take down AWS completely for all users inside the Middle Kingdom.

Organizations that want to build their own censorship-busting apps first need to visit the AppMaker website, choose a name for their app, specify the web page from which the app will gather content, and supply a file to serve as the app icon.

“Click ‘Submit’ after adding the information above. GreatFire will then start to compile (create) your Android app based on this information (this process will take no more than five minutes),” the group explained.

“Once the app has been compiled, a download link for the app’s Android Package (APK - or the actual software for the app) will appear. Once downloaded, your app can be installed on any Android device and be made available to others so that they can install the app.”

The Human Rights Foundation (HRF) has already created an app via the tool, which also draws inspiration from GreatFire’s own FreeBrowser app.

“It is time for the Chinese government's Great Firewall to come tumbling down,” said Jenny Wang, strategic advisor at the HRF. “Along with our friends at GreatFire, we stand dedicated to beating Chinese censorship - one phone at a time.”

NetWalker RaaS Makes $25m in Five Months

Info Security - Tue, 08/04/2020 - 08:45

Ransomware-as-a-service (RaaS) group NetWalker has made $25 million in just a matter of months, according to new research from McAfee.

The ransomware works via an affiliate model, whereby operators build custom versions of the malware and distributors (affiliates) are invited to deploy it, receiving a cut of around 80% of the profits.

By monitoring Bitcoin addresses under the control of NetWalker actors, McAfee was able to spot 2795 BTC flowing to the attackers between March 1 and July 27, 2020.

“Even though we do not have complete visibility into the BTC flow before NetWalker started ramping up, one thing is certain, this quarter alone it has been highly successful at extorting organisations for large amounts of money,” the report noted.

“All this at a time when many sectors are struggling because people are sheltering in place and governments are trying to keep businesses from going bankrupt. NetWalker is making millions off the backs of legitimate companies.”

The success of the group appears to have come from the tactics it has deployed over the past few months.

Although first appearing in August 2019, NetWalker more recently adopted the RaaS model and began recruiting affiliates with strong technical expertise in targeted attacks and data theft of the sort used by Maze, REvil, Ryuk and other groups.

Advertising on the cybercrime underground, especially by a threat actor known as “Bugatti,” shares information on updates to the ransomware and helps to recruit new affiliates capable of compromising whole corporate networks, rather than end users, McAfee said.

Attacks typically start with spear-phishing emails, Tomcat and WebLogic server exploits, and by compromising RDP endpoints protected by weak passwords, it claimed.

Like several of its peers, the group will upload stolen data to a dedicated page and entry for each corporate victim that refuses to pay the ransom.

Malware Author Admits Role in $568m Cyber-Fraud

Info Security - Mon, 08/03/2020 - 17:30

A malware author has pleaded guilty to conspiracy for his role in a transnational cybercrime organization responsible for stealing over $568m. 

Valerian Chiochiu, a.k.a. “Onassis,” “Flagler,” “Socrate,” and “Eclessiastes,” admitted being involved with one of the largest cyber-fraud enterprises ever created that victimized Americans in all 50 states and millions globally.

The 30-year-old Moldovan national was living in the United States when he conspired with the Infraud Organization. During the course of its seven-year history, Infraud inflicted approximately $2.2bn in intended losses, and more than $568m in actual losses, on a large number of financial institutions, merchants, and private individuals.

Under the slogan “In Fraud We Trust,” this internet-based cyber-criminal enterprise engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband.

Infraud directed traffic and potential purchasers to the automated vending sites of its more than 10,000 members. The sites served as online conduits to the traffic of malware, stolen financial and banking information, stolen means of identification, and other illicit goods. 

According to the indictment, Chiochiu provided guidance to Infraud members on the development, deployment, and use of malware as a means of harvesting stolen data. As part of his plea agreement, Chiochiu admitted to authoring a strain of malware known to the computer security community as “FastPOS.”

Chiochiu's guilty plea was given on July 31 before US District Court Judge James C. Mahan in the District of Nevada. The admission came just over a month after the Russian co-founder and administrator of Infraud, Sergey Medvedev, separately pleaded guilty on June 26.  

According to the indictment, Infraud was created in October 2010 by Medvedev and Svyatoslav Bondarenko, a.k.a. “Obnon,” “Rector,” and “Helkern,” 34, of Ukraine. Bondarenko remains at large. 

Sentencing for Chiochiu has been scheduled to take place on December 11.

Special Agent in Charge Francisco Burrola for the US Immigration and Customs Enforcement’s Homeland Security Investigations (HSI) Las Vegas Office said: “While criminal operators may continue to grow the reach of their criminal activity, ultimately they do not escape the reach of law enforcement."

Second Data Breach at Kentucky Unemployment System

Info Security - Mon, 08/03/2020 - 16:35

Kentucky's unemployment system appears to have suffered its second data breach in four months after a claimant reported being able to view another claimant's personal data.

The reporter of the alleged breach logged on to the Office of Unemployment Insurance's (OUI) online system on July 27 to work on their unemployment application. While trying to enter their own details, the claimant was able to view information about another claimant's former employer and health. 

A statement released on July 29 by the Labor Cabinet said that the reporter of the alleged breach was not shown the other claimant's name, Social Security number, or other personally identifying information.

The statement read: "On July 27, 2020, at approximately 4 p.m., the Office of Unemployment Insurance ("OUI") learned that a claimant (Claimant A) had seen information pertaining to another individual (Claimant B) while Claimant A was navigating his own unemployment application in the OUI online system. Specifically, as he was navigating his application, Claimant A saw information about Claimant B's former employer, as well as information pertaining to Claimant B's health." 

The cabinet said that OUI was "reporting this potential breach out of an abundance of caution" while the allegations are investigated by the Office of Technology Services.

On July 28, the fired former director of Kentucky’s unemployment office told a panel of lawmakers that officials at the Education and Workforce Development Cabinet took no action for a day following reports that claimants had been able to log in to the OUI system and see other people's sensitive information.

Muncie McNamara was hired to run the unemployment office in December but lost his job in May after months of reported backlogs in the system. McNamara said an email he sent to the IT department on April 22 about a possible breach received no response.

J.T. Henderson, a spokesman at the Cabinet for Education and Workforce Development, said the only “verifiable” claims of a data breach were received on April 23.

Following the April data breach, 53,029 Kentuckians who filed unemployment claims between March 1 and April 23 were notified that their data may have been exposed.

Kentucky's current unemployment rate is 4.3%, with nearly 83,000 Kentuckians registered as unemployed in June 2020.

Cyber-Criminals Ease Off Travel Industry

Info Security - Mon, 08/03/2020 - 16:30

Cyber-criminals are redirecting their attacks from the travel and hospitality industry to the computer and IT sector. 

According to new research by Specops Software, 4 in 5 businesses in the computer and IT industry have seen an increase in cybercrime threats since COVID-19 made working from home the new normal. The percentage of businesses attacked in this sector was higher than in any other field.

While cyber-attacks against the travel and hospitality sector have gone up since the pandemic began, the increase was the smallest experienced by any industry.  

The findings were the result of a survey that asked 2,043 business owners across 11 different sectors how many cybercrime threats or attempts they had experienced since making the switch to remote working.

Researchers found more than half of all businesses (54%) reported an increase in cyber-attacks while working from home. Despite this, just over half (52%) of businesses, surveyed across all sectors, said that they were mulling over whether to make the switch to remote working for their employees permanent post-COVID.

Asked what type of attack had increased the most, all sectors answered phishing attempts. The attack that almost all businesses reported being most concerned over was ransomware. While 96% of businesses were worried about ransomware, 74% said crypto-jacking was a concern and 67% feared phishing. 

Despite 78% of computer and IT businesses reporting that they had experienced an increase in cyber-attacks, 85% of businesses in this sector said that they might introduce permanent remote working. By contrast, just 23% of businesses in the travel and hospitality sector were considering making working from home permanent and 31% reported a rise in the number of cyber-attacks they had experienced.

More than 7 in 10 (73%) businesses in the medical and health sector reported an increase in cybercrime threats since lockdown began, with many experiencing sophisticated malware attacks in recent months.

Researchers wrote: "Although hackers have promised no more healthcare attacks, the sector is still highly vulnerable and concerned about future attacks. This is one of the reasons only 32% of businesses in this sector would consider remote working for employees."

Havenly Breach Hits Over 1.3 Million Accounts

Info Security - Mon, 08/03/2020 - 12:02

Havenly has become the latest online firm to suffer a serious breach of customer data after hackers published the information for free on the dark web.

Notorious dark web trader ShinyHunters was spotted last week posting the data of nearly 1.4 million accounts online.

They’re said to be part of a much bigger 386 million record trove that includes data from customers of Dave, Promo and HomeChef, which had been previously disclosed.

According to breach notification site HaveIBeenPwned, the data from Havenly customers includes email addresses, names, phone numbers, geographic locations and passwords stored as SHA-1 hashes.

However, an email to customers from the interior design company last week failed to mention the compromise of personal data at all, instead focusing on the fact that no financial details were disclosed.

“We are working with external security experts to investigate this matter. However, in the meantime, out of an abundance of caution, we are logging all existing customers out of their Havenly accounts and asking our customers to reset their password when they next log in to the Havenly website,” it continued.

“As a best practice, we also encourage all of our customers to use different passwords across all online services and applications, and to update those passwords now and on a regular basis.”

According to HaveIBeenPwned, the breach itself took place over a month ago, on June 25, with the personal customer data “subsequently shared extensively throughout online hacking communities.”

That means, at the very least, those same customers should be informed of potential phishing and identity fraud risks stemming from the incident.

Last week it was revealed that a breach at Promo.com had compromised over 14 million accounts, while one at LA-based fintech Dave included an estimated 7.5 million records.

Hundreds Targeted By Free TV License Scam

Info Security - Mon, 08/03/2020 - 11:00

Researchers from the think tank Parliament Street have uncovered a text message scam offering a ‘Free TV License.’

Coinciding with the BBC’s controversial decision to axe the universal free TV license for over-75s, the fraud is designed to steal the personal financial data of victims.

According to the Parliament Street researchers, hundreds of UK consumers have already been targeted by the scam, which begins with a text message sent to the recipient’s phone that reads: “Due to COVID-19 we are able to provide one year free of charge TV License service upon application.” The message then prompts the user to visit a fraudulent website that uses official TV license branding.

From there, victims are asked to enter various pieces of personal information including name, date of birth, home address and banking details, which are then stolen.

“This SMS-based phishing attack, otherwise known as a smishing attack, is yet another case of opportunistic cyber-criminals looking to take advantage of unknowing victims during COVID-19,” said cyber-expert Andy Heather, VP, Centrify. “The BBC license fee has been the source of ongoing debate in recent times, and this smishing campaign holds a veneer of legitimacy, just enough to trick some unsuspecting victims into giving away their payment details.”

What’s more, he added, the psychology behind receiving an SMS message is a lot different when compared to receiving an email. “The former is generally considered to be a lot more personable, and thus a smishing attack may catch many individuals off-guard.”

Tim Sadler, CEO at Tessian, commented: “Throughout the pandemic, we’ve seen a spike in phishing attacks whereby hackers impersonate trusted organizations and government agencies, preying on people’s vulnerabilities during these stressful times. In this particular case, hackers are taking advantage of the fact that people are struggling financially in the wake of the pandemic, offering a free TV license, to steal valuable information.”

Sadler explained that awareness of such scams is the first step in defending against them. “Look out for any use of ungrammatical language in the text and if the offer seems too good to be true, then do not click on any links. Visit the official TV licensee website to verify if the offer is real.”

Microsoft in Talks to Buy TikTok in the US

Info Security - Mon, 08/03/2020 - 09:35

Microsoft has revealed it is in preliminary talks to buy TikTok’s operations in several countries outside China, in a deal that would help allay the national security concerns about the app that are mounting in Washington.

Under the proposals, which have been filed with the increasingly influential Committee on Foreign Investment in the United States (CFIUS), Microsoft would own and operate TikTok in the US, Canada, Australia and New Zealand.

“This new structure would build on the experience TikTok users currently love, while adding world-class security, privacy and digital safety protections. The operating model for the service would be built to ensure transparency to users as well as appropriate security oversight by governments in these countries,” Microsoft said in a blog post.

“Among other measures, Microsoft would ensure that all private data of TikTok’s American users is transferred to and remains in the United States. To the extent that any such data is currently stored or backed-up outside the United States, Microsoft would ensure that this data is deleted from servers outside the country after it is transferred.”

The update claimed Microsoft CEO Satya Nadella has been in contact not only with TikTok’s Chinese parent company ByteDance but also US President Donald Trump, highlighting the politicized nature of the deal.

Hawks in Washington are concerned that the app provides a covert channel for the Chinese government to spy on its global users — suggestions fiercely denied by the company. Others have argued that the US simply doesn’t want a Chinese-owned social media app becoming a global success.

There have also been concerns that the firm has kowtowed to Beijing by banning content on its platform that the Communist Party might find offensive.

The app has already been banned in India and by the US military, ostensibly on security concerns.

The Microsoft news comes as mounting reports suggest Trump was planning to ban the app in the US. TikTok recently hired former Disney exec Kevin Mayer as CEO.

“If Microsoft is the buyer, it is part of a pattern trying to buy cool brands (e.g. it bought Skype and LinkedIn before) to stay fresh,” argued Roslyn Layton, co-founder of ChinaTechThreat.

“The price of TikTok would be peanuts for them. The regulators would be happy that it’s out of Chinese hands. There could be some pushback from ‘big tech’ detractors, but on the other hand, the security concerns are greater.”

Three Arrested for Twitter VIP Account Hijacking

Info Security - Mon, 08/03/2020 - 08:30

Two teens and a man in his early 20s have been arrested for the account hijacking cyber-attack on high-profile Twitter users that took place in mid-July.  

The three males are Mason Sheppard (aka “Chaewon”), 19, of Bognor Regis in the UK, Nima Fazeli (aka “Rolex”), 22, of Orlando, Florida, and a 17-year-old boy from Tampa, Florida.

Sheppard has been charged with conspiracy to commit wire fraud, conspiracy to commit money laundering and the intentional access of a protected computer, while Fazeli has been charged with aiding and abetting the intentional access of a protected computer.

The 17-year-old’s charges have been sealed to protect his identity, although reports suggest he was the ringleader of the attack and faces 30 felony charges. He is being tried in a state court as Florida law reportedly allows minors to be charged as adults in some financial crime cases.

The three are said to have spear-phished Twitter employees by phone (a vishing attack) to gain access to the company's internal account-support tools. They then used those tools to access 130 high-profile accounts, tweeting from over 40 of them, including corporate accounts such as Apple, Bitcoin and Coinbase, as well as those of business leaders and celebrities.

These included Jeff Bezos, Bill Gates, Barack Obama, Joe Biden, Elon Musk, Kanye West and many others. The messages were designed to trick followers into sending digital currency to a Bitcoin wallet address the three controlled.

They are said to have received $100,000 from more than 400 transfers of funds.

More worryingly, the three also gained access to the private direct messages (DMs) of 36 accounts and downloaded account data from seven.

Kelly Jackson, IRS-Criminal Investigation (IRS-CI) special agent in charge of the Washington DC Field Office, argued that her team was able to unravel the mystery of the attack by analyzing the hackers’ attempts to launder their funds.

“The Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers,” she continued.

“This case serves as a great example of how following the money, international collaboration and public-private partnerships can work to successfully take down a perceived anonymous criminal enterprise. Regardless of the illicit scheme, and whether the proceeds are virtual or tangible, IRS-CI will continue to follow the money and unravel complex financial transactions.”

Categories: Cyber Risk News

Ohio Researcher Admits Selling Secrets to China

Info Security - Fri, 07/31/2020 - 18:01

An American researcher has admitted stealing scientific trade secrets from a children's hospital and selling them to China.

Former Ohio resident Li Chen pleaded guilty yesterday to conspiring to steal scientific trade secrets and conspiring to commit wire fraud concerning the research, identification, and treatment of a range of pediatric medical conditions. 

Chen and her husband, alleged co-conspirator Yu Zhou, 49, worked in separate medical research labs at the Nationwide Children's Hospital's Research Institute for 10 years each (Zhou from 2007 until 2017 and Chen from 2008 until 2018). 

The couple were arrested in California in July 2019 and charged with conspiring to steal at least five trade secrets related to research on the cellular components known as exosomes. 

Known to facilitate cell-to-cell communication, exosomes play a key role in the research, identification and treatment of several medical conditions, including liver cancer and necrotizing enterocolitis, an intestinal disease that affects premature babies.

Chen conspired to steal and then monetize one of the trade secrets by making and selling exosome “isolation kits.” The 46-year-old then set up a company in China to sell the kits. 

In return for the secrets, Chen received benefits from the Chinese government, including from the State Administration of Foreign Expert Affairs and the National Natural Science Foundation of China.

The US Department of Justice said: "Chen also applied to multiple Chinese government talent plans, a method used by China to transfer foreign research and technology to the Chinese government."

As part of her plea, the once-trusted researcher has agreed to forfeit approximately $1.4m together with 500,000 shares of common stock of Avalon GloboCare Corp. and 400 shares of common stock of GenExosome Technologies Inc.

US attorney David DeVillers commended the cooperation of the research institute throughout the investigation into the thefts.

“Nationwide Children’s Hospital’s Research Institute took reasonable measures to protect its cutting-edge intellectual property and trade secrets regarding exosomes," said DeVillers.

“Chen betrayed her employer of 10 years by stealing trade secrets from this American institution and transferring them to China after receiving payments from the Chinese government.”

Categories: Cyber Risk News

Volunteer Program Aims to Secure US Election

Info Security - Fri, 07/31/2020 - 17:00

The University of Chicago has launched a new initiative that aims to increase the cybersecurity of America’s forthcoming presidential election.

Election Cyber Surge will function as a matchmaker service, connecting US election officials concerned about cybersecurity with volunteers who are experts in the field.

Officials will choose an area of particular weakness, and then choose from a list of volunteer helpers someone from whom they would like to receive help over the phone, via text, or through a video chat. 

The assistance provided by the group will be opened up to all state and local election officials. 

The program will launch with 50 volunteers, all of whom will have gone through some form of vetting. Most of the volunteers who have already signed up are cybersecurity professionals with at least ten years of experience who were located through the university's contact database.

Election Cyber Surge said that their volunteer technologists represent a cross-section of the information security field, including election security, cybersecurity, and IT.

Exactly what vetting is involved in the volunteer selection process is not mentioned on the university’s dedicated project web page. Those seeking to apply for a volunteer position are simply asked to provide their name, email address, organization, phone number, zip code, key skills and any comments, and to indicate if they have previously attended the DEF CON Voting Village. 

Commenting on the new initiative, project leader Maya Worman, a long-serving former government cybersecurity strategist, said: “The need is obvious, but the help exists.”

Javvad Malik, security awareness advocate at KnowBe4, said that while the project could be helpful, bringing a brigade of volunteers into election security offers no guarantee that effective cybersecurity measures will actually be implemented.

“If the volunteers find issues, the question then arises as to whether there are resources allocated that can address those issues, put in place fixes, and validate the effectiveness,” said Malik. 

“So, while volunteers can play a significant role, there is still a lot of other work that will need to be done as part of an overall effective cybersecurity strategy.”

What the formation of the group has affirmed is that there is a lack of confidence in the security of America’s electoral system. 

Categories: Cyber Risk News

Digital Propaganda Campaign Discredits US

Info Security - Fri, 07/31/2020 - 15:25

Researchers have discovered a digital propaganda campaign focused on spreading false information and inciting hatred against the US and the North Atlantic Treaty Organization (NATO). 

Dubbed Ghostwriter, the apparently well-resourced campaign has sought to portray the presence of American and NATO troops in Europe as aggressive and dangerous to local populations. 

Tactics used to turn public opinion against the US and NATO include publishing content that accuses both targets of worsening the spread of COVID-19 in Europe.

The campaign, which began in 2017, was discovered by researchers at FireEye, who were unable to attribute the content to a single actor or group. Instead, Ghostwriter is defined as an "activity set": a body of malicious content linked by shared behavioral characteristics and personas.

Researchers say that in addition to circulating a litany of untruths, Ghostwriter operations have leveraged entirely fabricated official documents and correspondence to add an appearance of authenticity to their false narratives.

One malicious action featured a fabricated letter presented as having been authored by NATO Secretary General Jens Stoltenberg that was disseminated by Ghostwriter personas to bolster a narrative suggesting that NATO was planning to withdraw from Lithuania in response to the COVID-19 pandemic.

In a further push to make their claims appear genuine, Ghostwriter operations "have leveraged compromised websites, including legitimate news websites, to publish fabricated content, or used spoofed email accounts to engage in direct outreach and dissemination of content to NATO itself and national organizations and media outlets in the target countries."

A common theme in Ghostwriter content is the inclusion of fabricated quotes with false attributions. Some of the campaign's content has been identified and publicly discredited by European governments.

Researchers stated: "On several occasions, news outlets and government agencies in Lithuania, Latvia, and Poland have issued public statements declaring content and narratives promoted as part of what we identify as Ghostwriter to be untrue and have labeled them to be disinformation or fake news.” 

While no unequivocal evidence has been found to date that links the campaign to any particular person, organization or country, researchers said Ghostwriter propaganda has included "strategic discussion favoring Russia over other world powers."

Categories: Cyber Risk News

Many Second Hand Phones Are Sold with Security Vulnerabilities

Info Security - Fri, 07/31/2020 - 14:25

A substantial proportion of second-hand mobile phones are exposed to attack because they no longer receive security updates, an investigation by Which? has found.

The analysis centered on three popular mobile phone retailers: SmartFoneStore, Music Magpie and CeX. The worst affected was CeX, where nearly a third (31%) of phones sold are no longer supported by manufacturer security updates. For SmartFoneStore, 17% of models sold were unsupported, while for Music Magpie it was 20%.

Devices that no longer receive patches remain permanently exposed to publicly known vulnerabilities, giving cyber-criminals a reliable way to target them.

Which? said that it presented the three companies with its findings. Since then, SmartFoneStore has added a warning on unsupported devices so buyers are aware before they purchase, while Music Magpie has removed all the affected devices from sale. Which? said it had not yet received a response from CeX.

Which? has advised that customers check the manufacturer's security-updates page to confirm that a model is still supported before buying it used.

Commenting on the findings, Jake Moore, cybersecurity specialist at ESET, said: “It may sound like a great deal to purchase an older and cheaper device, but unfortunately you can’t put a price on security.

“Older phones notoriously have a use-by-date when they are no longer supported by security patches. These devices will often still work as normal on the surface, but threat actors can use older vulnerabilities under the hood to target their victims with ease, so those at risk must be reminded to check which operating system it currently supports before purchasing.”

For Android phones, there will typically be two years of operating system updates and three years of security updates, although the exact period depends on the manufacturer and model. For Apple iPhones, system and security updates are usually packaged together and continue for an average of five to six years.
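As an added example (not part of the Which? investigation or this article), the following Python script triages the patch status of a used Android phone from the output of `adb shell getprop`, which a buyer can run on a device with USB debugging enabled. The property names (`ro.build.version.security_patch`, `ro.build.version.release`, `ro.product.*`, `ro.build.type`) are standard Android system properties; the sample getprop output, the device name and the 90-day staleness threshold are constructed assumptions of ours. The check complements the manufacturer's support page rather than replacing it: a recent patch level shows only that the vendor shipped a fix recently, not that it will ship another, and the value is just a string in the build image that a custom ROM can set to anything.

```python
"""Triage a used Android phone's patch status from `adb shell getprop` output.

Added example, not from the Which? report. Assumes the phone is connected with
USB debugging enabled so that `adb shell getprop` can be run; the sample output
below is constructed for illustration. The 90-day threshold is our own choice,
not a vendor figure.
"""
import re
import subprocess
from datetime import date

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2019-09-05]
[ro.product.manufacturer]: [ExampleCorp]
[ro.product.model]: [Model-X]
[ro.build.type]: [user]
"""

_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn getprop's `[key]: [value]` lines into a dict; other lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_age_days(patch_level: str, today: str) -> int:
    """Days between the vendor's YYYY-MM-DD security patch level and `today`."""
    return (date.fromisoformat(today) - date.fromisoformat(patch_level)).days


def assess(props: dict, today: str, max_age_days: int = 90) -> dict:
    """Classify a device as 'stale' (no recent security patch) or 'current'.

    A recent patch level is necessary but not sufficient: a model can receive its
    final patch and be dropped the next month, so the manufacturer's support page
    is still the authority. A dump from a non-'user' build is flagged because the
    patch level on such builds may not reflect the vendor's release channel.
    """
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        return {"verdict": "unknown", "reason": "no security patch property reported"}
    age = patch_age_days(patch, today)
    notes = []
    if props.get("ro.build.type", "user") != "user":
        notes.append("non-release build; patch level may not be trustworthy")
    return {
        "device": f"{props.get('ro.product.manufacturer', '?')} {props.get('ro.product.model', '?')}",
        "android": props.get("ro.build.version.release", "?"),
        "patch_level": patch,
        "age_days": age,
        "verdict": "stale" if age > max_age_days else "current",
        "notes": notes,
    }


def assess_connected_device(today: str) -> dict:
    """Run getprop on the attached phone (requires adb on PATH and USB debugging)."""
    out = subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                         text=True, check=True).stdout
    return assess(parse_getprop(out), today)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use
    # assess_connected_device(date.today().isoformat()) for a real phone.
    print(assess(parse_getprop(SAMPLE_GETPROP), today=date.today().isoformat()))
```

Run against the constructed sample with a reference date of 31 July 2020, the device comes back as `stale` with a patch level 330 days old, which is the kind of device the Which? figures describe; a verdict of `current` should still be followed by a look at the vendor's published support window.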

Categories: Cyber Risk News

Future of CISOs Positive Despite Budget and Transformation Challenges, Say Security Leaders

Info Security - Fri, 07/31/2020 - 12:30

The best CISOs are those involved in transformation, using the current pandemic to establish new ideas and strategies, a panel of security leaders has argued.

Speaking on a virtual panel chaired by Ed Amoroso, founder and CEO of TAG Cyber, and featuring speakers from HP and other companies, Charles Blauner, partner and CISO in Residence at Team8, said he felt the best CISOs are operating within organizations where they are business leaders.

Blauner said that, despite the COVID-19 pandemic, the core of the CISO's daily job has not changed: being responsible for critical assets and protecting them wherever they are, even while everything else around that job has changed. “Which assets were valuable and where they are accessed from is different from a year ago, and I don’t think it ever goes back to normal in the old definition,” he said.

Blauner explained that he sees budgets going down and also going up, as companies think about operational resiliency “and the really good CISOs, who understand how to build on the fact that security is such a foundational aspect of our operational resiliency, are getting it right and expanding the definition of what it means to be a CISO.”

This is not about just protecting information as it was 30 years ago, “but this is an opportunity for the good CISOs to change the nature of their relationship with their CEOs with their businesses,” he added.

“The really good CISOs think about how to leverage modern and even ancient technology to really help transform the business. The really good CISO right now is taking the opportunity to put new ideas out there, and it is the really bad CISOs that struggle to catch up with all the changes that no-one ever talked about as no-one ever thought the CISO was important.”

Also speaking on the panel was Kris Lovejoy, EY global cybersecurity leader and former CISO of IBM, who said that CISOs are often left out of the transformation process, while budgets are cut. “They are being asked to reforecast their budget and strategy in the context of new business approaches.”

However, Lovejoy said she was optimistic as in the past, she had seen organizations “buy more stuff” to deal with compliance issues, and never take anything out. “My hope is that this industry will begin to streamline and de-complex our organizations and think about security in the context of business, as opposed to how we have been considering it before,” she said.

“So I do believe that the combination of large scale breaches, ransomware attacks and the requirements which are getting the mindshare of the executives, along with top down pressure plus the bottom up pressure to rationalize, will result in a meeting in the middle that is going to institutionally change our approach to cyber.”

Asked by Amoroso whether CISOs are up to that challenge, she said she is already seeing it happen and had some hope because CISOs are “more business aligned and transformational in nature”; their pragmatism and business alignment, she felt, will prepare them for the future.

Categories: Cyber Risk News

Drizly Breach Hits 2.5 Million Customer Accounts

Info Security - Fri, 07/31/2020 - 11:00

Alcohol delivery startup Drizly has suffered a major breach of customer data, with nearly 2.5 million accounts compromised in an incident discovered earlier this month.

The firm — which describes itself as the world’s largest marketplace for beers, wines and spirits — partners with retail stores in over 100 North American cities.

It has been emailing customers to warn them of a recent incident in which personally identifiable information (PII) but no financial data was compromised.

“We recently identified some suspicious activity involving customer data and initiated an investigation to determine what may have occurred,” the notice read.

“We’ve found that an unauthorized party appears to have obtained some of our customers’ personal information, including email address, date of birth, hashed passwords and in some rare cases, delivery address.”

The firm went on to say that as the passwords were hashed, these credentials “cannot be used to gain access to our customers’ accounts.”

According to breach notification site HaveIBeenPwned, the hashing algorithm Drizly used is bcrypt. bcrypt is one of the better choices, because it is salted and deliberately slow, but a slow hash only raises the cost of each guess: weak or common passwords can still be recovered by offline cracking, and the per-user salt merely stops that work from being shared across accounts.

Users should therefore follow Drizly’s advice and reset their password, both on Drizly and on any other site where they reused the same log-in.
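To make the point concrete, here is an added example (not Drizly's code and not a description of their systems) that contrasts what a site does with a hashed password at login against what an attacker does with the same record once it has leaked. bcrypt itself is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it; like bcrypt it is salted and deliberately slow, and the lesson is the same: the stored hash cannot be replayed as a credential, but a password that appears in a wordlist is recovered by offline guessing regardless. The record format, the eight-word list and the passwords are all constructed for the demonstration.

```python
"""Why 'the passwords were hashed' is not the end of the story.

Added example, not Drizly's code. PBKDF2-HMAC-SHA256 is used here as a
stand-in for bcrypt (both are salted, deliberately slow password hashes).
The record format 'pbkdf2_sha256$iterations$salt_hex$hash_hex', the wordlist
and the passwords are constructed for illustration.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed mini wordlist standing in for the multi-million-entry lists
# attackers actually use.
WORDLIST = ["123456", "password", "qwerty", "summer2020", "letmein",
            "drizly1", "beerme", "iloveyou"]


def hash_password(password: str, iterations: int = 20_000,
                  salt: Optional[bytes] = None) -> str:
    """What the site stores: a fresh random salt per user plus a slow hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Split our constructed record format back into its parts."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm {algo!r}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str) -> bool:
    """What the site does at login: recompute and compare in constant time."""
    iters, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, expected)


def dictionary_attack(record: str, wordlist) -> Optional[str]:
    """What an attacker does with the leaked record: guess offline until a hit.

    The per-user salt means this work cannot be precomputed or shared across
    users, and the iteration count sets the cost of every guess, but neither
    helps a user whose password is in the attacker's list.
    """
    iters, salt, expected = parse_record(record)
    for guess in wordlist:
        digest = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iters)
        if hmac.compare_digest(digest, expected):
            return guess
    return None


def guesses_per_second(iterations: int, trials: int = 20) -> float:
    """Rough single-core guess rate at a given cost: why the work factor matters."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(trials):
        hashlib.pbkdf2_hmac("sha256", str(i).encode(), salt, iterations)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    weak = hash_password("summer2020")
    strong = hash_password("c7!Rq9#vLp2$Zx")
    print("login with correct password:", verify_password("summer2020", weak))
    print("hash replayed as a password:", verify_password(weak, weak))
    print("weak password cracked as:", dictionary_attack(weak, WORDLIST))
    print("strong password cracked as:", dictionary_attack(strong, WORDLIST))
    for cost in (1_000, 20_000):
        print(f"{cost:>6} iterations: ~{guesses_per_second(cost):,.0f} guesses/s per core")
```

The output shows both halves of the argument: the leaked record itself fails verification as a password, so Drizly's statement is true as far as it goes, while `summer2020` falls to an eight-entry list in a fraction of a second and only the random password survives. Raising the work factor cuts the guess rate proportionally but does not change which passwords are in the list, which is why the reset advice, and not reusing the same password elsewhere, is the part that protects the user.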

The trove of compromised information also included customer names and IP addresses, with an estimated 2.5 million accounts affected in the July 2 breach, according to HaveIBeenPwned.

“When you have a startup that’s really rockin’ it in terms of sales and growth, they definitely become a target for bad actors,” argued Chloé Messdagh, VP of strategy at Point3 Security.

“Many times, startups don’t have the most put-together security team, if any team at all. It’s important, however, for companies to invest in security from the get-go. Without security, you’re bound to have issues – it’s not ‘if,’ but ‘when.’”

Categories: Cyber Risk News