Discussing strategies for achieving full lifecycle cloud security at the Cloud Security Alliance European Virtual Summit, Chris Hertz, VP, and Jeremy Snyder, senior director at DivvyCloud by Rapid7, said the challenge is not just adopting cloud services: you cannot secure them once and move on, because the platforms are always changing.
Snyder said he often sees “a lot of great ideas and a lot of great energy and enthusiasm for adopting cloud technology” but the reality for organizations is that they can be faced with “not getting everything that they want out of their cloud journeys.”
In particular, developers want to embrace services being created by Infrastructure-as-a-Service (IaaS) providers “as it helps them get their jobs done more efficiently and more quickly,” but the pace of change from cloud providers accelerates every year.
Hertz said that cloud services are constantly changing, IaaS providers are always evolving their services and the outcomes are unpredictable: in 2018 there were 81 major breaches attributed to cloud misconfigurations, and 150 in 2019.
“By our calculation, in our 2020 Misconfiguration Report, we estimate that $5trn in damages have resulted from cloud misconfigurations in 2018 and 2019, so the security achievement gap is real and it is having real impact,” Hertz said.
This means that developers are core to security in a way they were not before, and the speakers said there is a misalignment in the way security operates today. In particular, if a developer needs to get a task done, they may need to change an access list or an authentication method to do it.
Snyder added: “That is where some of the ignoring of the circumvention of security comes into place, it is not that people are malicious in any way, but they have tasks to accomplish in new ways, and that falls into the hands of the developers.” Hertz argued that this is why security has not shifted its approach to the cloud: security still works as it did in the data center, with a centralized infrastructure.
“In this new world of self service, we have democratized access but not democratized security, and you have a misalignment,” Hertz said. “Security tries to apply principles that applied in a data center world, but in the cloud security world, it doesn’t work.”
This can lead to security putting blocks in place, or a “rock in the river” as the speakers said, as, whilst developers do not act maliciously, with restrictions in place they cannot get their jobs done. “There is huge friction as security tries to operate as a data center, but eventually the water flows around the rock in the river, and instead you should move from the command and control world to a ‘trust but verify’ and ‘enable but amplify’ model,” Hertz said.
“That is why we are seeing these challenges, as culturally and organizationally, companies are not overcoming this.”
Security researchers have uncovered a major new hacking-for-hire operation against journalists, rights groups, government officials, financial institutions and others, seemingly orchestrated by a shady Indian tech firm.
Thousands of individuals and hundreds of organizations globally were targeted with cyber-espionage tactics in a multi-year campaign by the Dark Basin group, according to Citizen Lab.
Linked to Indian firm BellTroX InfoTech Services, the group apparently worked “on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories and advocacy.”
Although the group targeted financial services and pharmaceuticals players for its clients — including one campaign against those investigating market manipulation by German payment processor Wirecard AG — it frequently focused efforts on advocacy and civil society groups.
These include Greenpeace, the Rockefeller Family Fund, Public Citizen and the Union of Concerned Scientists. Dark Basin phished for info from groups working on the #ExxonKnew campaign, which alleged ExxonMobil hid info about climate change for decades, and those involved in trying to preserve net neutrality in the US, the report claimed.
Its links to BellTroX — whose director, Sumit Gupta, was indicted in 2015 for his role in a similar hack-for-hire scheme — are numerous.
Phishing activity aligned with the Indian time zone, and several of the URL shortening services used by the group — Holi, Rongali, and Pochanchi — have associations with the sub-continent.
Even more damning is the fact that some individuals claiming to work for BellTroX list activities on LinkedIn such as email penetration, exploitation and corporate espionage.
“We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners,” the report continued.
“They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure. BellTroX and its employees appear to use euphemisms for promoting their services online, including ‘Ethical Hacking’ and ‘Certified Ethical Hacker.’ BellTroX’s slogan is: ‘you desire, we do!’”
The investigation started when Citizen Lab was contacted by a journalist who had been targeted with phishing attempts. After tracing the URL shortener used, the investigators were able to identify almost 28,000 additional URLs containing e-mail addresses of targets.
These fairly unsophisticated phishing efforts are said to have had at least some success.
Citizen Lab warned that its findings indicate that there’s likely a large and growing market for hacking-for-hire services like this, with powerful organizations outsourcing cyber-espionage to third parties to maintain plausible deniability of their involvement, while posing a major threat to open democratic societies.
The industry needs to do more to prevent the sharp rise in COVID-19 phishing attempts.
In an open statement shared with Infosecurity, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) made a call for further steps to be taken to “authenticate and secure sending domains and email addresses by deploying email authentication at scale and at enforcement.”
It said preventing rampant phishing, emboldened and bolstered by the global pandemic, should be the top priority for domain owners, as email authentication is crucial to ensuring the flow of critical information.
It explained that organizations, including those on the front lines of the battle against COVID-19 and those involved in the impending general election in the United States and elections elsewhere in the world, must be protected from misinformation campaigns and phishing.
“The deployment of correct email authentication requires a careful and measured approach,” the statement said.
M3AAWG and its members strongly encouraged domain owners who operate email programs to adhere to the following email authentication parameters when publishing and signing their various records:
- Publishing SPF records with at least ~all, or -all if the domain does not send email
- Signing all mail with aligned DKIM
- Publishing DMARC policies for organizational domains — even non-sending ones — at enforcement: using at least p=quarantine, although p=reject is preferable, across the entire domain and all subdomains without exception
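As an added example (not M3AAWG's or any vendor's tooling), the script below checks a domain's published SPF and DMARC records against the parameters in that list. The DNS TXT records it works on are constructed for illustration; in practice you would fetch them with a resolver. DKIM alignment can only be judged on an actual signed message, so it is not checked here. The two caveats worth knowing are in the DMARC check: `sp` defaults to `p`, but an explicit weaker `sp` takes subdomains out of enforcement, and `pct` below 100 applies the policy to only a sample of mail, so neither record is "at enforcement across all subdomains without exception".

```python
"""Check published SPF and DMARC records against the three M3AAWG parameters.

Added example: the records below are constructed for illustration. In practice
fetch them with a resolver (e.g. dnspython: dns.resolver.resolve(name, "TXT")).
"""
import re

ENFORCING = {"quarantine", "reject"}

# Constructed TXT records keyed by DNS name (not real domains).
SAMPLE_RECORDS = {
    "good.example": "v=spf1 include:_spf.mailer.example -all",
    "_dmarc.good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "soft.example": "v=spf1 ip4:203.0.113.0/24 ?all",
    "_dmarc.soft.example": "v=DMARC1; p=none; rua=mailto:dmarc@soft.example",
    "parked.example": "v=spf1 -all",
    "_dmarc.parked.example": "v=DMARC1; p=reject",
    "partial.example": "v=spf1 include:_spf.mailer.example ~all",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; sp=none; pct=50",
}


def parse_spf(record):
    """Return (qualifier on the `all` mechanism, other terms).

    qualifier is '+', '-', '~' or '?', or None when the record is not v=spf1
    or has no `all` term at all. A bare `all` means `+all` (pass everything).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, []
    qualifier, others = None, []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"
        else:
            others.append(term)
    return qualifier, others


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; {} if it is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_domain(domain, records, sends_mail=True):
    """Return a list of findings; an empty list means the domain meets the recommendations."""
    findings = []
    spf = records.get(domain)
    if spf is None:
        findings.append("SPF: no record published")
    else:
        qualifier, others = parse_spf(spf)
        if qualifier is None:
            findings.append("SPF: not a v=spf1 record or it has no `all` mechanism")
        elif not sends_mail and (qualifier != "-" or others):
            findings.append("SPF: a non-sending domain should publish exactly 'v=spf1 -all'")
        elif qualifier not in ("~", "-"):
            findings.append(f"SPF: '{qualifier}all' is too permissive; use ~all or -all")

    dmarc = parse_dmarc(records.get("_dmarc." + domain, ""))
    if not dmarc:
        findings.append(f"DMARC: no record published at _dmarc.{domain}")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ENFORCING:
            findings.append(f"DMARC: p={policy or 'missing'} is not enforcement; use p=quarantine or p=reject")
        # sp defaults to p; an explicit weaker sp takes subdomains out of enforcement.
        if "sp" in dmarc and dmarc["sp"].lower() not in ENFORCING:
            findings.append(f"DMARC: sp={dmarc['sp']} leaves subdomains unprotected")
        # pct defaults to 100; anything lower applies the policy to only a sample of mail.
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail stream")
    return findings


if __name__ == "__main__":
    for name, sends in [("good.example", True), ("soft.example", True),
                        ("parked.example", False), ("partial.example", True)]:
        result = assess_domain(name, SAMPLE_RECORDS, sends_mail=sends)
        print(name, "OK" if not result else "")
        for line in result:
            print("   ", line)
```

Run against real domains by replacing `SAMPLE_RECORDS` with the TXT records a resolver returns for `domain` and `_dmarc.domain`; `p=quarantine` passes here because the statement accepts it, but treat it as the floor, since M3AAWG prefers `p=reject`.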
The statement warned that, during this time of pandemic, “it is more essential than ever that malicious actors are not able to impersonate trusted sources of information or assistance.”
The full suite of email authentication protocols is the best way for a sender to establish and affirm its identity when sending email. By creating barriers to impersonation, a sender’s identity becomes harder to forge and therefore more trusted, because recipients can verify that the sender is who it claims to be.
M3AAWG acknowledged that implementing email authentication can be challenging and time consuming, especially in current circumstances, so M3AAWG and its members are ready to help the sending community with resources, free tools and documented best practices to protect their brands, domains and email addresses from impersonation.
“Combatting the assault on our inboxes is a collective endeavor, the importance of which is even more profound given the pandemic and the increased importance of achieving digital proximity while remaining physically distant,” it said.
In an email to Infosecurity, David Appelbaum, CMO of Valimail, said the company is seeing a marked rise in DMARC deployment across the board, not just from its own customers, but among all domains worldwide.
“The rash of COVID19-themed phishing attacks, many of which have spoofed those governments and NGOs left unprotected by DMARC, has absolutely contributed to an increased awareness of DMARC (not to mention DKIM and SPF),” he said.
“M3AAWG is absolutely right to recommend DMARC, and in particular, to insist on the importance of configuring it with an enforcement policy. Anything less leaves domain owners open to being spoofed by the worst kind of opportunistic criminals.”
Microsoft released fixes for 129 vulnerabilities in its regular monthly update round yesterday, the fourth month in a row to hit over 100 CVEs and the largest of any Patch Tuesday.
Of the 129 CVEs, only 11 are rated critical and there are no flaws being actively exploited in the wild.
Some 98 vulnerabilities can be resolved by deploying OS and browser updates, while the other 31 are spread across Office, SharePoint, Defender, Endpoint Protection and developer tools like Visual Studio, ChakraCore and Azure DevOps, according to Ivanti senior product manager, Todd Schell.
He argued that the COVID-related shift to mass home working is causing problems for companies reliant on VPNs to patch.
“There are many solutions that can manage updates without the need for a VPN. Another difficulty companies are facing is user connectivity,” he added.
“I had a conversation with one company that is managing updates without needing to use a VPN to access the network. Their challenge is their users have low internet speeds. Monthly updates requiring hundreds of megabytes of patches, or gigabytes in some cases, become problematic as well.”
Allan Liska, intelligence analyst at Recorded Future, said admins should start with CVE-2020-1281, a remote code execution vulnerability in Microsoft’s Object Linking & Embedding (OLE). It affects Windows 7-10 and Windows Server 2008-2019.
“The vulnerability exists in the way OLE validates user input. An attacker who sent a specially crafted file or program, or convinced a victim to download one, could execute malicious code on the victim’s machine,” he explained. “Microsoft assigned this vulnerability a CVSS score of 7.8; a similar vulnerability, CVE-2017-0199, has been widely exploited including by the Lazarus group and APT 34.”
Others pointed to a remote code execution bug in SharePoint as demanding urgent attention.
CVE-2020-1181 affects the way SharePoint processes unsafe ASP.NET web controls. Although an attacker must be authenticated to exploit the flaw, SharePoint itself is an increasingly popular target for attackers.
Nintendo has added another 140,000 accounts to those it says were compromised in the attacks it first disclosed in April this year, bringing the total to 300,000.
The updated figure was given as a result of its ongoing investigation into the incident. The additional Nintendo Network ID (NNID) accounts that have been “accessed maliciously” have had their passwords reset and the relevant customers were contacted directly.
The gaming giant said back in April that 160,000 legacy NNIDs, which are associated with its now-defunct Nintendo 3DS handhelds and Wii U consoles, were accessed by unauthorized third parties.
The Japanese firm said they were “obtained illegally by some means other than our service” to buy digital items from the My Nintendo Store or Nintendo eShop, using stored cards or PayPal log-ins.
This would seem to indicate that hackers potentially used credential stuffing techniques, were able to crack weak passwords or obtained them via phishing.
Experts from SpyCloud claimed at the time that they believed credential stuffing was the most likely option, after finding the source code for a bespoke account checker tool designed specifically to compromise Nintendo users.
“For enterprises like Nintendo, protecting users from account takeover poses a unique challenge. Inevitably, some portion of users will reuse passwords, putting their accounts at risk,” it said.
“To protect users from account takeover, enterprises need to secure their human attack surface by proactively monitoring user logins for credential reuse and resetting compromised passwords — before criminals have the chance to use them.”
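The "proactive monitoring" in that statement is usually a detection rule rather than a product. As an added example (not SpyCloud's or Nintendo's code), the script below runs such a rule over constructed authentication log lines. The log format and the thresholds are assumptions. The point it shows is what separates a credential-stuffing run from an ordinary brute-force run: a stuffing source replays leaked username/password pairs, so it touches many distinct accounts roughly once each, whereas brute force hammers one account. Accounts that the stuffing source logged into successfully are the ones to reset before the credentials are used.

```python
"""Spot credential-stuffing runs in authentication logs.

Added example, not SpyCloud's or Nintendo's tooling. Assumed log format,
one line per login attempt:
    <iso-timestamp>Z ip=<source> user=<account> result=<success|fail>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    result: str


@dataclass
class Alert:
    ip: str
    kind: str                    # "credential_stuffing" or "brute_force"
    distinct_users: int
    attempts: int
    compromised: list = field(default_factory=list)   # accounts this source logged into


def parse_line(line):
    ts, rest = line.strip().split(" ", 1)
    kv = dict(part.split("=", 1) for part in rest.split())
    return Attempt(datetime.fromisoformat(ts.rstrip("Z")), kv["ip"], kv["user"], kv["result"])


def detect(lines, window=timedelta(minutes=5), min_users=20, max_ratio=2.0, brute_threshold=10):
    """Return one Alert per source IP whose attempts inside any `window` look like
    stuffing (>= min_users distinct accounts, <= max_ratio attempts per account)
    or brute force (>= brute_threshold attempts against a single account).
    Thresholds are assumptions; tune them to the site's normal traffic."""
    by_ip = defaultdict(list)
    for attempt in map(parse_line, lines):
        by_ip[attempt.ip].append(attempt)

    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(attempts)):          # sliding window over this source's attempts
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            win = attempts[start:end + 1]
            users = {a.user for a in win}
            kind = None
            if len(users) >= min_users and len(win) / len(users) <= max_ratio:
                kind = "credential_stuffing"
            elif len(users) == 1 and len(win) >= brute_threshold:
                kind = "brute_force"
            if kind:
                # Every account the same source logged into is presumed compromised:
                # those are the passwords to reset before they are used.
                compromised = sorted({a.user for a in attempts if a.result == "success"})
                alerts.append(Alert(ip, kind, len({a.user for a in attempts}), len(attempts), compromised))
                break
    return alerts


def build_sample_log():
    """Constructed log: one stuffing run, one brute-force run, one benign login."""
    base = datetime(2020, 4, 20, 3, 0, 0)
    lines = []
    for i in range(30):          # 30 distinct accounts, one attempt each, two of them succeed
        result = "success" if i in (4, 17) else "fail"
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts}Z ip=198.51.100.7 user=user{i:03d} result={result}")
    for i in range(15):          # one account hammered with guesses
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}Z ip=203.0.113.9 user=bob result=fail")
    lines.append(f"{base.isoformat()}Z ip=192.0.2.4 user=alice result=success")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(f"{alert.ip}: {alert.kind}, {alert.distinct_users} accounts, "
              f"{alert.attempts} attempts, reset: {alert.compromised}")
```

Real stuffing traffic is spread over proxies, so the per-IP grouping is the weakest part of this rule; grouping by ASN, user-agent or TLS fingerprint instead, with the same distinct-account ratio, is the usual next step.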
Nintendo reiterated in its updated statement yesterday that fewer than 1% of global NNIDs were affected.
With access to users’ NNID accounts, hackers may have also been able to view their nickname, date of birth, country/region and email address.
If the NNID shared the same password as their Nintendo account, they would also have been able to view the user’s full name and gender.
Users are urged to set different passwords for NNID and Nintendo accounts and switch on two-factor authentication for the latter.
The Pentagon research agency that helped invent the internet and GPS is inviting hackers to find flaws in its new mega-secure hardware.
Ethical hackers who spot vulnerabilities in the new technology created by the Defense Advanced Research Projects Agency (DARPA) will be rewarded with more than just a deep sense of satisfaction. For every flaw found, DARPA will be doling out a cash prize.
DARPA's July bug bounty contest is being held prior to the new technology going public in an effort to catch any weaknesses that may have been overlooked.
According to the Washington Post, the super-secure new technology is based on re-engineering hardware, such as computer chips and circuits, to make it more secure. It has been designed in this way so that hackers who rely on being able to undermine software to gain unauthorized access to systems and devices will find their attempts stymied.
If successful and widely adopted, this approach could see the era of releasing endless software updates to patch vulnerabilities unearthed by threat actors and ethical researchers finally draw to a close.
DARPA microsystems technology office program manager Keith Rebello said that the new hardware could declaw malicious hackers and give legitimate organizations the edge when it comes to cybersecurity.
“It [would have] a huge, huge impact,” said Rebello. “About 70 percent of all cyber-attacks are due to hardware vulnerabilities. If we can fix those permanently, we can take a large portion of the attack surface away.”
For DARPA's new contest, bug bounty hunters will be invited to try to crack a voter registration database and a medical database containing top secret research.
Explaining the choice of models, Rebello said: “We wanted to use demonstrations that are relevant to show the impact that we can have with this technology."
The new program was started in 2017 and is officially called System Security Integration Through Hardware and Firmware, or SSITH. DARPA has funded the hardware, but its construction is being completed by researchers and academics at places like the Massachusetts Institute of Technology, the University of Michigan, and Lockheed Martin.
SSITH will continue for one more year to allow vulnerabilities to be detected and fixed.
A digital intelligence company has launched a global initiative to promote the development of trustworthy artificial intelligence (AI) technology.
By 2025, Gartner estimates 30 percent of large enterprise and government contracts for the purchase of digital products and services that incorporate AI will require the use of explainable and ethical AI. Furthermore, three-quarters of consumers say they won’t buy from unethical companies, while 86% say they’re more loyal to ethical companies.
To get the ball rolling, ABBYY has publicized its core guiding principles on developing, maintaining, and promoting trustworthy AI technologies. The company is now advocating for other technology leaders to do likewise.
“Innovation and ethics go hand in hand. As the use of AI grows, it is important for technology leaders to adhere to and promote the use of technologies that are transparent, fair, unbiased and respect data privacy,” commented Anthony Macciola, chief innovation officer at ABBYY.
“By adhering to high standards with regards to the performance, transparency and accuracy of our products, we are able to deliver solutions that have a tremendous impact for our customers.”
Principles that ABBYY is committed to upholding include protecting confidential customer and partner data and providing visibility into the performance characteristics and metrics of its technologies, as well as providing opportunities for product feedback.
Looking beyond financial gain, the company has sworn to deliver AI technologies that are socially and economically beneficial and has affirmed that it will actively foster a culture that promotes the ethical use of AI and its social utility.
"AI has the power to yield significant social and economic benefit,” added Macciola. “With ethics in mind, we have the ability to transform the future in a manner that promotes innovation, accelerates technological advancements, and augments human intelligence, creativity and capabilities responsibly.”
Privacy is another area of concern that ABBYY has considered. The company, which uses machine learning, natural language processing, neural networks, and optical character recognition on data, has incorporated a privacy-by-design principle as an integral part of its software development processes.
Cybersecurity incidents at NASA increased by 366% last year as the organization's cybersecurity budget was slashed by $3.1m.
"Being one of the nation’s most important federal agencies, this is an alarming finding," wrote Atlas researchers. "Cyber incidents at NASA can affect national security, intellectual property, and individuals whose data could be lost due to data breaches."
The findings were based on data gathered by the Office of Management and Budget (OMB) in 2018 and 2019. OMB reviews government agencies annually and shoulders the responsibility for developing and overseeing the implementation of cybersecurity policies, guidelines, and standards in federal agencies.
A digital security incident is defined by the researchers as "any attempted or actual unauthorized access, use, disclosure, or destruction of information" plus digital incidents that include "interfering with operations within the organization and violations of NASA’s computing policies and regulations."
Incidents recorded as "improper usage" accounted for 90.5% of the massive increase. The term "improper use" refers to any incident whereby an authorized user violates an organization’s acceptable usage policies.
A positive finding made by researchers was that despite NASA's large size, only 15 incidents in which equipment owned by the agency was lost or stolen were reported in 2019, down from 23 such occurrences in 2018.
"It has to be noted that NASA does employ more than 17,000 people, so some of them are bound to lose or get equipment stolen, even if cybercriminals are not targeting NASA directly," wrote researchers.
NASA is one of the few major federal agencies whose cybersecurity budget was lower in 2019 than it had been in 2018 after it was cut from $170,700,000 to $167,600,000.
The news comes just days after NASA astronauts made history by entering the International Space Station from a commercially made spacecraft (a SpaceX Crew Dragon) for the very first time. Astronauts Doug Hurley and Bob Behnken were blasted into orbit by the SpaceX Falcon 9 rocket on Saturday, May 30, from the Kennedy Space Center.
An average of 41% of UK employees across all sectors have not received adequate cybersecurity training, which is leaving businesses and individuals vulnerable to attacks, according to a new study by Specops Software. Travel and hospitality was the sector with the worst record, with 84% of staff stating they have not received sufficient training. The findings come just weeks after easyJet suffered a data breach in which details of nine million of its customers were accessed.
The survey of 1,342 businesses across 11 different sectors in the UK also discovered that 69% of workers in education and training have not received adequate cybersecurity training from their employers, with the figure 56% for those in customer service, 47% in marketing, advertising and PR, 42% for medical and health, and 37% in the creative arts and design sector.
The industries with the best record, measured by the smallest share of staff reporting inadequate training, were legal services (16%), recruitment and HR (19%) and accountancy, banking and finance (23%).
The results are especially concerning considering the recent spike in attacks in areas such as education and, during COVID-19, healthcare. Earlier this year, the UK Information Commissioner’s Office (ICO) revealed that human error was the cause of 90% of cyber data breaches in 2019.
There does appear to have been a bigger emphasis on cybersecurity training as a result of COVID-19, with 21% of respondents stating they had been trained a lot more since the crisis began. However, the analysis also found that just 29% of businesses had initiated additional cybersecurity training since the pandemic, despite the additional risks posed by the recent surge in remote working.
Darren James, cybersecurity expert at Specops Software, commented: “The fact of the matter is that you can put as many security systems and procedures in place as you wish, but usually the weakest link is always the human being involved. Providing cybersecurity training is essential. Subjects such as password hygiene, email scam/phishing/malware awareness, social media usage etc. are important and the more attention we can bring via training at work, the less likely people in general will fall victim to these crimes.”
Speaking during a Microsoft webinar, the company’s EMEA chief security advisor Cyril Voisin said he does not expect companies to “fully revert to the IT state that they were in before” COVID-19 lockdown, predicting more cloud usage in the future.
Whilst he acknowledged that this will lead to more questions about how to secure a cloud deployment, he expected more use of Zero Trust strategies. Voisin also said he expects remote working to remain an option for many companies, and he explained that there is the potential for compromises in the shift of working in an office to working from home. He acknowledged that whilst the original goal “was to make things work and security may have been an afterthought,” employees still need to be trained and receive security education.
As well as that, he said he expects VPN policies to evolve. “Companies that were already doing this notion of ‘you must use a VPN for everything you do when you are not in the office’ are starting to relax,” he said, due to latency and bandwidth issues, and he predicted that blanket VPN requirements will continue to loosen.
Alongside that, he said keeping corporate resources secured whilst keeping users productive will lead to greater encryption of documents and wider deployment of endpoint detection and response (EDR). Companies will also invest in application management, with strategies like bring your own device (BYOD) and bring your own application important to offer more flexibility and “keep a company competitive.”
In terms of the financial impact of the COVID-19 pandemic, Voisin said companies may have to choose between investments to keep the company afloat and investing in security practices. “There will be a tension here, but I’ve had conversations with customers and they understand the need for security, and understand it is a requirement to sustain a long term business.”
Asked by Infosecurity if he had seen more companies deploy a Zero Trust approach since lockdown procedures began, Voisin said he had seen many companies “intensify what they are doing” and some were ahead of the curve, “but the people who had not done Zero Trust had started to do it slowly because they relied on a ‘VPN for everything approach’ to security and when they realized the limitations of VPN, they started to do Zero Trust.”
He said that, in some cases, people could not be armed with a laptop to work from home, and so had to use personal devices for work, “and we’ve seen adoption of Teams skyrocket, with 75 million unique users every day, so people are impacted by that and started to implement Zero Trust based on their situation.”
Speaking at the Cloud Security Alliance European Virtual Summit, Eric Vétillard, lead certification expert at ENISA, talked about the concept and development of a European certification scheme for cloud services as part of the EU Cybersecurity Act.
The EU Cybersecurity Act is intended to revamp and strengthen the EU Agency for Cybersecurity (ENISA) and to establish the first EU-wide cybersecurity certification framework for ICT products, services and processes.
After the announcement of the Cybersecurity Act, ENISA was tasked in November 2019 by the European Commission to design a candidate scheme for cloud services. Vétillard said there were two missions around the establishment of a European Certification Framework: to make ENISA permanent, and to define a cybersecurity certification framework, in particular to support the drafting of new policies through certification schemes.
“The idea here is to define a framework to increase the use of cybersecurity certification throughout Europe and extending to all countries,” he said. “To do that, we need to go beyond national schemes and offer mutual recognition at the European level.”
Vétillard explained that the framework will also allow users to make “informed decisions” on cybersecurity, and ultimately only require one certificate throughout Europe. “In order for the scheme to be successful it needs to be accepted by a majority of the member states of the European Union,” he added.
He explained that the certification is being drafted by ENISA along with the European Cybersecurity Certification Group (ECCG), a group made up of member states, and an advisory group, which will assist in drafting the scheme. When a scheme is selected, around 20 experts representing stakeholders, institutions and observers will work together to build a candidate scheme, which will be submitted to the next phase to get an opinion from the ECCG.
In terms of building the scheme, Vétillard said there are 22 questions to be answered, including the “specific evaluation criteria and methods to be used” which he said will represent a significant part of the work. He also said there is a mandate to monitor compliance of certified and self-assessed products.
As for what the scheme will achieve, Vétillard said this will include determining what a cloud service is. “If you look around, there are many definitions of what is meant by cloud computing” and ultimately the definition from ISO/IEC 17788 was selected “as it determines any service run on top of a cloud system.”
The next determination will be on cloud capabilities, where the same ISO standard was again used in order to determine that all cloud capabilities support some aspect of infrastructure, platform and application. Also all deployment models will be considered, including private, public and hybrid clouds.
The third consideration is three assurance levels, “basic,” “substantial” and “high,” which will be assessed by an accredited third party. Basic means that the cloud service provider has shown some intention to implement security controls. Substantial means that the provider has correctly implemented security controls and there is some vulnerability testing, and High means that the effectiveness of the provider’s controls against attacks has been demonstrated, requiring penetration testing, and is intended for “critical applications in sensitive fields.”
Vétillard said the choice of level depends on the level of risk, which in turn is set by parameters such as the nature of the activity and the size of the cloud service.
ENISA’s objective is to have answers to key questions and to know the structure of the scheme by the end of June 2020 “and to know how to move forward into the writing of the scheme itself.”
By September, the first draft will be completed, and after internal reviews, the final delivery of the candidate scheme is due by the end of the year. Vétillard said this is intended to be part of a larger framework, and ultimately used to provide baselines to other schemes.
IBM has claimed it no longer sells facial recognition software and has called for a “national dialogue” on how it should be used by police in the wake of recent US protests against systemic racism.
In an open letter to Congress on racial justice reform, CEO Arvind Krishna revealed that the tech giant “has sunset its general purpose facial recognition and analysis software products.”
While technology can help to improve transparency and protect police it shouldn’t be used to promote discrimination, Krishna argued.
“IBM firmly opposes and will not condone uses of any technology, including facial recognition technology offered by other vendors, for mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency,” the letter continued.
“We believe now is the time to begin a national dialogue on whether and how facial recognition technology should be employed by domestic law enforcement agencies.”
IBM added that AI technology in general can be a powerful tool for helping law enforcers keep the streets safe, but that both vendors and users have “a shared responsibility to ensure that AI is tested for bias, particularly when used in law enforcement, and that such bias testing is audited and reported.”
In the UK, a government-backed report from noted think tank the Royal United Services Institute (RUSI) warned that AI-powered facial recognition and other technologies using machine learning such as predictive crime mapping and individual risk assessments can amplify discrimination if they’re based on flawed data containing bias.
That hasn’t stopped British police using facial recognition technology with increasing frequency, despite complaints by rights groups that it is racially biased, inaccurate and tramples on civil liberties.
Even privacy watchdog the ICO has warned forces to go slow and ensure any pilots comply with data protection laws, while a statutory code of practice is drawn up.
In the US, several cities have banned police use of facial recognition technology.
However, IBM’s Krishna argued that technology can still have a positive role to play in modern policing, by bringing greater transparency and accountability through body cameras and “modern data analytics techniques.”
Security researchers are once again warning website owners to ensure any cloud storage resources linked to their site are locked down, after discovering Magecart and malicious redirector code lurking in misconfigured S3 buckets.
RiskIQ threat researcher, Jordan Herman, said his team made the discovery on May 12, after finding Magecart code residing on three websites all run by a company known as Endeavor Business Media. They apparently host content and chat forums designed for firefighters, police officers and security professionals.
Alongside Magecart they found a malicious redirector dubbed “jqueryapi1oad” which they first discovered back in July 2019 on compromised S3 buckets that had also been seeded with digital skimming code.
On closer inspection, RiskIQ discovered the redirector first appeared in April of last year and is still in use, connected with 362 unique domains.
It’s linked to the Hookads malvertising campaign that Herman claimed “has historically been connected to exploit kits and other malicious behavior.”
They found the redirector on other sites with misconfigured S3 buckets, including a Colombian football news site that sits in the top 30,000 of the global Alexa rankings. So far, 277 sites have been identified as affected by jqueryapi1oad, potentially exposing countless unsuspecting web users.
“As attacks involving misconfigured S3 buckets continue, knowing where your organization is using them across its digital attack surface is imperative,” argued Herman.
“In today’s threat environment, businesses cannot move forward safely without having a digital footprint, an inventory of all digital assets, to ensure they are under the management of your security team and properly configured.”
Back in July 2019, RiskIQ warned that attackers were actively scanning for misconfigured S3 buckets in order to spread malicious code, having seeded skimming code into buckets associated with 17,000 domains, including some of the top 2000 Alexa-ranked websites in the world.
The latest discovery shows such attacks are ongoing and represent an immediate threat to organizations.
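The misconfiguration behind both the 2019 and 2020 campaigns is the same primitive: a bucket that serves a site's JavaScript while also allowing anonymous writes, so an attacker can overwrite a hosted .js file with one carrying a skimmer or redirector. The following Python is an added example (not RiskIQ's tooling or AWS code) that audits a bucket policy and a bucket ACL for that condition. The policy documents, the bucket name `example-site-assets`, the account ID and the `site-deploy` role ARN are constructed samples in the shape the AWS `get-bucket-policy` and `get-bucket-acl` APIs return; the weak policy is shown beside a hardened one that keeps public read on a static prefix but restricts writes to a named role.

```python
"""Flag anonymous write access in S3 bucket policies and ACLs.

Added example for this section; not RiskIQ's tooling or AWS code.
The two policy documents and the ACL below are constructed samples in the
shape returned by the AWS get-bucket-policy and get-bucket-acl APIs.
"""
import json

# Any of these lets an anonymous caller add or overwrite an object, which is
# all an attacker needs to swap a hosted .js file for one carrying a skimmer.
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject",
                 "s3:put*", "s3:*", "*"}

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """IAM accepts either a scalar or a list for Principal.AWS and Action."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_statements(policy_json):
    """Return the Sids of Allow statements that grant write actions to everyone.

    A Condition block (e.g. aws:SourceIp) may narrow such a grant, but any
    write granted to Principal "*" is reported so that a human reviews it.
    """
    policy = json.loads(policy_json)
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def public_write_grants(acl):
    """Return (group, permission) pairs in a bucket ACL that let everyone write."""
    flagged = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_ACL_GROUPS
                and grant.get("Permission") in ACL_WRITE_PERMISSIONS):
            flagged.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return flagged


# Constructed: the misconfiguration behind the attacks described above.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-site-assets/*",
    }],
})

# Constructed: public read of the static prefix only; writes need a named role
# (hypothetical account ID and role name).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadStatic", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-site-assets/static/*"},
        {"Sid": "DeployRoleWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deploy"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-site-assets/*"},
    ],
})

# Constructed ACL in get-bucket-acl shape, carrying the legacy "Everyone: Write" grant.
WEAK_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print("weak policy:", public_write_statements(WEAK_POLICY))        # ['PublicReadWrite']
    print("hardened policy:", public_write_statements(HARDENED_POLICY))  # []
    print("weak ACL:", public_write_grants(WEAK_ACL))                   # [('AllUsers', 'WRITE')]
```

Run this against the JSON that `aws s3api get-bucket-policy` and `get-bucket-acl` return for every bucket in the inventory Herman describes; enabling the account-level S3 Block Public Access setting closes the ACL path outright. On the site side, loading bucket-hosted scripts with a Subresource Integrity hash means a swapped file fails to load rather than executing in visitors' browsers.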
Cyber-criminals have launched a new phishing scam designed to steal personal and financial details of self-employed workers using the Self-Employment Income Support Scheme (SEISS) during the COVID-19 outbreak.
The scam was uncovered by litigation company Griffin Law and begins with a text message sent to self-employed workers offering a tax rebate purporting to be from HMRC. This is in the wake of chancellor Rishi Sunak’s recent announcement of an extension to the SEISS.
According to Griffin Law, the text message tells recipients they are eligible for a tax refund and links to a realistic copy of the official HMRC site. There, a form asks them to enter their email address, postcode and HMRC log-in details before a fake refund amount is calculated.
From there, victims are taken to another page and asked to enter personal information including card number, name on card, account number, security code and expiry date.
Griffin Law estimates that around 100 self-employed workers have so far reported the scam to their accountants and business networks.
Commenting on the news, cyber-expert Chris Ross, SVP, Barracuda Networks, said: “This is the latest in a series of sophisticated HMRC-branded phishing scams designed to target vulnerable workers during the COVID-19 outbreak. We’ve seen a sharp rise in these kinds of schemes, often carefully crafted and timed alongside new government funding announcements to increase the likelihood of duping unsuspecting workers into handing over personal financial data.”
Andy Harcup, VP, Absolute Software, added: “The scam uses official government branding, logos and layouts, including a disclaimer about the site using cookies to fool users into thinking this is a legitimate way to reclaim money. It is vital that users remain vigilant to such attacks, checking the origin and legitimacy of sites before handing over confidential financial data. It’s also critical that companies ensure they have the necessary cybersecurity systems in place to protect against malicious communications across all workplace laptops and devices, to keep hackers at bay.”
Honda is investigating a cyber-attack on its IT network in Europe which security researchers say involved Ekans ransomware.
The carmaker has issued a brief statement after problems were uncovered on Sunday, confirming there was an issue with its network.
It said it had “experienced a disruption in its computer network that has caused a loss of connectivity, thus impacting our business operations.
“Our information technology team is working quickly to assess the situation,” it added, according to The Detroit Bureau.
However, on Twitter, security researchers were less circumspect. One, known as @milkr3am, posted several screenshots including one with purported Ekans (aka Snake) code that checks specifically for the mds.honda.com domain, indicating that this variant has been specially customized to target the firm.
They also posted a ransom note, which requests the victim organization to get in touch with a secure Tutanota email address to discuss purchasing the private decryption key, which it says was “created specifically for your network.”
Alongside these are links to VirusTotal, which apparently show the code detected by 40 out of 71 vendors as Snake or Ekans ransomware.
This isn’t the first time Honda’s cybersecurity posture has come under scrutiny. Back in 2011 its American arm admitted to a data breach which compromised the personal details of over two million customers.
Then in 2019, the carmaker suffered two separate incidents. In July a researcher discovered an exposed Elasticsearch instance leaking 134 million corporate documents (around 40GB of data). Then in December, a similar incident exposed around 26,000 unique customer records from the firm’s North American business.
“Unfortunately, conventional approaches to ransomware threats tend to be minimally effective. Employee training can never completely remove the potential for human error, while software designed to stop malware rapidly becomes obsolete as threats and their identifying signatures evolve,” explained Cloudian VP of engineering, Neil Stobart.
“As such, organizations often encrypt data as a safeguard against ransomware. However, while encryption can be useful where cyber-criminals just want to access and share the data itself, in the case of ransomware, they can simply re-encrypt the data to prevent access by its rightful owner.”
The website of an animal rights group has been hacked after its founder made accusations regarding the killing of a pregnant elephant in Kerala.
The 15-year-old elephant suffered a broken jaw and died on May 27 in the Velliyar River after allegedly eating a pineapple filled with firecrackers. Such traps are commonly set in India's forest fringe areas to keep boars and other wild animals from damaging crops.
Following the expectant animal's tragic demise, Indian politician, animal rights activist, and founder of the organization People for Animals Maneka Gandhi said that "action should be taken against everyone who is suspected in Malappuram."
The politician's comments were considered to be controversial since it is not yet clear who may have laid the trap and whether it was intended specifically for the elephant, or whether the incident occurred in Malappuram district or in the adjoining Palakkad district.
According to Asian News International, Gandhi also said: "Kerala government has not taken any action in Malappuram, it seems they are scared. An elephant is killed every three days in Kerala. We have less than 20,000 elephants left in India, they are rapidly declining."
On June 4, following Gandhi's comments, a group calling itself Kerala Cyber Warriors defaced the official PFA website, replacing it with a message that read "Maneka Gandhi dragged the sad death of pregnant elephant for dirty politics."
PFA trustee and wildlife activist Gauri Maulekhi said the hacked organization is now considering taking legal action against the malicious hackers.
Maulekhi told The Week: "This kind of bullying, trolling and one-upmanship is not going to work."
Maulekhi said the elephant's violent death had transpired as a result of the Kerala government's attitude toward the hunting of wild animals.
"Hunting was banned in the country in 1972," said Maulekhi. "The Kerala government, in a recent order, has incentivized hunting. Poor people have started hunting wild boar to make money. They are forced to kill wild animals because of the absurd and wicked policies of the state government."
The International Criminal Police Organization (INTERPOL) 2020 Digital Forensics Expert Group conference is to be virtually hosted by the University of New Haven in partnership with MITRE Corporation.
The event aims to bring together leaders in digital forensics to learn about new developments in the field while also providing an opportunity for some professional networking.
INTERPOL approached Dr. Ibrahim Baggili, Elder Family Chair and director of the university's Connecticut Institute of Technology, and nonprofit MITRE with a hosting request last year. Baggili had planned to host the event with Cory Hall, principal cybersecurity engineer at MITRE, as his co-chair.
However, plans to physically site the event at the university were left in tatters by the global outbreak of COVID-19. Had the conference been able to take place on site at the university as originally intended, it would have been the first time in history that the event was held in the United States.
Eager to ensure the event went ahead despite the challenges of lockdown measures and travel restrictions designed to slow the spread of COVID-19, the university and MITRE are now hosting the conference in cyberspace.
Baggili said that in light of the increased reliance placed on technology by society in the wake of the coronavirus pandemic, cybersecurity was more important now than ever before.
“Cyber criminals will always take advantage of people, and how we investigate these crimes is of the utmost importance,” said Baggili. “From what we have learned from COVID-19, our livelihood, at this point, depends on technology.”
Hall commented that although a physical venue might be missing from the INTERPOL event, the need for digital forensics experts to be up to speed on the latest developments in their field was not.
“Digital forensics experts worldwide still require updates on new tradecraft and a place to connect and learn from one another,” said Hall. “This is a great example of collaboration across academia, nonprofits, and international law enforcement. It shows that our human spirit will prevail against this pandemic.”
The virtual conference will take place on four days over two weeks in June. For the first time, participants will be given the chance to solve a digital forensics challenge.
Columbia College, Chicago has become the third US college in a week to fall victim to a cyber-attack involving the Netwalker family of ransomware.
The Illinois educational establishment, along with Michigan State University and the University of California, San Francisco, was targeted by cyber-criminals and given six days to pay a ransom to recover its files.
Netwalker, also known as Mailto and believed to be an updated version of Kokoklock ransomware, was first observed operating in September 2019. The malware encrypts data and renames files with the developer's email address and an extension made up of the victim's unique ID.
Like the attack on the University of California, the assault on Columbia occurred on June 3, exactly one week after Michigan State University was hit. On the Netwalker blog, the cyber-criminals claimed to have exfiltrated "very highly sensitive data like social security numbers and other private information" from Columbia.
Columbia's chief of staff, Laurent Pernot, told the Columbia Chronicle on June 5 that the Netwalker attack was detected by the college's IT systems and contained to a limited number of college servers.
“Some college, employee and student data was accessed by the perpetrators, though the exact nature and extent of that is still being determined,” wrote Pernot, adding that steps had been taken to prevent further breaches.
Updates made to the Netwalker blog yesterday suggest some of the colleges may have succumbed to the attackers' demands.
Emsisoft's Brett Callow told Infosecurity magazine yesterday: "UCSF and Columbia are no longer listed on Netwalker’s leak site, which likely means they paid (making it a lucrative week for the criminals) or that they asked to be delisted pending negotiations. So it appears only MSU is still holding out and refusing to negotiate."
Threat group REvil recently switched from publishing data if a ransom isn't paid to auctioning it off to the highest bidder.
Asked if Netwalker's operators might follow suit, Callow said: "I wouldn’t be at all surprised if Netwalker were to adopt a REvil-like auction process for stolen information. Like other businesses, criminal enterprises adopt each other’s strategies and the introduction of mechanisms enabling stolen data to be monetized would seem to be a logical progression. We saw this with data exfiltration and publishing: the strategy was pioneered by Maze and then quickly adopted by multiple other groups."
The number of open source software (OSS) vulnerabilities more than doubled in 2019 compared with 2018, a new RiskSense report has shown. The total number of Common Vulnerabilities and Exposures (CVE) entries for OSS reached 968 last year, up from 421 in 2018, a rise of 130%. CVEs remained at historically high levels through the first three months of 2020 too, suggesting this is a long-term trend.
The report also revealed that it takes an average of 54 days for OSS vulnerabilities to be added to the National Vulnerability Database (NVD) following public disclosure. These delays mean organizations whose scanning and patching depend on NVD feeds are often exposed to serious application security risks for around two months after a flaw is public. The lag was observed across all severities, including vulnerabilities rated ‘critical’ and ones already weaponized.
The OSS projects that had the most CVEs were the Jenkins automation server (646) and MySQL (624), each of which had 15 weaponized vulnerabilities. While HashiCorp’s Vagrant only had nine CVEs, a very high proportion (six) were weaponized. Other OSS projects that had vulnerabilities that were trending or popular in real-world attacks included Apache Tomcat, Magento, Kubernetes, Elasticsearch and JBoss.
Cross-site scripting weaknesses were the second most common form of vulnerabilities, and the most weaponized. This was followed by input validation issues, which were the third most common and second most weaponized. Additionally, the study showed that some weaknesses, such as deserialization issues (28) and code injections (16) were far less common but remained very popular in active attack campaigns.
“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blindspot for many organizations,” said Srinivas Mukkamala, CEO of RiskSense. “Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”
Over 300,000 Canadian accountants and related stakeholders have been hit by a breach of a professional member association, it emerged late last week.
The Chartered Professional Accountants of Canada (CPA Canada) revealed in a statement that an unauthorized third party had managed to access personal information after compromising the organization’s website.
Over 329,000 individuals including members and others have been notified and warned of follow-on attacks.
The compromised information relates mainly to the CPA Magazine and includes names, addresses, email addresses and employer names. CPA Canada claimed that passwords and full credit card numbers were encrypted, although it didn’t specify what algorithm was used; for passwords in particular, the relevant question is whether they were stored as salted hashes rather than reversibly encrypted values that an attacker holding the key could recover.
“CPA Canada today has notified affected individuals that the information involved could be used for the purposes of targeted phishing scams,” the organization said.
“CPA Canada is encouraging affected individuals to remain vigilant about any emails they may receive asking them to provide sensitive information or click on links or attachments, even if they appear to come from CPA Canada or an individual or company they know or trust.”
Although CPA Canada said it took “immediate steps” to secure its systems and work out what had happened, in reality the breach may have taken place several months ago. The organization linked the incident to an alert it issued back in April about an apparent phishing campaign in which users were requested to change their CPA Canada passwords because of a website breach.
“We are told that these emails appear to originate from the IT department of the employer of the individual receiving the message. These emails suggest that their IT department suspects a cybersecurity compromise with the cpacanada.ca domain,” it explained at the time.
“It is important that you do not act on the directions in any such email. CPA Canada continues to monitor the security of its web platform and is not experiencing anything unusual. In addition, the integrity of our password reset process remains secure.”