Feed aggregator

EDP’s North America Business Admits Ransomware Attack

Info Security - Wed, 07/08/2020 - 09:30
EDP’s North America Business Admits Ransomware Attack

The North American arm of a Portuguese energy giant has confirmed that it was also affected by a data-stealing ransomware attack on the firm earlier this year.

The filing with Vermont’s Attorney General’s Office (AGO) last week doesn’t add a great deal of information, but does hint at less-than-thorough incident response processes. It took nearly a month before the North America business was identified as affected.

“On April 13 2020, EDPR NA’s parent corporation experienced a ransomware attack on its information systems. The parent corporation immediately began investigating with the assistance of leading computer forensic experts,” it explained in a letter to customers.

“On May 8 2020, EDPR NA learned, for the first time, that the attackers had gained unauthorized access to at least some information stored on the company’s own information systems. Since then, EDPR NA has worked diligently and on an expedited basis to identify the individuals potentially affected by this incident.”

According to EDPR NA there is “no evidence” that any of its customers’ personal information has been accessed, although it admitted it does store names, Social Security numbers and other personally identifiable information (PII).

According to researchers, EDP was hit by the Ragnar Locker variant back in April, with cyber-criminals demanding €10m ($11m) in ransom or else they would start releasing a trove of data stolen from the firm.

However, in EDP’s statement at the time it said it was unaware of any such ransom demand.

Researchers explained on social media that the attackers likely had access to the firm’s systems for some time before the attack went public – at least 10 days.

EDP employs over 11,000 staff globally and made over €3.3bn in gross operating income in 2018.

Categories: Cyber Risk News

UK Cyber Startups Raise Almost £500m During First Half of 2020

Info Security - Wed, 07/08/2020 - 08:25
UK Cyber Startups Raise Almost £500m During First Half of 2020

UK cyber-startups have raised £496m in funding during the first half of 2020, already close to eclipsing the record £521m invested in these companies last year, according to the London Office for Rapid Cybersecurity Advancement (LORCA)’s new study, The LORCA Report 2020.

This is despite the economic uncertainties caused by the COVID-19 crisis, with cybersecurity startups raising £104m in the first two months of lockdown alone, a 940% increase compared with the same period last year.

However, the analysis revealed that just 1% of this money went to companies securing first-time funding. This means a funding gap is emerging due to investors focusing on growth-stage cyber-firms, which have received 94% of the funding so far in 2020.

This has been a worsening trend over recent years, with the number of deals across cyber-startups at the seed and venture stages standing at 52 in 2018, 39 in 2019 and just 21 so far in 2020. LORCA warned that this disparity is hampering the development of many innovative companies in the cybersecurity sector.

Saj Huq, program director at LORCA, commented: “The UK’s cybersecurity sector has grown tremendously in the last few years and has the potential to be right at the heart of our economic success. We have leading research institutions, technical innovation from startups and government-led bodies and growing engagement from investors and business leaders.

“However, the ecosystem is still nascent and obstacles remain to its continued growth. Access to funding for early-stage startups is clearly the biggest hurdle that must be overcome for the UK to compete on the world stage.”

UK digital infrastructure minister Matt Warman added: “It is great to see these new statistics. The tech sector will play a vital role in powering an economic recovery out of the pandemic and the cybersecurity industry plays an important role in keeping people safe online.

“We are backing our innovative firms to develop cutting-edge solutions and keep one step ahead of tomorrow’s security threats through our National Cyber Security Strategy.”

Yesterday, LORCA, a government-backed innovation program, announced the 17 scaleups selected to join its fifth cohort of cyber-innovators.

Categories: Cyber Risk News

Sophisticated Russian BEC Group Targets Multinationals

Info Security - Tue, 07/07/2020 - 19:40
Sophisticated Russian BEC Group Targets Multinationals

Security company Agari has unearthed a massive Russian business email compromise (BEC) operation that it says has been operating under the radar for at least a year. The group, nicknamed Cosmic Lynx, targets large multinational companies, the security researchers said.

Detailing the group's activities in a report this week, Agari said that it had been involved in over 200 BEC campaigns since July 2019. It believes that Cosmic Lynx has targeted senior executives in 46 countries spanning six continents.

Cosmic Lynx's modus operandi is more sophisticated than many BEC groups, using what Agari calls a dual impersonation scheme. The attacks begin with an email supposedly from a senior executive at the target company to an employee, informing them of an attempt to take over a company in Asia. The email says that the employee is the only person entrusted with this information and asks them to manage the acquisition.

The scammers then introduce the victim to a lawyer who is supposed to be coordinating the acquisition payment. The lawyer arranges for the payment—often running into millions of dollars—to be sent to a mule account in Hong Kong. Cosmic Lynx impersonates a real UK-based lawyer in its emails, spoofing the law firm's address with a similar-looking domain name.

The group uses excellent English in its emails, unlike many BEC scams, notes Agari. It is also fastidious about its infrastructure. It registers domains that provide an air of authenticity by using security terminology such as secure-mail-gateway.cc. It even used Fortinet, the name of a popular security company, in some of its domains. The group then points the top-level domains to web infrastructure and security company Cloudflare to make it look more legitimate, while conducting its nefarious activities via a subdomain.

Cosmic Lynx also takes DMARC into account, which is a protocol that makes it difficult to spoof domains. When it does target a DMARC user, it uses one of its own domain names instead of faking the target company's domain in the email's reply-to field. However, it modifies the email's display name to include the CEO's email address and make it seem more legitimate.

Agari believes that Cosmic Lynx is a Russian group based on several indicators. These include the Moscow time zone on sent emails, and the use of its infrastructure for other Russia-linked operations, including websites selling fake Russian documents.

"Cosmic Lynx has demonstrated the capability to develop much more complex and creative attacks that sets them apart from other more generic BEC attacks we see every day," Agari concluded.

Categories: Cyber Risk News

Microsoft Research Develops Invisible Cloud Malware Scanner

Info Security - Tue, 07/07/2020 - 18:39
Microsoft Research Develops Invisible Cloud Malware Scanner

It's all very well having thousands of virtual machines running in the cloud, but how do you scan them for malware? Microsoft Research has developed a system called Project Freta to do just that. It has launched the project as a prototype for public use.

Virtual machines (VMs) are software versions of computers that run in a cloud environment. They replicate an entire PC running an operating system like Linux or Windows, and many of them can run on a single piece of hardware at the same time. This has led to cloud environments with thousands of VMs running concurrently. That creates a challenge for systems administrators who want to ensure that none of the VMs are running malware.

Cloud management tools have tackled this by scanning the virtual machines for malware, but this involves running supporting software on each VM. That is time-consuming, and it can also alert malware running on the system that something is looking for it. In some cases, it could cause the malware to realize that it is running in a VM and terminate itself, escaping detection.

Microsoft Research developed Project Freta to completely separate what it calls the security plane from the computing plane, scanning large numbers of VMs while remaining invisible to malware. To do that, it needed a scanning mechanism that left the VM's memory completely untouched.

Project Freta scans the VM's memory without running anything in it. It then works out what system objects the VM holds based on a live in-memory snapshot of the Linux system, looking for processes, in-memory files, kernel modules, and networks, among other things.

The system can detect rootkits and other advanced malware, the company said in a blog post announcing the project.

The research team developed the software in Rust, which is a programming language with memory safety properties built in.

The system processes large numbers of VMs in short order, and is equipped to fingerprint operating systems from the memory image. It started by scanning for Linux, because there are so many different kernels available for that operating system. "With Linux behind us, Windows support is on our roadmap," the company said.

Admins can already test it out by linking their Azure accounts to the project's portal, although Microsoft is holding back extra functionality that enables it to copy memory from live VMs to an offline analysis environment. This should enable it to scale to more than 10,000 VMs at a time, it said.

Categories: Cyber Risk News

Researchers Use AI to Spot Drone Pilots

Info Security - Tue, 07/07/2020 - 17:30
Researchers Use AI to Spot Drone Pilots

Law enforcement and military personnel might finally have a way to track malicious drones and prevent millions of dollars in damage thanks to new artificial intelligence research. Academics at Israel's Ben-Gurion University of the Negev have developed a way to locate the operator of a drone by looking at how the airborne vehicle moves.

Locating the pilots of malicious drones is a pressing issue. In December 2018, Gatwick Airport had to close its runways to avoid drones flying dangerously close. Officers believed that it was a deliberate attack on the airport. The same thing happened at Heathrow Airport just a few weeks later.

While drones are relatively easy to spot, it is a lot harder to pinpoint their pilots. Although technicians can try to locate them by monitoring radio signals, they must be relatively near the drone to do so, and operators can cloak their transmissions.

The Ben-Gurion research team worked on the premise that drones behave differently depending on where the pilots are. By tracking the drone's path in the sky, they were able to analyze the reactions of the pilots to external stimuli such as sun dazzle and obstructions.

The team simulated drone flights using a software simulator, logging the path of drones across 81 simulated flights from three operator locations. It then ran this data through a machine learning algorithm and was able to guess the viewpoint of the operator with 73% accuracy, it said.

The researchers said that this drone-watching technique could be paired with traditional radio frequency scannung techniques. RF scanners have trouble identifying a signal related to a specific drone in a dense area where there might be other, similar signals, it said. "We can train our neural networks to identify command patterns of the signal transmitted from the operator when the drone is turning, rotating, accelerating, and decelerating and use it to connect to signal to a specific drone in the air," it said.

By detecting the direction of an operator, defenders could also use techniques to obstruct their line of sight, it said.

The technique has applications beyond watching drones, the paper said. It could also be used to identify drivers by looking at behavior in different traffic situations, including how they use the pedals and the steering wheel, and how much distance they keep from the other cars.

Other researchers at Ben-Gurion Univeristy have also been working on anti-drone technology. In March, Prof. Amiel Ishaaya at the University's School of Electrical and Computer Engineering revealed a laser-based defense system called Light Blade that will be able to down the next generation of attack drones.

Categories: Cyber Risk News

Manufacturing Sector Paid Out 62% of Total Ransomware Payments in 2019

Info Security - Tue, 07/07/2020 - 14:10
Manufacturing Sector Paid Out 62% of Total Ransomware Payments in 2019

The manufacturing industry spent more than any other sector last year on ransomware payments, paying out $6.9m, according to a new study by Kivu Consulting. This represents 62% of the total $11m+ of ransoms transferred to cyber-criminals throughout 2019, despite manufacturing only making up 18% of all paid ransom cases.

Over two-thirds (67%) of paid ransomware attacks against organizations from this industry were conducted via a crypto-ransomware called Ryuk. This uses encryption to block access to a system, file or device until a ransom is paid.

In total, Kivu Consulting said that it had facilitated 143 cases of ransom payments in 2019. Its analysis is based on data from 63 of those cases where the industry was identified and recorded.

The report revealed that healthcare was the sector most frequently hit by ransomware threat actors in 2019, making up 28% of cases in which ransoms were paid out. Healthcare institutions are also known to be facing increasing threats from cyber-criminals during COVID-19, including ransomware attacks.

Another major finding from the study was that ransomware attackers targeted organizations of all sizes rather than just large corporations and businesses, utilizing a range of tactics.

Elgan Jones, CIO and managing director at Kivu Consulting , said: “This latest report is a testament to the exclusive insight Kivu is able to produce from over 700 ransomware cases and with over four years of work in this area. Evaluating cyber-threat trends from ransom payments is something we will continue to do, and we look forward to sharing those findings with our partners going forward.

“Our hope is that this report and other research we produce helps to inform insurance carriers’ and law firms’ services to better support their customers in navigating the cyber-risk landscape.”

Categories: Cyber Risk News

Tech Giants Suspend Hong Kong Co-Operation Following Security Law

Info Security - Tue, 07/07/2020 - 11:30
Tech Giants Suspend Hong Kong Co-Operation Following Security Law

A slew of technology providers have temporarily suspended any co-operation with Hong Kong police following the introduction of a regressive national security law.  

WhatsApp, Telegram, Facebook, Twitter, LinkedIn and Zoom have all announced a pause on the processing of data requests from the Special Administrative Region (SAR) of China until an international consensus is formed on how to react.

“We understand the importance of protecting the right to privacy of our Hong Kong users under these circumstances,” Mike Ravdonikas of Telegram told the Hong Kong Free Press on Sunday. “Accordingly, Telegram does not intend to process any data requests related to its Hong Kong users until an international consensus is reached in relation to the ongoing political changes in the city.”

A spokesperson for Zoom said the firm was actively monitoring the developments “including any guidance from the US government” and had paused data access requests in the meantime.

“We believe freedom of expression is a fundamental human right and support the right of people to express themselves without fear for their safety or other repercussions,” a Facebook statement read. “We have a global process for government requests and in reviewing each individual request, we consider Facebook’s policies, local laws and international human rights standards.”

Widely criticized by governments around the world, the legislation was secretly drafted in Beijing in blatant violation of the “one country two systems” agreement signed between China and Britain which enabled the former colony to retain a semi-autonomous criminal justice and political system following the 1997 handover.

The law will now give the Chinese authorities the power to punish acts of “terrorist activities,” “secession,” “subversion” and “collusion with a foreign country” with life imprisonment or even death.

The vague wording of the legislation is said to be such that it is likely to be used to stifle free speech in the SAR, while police have been granted the power to search premises for evidence without a warrant.

The law can also be applied outside Hong Kong and China, which many see as an attempt to muzzle any kind of criticism of the regime from commentators abroad.

Categories: Cyber Risk News

Bankrupt Bitcoin Biz Founder Leaves $13m Hole

Info Security - Tue, 07/07/2020 - 10:30
Bankrupt Bitcoin Biz Founder Leaves $13m Hole

An infamous South African Bitcoin entrepreneur has been declared bankrupt, leaving investors facing total losses of over $13m, according to local reports.

Willie Breedt was the founder and CEO of VaultAge Solutions, a cryptocurrency trading platform that was launched in 2018.

Back in May, investors in the platform started to complain of fraud and investigators from the country’s Directorate for Priority Crime Investigation (DPCI) were sent in to find out what had happened.

Now it has emerged that Breedt, who is currently thought to be in hiding, is bankrupt, with around 2000 investors owed around R227m ($13.2m).

One of the largest investors in the scheme, Simon Dix of Hilton, who was owed R7.5m, successfully applied for a court order to seize Breedt’s assets. According to News24, police and investigators tracked Breedt down to a guest house at the Silver Lakes Estate in Pretoria.

During the raid they are said to have seized multiple electronic devices including a laptop and a nano stick.

Breedt’s South African bank accounts have also been frozen and PricewaterhouseCoopers has reportedly been hired to launch an investigation into VaultAge and the agents selling cryptocurrency on its behalf.

It remains unclear whether investors in the company’s schemes will get the money they are owed.

The case comes just days after a UK court wound up GPay Limited, a scam cryptocurrency trading company which defrauded novice investors.

The company, which traded under the names Cryptopoint and XtraderFX, is said to have made off with £1.5m. It used false advertising claiming affiliation with Martin Lewis, founder of MoneySavingExpert, and entrepreneurs from the hit TV show Dragons’ Den to persuade victims to part with their funds.

Categories: Cyber Risk News

Instagram Star “Hushpuppi” Faces BEC Charges

Info Security - Tue, 07/07/2020 - 09:30
Instagram Star “Hushpuppi” Faces BEC Charges

A social media star known for his ostentatious displays of wealth is set to be charged in the US with conspiracy to launder hundreds of millions of dollars from BEC and other fraud schemes.

Nigerian national Ramon Olorunwa Abbas, 37, (aka “Ray Hushpuppi” and “Hush”) was expelled from his home in the United Arab Emirates last week after being arrested there by police in June.

FBI special agents obtained custody of him and brought him to the US to face the charges.

They claim that Abbas financed his luxury lifestyle through cybercrime.

Specifically, he’s accused of being part of a BEC scheme that cost a New York law firm $922,857 in October 2019, after criminals hacked an internal account and used it to convince a paralegal to wire money intended for a client’s real estate refinancing.

Abbas is also accused of providing two European bank accounts intended for the laundering of over $11m in illegally obtained funds from a $14.7m cyber-heist at a foreign bank in February 2019.

He is said to have conspired to steal hundreds of millions more from other targets including a plot to scam an English Premier League football club out of £100m ($124m).

“BEC schemes are one of the most difficult cybercrimes we encounter as they typically involve a coordinated group of con artists scattered around the world who have experience with computer hacking and exploiting the international financial system,” said US attorney Nick Hanna.

“This case targets a key player in a large, transnational conspiracy who was living an opulent lifestyle in another country while allegedly providing safe havens for stolen money around the world. As this case demonstrates, my office will continue to hold such criminals accountable, no matter where they live.”

BEC accounted for more criminal losses than any other type of cybercrime last year. Scammers made nearly $1.8bn in 2019, over half the total $3.5bn lost to cybercrime, according to the FBI.

Categories: Cyber Risk News

LORCA Announces Fifth Cyber-Accelerator Cohort

Info Security - Tue, 07/07/2020 - 09:00
LORCA Announces Fifth Cyber-Accelerator Cohort

The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the 17 scaleups selected to join its fifth cohort of cyber-innovators.

Launched in 2018, LORCA is a government-backed innovation program delivered by Plexal at the London-based technology hub Here East and is supported by Deloitte and the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast. LORCA’s commercial partners are Lloyds Banking Group, Dell Technologies and Kudelski Security.

LORCA aims to help scale the cyber-innovations industry and acts as a global launch pad for cyber-companies, cultivating links with cyber-hubs and programs from across the UK’s maturing cyber-ecosystem.

LORCA announced an open call in March 2020 for startups with solutions to challenges presented by a connected society, including supply chain security, digital identity and the digital risk associated with an increasingly connected world to apply. The recruitment and selection process was carried out entirely virtually.

The selected members have innovative solutions that relate to identity, IoT, cloud security, autonomous cyber-defense, privacy and more.

The 17 selected companies are:

  1. AdvSTAR
  2. BlockAPT
  3. Breachlock
  5. ContextSpace Solutions
  6. CyberHive
  7. InsurTechnix
  8. ITsMine
  9. MIRACL Technologies
  10. Nanotego
  11. RedHunt Labs
  12. The CyberFish
  13. TrustStamp
  14. VerifiedWhiteList
  15. VU Security Ltd
  16. Zamna Technologies
  17. ZeroGuard

With particular focus on the importance of diversity and inclusion within the cyber-industry, LORCA encouraged applications from under-represented founders in its fifth cohort open call. As such, 18% of its fifth cohort includes scaleups with female founders or CEOs and 18% with leaders from BAME backgrounds.

The year-long program will support the 17 early-stage companies to grow, secure investment, access new markets and participate in overseas trade missions, with the ultimate aim of growing the British cybersecurity industry.

Saj Huq, director, LORCA, said: “The pandemic has accelerated many emerging digital trends, as well as the inevitable risks that accompany them. Cybersecurity challenges that were previously on the horizon have been brought forward as society and our economy becomes more connected, and security more critical than ever. The arrival of our fifth cohort highlights that there is world-leading talent and cutting-edge technology available to address these challenges and enable secure, societal-wide digital transformation.”

Huq added that LORCA intends to continue supporting scaling companies, acting as a catalyst for collaboration between innovators and critical parts of the ecosystem such as investors, industry, academia and government.

Digital infrastructure minister Matt Warman concluded: “This initiative will see some of the brightest minds from across the country benefit from expert advice to turn their creative ideas into practical business tools and develop the cybersecurity technology of tomorrow.”

Categories: Cyber Risk News

Infosecurity Magazine Autumn/Fall Online Summit Agenda – Live Now!

Info Security - Tue, 07/07/2020 - 08:20
Infosecurity Magazine Autumn/Fall Online Summit Agenda – Live Now!

Infosecurity Magazine is delighted to announce the launch of the content agenda for its upcoming Autumn/Fall Online Summit, taking place September 22 and 23.

Registration is now open for the virtual event which will showcase 14 live sessions, moderated by the Infosecurity editorial team, featuring an array of experts and thought leaders discussing various topics and issues currently impacting the information security industry.

The immersive education program will include short ‘How To’ sessions, panel debates and Point-Counterpoint Live sessions with high caliber speakers and specialists.

Topics to be explored during the event include:

  • Adapting to COVID-19 and changing infosec norms
  • How CISOs can lead from the front of their organizations
  • Why SIEM is a big piece of the modern security puzzle
  • How to master and manage cloud app security
  • Why upskilling your security team is key
  • How to align cybersecurity concepts with business goals
  • And much more!

What’s more, across the two-day event, attendees will have the opportunity to qualify for up to 11 CPE credits, access and download additional resources such as whitepaper reports and webinars, and interact with peers across the globe via a real-time virtual networking area.

Access the full event agenda and register for the summit here:

Online Summit Autumn 2020 (EMEA) Agenda & Speakers - September 24 Online Summit Fall 2020 (North America) Agenda & Speakers - September 25
Categories: Cyber Risk News

Home Routers Are All Broken, Finds Security Study

Info Security - Mon, 07/06/2020 - 19:04
Home Routers Are All Broken, Finds Security Study

Updating routers with the latest firmware is a frequent recommendation to improve network security. When it comes to home routers, though, the latest updates won't help you much. According to a study by Germany's Fraunhofer Institute for Communication (FKIE), vendors have failed to fix hundreds of vulnerabilities in their consumer-grade routers, leaving people exposed to a wide range of attacks.

The FKIE examined 127 routers spanning seven large vendors and found security flaws in all of them, it said in a report released in late June. It called its results "alarming."

"Many routers are affected by hundreds of known vulnerabilities," it warned. "Even if the routers got recent updates, many of these known vulnerabilities were not fixed."

The routers usually failed to use exploit mitigation techniques, it said, adding that some had passwords that users could not change, and which were either well-known or easy to crack. "Most firmware images provide private cryptographic key material," it continued. "This means, whatever they try to secure with a public-private crypto mechanism is not secure at all."

The Institute used a firmware analysis and comparison tool to extract and analyze the routers' most recent firmware. It found that 46 of them had received no security updates within the last year. At least 90% of the routers used Linux, but over a third of them used version 2.6.36 of the Linux kernel or even older. At the time of writing, the current Linux kernel is 5.7.7. The last security update for version 2.6.36 was in February 2011.

Even the best devices had at least 21 critical vulnerabilities and at least 348 rated with high severity, the study found. On average, routers had 53 critical vulnerabilities, it said.

Covid-19 makes the results particularly worrying because so many more people are now working from home, the Institute said. That means many more of them could be exchanging sensitive data with their employers via these devices.

Fifty routers provided hard-coded credentials, including sixteen with well-known or easily credible credentials, the study found.

Which vendors performed best? According to the study, AVM did a better job than the other vendors in most respects. "ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel," it concluded.

Categories: Cyber Risk News

Purple Fox Exploit Kit Adds Two Microsoft Vulnerabilities

Info Security - Mon, 07/06/2020 - 18:31
Purple Fox Exploit Kit Adds Two Microsoft Vulnerabilities

Security company Proofpoint has identified two new exploits coded into Purple Fox, an exploit kit that has evolved dramatically in the last year. The updates show that cyber-criminals are continuing to invest in infection tools to help get their malware onto victims' systems even though exploit kits are declining as an attack technique, the company said.

An exploit kit is a tool used to deliver malware onto a victim's device automatically via a website. It is an automated threat that uses compromised websites to drive up web traffic and scan for vulnerable browsers so that it can deliver its malware-based payload.

Exploit kits are the basis for drive-by downloads that infect a victim as soon as they visit a malicious site. They have often been sold as services to distribute malware, providing cyber-criminals with a conduit to infect victims' machines, but according to Proofpoint their popularity has declined of late.

"Exploit Kits are not as prevalent as they were a few years ago. However, they are still part of the threat landscape," explained the company. "One thing that hasn't changed regarding exploit kits is the way in which exploit kit authors regularly update to include new attacks against newly discovered vulnerabilities."

Purple Fox started out as fileless downloader Trojan malware delivered by an exploit kit called Rig. According to a 2018 write-up by Qihoo 360 Technology, it had infected at least 30,000 users at the time. Trend Micro had spotted it downloading and executing crypto-mining malware onto victims' devices. Last year, it switched from the Nullsoft Scriptable Install System to Windows PowerShell as a means of retrieving and delivering various kinds of malware.

Now, according to Proofpoint, it has become an exploit kit in its own right, built to replace Rig. It has added two new exploits, both patched by Microsoft in the last few months.

The first, CVE-2019-1458, is a local privilege elevation mobility that Microsoft fixed in December last year. The second, CVE-2020-0674, is a bug in Internet Explorer that Microsoft fixed in its February 2020 patch Tuesday update.

"The fact that the authors of the Purple Fox malware have stopped using the RIG EK [exploit kit] and moved to build their own EK to distribute their malware reminds us that malware is a business," Proofpoint said in its analysis. "In essence, the authors behind the Purple Fox malware decided to bring development 'in-house' to reduce costs, just like many legitimate businesses do."

Categories: Cyber Risk News

Account-Snooping Yahoo Engineer Escapes Jail Time

Info Security - Mon, 07/06/2020 - 17:47
Account-Snooping Yahoo Engineer Escapes Jail Time

A former Yahoo software developer charged with hacking into customer accounts escaped jail time last week. Reyes Daniel Ruiz, 35, received five years of probation for hacking accounts in the search for private images and videos with sexual content.

On September 30, 2019, Ruiz, a 10-year veteran at Yahoo, pleaded guilty to unauthorized intrusion into around 6,000 Yahoo accounts while working on the company's mail engineering team. He cracked user passwords and access to internal Yahoo systems to compromise the accounts between 2012 and 2015. He would look at financial documents but focused mainly on private sexual images and videos, storing up to 4,000 on his hard drive.

Ruiz targeted accounts belonging to younger women, including personal friends and work colleagues. After accessing the Yahoo accounts, he went on to snoop in around 100 other cloud service accounts belonging to the victims, including iCloud, Facebook, Gmail, Photobucket, and Dropbox. He also used these accounts to find other victims.

On June 21, 2018, other engineers at Yahoo (which by that time was called Oath) noticed suspicious account activities, prompting Ruiz to leave work early and begin destroying the evidence at home. Two months later, the FBI arrived at his house with a search warrant, and he confessed to agents that he had destroyed the evidence.

He was charged with computer intrusion and interception of a wire communication. He pleaded guilty to the former and was released on a $200,000 bond. He has been working temporary jobs and drawing unemployment since.

Along with a potential five-year jail sentence, Ruiz could have faced a fine of $250,000. However, the judge sentenced him to five years' probation along with twelve months of home confinement and electronic monitoring. He must also pay $115,957 in restitution to Oath. Only 3,137 of the hacked accounts' owners could be identified because Ruiz destroyed the hard drive containing the identities of the remaining victims.

According to the sentencing memorandum, "none of the images or videos were shared. The defendant also stresses that he has never had any interest, nor did he take any action, to contact or meet the victims. He used the videos and images solely for his own self-gratification for which he is now very ashamed and remorseful."

Categories: Cyber Risk News

Mobile Users Increasingly Targeted by Undeletable Malicious Files

Info Security - Mon, 07/06/2020 - 15:30
Mobile Users Increasingly Targeted by Undeletable Malicious Files

System partition infections as a method of installing adware are on the rise in mobile devices, according to new research from Kaspersky. It found that 14.8% of Kaspersky users who were targeted by malware or adware in 2019 had this type of infection, which means the malicious files cannot be deleted.

A system partition infection is particularly dangerous as security solutions are unable to remove malicious files because they cannot access the system directories. Adware – software created to display intrusive advertising – is increasingly being installed using this type of infection, according to the analysis.

This can occur in two ways: either the file gains root access on a device and installs adware in the system partition or in some cases, they are already installed on the device prior to reaching the consumer. Kaspersky found that the risk of such files being pre-installed on mobile devices varies from 1% to 5% in low-cost devices, rising to up to 27% in extreme cases.

The threat level of these malicious programs varies significantly, from Trojans that can install and run apps without the user’s knowledge, to simply subjecting users to intrusive advertising.

Kaspersky added that some vendors have admitted to embedding adware in their smartphones, which reduces the cost of the device to the consumer.

Igor Golovin, security researcher at Kaspersky, commented: “Our analysis demonstrates that mobile users are not only regularly attacked by adware and other threats, but their device may also be at risk even before they purchased it. Customers don’t even suspect that they are spending their cash on a pocket-sized billboard. Some mobile device suppliers are focusing on maximising profits through in-device advertising tools, even if those tools cause inconvenience to the device owners.

“But this is not a good trend – both for security and usability. I advise users to look carefully into the model of smartphone they are looking to buy and take these risks into account – at the end of the day it is often a choice between a cheaper device or a more user-friendly one.”

Categories: Cyber Risk News

Volume and Size of Fines for Data Breaches Expected to Rise

Info Security - Mon, 07/06/2020 - 14:45
Volume and Size of Fines for Data Breaches Expected to Rise

The number and value of fines for data breaches is predicted to increase between now and 2025, according to a new study by DSA Connect. Interviews with 1000 workers between 24 and 27 April 2020 revealed that 37% think there will be an increase and 6% believe the rise will be dramatic. Just 3% expect a reduction.

In regard to fines linked to the inadequate deletion and destruction of data, 32% think there will be an increase, 4% anticipate a dramatic rise and 2% expect a fall.

The primary factor in this expected growth is because employees have access to much more data than ever before, with 30% of respondents stating that they have accessed more data at work in the past 12 months. This is opposed to 7% who said the level has fallen in this period, while 57% found that there had been no change.

Encouragingly, 75% of workers think their employers have good or excellent’ processes for storing data safely and only 5% think they are poor. The remaining 20% said they don’t know.

However, only 38% of employees answered yes when asked if their employer had a data sanitization policy, with 14% saying no and 47% stating that they don’t know.

Harry Benham, chairman of DSA Connect, said: “With developments such as the Internet of Things (IoT) employers are dealing with more data than ever. They also have to contend with a rise in the number of cyber-attacks and ever more stringent legislation around protecting client data and how they use it. 

“Employers need to invest more time and resources in enhancing their strategies against this.”

The General Data Protection Regulation (GDPR) has led to the development of other data protection legislation around the world recently. These include the California Consumer Protection Act (CCPA), which came into force last week and the Brazilian General Data Protection Law.

Categories: Cyber Risk News

Flaw Fixed in Hotels.com Generator as Tesco Clubcard Users Impacted

Info Security - Mon, 07/06/2020 - 12:15
Flaw Fixed in Hotels.com Generator as Tesco Clubcard Users Impacted

Tesco Clubcard users have been warned to check their accounts, after a weakness was discovered in the way that Hotels.com codes were generated, which then impacted Clubcard members as they tried to use their points.

Whilst Tesco Clubcard’s IT systems have not been compromised in any way, research found cyber-criminals purchased fraudulent vouchers to provide huge discounts on bookings via Hotels.com. The codes were generated by Hotels.com and made available to Tesco Clubcard members as a reward for in-store spending.

According to The Telegraph, the vouchers allowed people to get up to £750 off hotel rooms on Hotels.com. Fraudsters were able to guess the final four digits of the promotional code that unlocks the discount as the remaining nine characters follow the same pattern each time, and the codes were sold on hacker forums for between £200 and £750.

Initially alerted by researchers from CyberNews, who informed Hotels.com parent Expedia Group of the flaw, the booking site has since taken measures to resolve the issue and Tesco Clubcard temporarily removed Hotels.com from Clubcard Rewards until the issue was resolved.

A spokesperson for the CyberNews research team, said: “In the current economic climate people are looking for ways to save money, so businesses need to stay vigilant to prevent fraud. We’d recommend using longer, less predictable discount codes with more characters which make it harder for cyber-criminals to predict, as well as implementing a limit on attempts for an incorrect entry to prevent brute force attacks of this nature.”

A statement from Hotels.com said the issue “was identified and resolved promptly several months ago” and, working closely with its partners at Tesco, it ensured that only legitimate Clubcard customers were able to obtain and redeem the codes they had earned. “No customers of Hotels.com or Tesco missed out on the offer, lost money or Clubcard points as a result.”

Categories: Cyber Risk News

Corporate Cybercrime Victims Double in Five Years

Info Security - Mon, 07/06/2020 - 11:00
Corporate Cybercrime Victims Double in Five Years

The number of UK business falling victim to cybercrime has doubled over the past five years, costing the economy an estimated tens of billions in the process, according to new research from Beaming.

The business ISP polled over 2500 companies between 2015 and 2019 to compile its latest report, Five Years in Cyber Security.

The percentage of respondents claiming to have fallen victim to cybercrime rose over that time period from 13% in 2015 to a quarter (25%) last year, equivalent to around 1.5 million businesses.

Although large firms with over 250 employees were the most likely to suffer attacks, with over 87% impacted last year, smaller businesses (11-50 employees) experienced the steepest rise, from 28% in 2015 to 68% last year.

Beaming estimated the total cost to UK firms over this five-year period to be in the region of £87bn, including damaged assets, financial penalties and lost productivity. A spokesperson told Infosecurity that it extrapolated the figure from an average cost calculated from interviews with business leaders. 

Phishing was the most likely form of attack to successfully strike UK victim organizations, linked to a 50% increase in victims, with employees accountable for around a third of breaches (36%) in 2019.

Beaming managing director, Sonia Blizzard, argued that automated attack methodologies have helped cyber-criminals ramp up scale, frequency and sophistication.

“The threat has grown astronomically over the last five years. What used to be seen as a big-business problem has become a serious concern for every company director, manager and IT professional out there,” she added.

“Small businesses are now on the front line in the war against cybercrime, but they haven’t invested in cybersecurity or employee education at the same rate as their larger counterparts, and they are easier targets as a result.”

Although many small (20%), medium (24%) and large companies (36%) now discuss cyber-threats at board level, investments in security have not always been forthcoming.

In 2015, 30% of businesses had a firewall at the network perimeter; a figure that stands at just 37% today. Those with employee awareness-raising programs in place rose from 20% to just 22% over the same time, according to the report.

Categories: Cyber Risk News

North Korean Hackers Behind Magecart Attacks

Info Security - Mon, 07/06/2020 - 09:40
North Korean Hackers Behind Magecart Attacks

North Korean hackers appear to have been breaking into US e-commerce stores since May 2019 and planting digital skimming code to make money for the hermit nation.

Researchers at Sansec claimed today that the notorious Lazarus (Hidden Cobra) group was behind attacks on at least several dozen stores, including a recent high-profile raid on US accessories retailer Claire’s.

It’s unclear how the attackers gained access to the victims’ back-end systems, although spear-phishing against retail staff is a distinct possibility.

“To monetize the skimming operations, Hidden Cobra developed a global exfiltration network. This network utilizes legitimate sites, that got hijacked and repurposed to serve as disguise for the criminal activity,” Sansec continued.

“The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family run book store from New Jersey.”

The researchers linked various elements of the attacks to previous North Korean activity, including domains such as technokain.com, darvishkhan.net and areac-agr.com where malware and skimmers have been launched from.

“Does the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations? Theoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely,” argued Sansec.

“First, thousands of sites get hacked each day, making an overlap highly coincidental. Secondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after gaining access, in order to shield the new asset from competitors.”

The revelations over Pyongyang-sponsored Magecart attacks mean the despotic regime is using yet another tactic to fill its government coffers.

Previously, groups like Lazarus have been associated mainly with attacks on banks and cryptocurrency exchanges.

A UN report from last year claimed the Kim Jong-un regime had managed to generate $2bn from such attacks.

Categories: Cyber Risk News

Google VP Withdraws from Black Hat 2020 Over its Name

Info Security - Mon, 07/06/2020 - 08:36
Google VP Withdraws from Black Hat 2020 Over its Name

A Google VP has ignited a fierce debate in the cybersecurity industry over the use of potentially discriminatory language after withdrawing from the upcoming Black Hat USA virtual event in protest.

David Kleidermacher, who is VP of Android security and privacy, thanked the organizers of the long-running security conference but said it was time to change.

“Black hat and white hat are terms that need to change. This has nothing to do with their original meaning, and it’s not about race alone – we also need sensible gender-neutral changes like PITM versus MITM,” he argued on Twitter.

“These changes remove harmful associations, promote inclusion and help us break down walls of unconscious bias. Not everyone agrees which terms to change, but I feel strongly our language needs to (this one in particular).”

Many leapt to his defense: noted researcher Kevin Beaumont argued that more speakers and attendees should boycott Black Hat until the organizers change the name.

However, Kleidermacher’s comments also brought out a significant number of industry professionals who disagreed.

Many focused on the fact that the term itself is not derived from a notion of things that are “black” inherently being malign, but of the fact that the villains in old cowboy movies used to wear black hats while the heroes wore white hats.

However, Kleidermacher argued that the issue goes beyond this narrow interpretation.

“To reiterate – the need for language change has nothing to do with the origins of the term black hat in infosec. Those who focus on that are missing the point. Black hat/white hat and blacklist/whitelist perpetuate harmful associations of black = bad, white = good,” he said.

That didn’t deter some industry commentators who described the stance as “performative” and “virtue signalling.” Others argued that industry efforts would be better spent on more practical ways to make the sector more diverse.

“The companies at the forefront of changing these tech terminologies hardly have black professionals at the decision table and their top leadership, that’s the change we ask, not sidelining us by making a lingua change no reasonable person asked for,” argued @0xSkywalker.

Back in May, the UK’s National Cyber Security Center (NCSC) updated terminology on its website, replacing “blacklist” and “whitelist” with “deny list” and “allow list,” after being contacted by a concerned customer.

Categories: Cyber Risk News