Crypto-wallet firm Ledger has revealed a major security breach of its e-commerce and marketing database, resulting in the compromise of one million customer email addresses and the personal details of thousands.
Aside from the email addresses, which could be used in follow-on phishing attacks spoofing the brand, the hacker made off with the personally identifiable information (PII) of 9500 customers, including first and last name, postal address, phone number and ordered products.
Ledger was at pains to point out that no financial information or passwords were taken and that the incident doesn’t affect customers’ hardware wallets or stored funds.
The firm said it notified the French data protection regulator CNIL on July 17 and enlisted the help of Orange Cyberdefense four days after that to assess the damage and enhance its internal security posture.
“On July 14, 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation,” the notice read.
“A week after patching the breach, we discovered it had been further exploited on June 25, 2020, by an unauthorized third party who accessed our e-commerce and marketing database.”
The firm added that it was now taking steps towards meeting ISO 27001.
Chris DeRamus, VP of technology at Rapid7’s Cloud Security Practice, argued that despite Ledger’s assurances, the incident will impact customer confidence in the brand.
“It is crucial to ensure that all sensitive information – from email addresses to cryptocurrency funds – is secure and kept out of the hands of threat actors,” he added.
“To ensure that a company database is secured, businesses should have Identity Access Management (IAM) governance in place. They should follow the principle of least-privileged access when provisioning IAM permissions by providing checks to restrict identities from being able to access beyond their systems.”
Twitter has confirmed that the social engineering attack which enabled the takeover of major accounts was achieved by a spear-phishing attack.
In an update to its previous statement, Twitter said the attack occurred on July 15 and “targeted a small number of employees through a phone spear-phishing attack.” This attack enabled the attackers to obtain access to both the internal network and specific employee credentials that granted them access to internal support tools.
“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes,” it said. This then enabled them to target additional employees who had access to account support tools.
Using the credentials of the employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36 and downloading the Twitter data of seven.
In the initial attack, Twitter said on 16 July that the coordinated account hijacking campaign was done by a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” For a period of time, accounts with millions of followers belonging to Jeff Bezos, Bill Gates, Barack Obama, Joe Biden, Elon Musk, Kanye West and others were hijacked and used to promote a cryptocurrency scam. The corporate accounts of Apple, Bitcoin, Coinbase and others were also taken over.
A day later, Twitter disclosed that 130 accounts were targeted, and the successfully compromised accounts represented a “small subset” of the total number of accounts the attackers had in their crosshairs.
Answering questions about access to user accounts, Twitter said it has teams around the world that help with account support that use proprietary tools to help with a variety of support issues. “Access to these tools is strictly limited and is only granted for valid business reasons,” it explained. “We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions and take immediate action if anyone accesses account information without a valid business reason.”
However, Twitter said it is now “taking a hard look at how we can make [the access tools] even more sophisticated.”
Looking forward, it said since the attack it has “significantly limited access to our internal tools and systems to ensure ongoing account security while we complete our investigation” and it is continuing to invest in increased security protocols, techniques and mechanisms.
“Going forward, we’re accelerating several of our pre-existing security workstreams and improvements to our tools. We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing company-wide phishing exercises throughout the year.”
Stuart Reed, UK director at Orange Cyberdefense, said: “As suspected, this breach resulted from social engineering – hackers preying on human vulnerabilities. Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past. The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others.
“It is vital organizations employ a layered approach of people, process and technology for optimal cybersecurity. This incident underlines the critical importance of awareness and education among employees and the role they play in good data hygiene – cybersecurity is not the sole concern of an individual or a function, it is a shared responsibility of all.”
The EU has applied its first ever sanctions in retaliation for cyber-attacks carried out by state-backed Chinese, Russian and North Korean hackers over recent years.
The bloc said it will impose a travel ban and asset freeze on six individuals and three entities in response to the Operation Cloud Hopper, WannaCry and NotPetya attacks, as well as an attempted breach of security at the Organization for the Prohibition of Chemical Weapons (OPCW).
WannaCry has been linked to Pyongyang, while NotPetya is thought to be the work of the Russian military (GRU) and Cloud Hopper was blamed on China’s Ministry of State Security (APT10).
“The measures follow the European Union and member states’ consistent signaling and determination to protect the integrity, security, social-wellbeing and prosperity of our free and democratic societies, as well as the rules-based order and the solid functioning of its international organizations,” said EU high representative, Josep Borrell.
“We will continue to strengthen our cooperation to advance international security and stability in cyber space, increase global resilience and to raise awareness on cyber-threats and malicious cyber-activities.”
While 2017’s NotPetya and WannaCry are fairly well known, Cloud Hopper is less so, although this multi-year APT campaign successfully breached countless managed service providers around the world.
“The GRU was also behind an attempt to hack the OPCW’s Wi-Fi network by physically visiting their facilities in The Hague. That operation was disrupted but the unit had been involved in similar operations in Switzerland, Brazil and Malaysia which targeted the Olympics and other investigations involving Russia,” explained John Hultquist, senior director of analysis at Mandiant Threat Intelligence.
“The consistent use of physical human intelligence teams to supplement its intrusion efforts makes the GRU a particularly effective adversary. Sanctions may be particularly effective for disrupting this activity as they may hinder the free movement of this unit.”
Britain's Department for Digital, Culture, Media and Sport is funding a new wave of projects aimed at putting the UK at the forefront of 5G technology.
Among the research and development projects to secure funding are a remote music festival that will take place in the Brighton Dome, trials of autonomous lorries, and a traffic system controlled by artificial intelligence.
Six regional projects, based in Sunderland, Preston, Liverpool, Manchester, Brighton, and Suffolk, involving 17 UK SMEs will receive £30m of public and private funding to combine British industrial ingenuity with new technology. Funding was awarded as part of the government's recent 5G Create competition.
The £30m is part of the wider £200m 5G Testbeds and Trials program (5GTT) that has so far funded 24 5G testbeds across the UK in which almost 70 different 5G technologies, products, and applications have been trialed.
In Brighton, the 5G Festival project will demonstrate how greater connectivity can empower the music industry to bring live festivals and music events to audiences located all over the world.
Over the next year, the project will develop new ideas for integrating 5G technology into the city's venues, such as live streaming performances in high quality and real time. Audiences will be able to engage and interact with artists experimenting with new work enabled and delivered over 5G infrastructure.
The 5G network will initially be deployed in Brighton Dome’s Founder’s Room and Foyer, offering Brighton-based small businesses, community groups, and artists the opportunity to test and develop new 5G-enabled applications.
“Brighton Dome will be among the first arts venues in the country to explore the potential of 5G technology in the application of new artistic work and performance," commented Andrew Comben, chief executive of Brighton Dome & Brighton Festival.
"Not only will it offer artists the chance to create exciting new work but our audiences and visitors to Brighton will be able to enjoy and experience arts events in a completely different way. We’re excited by the endless possibilities this could bring.”
A second round of new projects to receive funding through 5G Create will be announced in the fall.
A Mississippi radio host has been arrested and charged with three counts of simple assault, stalking, obscene electronic communication, and cyber-stalking, which is a felony.
William "Napoleon" Edwards was taken into custody on Tuesday for allegedly cyber-stalking a Hinds County supervisor. In a court hearing held on Wednesday, Municipal Court Judge Ali Shamsideen set Edwards' bond at $20,000.
Edwards hosts a show on WPBQ radio and broadcasts live via Facebook. Known to his listeners as The Cipher Voice, Edwards has built a reputation for exposing issues affecting the city of Jackson.
Previously, Edwards has used his online platform to call out the mayor, the police chief, and even local pastors. But the host's on-air treatment of David Archie prompted the supervisor to accuse Edwards of cyber-stalking.
Archie claims Edwards made death threats against him and falsely accused him of being a convicted felon. The supervisor alleges that during a Facebook Live broadcast that took place last weekend, Edwards threatened to execute him.
In a news conference given outside Jackson Police Department headquarters Tuesday night, Archie said: "There is information he [Edwards] put out about me that was absolutely true. I don't have a problem with that. What I have a problem with is that, if you are not a convicted felon, don't say you are a convicted felon. Edwards said I was a convicted felon twice and I committed horrible crimes against women, which are absolutely not true."
At Wednesday's hearing the judge ordered Edwards to have no contact with Archie. Edwards was also made subject to a gag order that bars him from discussing the circumstances of his arrest on air or via Facebook.
A public defender put it to the judge that the cyber-stalking charge against Edwards should be dismissed as his words had been taken out of context.
The defender maintained that what the host said was that he would use public information to go after Archie. Since Archie is a public official, the attorney argued that Edwards had the right to speak out against him.
Edwards' sister, Darcell Odom, said that his family fears for the radio personality's safety while he is in jail because The Cipher "has undoubtedly said some unfavorable things regarding some city officials."
Doing business under the name MessageControl, eTorch is a messaging security provider with solutions designed to help stop social engineering and human identity attacks with the use of machine learning technology. The company was founded in 2015 and employs 16 people.
Mimecast said the deal was inspired by the "significant increases in spam and phishing attacks" that followed in the wake of the global health pandemic.
According to a recent report from the Boston firm, 60% of organizations have seen the volume of impersonation attacks increase. In addition, the volume of internal threats or data leaks experienced by organizations rose 58% and 43%, respectively.
A company spokesperson said: "To combat these growing threats, Mimecast’s acquisition of MessageControl will provide customers using productivity apps, such as Microsoft 365, even stronger protection against advanced phishing and impersonation attacks with machine learning technologies."
The acquisition will allow Mimecast to offer several key capabilities, including contextual, real-time warnings in email, the ability to prevent misaddressed email data leaks, and machine learning identification of anomalous behaviors.
“MessageControl is a natural complement to Mimecast’s suite of cyber-resilience solutions,” Mimecast CEO Peter Bauer said in a statement.
“Its artificial intelligence and machine-learning capabilities will offer additional layers of defense by evolving and ‘learning’ the customer environment and user behaviors over time.”
MessageControl’s graph technology has been designed to inspect email attributes and content and then apply machine learning to build a library of known and unknown patterns for each individual user. The technology has been engineered to get smarter over time. Impressively, it has the ability to make real-time decisions on more than one billion unique user behavior data points.
“Mimecast’s portfolio of solutions offers MessageControl the opportunity to expand its reach to protect even more organizations against the advanced threats plaguing the market today,” said Paul Everton, founder and chief technology officer at MessageControl.
“We’re excited to join the Mimecast team as we continue on our mission to stop social engineering and human identity attacks.”
Financial terms of the deal were not disclosed.
Thunderbolt is an interface that allows high-speed connections between computers and peripherals. Using Thunderspy, attackers could potentially change or even remove the security measures of the Thunderbolt interface on a target computer, enabling them to steal data from it.
Although Thunderspy was first disclosed by computer security researcher Björn Ruytenberg in May 2020, little has been said about it since, with Thunderbolt-based attacks rare and highly targeted in nature.
Aryeh Goretsky, ESET distinguished researcher, noted: “While Ruytenberg’s research has received publicity because of its novel attack vector, not much has been said about how to protect against Thunderspy, or even determine whether you have been a victim.”
Goretsky explained that Thunderbolt-based attacks are generally limited to high profile targets such as business executives, engineers or administrative personnel because they are difficult to conduct; it either requires cloning identities of Thunderbolt devices that are already trusted and allowed by the computer, or even the permanent disablement of Thunderbolt security.
Both of these methods require in-person access to the target computer as well as the tools to disassemble the computer, attach a logic programmer, read the firmware from the SPI flash ROM chip, disassemble and modify its instructions, and write it back to the chip.
To effectively protect against Thunderspy, Goretsky recommends: “First, prevent any unauthorized access to your computer. Second, secure all your computer’s relevant interfaces and ports, such as USB-C. Besides that, look beyond physical measures and also take steps to make your computer’s firmware and software more secure.”
These include taking very simple steps. “Disable hibernation, sleep or other hybrid shutdown modes. Make the computer turn completely off when not in use – doing this can prevent attacks on the computer’s memory via Thunderspy,” he added.
ESET additionally recommends that reputable security software is used to scan a computer’s UEFI firmware, which is one of the locations where Thunderbolt security information is stored.
Security researchers at Kaspersky have uncovered a new cyber-mercenary group that they claim has been providing hacking services for hire for almost a decade.
Dubbed “Deceptikons,” the APT group isn’t particularly sophisticated from a technical perspective and isn’t known to have deployed any zero-day threats during that time, the Russian AV vendor said in a Q2 round-up report.
“The Deceptikons infrastructure and malware set is clever, rather than technically advanced. It is also highly persistent and in many ways reminds us of WildNeutron,” the firm said.
Also known as Jripbot and Morpho, WildNeutron was known for targeting private companies for profit around the globe, most notably Apple, Facebook, Twitter and Microsoft in 2013. The threat actors behind the group were noted for the care they took in hiding command and control server (C&C) addresses and building in special features to help with recovery from any C&C shutdown attempts.
Like WildNeutron, Deceptikons is unusual for APT groups in focusing on commercial and non-governmental targets.
“In 2019, Deceptikons spear-phished a set of European law firms, deploying PowerShell scripts. As in previous campaigns, the actor used modified LNK files requiring user interaction to initially compromise systems and execute a PowerShell backdoor,” explained Kaspersky.
“In all likelihood, the group’s motivations included obtaining specific financial information, details of negotiations and perhaps even evidence of the law firms’ clientele.”
Hacker-for-hire groups represent a different but no less immediate threat to organizations than state-sponsored operatives. In some cases, they do go after government as well as commercial targets.
In June, Citizen Lab uncovered a major operation against journalists, rights groups, government officials, financial institutions and others, apparently orchestrated by an Indian tech firm. The mere presence of Dark Basin, as well as Deceptikons and groups like them, indicates there is a thriving market in the outsourcing of cyber-espionage activity.
North Korea is most likely behind a new cyber-espionage campaign targeting US defense and aerospace firms earlier this year, according to McAfee.
The security firm’s Advanced Threat Research (ATR) group said it detected similarities in TTPs with previous campaigns in 2017 and 2019 which were attributed to Hidden Cobra — the umbrella term used to refer to Pyongyang’s Lazarus, Kimsuky, KONNI and APT37 groups.
The new “Operation North Star” attacks, spotted running from March to May, used a fairly rudimentary spear-phishing email featuring legitimate job ads at defense contractors as a lure.
“This recent campaign used malicious documents to install malware on the targeted system using a template injection attack,” McAfee explained.
“This technique allows a weaponized document to download an external Word template containing macros that will be executed. This is a known trick used to bypass static malicious document analysis, as well as detection, as the macros are embedded in the downloaded template.”
According to the report, victims were also targeted via social media.
Compromised infrastructure in European countries was used to host the command and control (C2) servers and distribute implants to targeted machines, it added.
However, the C2 infrastructure wasn’t active at the time of analysis, which limited McAfee’s insight into the campaign. The report also wasn’t able to clarify exactly which organizations were targeted as it wasn’t able to retrieve any of the spear-phishing emails.
McAfee does know that the lures were job ads in engineering and project management positions across various US defense programs, including: F-22 fighter jets, Defense, Space and Security (DSS), photovoltaics for space solar cells and the Aeronautics Integrated Fighter Group.
German giant Dussmann Group has become the latest company to fall victim to a ransomware-data breach attack, after hackers began posting stolen files to the dark web.
The facilities management multinational, which employs over 66,000 staff worldwide and makes billions of euros in sales annually, appears to have been struck by the Nefilim variant.
The group behind the ransomware began posting over 16,000 files to its dark web site as proof of its efforts, according to @ransomleaks. A screenshot shows the first part of the upload dated Monday with links to the archive, and reveals some personal contact details of the company’s executives.
Pioneered by groups such as Maze, this is a common tactic designed to persuade victim organizations who have backed-up their data to pay the ransom, although the cyber-criminals’ claims of how much data they actually have in their possession aren’t necessarily to be trusted.
A Dussmann statement issued by the firm revealed that the attack targeted its refrigeration subsidiary Dresdner Kühlanlagenbau, admitting that data “was encrypted and copied.
“The servers were shut down as a precaution. The data protection authorities and the State Office of Criminal Investigation in Saxony have been informed and charges have been filed,” it continued.
“Operational processes in the business unit for refrigeration air-conditioning plant engineering are secure. DKA has already informed clients and employees about the cyber-attack and the data outflow. Due to ongoing investigations, we cannot say more at present.”
It’s unclear exactly how the firm’s security was breached, although Nefilim is a fairly new variant that shares many characteristics with the Nemty ransomware family. To that end it’s most likely to spread via RDP, according to Trend Micro.
Ransomware attackers have multiple tactics to target RDP including: exploitation of vulnerabilities in the protocol, brute forcing log-ins and purchasing breached RDP credentials online.
The risks are significantly higher today considering the number of remote workers using such tools to connect to office systems.
Rite Aid's quiet use of facial recognition technology in its stores has ended after nearly a decade.
Since 2012, the American drugstore had gradually implemented the technology in 200 stores around the country, according to an investigation by Reuters.
Analysis of where the technology had been deployed indicated that Rite Aid had primarily installed it in lower-income neighborhoods.
The pharmacy said that the geographical distribution of the technology was informed by local and national crime statistics together with each site's infrastructure and specific history of thefts.
Rite Aid said the technology was installed as part of an effort to deter thieves and protect staff from violent crime. Under the system, the faces of people entering a store were matched to those of individuals Rite Aid had previously observed engaging in criminal or potentially criminal activity.
In the event of a match's being made, an alert was sent to the smartphones of the store's security personnel. Customers could then be asked to leave if the security found, after reviewing the match, that it was accurate.
After confirming the existence and scale of the technology's use in its stores to Reuters, Rite Aid last week said it was pulling the plug on the facial recognition program. It later stated that all the cameras linked to the facial recognition software had been turned off.
“This decision was in part based on a larger industry conversation,” Rite Aid told Reuters in a statement, adding that “other large technology companies seem to be scaling back or rethinking their efforts around facial recognition given increasing uncertainty around the technology’s utility.”
During one or more visits from October 2019 to July 2020, Reuters' investigators found facial recognition cameras at 33 of the 75 Rite Aid stores they visited in Manhattan and central Los Angeles.
“Reporters found no notice of the surveillance in more than a third of the stores they visited with the facial recognition cameras,” stated Reuters.
The world’s largest non-profit association of certified cybersecurity professionals has named Global Knowledge as its official training provider in the United Kingdom.
The partnership between Global Knowledge and (ISC)² was announced today as part of the latter’s drive to offer certified cybersecurity training to its UK customer base.
Global Knowledge will be providing exam preparation training for the full range of (ISC)² certifications, responding to increased demand and a growing supply shortage of certified professionals in the cybersecurity workforce.
“Expanding the channel for (ISC)² certification training in the region to provide more choice to learners is of paramount importance at this critical time for both the UK and the global economy,” said Deshini Newman, managing director EMEA at (ISC)².
“The world of work has changed in response to the challenges presented by the global pandemic. It has made cybersecurity skills all the more critical as organizations tackle the cyber-challenge on multiple fronts — dealing with external and internal cyber-threats, maintaining regulatory compliance amid evolving regulation, following best practices and securing an increasingly distributed workforce.”
Global Knowledge was established in 1995 and is headquartered in North Carolina. Every year the company delivers over one million information technology and business skills training courses to over 200,000 professionals. Course curriculums include communications skills, business analysis, project management, service management, process improvement and leadership development services.
“Global Knowledge welcomes the opportunity to be a (ISC)² Official Training Provider in the UK,” said Glyn Roberts, managing director at Global Knowledge UK.
“For over two decades, Global Knowledge has provided the quality IT and business skills training that organizations of all sizes require to succeed in an ever-changing business world and cybersecurity landscape. This new partnership with (ISC)² will support our goal to continuously grow and innovate, ensuring our mutual customers always obtain the most relevant learning experience and content possible.”
Boasting a membership that exceeds 150,000, (ISC)² is best known for its acclaimed Certified Information Systems Security Professional (CISSP®) certification. In the UK, the association also partners with training providers Firebrand Training and Learning Tree International.
Pop icon Madonna has been censured for sharing a video on Instagram in which doctors tout hydroxychloroquine as an effective treatment for individuals infected with coronavirus.
The clip shared by her Madgesty shows members of America's Frontline Doctors speaking at a gathering held outside the US Supreme Court. In it, Houston doctor Stella Immanuel says that she has used hydroxychloroquine to effectively treat 350 coronavirus patients "and counting."
America's Food and Drug Administration has cautioned against the use of hydroxychloroquine or chloroquine for COVID-19 outside of a hospital setting or a clinical trial due to risk of heart rhythm problems.
The singer shared the video with 15 million followers together with a post that claimed a vaccine for COVID-19 had been discovered but was being suppressed to "let the rich get richer."
Instagram blurred out the video with a caption stating, "false information." Users who viewed the post were directed to a page informing them that no vaccine for the novel coronavirus has been created.
Madonna's fans and peers expressed disbelief over the singer's suggestion of the existence of a coronavirus conspiracy.
"This is utter madness!!!," commented pop star Annie Lennox. "Hopefully your site has been hacked and you're just about to explain it."
The post was later removed from Madonna's Instagram account. The same video was previously shared by Donald Trump Jr. on Twitter, landing the president's son a 12-hour ban from using the social media app.
In a move that could draw criticism from defenders of the right to free speech, both Facebook and Twitter have removed the video from their sites after declaring it to be false information.
Yesterday some of the doctors featured in the banned video met with Vice President Mike Pence.
Following the meeting, the group's leader Simone Gold tweeted: "We have just met with Vice President Mike Pence to request the administration's assistance in empowering doctors to prescribe hydroxychloroquine without political obstruction. We also discussed the recent censorship of doctors on social media platforms."
The Vatican’s computer networks have allegedly been infiltrated by Chinese hackers in the run up to sensitive talks between the Catholic Church and Beijing focusing on the religion’s status in China.
This is according to cybersecurity firm Recorded Future, which detected a series of incursions into the Vatican and the Holy See’s Study Mission to China’s systems from the beginning of May. The latter organization is a Hong Kong-based group of de facto Vatican representatives.
It is a suspected case of cyber-espionage, with the Chinese state frequently accused of targeting religious groups, such as Buddhist Tibetans and Muslim Uighurs, through cyber-attacks in recent years. Recorded Future’s report noted that Chinese state-sponsored groups often target religious minorities in the region.
Talks are expected to take place in September between the Vatican and the Chinese government regarding the renewal of a provisional agreement signed in 2018 that revised the terms of the Catholic Church’s operations in China.
The report said multiple PlugX C2 servers that communicated with Vatican hosts were identified from mid-May until at least July 21 2020. In one attack, a customized PlugX payload was hidden in a letter purporting to be from the Vatican to Msgr. Javier Corona Herrera, the chaplain who heads the study mission in Hong Kong.
Recorded Future stated: “From early May 2020, The Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations that were targeted by RedDelta, a Chinese-state sponsored threat activity group tracked by Insikt Group.”
It added: “The suspected intrusion into the Vatican would offer RedDelta insight into the negotiating position of the Holy See ahead of the deal’s September 2020 renewal. The targeting of the Hong Kong Study Mission and its Catholic Diocese could also provide a valuable intelligence source for both monitoring the diocese’s relations with the Vatican and its position on Hong Kong’s pro-democracy movement amidst widespread protests and the recent sweeping Hong Kong national security law.”
Speaking to Infosecurity, Sam Curry, chief security officer at Cybereason, commented: “There are three certainties in life, death, taxes and Beijing’s repeated denials of having any involvement in cyber-espionage. The communist government can then claim plausible deniability and blame some third party that they likely hired to do their dirty work.”
He added: “As for the Vatican or any public or private entity, there is another certainty and that is repeated attempts to steal your proprietary information by a nation-state or rogue hacking group. Reducing risk should be paramount to any organization and one of the ways security analysts can see more deeply into a network is through threat hunting and around the clock monitoring of all inbound and outbound network traffic.”
Cyber-criminals’ exploitation of the COVID-19 pandemic to target individuals and businesses continued unabated during the second quarter of 2020, according to ESET’s Q2 2020 Threat Report published today. The findings highlight how the crisis defined the cybersecurity landscape in Q2 in much the same way as it did in Q1, when the pandemic first struck.
ESET observed a continuous focus on phishing using COVID-19 lures in this period. This included criminals taking advantage of the rise in online shopping during the pandemic, with a 10-fold increase compared to Q1 in phishing emails impersonating one of the world’s leading package delivery services.
The shift to remote working as a result of the pandemic has also led to increased targeting of Remote Desktop Protocol (RDP) in recent months. Roman Kováč, chief research officer at ESET, commented: “Our telemetry showed a continued influx of COVID-19 lures in web and email attacks, as well as an increase in attacks targeting RDP, with persistent attempts to establish RDP connections more than doubling since the beginning of the year.”
Ransomware tactics were found to be “rapidly developing” in this period, with operators moving away from doxing and random data leaking towards auctioning the stolen data on dedicated underground sites.
The report also highlighted some of the important investigations undertaken by ESET researchers in recent months. This included the uncovering of a ransomware campaign targeting Android users in Canada under the guise of a COVID-19 tracing app. “We quickly put a halt to this operation and provided a decryptor for victims,” said Kováč.
Additionally, exclusive research revealed details of a malicious Google Chrome extension targeting hardware wallets for cryptocurrencies and a renewed targeted attack on a Hong Kong university.
The British Security Industry Association’s (BSIA) Cybersecurity Product Assurance Group (CySPAG) has announced the release of a new code of practice for installers responsible for safety and security systems.
Developed by the CySPAG, the “Installation of safety and security systems – cybersecurity code of practice” will assist in providing confidence throughout the supply chain, promoting secure connection of products and services and delivering client assurance regarding connected solutions. The recommendations put forward apply in addition to other standards and codes of practice relating to systems and equipment to be installed.
Steve Lampett, technical manager at BSIA, said: “We have long been concerned with the ever-increasing use of internet connected devices and systems in electronic security and how the growing links to home and business networks can leave individuals and companies vulnerable to cyber-attacks.
“It is also significantly important to acknowledge that there is a combined stakeholder effort in providing a cyber-secure solution, i.e. manufacturers, designers and installers working in collaboration to provide a credible cyber secure solution.”
The BSIA’s new code of practice for installers takes a practical approach to address cybersecurity risks, moves the sector forward in terms of managing that risk and has the potential to become a real game changer for the industry, Lampett added.
“This will not be the end goal but should steer industry practitioners into thinking differently about how we utilise new technology in security and equip the professional security industry for the future.”
Glenn Foot, chairman of CySPAG, explained that CySPAG has strong representation from various roles across the industry and has focused on what is practicable for installers to do and what can be expected of clients.
“The code of practice is the first step in a journey for this industry, and CySPAG is committed to continuing to support the industry with firstly comprehensive training modules for installation companies and also a linked code of practice for manufacturers.
“The overall aim is to ensure products are produced and installed securely.”
The acquisition will strengthen Qualys’ endpoint behavior detection portfolio and boost its own research capabilities with Spell’s deep knowledge of threat hunting and adversary techniques. Key Spell Security employees have joined Qualys’ Malware Detection Solutions, it has been disclosed.
Qualys said the addition of Spell Security’s hunting and reporting capabilities will enable its security teams to detect and hunt for high-fidelity threats, gain the full context of attack paths through correlation of all security vectors for investigation and prioritization of security incidents, and respond appropriately to eliminate the root cause of incidents.
Philippe Courtot, chairman and CEO of Qualys, said: “Spell Security delivers outstanding malware and threat research capabilities, frontline experience investigating security incidents and data breaches, and powerful triage-driven threat hunting capabilities.
“Adding its technology to the Qualys Cloud Platform enables us to further strengthen our security and threat research, advanced endpoint behavior detection and provide customers with enhanced telemetry for even greater visibility, which helps them respond to threats more quickly. We welcome Spell Security to the Qualys family.”
Rajesh Mony, founder and CTO of Spell Security, said: “The entire Spell Security team and I are thrilled to be part of such a pioneering and innovative cybersecurity company. Qualys’ approach to delivering a unified cloud platform with all the information needed for protection, detection and response at your fingertips is well ahead of anything we’ve seen.”
The announcement coincides with the launch of Qualys’ Multi-Vector Endpoint Detection and Response (EDR) product. Designed to provide critical context and full visibility into the entire attack chain, and thereby a more comprehensive, automated and faster response to attacks, Multi-Vector EDR enables security teams to unify multiple context vectors (asset and software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, network traffic summary, MITRE ATT&CK tactics and techniques, malware, endpoint telemetry and network reachability), using the Qualys backend to correlate them with threat intelligence for accurate detection, investigation and response.
“Qualys Multi-Vector EDR represents a major extension to both the Qualys Cloud Platform and our agent technology,” said Courtot. “Adding context and correlating billions of global events with threat intelligence, analytics and machine learning results in a truly groundbreaking approach to EDR that not only stops sophisticated multi-vector attacks, but also automatically orchestrates the appropriate response all from a single solution, thus greatly reducing the time to respond while drastically reducing cost.”
A greater focus is being placed on credential theft by nation state actors rather than stealing money.
Speaking at a virtual briefing, Jens Monrad, head of Mandiant Threat Intelligence for EMEA at FireEye, focused on attacks from Russia, Iran and China and their various activities. Monrad said such attacks are made easy by the typical user’s digital footprint, which allows an attacker to pick up details about the victim and use them in a social engineering scenario.
He explained that the malware most commonly detected by FireEye customers is focused on stealing credentials and stealing information, “and that makes sense as regardless of your motivation, if you can steal or buy stolen credentials, you will make less noise in your operation.”
Furthermore, he compared a high-stakes “heist” to robbing a house: if you can purchase the access code to the alarm system or purchase the keys, you make less noise than if you break in.
“Credentials can vary from anything that requires a username and password to databases or access to cloud environments,” he said. “This is just part of the ecosystem we currently see, and [cyber-criminals] advertise databases and tools and services on the underground forums.”
Monrad added that, from a cyber-criminal perspective or even as part of a nation state campaign, buying those credentials may give an attacker a more silent entry into a system. “If you’re a cyber-criminal deploying ransomware post-compromise, this will make you more successful in your intrusions.”
He said this is why Mandiant is focused on credential theft as an operation in its own right, as it sees it as a challenge for organizations to control their credentials, to monitor for stolen credentials and to make sure that they follow the best guidance on passwords and enforce MFA.
Asked by Infosecurity if the company's research had not considered nations which were seeking financial gain from attacks, such as North Korea, Monrad said the intention had been to focus on diplomatic attacks by Russia, “dual use” by China and “where anything is a threat” by Iran, but he admitted that where North Korea is involved, they do still see “those big money heists.”
He said that financial attacks are still happening, and there are still more conventional cyber-attacks in which the attacker tries “to gain large financial sums in one cyber-attack.” However, the “longer game” of credential theft is now common, and from a cyber-criminal perspective the value of purely financial attacks is diminishing, with more money made from “selling access to desktop machines.”
“With the exception of North Korea we do see that change,” he concluded, noting there is more interest in interacting with the banking transfer systems and mechanisms, and specifically with the SWIFT banking transfer system.
An Israeli marketing video firm this week announced a major breach of user data which appears to have impacted over 14 million accounts.
Promo, which describes itself as “the world’s #1 marketing video maker,” revealed in an online notice that a vulnerability in a third-party service was to blame for the incident, which also affected customers of its Slidely business.
Although social media log-ins and financial information were not compromised, the attackers appear to have made off with plenty of sensitive personal data.
“The exposed data includes first name, last name, email address, IP address, approximated user location based on the IP address, gender, as well as encrypted, hashed and salted password to the Promo or Slidely account,” said Promo.
“Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded.”
In fact, this does seem to be the case, after dark web traders were spotted selling the haul, including 1.4 million cracked passwords.
Although Promo failed to quantify the scale of the breach, HaveIBeenPwned has claimed the incident exposed 22 million records containing over 14.6 million unique email addresses.
Promo has informed all affected customers and will force a password reset as a precaution.
“Promo blamed a third-party vendor for exposing the passwords, but why is Promo sharing its users’ passwords with third parties in the first place? Furthermore, Promo must have been using an outdated hash algorithm to encrypt passwords if hackers were able to crack them,” argued Comparitech privacy advocate, Paul Bischoff.
“To add insult to injury, the data was posted on a forum before Promo even knew about the breach and was able to alert customers. That’s three strikes against Promo.”
The average global cost of a data breach fell slightly from 2019 to 2020, but COVID-19 is likely to increase the financial impact and incident response times because of mass remote working, according to IBM.
Published today, the tech giant’s annual Cost of a Data Breach Report is compiled from analysis of 524 breached organizations and covers 17 countries and 17 industries.
The average breach cost of $3.86m is 1.5% down on last year’s study, but this is not necessarily a cause for celebration.
“Costs were much lower for some of the most mature companies and industries and much higher for organizations that lagged behind in areas such as security automation and incident response processes,” the report noted.
What’s more, the impact of mass remote working is expected to add $137,000 to these costs, delivering an adjusted average total cost of $4m, higher than last year’s $3.92m.
So-called “mega breaches” also saw a surge in associated costs: for breaches of between one and 10 million records the cost is said to be $50m on average, while for breaches of over 50 million records the figure is a whopping $392m. That’s up from $388m in 2019 and is more than 100 times the average for breaches of under 100,000 records.
Cloud misconfigurations tied stolen or compromised credentials as the number one cause of breaches resulting from malicious attacks (19%).
Configuration errors raised the average breach cost by half a million dollars to $4.41m; compromised credentials, however, led to an even bigger financial hit, adding $1m to breach costs for an adjusted average of $4.77m.
Lost business comprises the biggest chunk (40%) of cost following a breach, increasing from $1.42m in 2019 to $1.52m this year. This can include customer churn, system downtime and the cost of finding new business, according to IBM.