Feed aggregator

US Law Firm Sued Over Fraudulent Wire Transfer

Info Security - Fri, 07/24/2020 - 17:00

American international law firm Holland & Knight is facing a lawsuit over a fraudulent wire transfer that saw criminals make off with more than $3m. 

According to the suit, the law firm was hired by two foundations to sell some stock and carry out a merger plan related to the sale. However, a fraudster was able to steal the proceeds from the sale after intercepting emails from the firm and impersonating the stock seller. 

Posing as the seller in an email, the fraudster asked Holland & Knight to wire $3.1m from the stock buyer to a fraudulent account identified as Wemakos Furniture Co. Limited.

The firm sent an email to the new account to verify it, but this email too was intercepted by the cyber-criminal. New documents for the slightly differently named HongKong Wemakos Furniture Trading Co. Limited were sent by the fraudster to Holland & Knight, and the transfer was completed.

The lawsuit was brought by the two foundations selling the stock, Sorenson Impact Foundation and the James Lee Sorenson Family Foundation. The former invests in startups created to help underserved communities while the latter is a nonprofit trust based in Utah. 

According to the plaintiffs, Holland & Knight should have done more to prevent the cybercrime from occurring. They have accused the firm and the transfer agent, a second defendant, of being in breach of contract and of failing in their fiduciary duty. 

The suit says the agent and the firm should have known from the inconsistencies between the documents they received that the fraudster's account was illegitimate. The plaintiffs also said that the defendants should have picked up the phone and called the stock sellers to verify the authenticity of the emails. 

The American Lawyer reports that since being filed in June in Utah state court, the lawsuit was removed to federal court on July 21.  

Holland & Knight provided this statement to the ABA Journal: “Holland & Knight’s information technology system was not compromised in any way. The plaintiff was not a client, and the firm acted on wiring instructions received from the plaintiff’s email system by providing the instructions to the paying agent.”


Immediate Action Required to Protect OT Assets of Critical Infrastructure Facilities

Info Security - Fri, 07/24/2020 - 14:45

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have recommended that all DoD, NSS, DIB and US critical infrastructure facilities take immediate actions to secure their operational technology (OT) assets.

The advice comes in light of the greater use of internet-accessible OT assets to help enable organizations to operate remotely, a phenomenon accelerated by the COVID-19 pandemic. It is an important means of accommodating a decentralized workforce and expanding the outsourcing of key skill areas.

However, it is making organizations more vulnerable to cyber-attacks, with the NSA and CISA noting that “legacy OT assets that were not designed to defend against malicious cyber-activities, combined with readily available information that identifies OT assets connected via the internet, are creating a ‘perfect storm.’”

The NSA and CISA stated they have recently observed OT assets being targeted by methods including spear-phishing and commodity ransomware.

To try to avoid damaging scenarios such as loss of availability on OT networks, especially at critical infrastructure facilities, the NSA and CISA recommend that a range of measures be taken:

  1. Have a resilience plan for OT
  2. Exercise your incident response plan
  3. Harden your network
  4. Create an accurate as-operated OT network map immediately
  5. Understand and evaluate cyber-risk on as-operated OT assets
  6. Implement a continuous and vigilant system monitoring program

Commenting on the statement, Marty Edwards, former director of ICS-CERT and VP of OT security at Tenable, said: “Today’s joint alert from the NSA and CISA about malicious activity targeting operational technology (OT) and critical infrastructure should be taken very seriously. Don’t be fooled – this isn’t a warning about the possibility of attacks. This is a warning that attacks have occurred and are ongoing as we speak.

“OT is foundational to absolutely everything we do – from the energy we rely on, to the factories manufacturing medical devices, to the water we drink. The country runs on OT, and while our reliance on OT has only increased, so too has the convergence of IT and OT. Internet-accessible OT devices are significantly more exposed to outside threats than the near-extinct air-gapped systems of old.

“Organizations that utilize OT must remain vigilant and ensure they have complete, real-time visibility across their environments, including IT and OT assets and their associated vulnerabilities. From there, security teams need to prioritize risk-based mitigations such as vulnerability severity, exploitability and asset criticality.”


Internet Society and AFRINIC Collaborate to Improve Internet Resilience in Africa

Info Security - Fri, 07/24/2020 - 12:15

The Internet Society, a global non-profit organization dedicated to ensuring the open development, evolution and use of the internet, and AFRINIC, the Regional Internet Registry (RIR) for the African region, have today announced the launch of a new collaborative effort aimed at improving internet resilience in Africa.

Africa Internet Measurements, a key component of the Internet Society’s Measuring the Internet project, formalizes a longstanding relationship between the Internet Society and AFRINIC. It will drive the development of the internet in Africa through projects and research related to internet measurements and resilience, routing security, open internet standards and internet exchange points.

Over the last decade, Africa has made major strides in the development of its internet usage. However, improvements are still required in the resilience and reliability of Africa’s internet infrastructure to meet the same internet standards as the rest of the world.

“Our interests have always been aligned well with AFRINIC’s and we are excited to work with the team to create a bigger and stronger internet across Africa,” said Dawit Bekele, regional vice-president – Africa, the Internet Society.

“We look forward to collaborating on issues related to open standards, local connectivity issues, internet resilience and so much more.”

Eddy Kayihura, chief executive officer, AFRINIC, added: “It is a pleasure to partner with the Internet Society again on this project that aims at promoting internet access and connectivity in Africa. We anticipate more involvement and participation of the internet fraternity in the development of a reliable, accessible, affordable and resilient internet in Africa.”


Call for Twitter to E2E Encrypt DMs After Hackers Read Messages

Info Security - Fri, 07/24/2020 - 11:00

New questions are being asked of Twitter’s cybersecurity posture after the social network revealed that hackers managed to access the DMs of 36 high-profile accounts in a recent breach, including one Dutch politician.

The firm revealed the news in an update to the incident this week.

The politician in question is believed to be far-right lawmaker Geert Wilders, leader of the Party for Freedom. However, Twitter claimed that “to date, we have no indication that any other former or current elected official had their DMs accessed.”

Nevertheless, there will be concerns among other high-profile names on the 130-strong list of breached accounts that their private messages were also accessed. These include Jeff Bezos, Bill Gates, Barack Obama, Joe Biden, Elon Musk, Michael Bloomberg, Warren Buffett and many others.

Oregon senator Ron Wyden, who sits on the influential Senate Select Committee on Intelligence, took to Twitter before the latest revelations to voice his displeasure at the incident.

“In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter's CEO Jack Dorsey. During that conversation, Mr Dorsey told me the company was working on end-to-end encrypted direct messages,” he explained.

“It’s been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access.”

He added that if hackers were to access the DMs of some of the affected accounts “this breach could have a breathtaking impact for years to come.”

The breach first came to light last week after high-profile accounts began tweeting a cryptocurrency scam designed to trick followers into donating digital currency for a worthy cause.

It soon emerged that the attackers had accessed 130 business and individual accounts by socially engineering Twitter staff, which included “getting through our two-factor protections.”

There was more bad news for the social network this week after Reuters reported that over 1000 employees and contractors had access to the internal tools which could have enabled a similar incident.


Garmin Outage Could Ground Aircraft

Info Security - Fri, 07/24/2020 - 09:45

Pilots using the flyGarmin app may be forced to ground their aircraft after a suspected ransomware attack against the smart device maker appeared to take out key services.

As of Thursday evening EDT, flight plan filing, account syncing and database concierge capabilities were down in the Garmin Pilot app, according to a service outage update from Garmin. Data from the on-board Central Maintenance Computer (CMC) was also unavailable.

“We are currently experiencing an outage that affects flyGarmin and as a result, the flyGarmin website and mobile app are down at this time,” it noted. “This outage also affects our call centers, and we are currently unavailable to receive any emails or chats, but do have limited availability for calls. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”

The outage seems to have affected the entire firm, which also produces fitness trackers, smart watches and other wearables.

It said the Garmin Connect website and mobile app are also down.

Saryu Nayyar, CEO of Gurucul, described the incident as a “doozy.”

“You just don't know when the bad guys are going to attack and who will be their next victim. However, what we do know is every organization is susceptible to ransomware attacks. So, do what you can to prepare and respond,” he added.

“Hopefully, Garmin has a daily backup regimen for the company’s systems and data. That’s table stakes. If you get hit, at least you can recover your data. If you can get ahead of the attackers, even better. Behavioral analytics monitors every user and entity in the environment in real-time, to detect and stop bad actors before they can execute their payload. Machine-based responses are becoming table stakes to machine-based threats these days.”


Blackbaud Breach Hits Nine More Universities

Info Security - Fri, 07/24/2020 - 08:30

A combined ransomware and data breach attack on a US cloud computing provider in May has affected many more universities and non-profits than at first thought.

Infosecurity reported on Wednesday how the University of York in northern England had notified affected staff and students that their personal details may have been compromised as a result of the incident at Blackbaud two months ago.

However, the list of affected Blackbaud customers now stretches to 12, including several more universities in the UK and North America, plus Human Rights Watch and mental health charity Young Minds, according to the BBC.

University College Oxford, the University of London, Canada’s Ambrose University and the Rhode Island School of Design are among those higher education institutions impacted. They’re all said to be in the process of contacting those affected by the breach.

Blackbaud has been criticized for its slow response to the incident, which may put it at risk of a GDPR investigation.

The firm said in a lengthy but undated statement that it discovered and blocked a ransomware attack on its servers back in May, but that “the cyber-criminal removed a copy of a subset of data from our self-hosted environment.

“As protecting our customers’ data is our top priority, we paid the cyber-criminal’s demand with confirmation that the copy they removed had been destroyed,” it said.

“Based on the nature of the incident, our research and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cyber-criminal, was or will be misused, or will be disseminated or otherwise made available publicly.”

Cath Goulding, CISO at Nominet, argued that it was “worrying” that the firm had paid the ransom, against general best practice advice, adding that this could encourage future attacks.

“Once again, multiple parties have been exploited through a common component in their supply chain. This demonstrates the multiplier effect of supply chain hacks and reinforces the advice that security needs to be a collaborative exercise across organizations and between them,” she said.

“It is important to scrutinize your supply chain, understand their processes and ensure due diligence is done to mitigate the risk of an attack. Ideally you should be looking for suppliers that have at least the same security principles as you do.”

Despite paying the ransomware attackers in this case, Blackbaud maintains that it follows “industry standard best practices.” It has reportedly refused to reveal the full list of clients affected by this breach out of privacy concerns.

The UK’s Information Commissioner’s Office (ICO) has been notified about the case.


Florida Tax Office Blames Data Breach on Virus

Info Security - Thu, 07/23/2020 - 18:00

A Florida Tax Collector's Office has blamed malware found on an employee's computer for a data breach that affected around 450,000 residents of Polk County. 

The breach occurred in June at the Tax Collector’s Office for Polk County (TCPC). Information exposed in the attack included Social Security numbers and driver's license numbers. 

In a statement issued on July 15, Tax Collector for Polk County Joe Tedder said that his office was "subject to a new strain of a targeted computer virus attack not seen before."

The attack occurred at around 2:15 pm on June 23 after an office employee clicked on what turned out to be a malicious email attachment disguised as an invoice. 

Tedder's office said that the incident was "quickly recognized" by the IT team, who "took immediate action to mitigate the threat." In an attempt to prevent the virus from spreading, the office's entire computer system was shut down, including telephones, online processing, and service center operations.

Following the attack, all of the office's PCs were wiped clean and restored and third-party computer forensic specialists were brought in to determine the scope of the incident. 

A subsequent forensic investigation completed on July 11 concluded that driver's license numbers had potentially been accessible to an anonymous third party. 

The investigation found no evidence that personal information was subject to actual or attempted misuse.

“We believe exposure was very limited,” Tedder told WFLA.

Tedder's office stated: "Although the investigation found no evidence that any information was misused, individuals are encouraged to remain vigilant against incidents of identity theft by reviewing account statements for unusual activity or errors."

Once the compromised computer system was back up and running, it was determined that no access had been lost as a result of the attack.

"The Tax Collector’s Office is currently able to report that we did not lose access to our systems, backups, or other operational data," said the TCPC. 

"However, in an abundance of caution to address this new strain of computer virus, TCPC has implemented additional safeguards to further secure system information."


US Banks Can Now Offer Crypto Custody Services

Info Security - Thu, 07/23/2020 - 17:30

US officials have given the go-ahead for all nationally chartered banks in the US to provide custody services for crypto-currencies.

Senior Deputy Comptroller and Senior Counsel Jonathan Gould has declared that any of America's national banks can hold onto the unique cryptographic keys for a crypto-currency wallet.

Gould made the statement in a letter dated July 22 that appears to be addressed to an unidentified bank.

Prior to banks receiving the green light from Gould, crypto-currency custody was the unique preserve of specialist firms. To offer the service to large investors, these firms typically had to be in possession of a state license such as a trust charter.

Now national banks will be able to hold digital assets for their clients, who could benefit as a result.

In his letter, Gould noted that banks “may offer more secure storage services compared to existing options."

He then made the observation that using regulated custodians may help investment advisors and consumers to maintain access to their private keys and consequently keep their funds secure.

Gould predicted that, to keep offering traditional services in the future, banks would likely have to embrace fresh technological solutions.

He wrote: “The OCC recognizes that, as the financial markets become increasingly technological, there will likely be increasing need for banks and other service providers to leverage new technology and innovative ways to provide traditional services on behalf of customers."

In his letter, Gould said banks would be able to provide both fiduciary and non-fiduciary custodian services and compared some crypto-currencies to the US dollar.

He wrote: "The US dollar was a type of asset-backed money prior to abandonment of the gold standard. Some types of cryptocurrencies may have similar characteristics to this type of money. For example, stablecoin is a type of cryptocurrency that is backed by an asset, such as a fiat currency or a commodity."

“This announcement signifies a real acceleration in the embrace of the digital asset class and the value of digital currency solutions," commented Digivault CEO Robert Cooper.

"Not only does this represent seismic development for crypto holders in the US but echoes a broader trend regarding the acceptance of digital assets amongst global regulators."


Fraudulent Photo App Operation Detected on Google Store

Info Security - Thu, 07/23/2020 - 17:12

Researchers have exposed a malicious cyber-operation involving fraudulent photo-editing apps, none of which were found to function as advertised.

New research published today by White Ops’ Satori threat intelligence team revealed 29 fraudulent apps to be part of a nefarious cyber-scheme that they have named Chartreuse Blur. 

The apps, which have already been downloaded 3.5 million times from the Google Play Store, cause out-of-context (OOC) ads to run rampant on a compromised device and randomly open web browsers while the device is in use. 

Researchers noted that any time a compromised device is unlocked, plugged into a charger, or even switches cellular networks, an OOC ad pops up on the home screen, whether the fraudulent app is open or not. 

Whoever is behind the operation tried hard to hide the true nature of the apps involved. The team found the apps' malicious code has been buried in a three-stage payload evolution so that none of the code appears problematic until stage three. 

Efforts were also made to prevent users from deleting any of the apps they have installed. Almost immediately upon installation, the app icon disappears from the device’s home screen, making it incredibly difficult for users to find and remove. 

The name Chartreuse Blur was given to the operation because the majority of the apps involved masquerade as photo editors and include the word "blur" in their package name.

“If the app you’ve just downloaded is playing hide and seek with you, the icon disappearing from your home screen, it might be bogus,” warned researchers.

“If the only way you can open the app is by going into your Settings menu and finding it in a long list of apps, it might be bogus. If after you download this app, you open your phone and you begin getting bombarded by ads just appearing out of nowhere, it might be bogus.”

One of the apps exposed by researchers, the Square Photo Blur app, has since been removed from the Google Play Store.

“The developer name for Square Photo Blur — 'Thomas Mary' — is almost certainly bogus,” noted researchers. 

“All of the apps in this investigation feature developers whose 'names' are common English language names smashed together, seemingly at random.”


CISOs: Cyber Insurance Fails to Cover Modern Threats and Remote Workforces

Info Security - Thu, 07/23/2020 - 16:00

A large majority of CISOs are seeking additional cyber insurance coverage because of an increase in vulnerabilities resulting from the work-from-home surge.

According to research by Arceo surveying 250 CISOs at companies with $250m to $2bn in annual revenue, over three-quarters (77%) said there are incidents they need coverage for but are unable to get it. Also, 88% of respondents were not completely satisfied with the performance of their company’s primary insurance brokerage.

However, 96% want additional coverage, as they believe the security practices followed when working remotely are unlikely to be as stringent as those at the office, leading to a higher risk of attack. Those CISOs stated that cloud usage (49%), personal device usage (45%) and unvetted apps or platforms (41%) posed the biggest threats during this work-from-home period.

Also, CISOs want cyber insurance to cover business email compromise (56% of respondents), loss of electronic data (55%), cyber-extortion (53%) and ransomware (52%).

Isabelle Dumont, VP of market engagement at Cowbell Cyber, said there needs to be more clarity over cyber-coverage for all stakeholders that deal with cyber insurance.

“Only a standalone cyber-policy can address this by matching every category of a cyber-incident – data breach, extortion and ransomware, social engineering, fraudulent fund transfer, and many more – with specific coverage and relevant definitions, including which device usage – home or office – is covered and much more,” she said. “Policyholders’ satisfaction directly depends on this as well as overall value provided whether or not there is a claim made during the policy period.”

Among the 77% of CISOs that identified incidents they feel they need coverage for but report being unable to get it, the most common unmet need is cyber-extortion, particularly at firms with the largest revenue. So is the onus on cyber insurance providers to be broader in their coverage, or clearer about what they will and will not cover?

Andrew Barratt, UK managing director at Coalfire, said: “Cyber-extortion (and extortion in general) has posed problems for the insurance markets because it is difficult to underwrite. In practical terms, the policy typically won’t cover ransom or extortion charges due to the legalities in different jurisdictions. Also, the ransomware that is typically used to execute extortion scenarios is something that exploits user error – so insurers have a tough time balancing the value of this risk.”

Barratt also said some brokers simply push a stock ‘cyber’ product and don’t spend the time understanding whether it covers all the things the business needs. “With the complexity of cyber-coverage options, it is really important to understand all exclusions, limits and risks being transferred.”

Barratt also recommended that CISOs look for more specialty cyber-coverage that starts with a discussion of their needs with the broker and, in some cases, the underwriters. “Risks are more likely to be accepted if an organization can show they have some controls in place to mitigate or detect issues and that potential exposure time can be controlled,” he said.

Mohit Tiwari, CEO and co-founder of Symmetry Systems, added that many organizations are led astray when it comes to obtaining cyber insurance because they get lost in buzzwords. “If insurers were able to offer coverage on the data itself, then even the top concerns for CISOs could be eased by the knowledge that the information most vital to their operations is safe.”



Cloud Misconfigurations a Major Compliance Risk, Say IT Decision Makers

Info Security - Thu, 07/23/2020 - 15:31

Cloud misconfigurations are considered a data security risk by 95% of IT decision makers in the UK, according to a new study from Trend Micro. The findings highlight how human error is a major cause of organizations’ compliance problems and is obstructing their digital transformation.

Of those who regard cloud misconfiguration as a risk, 41% said it is a “great risk.” For those working in B2C, this rose to 57%, and in administrative or technical roles, 52%.

Nearly two-thirds (62%) of IT decision makers said they are extremely or very concerned about the legal and regulatory compliance implications of cloud threats like misconfiguration, and 27% stated they had experienced such an incident over the past year.

The most common forms of misconfiguration errors include leaving an unencrypted data store exposed to the public internet without any form of authentication required to access it, exposing data to all global users of the same cloud platform and leaving encryption keys and passwords in open repositories.

This provides cyber-criminals with opportunities to undertake nefarious activities such as stealing and ransoming data and installing malicious digital skimming code onto websites.

“From Capital One to the US government, the list of serious data leaks and breaches via misconfigured cloud systems is growing by the second. Trend Micro’s Cloud One – Conformity offering detects 230 million of these errors every single day,” commented Bharat Mistry, principal security strategist at Trend Micro.

“This tells us something important: organizations are struggling to find the in-house skills needed to keep pace with their complex hybrid and multi-cloud deployments. With just a few clicks of a mouse potentially exposing highly sensitive and regulated data, CISOs need to consider investments such as cloud security posture management to tackle escalating risk.”

There have been numerous instances of data being exposed due to cloud misconfiguration errors over recent years as more organizations store data in the cloud. Last month, thousands of domestic violence victims had their emergency distress messages exposed after a developer misconfigured a back-end AWS bucket.


#COVID19 Home Working Leads to Cybersecurity Hiring Spree

Info Security - Thu, 07/23/2020 - 14:30

The COVID-19 pandemic has led to a major boost in cybersecurity job vacancies in the US, data from the Cybersecurity Jobs Report: Q2 has revealed. The study, produced by the International Consortium of Minority Cybersecurity Professionals (ICMCP) and CyberVista, indicates that the shift to remote working during the crisis has led to organizations investing more heavily in protecting themselves from cyber-threats.

An estimated 62% of the US workforce has transitioned to working from home, which has made businesses far more vulnerable to attack. A study published yesterday, for example, found that 43% of employees in the UK and US have made errors leading to cybersecurity repercussions in April.

According to LinkedIn data, there were 261,545 open cybersecurity-related positions in April, 244,140 in May and 348,082 in June. Overall, the software and IT services job market has performed comparatively strongly since the pandemic struck the US in March. While the industry-average month-over-month hiring change in March was a decline of -10.94%, in software and IT services it was just -0.8%. Since then, there was a -0.35% fall in April followed by a 7.21% increase in May.

Sectors which have had the largest number of openings for cybersecurity positions since June 18 are healthcare (at least 120,000), financial services (at least 115,000), IT and services (at least 114,000), retail (at least 85,000) and computer software (at least 77,800).

This is in the context of US unemployment reaching its highest level since the Great Depression during the crisis.

Nevertheless, the report also highlighted that the well-publicized cybersecurity skills gap means that there is currently a shortage of candidates to meet this demand, finding that 86% of the cybersecurity job openings had attracted under 10 applicants.

It stated: “Organizations may be ready and willing to hire cybersecurity talent at growing rates, but they will likely be disappointed in what they find. The talent shortage that plagued the industry for over a decade is still right where they left it earlier in the year.”

As a result, it added that organizations should consider looking for candidates from outside of traditional backgrounds and experience levels.


Password Reuse to Blame for Fifth of Account Takeovers

Info Security - Thu, 07/23/2020 - 11:04

Email account takeover (ATO) attacks often last for over a week and result from employees reusing passwords across multiple sites, according to new research from Barracuda Networks.

The security vendor teamed up with researchers at UC Berkeley to study the lifecycle of email ATO attacks, examining 159 compromised accounts across 111 organizations.

The study revealed that attacker dwell time for over a third of accounts was more than one week, emphasizing the importance of monitoring and threat removal tools to spot suspicious behavior post-compromise.

Interestingly, in a fifth (20%) of cases, compromised accounts featured in at least one previous password breach. This suggests that attackers are exploiting credential reuse to hijack accounts, either through credential stuffing or similar automated techniques, although phishing is still a popular way to obtain log-ins.

In the vast majority (93%) of ATO incidents studied, the attacker did not use the account to send out phishing emails, perhaps concerned that this would increase their chances of being exposed.

Barracuda speculated that, instead, the attackers could be using the accounts to launch conversation hijacking attacks, or that they had simply performed ATO in order to sell the account to another cyber-criminal.

Supporting the second theory is the fact that, in 31% of cases, accounts are compromised by one actor and then used by a different player to mine for information, or monetized in another way.

This again emphasizes the importance of rapid intrusion detection and response, the report claimed.

A single actor compromised and utilized accounts in 51% of cases.

Attackers are most likely to use hijacked email accounts to go after email-related Office 365 applications (78%). Of the remaining 22% of cases, the majority (17%) featured attempts to access SharePoint for sensitive documents.

Categories: Cyber Risk News

Over 1500 Exposed Online Databases Wiped by “Meow” Attacker

Info Security - Thu, 07/23/2020 - 09:45
Over 1500 Exposed Online Databases Wiped by “Meow” Attacker

Over 1500 online databases and counting have been wiped by a mystery attacker, for no apparent reason other than they are misconfigured and exposed to the public internet.

Researcher Bob Diachenko was first to notice the campaign after he discovered a misconfigured database belonging to Hong Kong-based VPN provider UFO. After being notified, the company secured the data, only for it to reappear at a different IP address.

This time the attacker pounced, overwriting all data with the words “meow” and a string of random numbers. It appears as if no ransom note was left.

“After the exposed data had been secured, it resurfaced a second time on July 20 at a different IP address – all of the records destroyed now by a new ‘Meow’ bot attack,” tweeted Diachenko earlier this week. “[The] new Elasticsearch bot attack does not contain any ransom or threats, just 'meow' with a random set of numbers. It is quite fast and search&destroy new clusters pretty effectively.”

According to a Shodan search, there were 1269 impacted Elasticsearch servers globally and 276 MongoDB instances hit by the “meow” bot at the time of writing. It’s unclear whether the attacker first stole victims’ data or whether this is a purely destructive campaign.
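What puts an instance on that Shodan list is the combination of a listener bound to every interface and no authentication in front of it. The block below is an added example, not part of Diachenko's research or either vendor's tooling: it flattens the relevant parts of an `elasticsearch.yml` or `mongod.conf`, then flags the open configuration next to its corrected form. The config fragments are constructed; the checks follow the settings' documented defaults (Elasticsearch 7.x binds to loopback and ships with `xpack.security.enabled` off, mongod binds to 127.0.0.1 and enforces nothing until `security.authorization` is enabled).

```python
"""Audit Elasticsearch and MongoDB config for the exposure the Meow bot exploits:
a listener on every interface with no authentication. Added example; the config
fragments are constructed and the YAML handling covers only nested scalar mappings."""

PUBLIC_BINDS = {"0.0.0.0", "::", "_site_", "_global_"}  # _site_/_global_ are Elasticsearch aliases


def flatten_yaml(text: str) -> dict:
    """Flatten nested mappings of scalars into dotted keys; lists and anchors are out of scope."""
    result, stack = {}, []                    # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            result[path] = value
        else:
            stack.append((indent, key.strip()))
    return result


def audit_elasticsearch(cfg: dict) -> list:
    findings = []
    host = cfg.get("network.host", "127.0.0.1")                       # default: loopback only
    public = host in PUBLIC_BINDS
    no_auth = cfg.get("xpack.security.enabled", "false").lower() != "true"
    if public:
        findings.append(f"network.host={host}: REST API listens on every interface")
    if no_auth:
        findings.append("xpack.security.enabled is not true: no authentication on the REST API")
    if public and no_auth:
        findings.append("EXPOSED: anyone reaching port 9200 can read, overwrite or delete every index")
    return findings


def audit_mongodb(cfg: dict) -> list:
    findings = []
    bind = cfg.get("net.bindIp", "127.0.0.1")                         # default: loopback only
    bind_all = (cfg.get("net.bindIpAll", "false").lower() == "true"
                or any(a.strip() in PUBLIC_BINDS for a in bind.split(",")))
    no_auth = cfg.get("security.authorization", "disabled").lower() != "enabled"
    if bind_all:
        findings.append(f"mongod listens on every interface (net.bindIp={bind})")
    if no_auth:
        findings.append("security.authorization is not enabled: any client gets full access")
    if bind_all and no_auth:
        findings.append("EXPOSED: anyone reaching port 27017 can drop every collection")
    return findings


# Constructed fragments: the open setting beside the corrected one.
ES_OPEN = "cluster.name: logs\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
ES_FIXED = "cluster.name: logs\nnetwork.host: 127.0.0.1\nxpack.security.enabled: true\n"
MONGO_OPEN = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
MONGO_FIXED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\n"
               "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, text, audit in (("es-open", ES_OPEN, audit_elasticsearch),
                              ("es-fixed", ES_FIXED, audit_elasticsearch),
                              ("mongo-open", MONGO_OPEN, audit_mongodb),
                              ("mongo-fixed", MONGO_FIXED, audit_mongodb)):
        print(name, "->", audit(flatten_yaml(text)) or ["ok"])
```

A network-level control (host firewall or security group limiting 9200/27017 to the application tier) is the belt to this brace; the audit above only tells you the service itself would accept anyone who gets a packet to it.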

Boris Cipot, senior security engineer at Synopsys, described the attacks as a “game changer” which may actually motivate organizations to follow security best practice.

“We’re seeing organizations rushing to identify and secure exposed databases, which is a much-needed and long overdue step for many firms. It’s alarming that by running a single Shodan search, we’re able to see just how many unsecured devices and services are out there – all of which are potential attack vectors,” he argued.

“There is the possibility that the attacker isn’t abusing the user data prior to its deletion. If that is in fact the case, meow attacks could actually be safeguarding users from more financially-driven malicious attackers. While the user would be impacted either way – having just lost whatever data was being stored on an affected database – at least it wouldn’t be held for ransom or sold on the dark web, for instance.”

Categories: Cyber Risk News

Hackers Steal Transfer Fees, Cripple Football Stadiums

Info Security - Thu, 07/23/2020 - 08:35
Hackers Steal Transfer Fees, Cripple Football Stadiums

The UK’s sporting organizations have been told to urgently improve cybersecurity after a new GCHQ report revealed that 70% have experienced a breach or incident in the past year, more than double the business average.

The National Cyber Security Center (NCSC) study also claimed that 30% of these organizations have experienced over five incidents in the past year.

In a sector said to contribute £37bn to the UK economy, it’s no surprise that most threats are financially motivated. Almost a third (30%) of incidents studied caused direct financial damage to the victim organization – on average, £10,000 per security breach, although one organization lost over £4m.

Tried-and-tested techniques are being used to compromise firms in the sector, including phishing, credential stuffing, malware and password spraying.

The most common threat is business email compromise (BEC). The NCSC claimed one Premier League football club nearly lost a £1m transfer fee to scammers after they hijacked the Office 365 account of its managing director. The scam was only stopped after the bank noticed a problem with the payee account.

Similarly, cyber-fraud was pegged as another common threat to sporting organizations, including not just BEC but also mandate fraud, CEO fraud, conveyancing fraud and invoice fraud. Three-quarters (75%) of surveyed firms had received fraudulent emails and at least 30% said they had experienced people fraudulently impersonating the organization in emails. Fewer than a third have DMARC configured, said the NCSC.
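Publishing a DMARC record is only useful if the record actually tells receivers to do something with mail that fails authentication. The block below is an added example, not from the NCSC report: it parses the tag/value syntax of a `_dmarc.<domain>` TXT record and lists the weaknesses that still let impersonation through (monitor-only policy, partial `pct=`, subdomains left weaker than the parent, no aggregate reporting). The domains and records are constructed; in practice you would fetch them from DNS.

```python
"""Assess a DMARC TXT record for the gaps that let impersonation mail through.
Added example; the sample records below are constructed for hypothetical domains."""

# Policy strength for p= and sp=, per RFC 7489.
RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records (hypothetical domains).
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strong.example": ("v=DMARC1; p=reject; sp=reject; "
                       "rua=mailto:dmarc@strong.example; adkim=s; aspf=s"),
    "missing.example": "",
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> list:
    """Return findings; an empty list means reject for the domain and its
    subdomains on 100% of failing mail, with aggregate reports flowing."""
    if not txt:
        return ["no DMARC record published: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["record does not begin with v=DMARC1: receivers ignore it"]
    policy = tags.get("p")
    if policy not in RANK:
        return [f"p={policy!r} is missing or invalid: record is unusable"]

    findings = []
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")

    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")

    sub_policy = tags.get("sp", policy)  # sp= defaults to the value of p=
    if RANK.get(sub_policy, -1) < RANK[policy]:
        findings.append(f"sp={sub_policy}: subdomains are weaker than the organizational domain")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so impersonation goes unseen")
    return findings


def report(records: dict = SAMPLE_RECORDS) -> dict:
    """Findings per domain, for a fleet-wide view across a group's brands."""
    return {domain: assess_dmarc(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, findings in report().items():
        print(domain, "->", findings or ["ok"])
```

`p=none` is the right starting point while you inventory legitimate senders, but it is where many organizations stop; the finding list above is what the move to `quarantine` and then `reject` should drive to empty.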

Two-fifths (40%) of attacks on sporting organizations involved some form of malware, with ransomware the biggest threat. One English Football League (EFL) club experienced a serious outage which hit virtually all endpoints, locally stored data and stadium CCTV and turnstiles, almost leading to the cancellation of a match.

“While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber-criminals cashing in on this industry is very real,” said NCSC director of operations, Paul Chichester.

“I would urge sporting bodies to use this time to look at where they can improve their cybersecurity – doing so now will help protect them and millions of fans from the consequences of cybercrime.”

Multi-factor authentication, role-based monitoring, improved cyber-awareness programs, business continuity plans and a board-level discussion of risk are all vital actions for the industry going forward, said the NCSC.

Categories: Cyber Risk News

Disabled Delawareans' Personal Data Ends Up in Student Project

Info Security - Wed, 07/22/2020 - 16:34
Disabled Delawareans' Personal Data Ends Up in Student Project

A recent Delaware Department of Health and Social Services data breach resulted in the private data of hundreds of disabled Delawareans being included in a student project. 

Data exposed in the breach included full names, birth dates, primary diagnosis, and county of residence. 

The breach occurred when four students from the University of Delaware contacted a Delaware Division of Developmental Disabilities Services (DDDS) provider. The students reached out to request data for a project that aimed to use geo-mapping to detect gaps in the services received by DDDS recipients. 

A DDDS employee who emailed out information in response to the students' request neglected to anonymize sensitive data. Their slip-up caused the private information of 350 recipients of DDDS support to be exposed.

The data breach was only discovered when the unwitting students included the sensitive data in a presentation on their senior project, given via Zoom on May 8.

According to WDEL, those affected by the breach were notified by letter. Dated June 29, the letter stated: "For the purposes of the project, the UD students requested information about service recipients living within a specific geographic area, as well as basic demographic information such as age range and disability status. In response, a DDDS staff person sent information, via email, to the four students on April 9, 2020, for use in their final project."

The information emailed to the students included highly sensitive data that the department admitted should have been "de-identified."

Social Security numbers included in the data sent out to students had been redacted. 
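The students asked for area, an age range and disability status; what went out was names, birth dates and diagnoses. The block below is an added example, not DDDS procedure: it reduces records to the coarse attributes a request like this actually needs, then applies small-cell suppression (k-anonymity) so that a unique combination of county, age band and diagnosis cannot single someone out. The records and field names are constructed; the reference date is the send date the letter gives.

```python
"""Reduce service-recipient records to what a research request needs, then suppress
rare combinations. Added example; records and field names are constructed."""
from collections import Counter
from datetime import date

AS_OF = date(2020, 4, 9)   # reference date for ages (the send date named in the letter)
K = 3                      # a (county, age band, disability) group smaller than K is withheld

DIRECT_IDENTIFIERS = {"name", "dob", "ssn", "email", "phone", "address"}
AGE_BANDS = ((0, 17, "0-17"), (18, 24, "18-24"), (25, 44, "25-44"),
             (45, 64, "45-64"), (65, 999, "65+"))

# Constructed records; no real people.
RAW_RECORDS = [
    {"name": "Recipient 1", "dob": "1990-06-01", "ssn": "***-**-0001", "diagnosis": "Intellectual disability", "county": "Kent"},
    {"name": "Recipient 2", "dob": "1985-01-15", "ssn": "***-**-0002", "diagnosis": "Intellectual disability", "county": "Kent"},
    {"name": "Recipient 3", "dob": "1978-12-30", "ssn": "***-**-0003", "diagnosis": "Intellectual disability", "county": "Kent"},
    {"name": "Recipient 4", "dob": "1999-03-03", "ssn": "***-**-0004", "diagnosis": "Autism spectrum disorder", "county": "New Castle"},
    {"name": "Recipient 5", "dob": "2000-11-20", "ssn": "***-**-0005", "diagnosis": "Autism spectrum disorder", "county": "New Castle"},
    {"name": "Recipient 6", "dob": "1997-08-08", "ssn": "***-**-0006", "diagnosis": "Autism spectrum disorder", "county": "New Castle"},
    {"name": "Recipient 7", "dob": "1970-02-02", "ssn": "***-**-0007", "diagnosis": "Autism spectrum disorder", "county": "Kent"},
    {"name": "Recipient 8", "dob": "1965-07-07", "ssn": "***-**-0008", "diagnosis": "Autism spectrum disorder", "county": "Kent"},
    {"name": "Recipient 9", "dob": "1950-10-10", "ssn": "***-**-0009", "diagnosis": "Cerebral palsy", "county": "Sussex"},
]


def age_on(dob: str, as_of: date) -> int:
    y, m, d = map(int, dob.split("-"))
    born = date(y, m, d)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def age_band(age: int) -> str:
    for lo, hi, label in AGE_BANDS:
        if lo <= age <= hi:
            return label
    raise ValueError(f"age out of range: {age}")


def generalize(record: dict, as_of: date = AS_OF) -> dict:
    """Keep only the coarse attributes requested; direct identifiers never leave."""
    return {
        "county": record["county"],
        "age_band": age_band(age_on(record["dob"], as_of)),
        "disability": record["diagnosis"],
    }


def deidentify(records, as_of: date = AS_OF, k: int = K):
    """Generalize every record, then withhold rows whose attribute combination occurs
    fewer than k times. Returns (released_rows, number_suppressed)."""
    rows = [generalize(r, as_of) for r in records]
    groups = Counter(tuple(sorted(row.items())) for row in rows)
    released = [row for row in rows if groups[tuple(sorted(row.items()))] >= k]
    return released, len(rows) - len(released)


if __name__ == "__main__":
    released, suppressed = deidentify(RAW_RECORDS)
    for row in released:
        print(row)
    print(f"{suppressed} rows withheld because their group was smaller than {K}")
```

The point of the suppression step is that generalization alone is not enough: one person in a county with a rare diagnosis is identifiable even with no name attached, which is why the threshold is applied to the combination of released attributes rather than to any single field.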

According to the letter, action was taken to secure the data as soon as the breach was detected.

"DDDS senior leadership halted the presentation as soon as the personal information was presented," the letter said. "DDDS instructed the students to delete all files containing the data used in the project (including emails, shared files, and the presentation itself)."

While the staff member who claimed responsibility for the breach has been addressed "administratively," according to the DDDS, an investigation into the incident is ongoing. 

Those impacted by the breach were not offered any form of free credit monitoring. 

Categories: Cyber Risk News

Digital Dome to Protect Louisiana's Energy Infrastructure

Info Security - Wed, 07/22/2020 - 15:58
Digital Dome to Protect Louisiana's Energy Infrastructure

Louisiana State University's research entity has been awarded a $25m federal contract to create a digital dome capable of protecting the Pelican State's energy infrastructure from cyber-threats. 

State Governor John Bel Edwards announced on Monday that the contract to carry out the groundbreaking work had been won by Stephenson Technologies Corp. Over the next five years, the company will create a virtual construction capable of protecting Port Fourchon and America's only offshore deepwater port, Louisiana Offshore Oil Port (LOOP).

Over 250 companies operate at Port Fourchon, which serves 90% of deepwater oil and gas activities in the Gulf of Mexico and handles around 15% of America's shipments of domestic and foreign oil. Daily traffic at the port can involve around 400 capacious supply vessels. 

The digital dome will defend these assets by collecting, interpreting, and fusing electromagnetic signals in the area spanning Port Fourchon and its connection to LOOP. Cyber-threats will be neutralized after detection, and any intelligence gathered concerning nautical risks affecting vessels, passengers, and cargo will be passed on to coastal enforcement agencies. 

Inspiration for the digital dome project came from an all-weather air defense system established in Israel in 2011. 

“Perhaps the most exciting aspect of this project is we first envisioned it on our economic development mission to Israel in 2018,” Governor Edwards said. 

“In viewing the Iron Dome that Israel created to protect its air defense systems, we glimpsed what Stephenson Technologies Corporation could create to protect our nation’s most vital energy gateway at Port Fourchon."

Edwards added that the project would be a boost to the state's burgeoning IT and cybersecurity industries.  

"Not only will this project provide critical protection for the US energy supply, STC’s work will advance Louisiana’s growing base of cybersecurity and IT talent,” he said. 

Funding for the digital dome project was awarded from the US Department of Defense’s Naval Research Laboratory.

LSU established Stephenson Technologies Corp. in 2016 with support from Louisiana Economic Development. The entity's creation was part of the university's strategy to strengthen its support of the defense community. Since its creation, Stephenson has gathered more than $60m in contract awards.

Categories: Cyber Risk News

India to Train 5000 Women in Cyber-Safety

Info Security - Wed, 07/22/2020 - 15:25
India to Train 5000 Women in Cyber-Safety

Responsible Netism has teamed up with the Maharashtra State Commission for Women to develop a cyber-safety training program for young women in India. 

The Digital Stree Shakti program aims to teach 5000 females in 10 Maharashtra cities about how to stay safe while online. Participating students will be aged between 16 and 25. 

Training will cover areas including fake profiles, account hacking, cyber-bullying, gender-based trolling, online harassment, stalking, morphing, cyber-grooming, revenge porn, sextortion, online fraud, email spoofing and dangerous internet dares.

The program will be taught in the form of webinar sessions, instructional videos, PowerPoint presentations, and online workshops. Young women who complete the training will be awarded the title of Cyber Sakhee.

Case studies taken from the real world will be included in the training, placing the very real danger of cyber-threats in context. 

Responsible Netism is a non-profit start-up that aims to promote cyber-safety by educating children and young people about how to protect themselves while online. Founder Sonali Patankar revealed that the program hadn't been created solely as an educational tool.

“We also play the role of being a referral organization,’’ she said. “We connect participants facing online distress with the local law enforcement, local organizations and mental health professionals for any psychological support required in terms of counseling or other interventions.’’

Trainees will be taught how to detect and report cybercrimes and where to go if they become victims of cyber-threats such as virtual bullying. A recent study conducted by Responsible Netism and the Cyber Peace Foundation supported by Maharashtra State Council of Educational Research and Training found that 80% of school students aged 10 to 17 in Maharashtra do not report the cybercrimes they experience online to their parents, teachers, or the police.

Patankar said that courses would be available in Marathi, Hindi, and English, with students invited to choose whichever language they find most comfortable for their instruction. 

Maharashtra State Commission for Women member secretary Aastha Luthra said: “Our initiative to empower young women digitally is a way to strengthen and make them more confident and competent to cope with the challenges which have emerged in the present times. The program also underscores the commitment and dedication of the commission.’’

Categories: Cyber Risk News

Home Distractions a Major Cause of Cybersecurity Errors During Lockdown

Info Security - Wed, 07/22/2020 - 15:15
Home Distractions a Major Cause of Cybersecurity Errors During Lockdown

Nearly half (43%) of UK and US employees have made errors leading to cybersecurity repercussions, according to a new study from Tessian. The analysis, undertaken in April during the height of the COVID-19 pandemic, suggests that the disruption and additional stress and distractions of remote working are making organizations more vulnerable to cyber-attacks facilitated by human error.

In the survey of 1000 workers in the UK and 1000 workers in the US, a quarter admitted to clicking on a link in a phishing email whilst at work. This most commonly occurred in the technology sector (47%).

Additionally, 20% of companies revealed they have lost customers due to sending an email to the wrong person. This was a mistake 58% of employees admitted to making and a further 10% said they had lost their job as a result.  

Distraction was the biggest cause for these kinds of mistakes, according to the report. Nearly half (47%) highlighted being distracted as the main reason for falling for a phishing scam while 41% said this was the biggest factor in sending an email to the wrong person.

Other major reasons for clicking on phishing links were fatigue (44%), the perceived legitimacy of the email (43%), and the fact that the emails purportedly came from a senior executive (41%) or a well-known brand (41%).

Over half of workers (52%) added that they make more mistakes at work when stressed, 43% when tired and 41% when distracted. Notably, 57% of workers stated they are more distracted when working from home.

With home working set to become much more common following the health crisis, the report suggests businesses need to focus on providing more extensive user awareness training.

Tim Sadler, CEO and co-founder of Tessian, commented: “To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviors and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate for each person.”

Yesterday, an analysis from Kaspersky found that the increasing reliance on the internet during the pandemic has created a ripe environment for fraudsters to operate in.

Categories: Cyber Risk News

FTC Details #COVID19 Scams and Fraud Cases to Senate

Info Security - Wed, 07/22/2020 - 14:00
FTC Details #COVID19 Scams and Fraud Cases to Senate

The Federal Trade Commission (FTC) has said COVID-19-related shopping scams are its top coronavirus-related consumer complaint.

Testifying before the Senate Commerce Committee Subcommittee on Manufacturing, Trade, and Consumer Protection on its efforts to combat scams and other consumer problems related to the ongoing COVID-19 pandemic, Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said it has been monitoring consumer complaints and the marketplace for a variety of scams linked to the COVID-19 pandemic.

As well as deceptive advertising or marketing touting “miracle cures” for COVID-19, the FTC also detailed complaints about merchants offering masks, personal protective equipment and related products for sale but then failing to ship the promised products, meet delivery agreements and provide refunds to consumers.

To get these false treatment claims taken down as quickly as possible, the FTC has sent more than 250 warning letters to marketers regarding claims that their products will treat, cure or prevent COVID-19. In most cases, companies that have received such letters have taken steps to quickly correct their problematic claims. The FTC, however, reiterated that it will pursue law enforcement action when a warning letter does not stop the problem.

The FTC has also sent warning letters to multi-level marketing companies regarding COVID-19 prevention or treatment claims and earnings claims, and to VoIP service providers for “assisting and facilitating” illegal telemarketing or robocalls related to the COVID-19 pandemic.

Smith said it is often the case that, following reports of a health scare, deceptive advertising or marketing touting “miracle cures” quickly emerge. “The COVID-19 pandemic has put this cause and effect scenario into overdrive,” he warned. “Although some of these supposed ‘treatments’ seem facially preposterous, it is not uncommon for consumers in distress to be willing to try (and spend) anything in the hopes that it will protect them or their families from sickness or death.”

Smith said the FTC has “worked aggressively to educate consumers of all ages” about coronavirus-related scams from the onset of the pandemic, and FTC staff across the Bureau of Consumer Protection have conducted national and local outreach with partners to reach a variety of audiences. “The FTC also has provided outreach specifically on privacy during the coronavirus pandemic, a concern of many businesses and consumers as the pandemic has shifted the workplace from traditional office spaces to consumers’ homes,” he said.

“The pandemic has led to an increased reliance on technology to stay connected, and the Commission is staying abreast of privacy or data security issues that may arise so that consumers and businesses can better protect themselves in this increasingly virtual world.”

The FTC also announced complaints or settlements in more than 30 law enforcement matters, including settlements that will return more than $225m to consumers. Smith also urged Congress to pass legislation that would clarify that the agency does have authority under the FTC Act to obtain money for consumers from fraudsters and scammers.

Categories: Cyber Risk News