Updating routers with the latest firmware is a frequent recommendation to improve network security. When it comes to home routers, though, the latest updates may help less than you would expect. According to a study by Germany's Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), vendors have failed to fix hundreds of known vulnerabilities in their consumer-grade routers, leaving users exposed to a wide range of attacks.
The FKIE examined 127 routers spanning seven large vendors and found security flaws in all of them, it said in a report released in late June. It called its results "alarming."
"Many routers are affected by hundreds of known vulnerabilities," it warned. "Even if the routers got recent updates, many of these known vulnerabilities were not fixed."
The routers usually failed to use exploit mitigation techniques, it said, adding that some had passwords that users could not change, and which were either well-known or easy to crack. "Most firmware images provide private cryptographic key material," it continued. "This means, whatever they try to secure with a public-private crypto mechanism is not secure at all."
The Institute used a firmware analysis and comparison tool to extract and analyze the routers' most recent firmware. It found that 46 of them had received no security updates within the last year. At least 90% of the routers used Linux, but over a third of them used version 2.6.36 of the Linux kernel or even older. At the time of writing, the current Linux kernel is 5.7.7. The last security update for version 2.6.36 was in February 2011.
Even the best devices had at least 21 critical vulnerabilities and at least 348 rated with high severity, the study found. On average, routers had 53 critical vulnerabilities, it said.
Covid-19 makes the results particularly worrying because so many more people are now working from home, the Institute said. That means many more of them could be exchanging sensitive data with their employers via these devices.
Fifty routers provided hard-coded credentials, including sixteen with well-known or easily crackable credentials, the study found.
Which vendors performed best? According to the study, AVM did a better job than the other vendors in most respects. "ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel," it concluded.
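Two of the findings above, private key material shipped inside firmware images and hard-coded credentials, are easy to check for once an image has been unpacked. The script below is an added example and is not code from the FKIE study or from its firmware analysis tool: it walks an extracted firmware root, reports any PEM-armoured private key and any passwd/shadow entry that carries a real password hash rather than a locked or placeholder field. The sample tree it builds is constructed for the example, with a dummy key body, and the paths are assumptions.

```python
"""Added example (not part of the FKIE study or its FACT tool): scan an extracted
firmware root for private key material and hard-coded, hashed credentials.
The sample tree is constructed here with a dummy, non-functional key."""
import os
import re
import tempfile

# PEM armour of any private key type (RSA, EC, DSA, OpenSSH, PKCS#8, encrypted PKCS#8).
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

# passwd/shadow entries whose second field holds a real hash: either a
# modular-crypt hash ($id$salt$hash) or a 13-character traditional DES crypt.
# Locked ("*", "!") and placeholder ("x") fields deliberately do not match.
HASH_LINE_RE = re.compile(
    rb"^([^:\n]+):(\$[0-9a-z]+\$[^:\n]+|[A-Za-z0-9./]{13}):", re.MULTILINE
)

MAX_READ = 1024 * 1024  # only the first MiB of each file is inspected


def scan_firmware_tree(root):
    """Return sorted (kind, location) tuples for every private key and
    hashed credential found under the extracted firmware root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError:
                continue  # unreadable or special file; skip it
            if PRIVATE_KEY_RE.search(data):
                findings.append(("private_key", rel))
            if name in ("passwd", "shadow"):
                for match in HASH_LINE_RE.finditer(data):
                    user = match.group(1).decode("ascii", "replace")
                    findings.append(("hashed_credential", f"{rel}:{user}"))
    return sorted(findings)


def build_sample_tree():
    """Construct a tiny fake firmware root (constructed sample data, not a real image)."""
    root = tempfile.mkdtemp(prefix="fw_")
    files = {
        # Dummy PEM block; the body is filler, not a real key.
        "etc/ssl/server.key": (
            b"-----BEGIN RSA PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
            b"-----END RSA PRIVATE KEY-----\n"
        ),
        # Placeholder 'x' in passwd must not be reported.
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n",
        # root carries a hash in shadow (reportable); nobody is locked (ignored).
        "etc/shadow": b"root:$1$abcdefgh$ijklmnopqrstuvwxyz012:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n",
        "www/index.html": b"<html><body>Router</body></html>\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for kind, where in scan_firmware_tree(build_sample_tree()):
        print(f"{kind:18s} {where}")
```

Run against a real unpacked image (for example the output of binwalk or a squashfs extraction), the `private_key` hits are exactly the material the study warns about: anything the device protects with the matching public key is only as secret as the firmware download.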
Security company Proofpoint has identified two new exploits coded into Purple Fox, an exploit kit that has evolved dramatically in the last year. The updates show that cyber-criminals are continuing to invest in infection tools to help get their malware onto victims' systems even though exploit kits are declining as an attack technique, the company said.
An exploit kit is a tool used to deliver malware onto a victim's device automatically via a website. It is an automated threat that uses compromised or attacker-controlled websites to attract visitors, fingerprint their browsers for exploitable vulnerabilities and then deliver a malware payload.
Exploit kits are the basis for drive-by downloads that infect a victim as soon as they visit a malicious site. They have often been sold as services to distribute malware, providing cyber-criminals with a conduit to infect victims' machines, but according to Proofpoint their popularity has declined of late.
"Exploit Kits are not as prevalent as they were a few years ago. However, they are still part of the threat landscape," explained the company. "One thing that hasn't changed regarding exploit kits is the way in which exploit kit authors regularly update to include new attacks against newly discovered vulnerabilities."
Purple Fox started out as fileless downloader Trojan malware delivered by an exploit kit called Rig. According to a 2018 write-up by Qihoo 360 Technology, it had infected at least 30,000 users at the time. Trend Micro had spotted it downloading and executing crypto-mining malware onto victims' devices. Last year, it switched from the Nullsoft Scriptable Install System to Windows PowerShell as a means of retrieving and delivering various kinds of malware.
Now, according to Proofpoint, it has become an exploit kit in its own right, built to replace Rig. It has added two new exploits, both patched by Microsoft in the last few months.
The first, CVE-2019-1458, is a local privilege escalation vulnerability in Windows that Microsoft fixed in December last year. The second, CVE-2020-0674, is a bug in Internet Explorer's scripting engine that Microsoft fixed in its February 2020 Patch Tuesday update.
"The fact that the authors of the Purple Fox malware have stopped using the RIG EK [exploit kit] and moved to build their own EK to distribute their malware reminds us that malware is a business," Proofpoint said in its analysis. "In essence, the authors behind the Purple Fox malware decided to bring development 'in-house' to reduce costs, just like many legitimate businesses do."
A former Yahoo software developer charged with hacking into customer accounts escaped jail time last week. Reyes Daniel Ruiz, 35, received five years of probation for hacking accounts in the search for private images and videos with sexual content.
On September 30, 2019, Ruiz, a 10-year veteran at Yahoo, pleaded guilty to unauthorized intrusion into around 6,000 Yahoo accounts while working on the company's mail engineering team. He cracked user passwords and abused his access to internal Yahoo systems to compromise the accounts between 2012 and 2015. He looked at financial documents but focused mainly on private sexual images and videos, storing up to 4,000 of them on his hard drive.
Ruiz targeted accounts belonging to younger women, including personal friends and work colleagues. After accessing the Yahoo accounts, he went on to snoop in around 100 other cloud service accounts belonging to the victims, including iCloud, Facebook, Gmail, Photobucket, and Dropbox. He also used these accounts to find other victims.
On June 21, 2018, other engineers at Yahoo (which by that time was called Oath) noticed suspicious account activities, prompting Ruiz to leave work early and begin destroying the evidence at home. Two months later, the FBI arrived at his house with a search warrant, and he confessed to agents that he had destroyed the evidence.
He was charged with computer intrusion and interception of a wire communication. He pleaded guilty to the former and was released on a $200,000 bond. He has been working temporary jobs and drawing unemployment since.
Along with a potential five-year jail sentence, Ruiz could have faced a fine of $250,000. However, the judge sentenced him to five years' probation along with twelve months of home confinement and electronic monitoring. He must also pay $115,957 in restitution to Oath. Only 3,137 of the hacked accounts' owners could be identified because Ruiz destroyed the hard drive containing the identities of the remaining victims.
According to the sentencing memorandum, "none of the images or videos were shared. The defendant also stresses that he has never had any interest, nor did he take any action, to contact or meet the victims. He used the videos and images solely for his own self-gratification for which he is now very ashamed and remorseful."
System partition infections as a method of installing adware are on the rise in mobile devices, according to new research from Kaspersky. It found that 14.8% of Kaspersky users who were targeted by malware or adware in 2019 had this type of infection, which means the malicious files cannot be deleted.
A system partition infection is particularly dangerous because security software cannot remove the malicious files: it has no write access to the system partition, so even a successful detection leaves the files in place. Adware – software created to display intrusive advertising – is increasingly being installed using this type of infection, according to the analysis.
This can happen in two ways: either malware gains root access on the device and writes the adware into the system partition, or the adware is already present in the firmware before the device reaches the consumer. Kaspersky found that the risk of such pre-installed files on mobile devices varies from 1% to 5% in low-cost devices, rising to up to 27% in extreme cases.
The threat level of these malicious programs varies significantly, from Trojans that can install and run apps without the user’s knowledge, to simply subjecting users to intrusive advertising.
Kaspersky added that some vendors have admitted to embedding adware in their smartphones, which reduces the cost of the device to the consumer.
Igor Golovin, security researcher at Kaspersky, commented: “Our analysis demonstrates that mobile users are not only regularly attacked by adware and other threats, but their device may also be at risk even before they purchased it. Customers don’t even suspect that they are spending their cash on a pocket-sized billboard. Some mobile device suppliers are focusing on maximising profits through in-device advertising tools, even if those tools cause inconvenience to the device owners.
“But this is not a good trend – both for security and usability. I advise users to look carefully into the model of smartphone they are looking to buy and take these risks into account – at the end of the day it is often a choice between a cheaper device or a more user-friendly one.”
The number and value of fines for data breaches are predicted to increase between now and 2025, according to a new study by DSA Connect. Interviews with 1000 workers between 24 and 27 April 2020 revealed that 37% think there will be an increase and a further 6% believe the rise will be dramatic. Just 3% expect a reduction.
In regard to fines linked to the inadequate deletion and destruction of data, 32% think there will be an increase, 4% anticipate a dramatic rise and 2% expect a fall.
The main factor behind this expected growth is that employees have access to far more data than before: 30% of respondents said they have accessed more data at work in the past 12 months, against 7% who said the amount has fallen and 57% who saw no change.
Encouragingly, 75% of workers think their employers have good or excellent processes for storing data safely, and only 5% think they are poor. The remaining 20% said they don't know.
However, only 38% of employees answered yes when asked if their employer had a data sanitization policy, with 14% saying no and 47% stating that they don’t know.
Harry Benham, chairman of DSA Connect, said: “With developments such as the Internet of Things (IoT) employers are dealing with more data than ever. They also have to contend with a rise in the number of cyber-attacks and ever more stringent legislation around protecting client data and how they use it.
“Employers need to invest more time and resources in enhancing their strategies against this.”
The General Data Protection Regulation (GDPR) has influenced a wave of other data protection legislation around the world. This includes the California Consumer Privacy Act (CCPA), enforcement of which began last week, and the Brazilian General Data Protection Law (LGPD).
Tesco Clubcard users have been warned to check their accounts, after a weakness was discovered in the way that Hotels.com codes were generated, which then impacted Clubcard members as they tried to use their points.
Whilst Tesco Clubcard's IT systems were not compromised in any way, research found cyber-criminals generating fraudulent vouchers that gave huge discounts on bookings via Hotels.com and selling them on. The codes were generated by Hotels.com and made available to Tesco Clubcard members as a reward for in-store spending.
According to The Telegraph, the vouchers allowed people to get up to £750 off hotel rooms on Hotels.com. Fraudsters were able to guess the final four digits of the promotional code that unlocks the discount as the remaining nine characters follow the same pattern each time, and the codes were sold on hacker forums for between £200 and £750.
Initially alerted by researchers from CyberNews, who informed Hotels.com parent Expedia Group of the flaw, the booking site has since taken measures to resolve the issue and Tesco Clubcard temporarily removed Hotels.com from Clubcard Rewards until the issue was resolved.
A spokesperson for the CyberNews research team, said: “In the current economic climate people are looking for ways to save money, so businesses need to stay vigilant to prevent fraud. We’d recommend using longer, less predictable discount codes with more characters which make it harder for cyber-criminals to predict, as well as implementing a limit on attempts for an incorrect entry to prevent brute force attacks of this nature.”
A statement from Hotels.com said the issue “was identified and resolved promptly several months ago” and, working closely with its partners at Tesco, it ensured that only legitimate Clubcard customers were able to obtain and redeem the codes they had earned. “No customers of Hotels.com or Tesco missed out on the offer, lost money or Clubcard points as a result.”
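The arithmetic behind the attack is worth making concrete: with nine of thirteen characters fixed, a voucher is really a four-digit PIN with at most 10,000 possibilities, and nothing in the redemption flow stopped an attacker from trying all of them. The code below is an added example and is not Hotels.com, Expedia, Tesco or CyberNews code. It compares the search space of that scheme with that of a random code, generates codes with a cryptographic RNG, and applies the second mitigation the researchers recommend, a per-client limit on failed redemption attempts. The alphabet, code length, limits and client identifiers are assumptions.

```python
"""Added example, not code from Hotels.com, Expedia, Tesco or CyberNews: a
guessable voucher scheme versus random codes, plus a sliding-window limit on
failed redemption attempts. Alphabet, length and limits are assumptions."""
import math
import secrets
import time
from collections import defaultdict, deque

# Crockford-style base32 alphabet: no 0/O or 1/I/L confusion when read aloud.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"


def search_space_bits(alphabet_size, variable_chars):
    """Entropy in bits of a code whose only unpredictable part is
    `variable_chars` symbols drawn uniformly from `alphabet_size` symbols.
    Fixed prefixes contribute nothing, however long they are."""
    return variable_chars * math.log2(alphabet_size)


def generate_code(length=12, group=4):
    """Cryptographically random code, grouped with dashes for readability."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return "-".join(raw[i:i + group] for i in range(0, length, group))


class VoucherStore:
    """Issues codes and enforces a sliding-window attempt limit per client."""

    def __init__(self, max_attempts=5, window_seconds=3600, clock=time.monotonic):
        self.codes = {}                       # code -> {"discount", "redeemed"}
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                    # injectable for testing
        self.attempts = defaultdict(deque)    # client -> timestamps of failures

    def issue(self, discount):
        code = generate_code()
        self.codes[code] = {"discount": discount, "redeemed": False}
        return code

    def _throttled(self, client):
        now = self.clock()
        q = self.attempts[client]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_attempts

    def redeem(self, client, code):
        """Return ('ok', discount), ('invalid', None) or ('throttled', None)."""
        if self._throttled(client):
            return ("throttled", None)
        entry = self.codes.get(code.strip().upper())
        if entry is None or entry["redeemed"]:
            self.attempts[client].append(self.clock())  # only failures count
            return ("invalid", None)
        entry["redeemed"] = True
        return ("ok", entry["discount"])


if __name__ == "__main__":
    # The weak scheme in the report: nine fixed characters, four guessable digits.
    print(f"weak scheme:   {search_space_bits(10, 4):.1f} bits, at most {10 ** 4:,} guesses")
    print(f"random scheme: {search_space_bits(len(ALPHABET), 12):.1f} bits")
    store = VoucherStore(max_attempts=3)
    good = store.issue(750)
    for guess in ("HOTEL-0001", "HOTEL-0002", "HOTEL-0003"):
        print(guess, store.redeem("203.0.113.7", guess))   # three failures ...
    print(good, store.redeem("203.0.113.7", good))          # ... then throttled
    print(good, store.redeem("198.51.100.9", good))         # another client: ('ok', 750)
```

Throttling by client alone is not sufficient against an attacker with many source addresses, so a per-code or global failure rate and a short code lifetime belong alongside it; the point of the example is that a 60-bit random code makes enumeration hopeless even before any throttling applies.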
The number of UK businesses falling victim to cybercrime has doubled over the past five years, costing the economy an estimated tens of billions of pounds in the process, according to new research from Beaming.
The business ISP polled over 2500 companies between 2015 and 2019 to compile its latest report, Five Years in Cyber Security.
The percentage of respondents claiming to have fallen victim to cybercrime rose over that time period from 13% in 2015 to a quarter (25%) last year, equivalent to around 1.5 million businesses.
Although large firms with over 250 employees were the most likely to suffer attacks, with over 87% impacted last year, smaller businesses (11-50 employees) experienced the steepest rise, from 28% in 2015 to 68% last year.
Beaming estimated the total cost to UK firms over this five-year period to be in the region of £87bn, including damaged assets, financial penalties and lost productivity. A spokesperson told Infosecurity that it extrapolated the figure from an average cost calculated from interviews with business leaders.
Phishing was the most likely form of attack to successfully strike UK victim organizations, linked to a 50% increase in victims, with employees accountable for around a third of breaches (36%) in 2019.
Beaming managing director, Sonia Blizzard, argued that automated attack methodologies have helped cyber-criminals ramp up scale, frequency and sophistication.
“The threat has grown astronomically over the last five years. What used to be seen as a big-business problem has become a serious concern for every company director, manager and IT professional out there,” she added.
“Small businesses are now on the front line in the war against cybercrime, but they haven’t invested in cybersecurity or employee education at the same rate as their larger counterparts, and they are easier targets as a result.”
Although many small (20%), medium (24%) and large companies (36%) now discuss cyber-threats at board level, investments in security have not always been forthcoming.
In 2015, 30% of businesses had a firewall at the network perimeter; a figure that stands at just 37% today. Those with employee awareness-raising programs in place rose from 20% to just 22% over the same time, according to the report.
North Korean hackers appear to have been breaking into US e-commerce stores since May 2019 and planting digital skimming code to make money for the hermit nation.
Researchers at Sansec claimed today that the notorious Lazarus (Hidden Cobra) group was behind attacks on at least several dozen stores, including a recent high-profile raid on US accessories retailer Claire’s.
It’s unclear how the attackers gained access to the victims’ back-end systems, although spear-phishing against retail staff is a distinct possibility.
“To monetize the skimming operations, Hidden Cobra developed a global exfiltration network. This network utilizes legitimate sites, that got hijacked and repurposed to serve as disguise for the criminal activity,” Sansec continued.
“The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family run book store from New Jersey.”
The researchers linked various elements of the attacks to previous North Korean activity, including domains such as technokain.com, darvishkhan.net and areac-agr.com where malware and skimmers have been launched from.
“Does the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations? Theoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely,” argued Sansec.
“First, thousands of sites get hacked each day, making an overlap highly coincidental. Secondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after gaining access, in order to shield the new asset from competitors.”
The revelations over Pyongyang-sponsored Magecart attacks mean the despotic regime is using yet another tactic to fill its government coffers.
Previously, groups like Lazarus have been associated mainly with attacks on banks and cryptocurrency exchanges.
A UN report from last year claimed the Kim Jong-un regime had managed to generate $2bn from such attacks.
A Google VP has ignited a fierce debate in the cybersecurity industry over the use of potentially discriminatory language after withdrawing from the upcoming Black Hat USA virtual event in protest.
David Kleidermacher, who is VP of Android security and privacy, thanked the organizers of the long-running security conference but said it was time to change.
“Black hat and white hat are terms that need to change. This has nothing to do with their original meaning, and it’s not about race alone – we also need sensible gender-neutral changes like PITM versus MITM,” he argued on Twitter.
“These changes remove harmful associations, promote inclusion and help us break down walls of unconscious bias. Not everyone agrees which terms to change, but I feel strongly our language needs to (this one in particular).”
Many leapt to his defense: noted researcher Kevin Beaumont argued that more speakers and attendees should boycott Black Hat until the organizers change the name.
However, Kleidermacher’s comments also brought out a significant number of industry professionals who disagreed.
Many focused on the fact that the term itself is not derived from a notion of things that are “black” inherently being malign, but of the fact that the villains in old cowboy movies used to wear black hats while the heroes wore white hats.
However, Kleidermacher argued that the issue goes beyond this narrow interpretation.
“To reiterate – the need for language change has nothing to do with the origins of the term black hat in infosec. Those who focus on that are missing the point. Black hat/white hat and blacklist/whitelist perpetuate harmful associations of black = bad, white = good,” he said.
That didn’t deter some industry commentators who described the stance as “performative” and “virtue signalling.” Others argued that industry efforts would be better spent on more practical ways to make the sector more diverse.
“The companies at the forefront of changing these tech terminologies hardly have black professionals at the decision table and their top leadership, that’s the change we ask, not sidelining us by making a lingua change no reasonable person asked for,” argued @0xSkywalker.
Back in May, the UK’s National Cyber Security Center (NCSC) updated terminology on its website, replacing “blacklist” and “whitelist” with “deny list” and “allow list,” after being contacted by a concerned customer.
The National Security Agency released guidance this week on securing IPsec virtual private networks as companies across the US continue to grapple with remote working in the wake of the coronavirus pandemic. The advice included a warning not to rely on vendor-supplied configurations.
The document came in two flavors: a guide to securing VPNs and a version with more detailed configuration examples. It warned that many VPN vendors ship their devices with pre-configured cryptography suites and IPsec policies, along with extra ones for compatibility. The ISAKMP/IKE policy and the IPsec policy define how VPN peers authenticate each other, manage their security associations and generate keys at the different phases of a VPN connection.
"If either of these phases is configured to allow obsolete cryptography, the entire VPN will be at risk, and data confidentiality might be lost," the document warned.
The NSA advised administrators to ensure that these policies comply with the Committee on National Security Systems Policy (CNSSP)-15 standard, which defines parameters for the secure sharing of information between national security systems. Even configuring CNSSP-15-compliant default policies may not be enough, because many VPNs are configured to fall back to alternative policies if their default one is not available. That risks using non-compliant security policies if administrators leave vendors' pre-configured alternatives on their devices, the document said.
Introduced in the 1990s, IPsec is a long-established protocol suite for VPNs. It can be used for remote access or for site-to-site tunnels between gateways. It is an alternative to SSL/TLS VPNs, which can offer browser-based access without a dedicated client application.
The NSA also advised administrators to reduce the attack surface of their VPN gateways. Because these devices tend to be internet-accessible, they are prone to network scanning, brute-force attacks, and zero-day vulnerabilities, it warned. One way to reduce this risk is to limit accepted traffic to known IP addresses if working with peer VPNs.
"Remote access VPNs present the issue of the remote peer IP address being unknown and therefore it cannot be added to a static filtering rule," it noted. However, admins can still limit access to the specific ports and protocols IPsec needs, such as UDP ports 500 (IKE) and 4500 (IKE and ESP over NAT traversal), and drop everything else.
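The fallback problem the NSA describes is easy to miss in a review because the first proposal in a policy list is usually the one that was deliberately configured, while the weaker entries a vendor appended for compatibility sit further down. The script below is an added example and is not taken from the NSA guidance: it audits every IKE and ESP proposal on a gateway, not just the default, against a CNSSP-15-style allowlist. Proposal strings use strongSwan's "encryption-integrity/prf-group" notation, which is an assumption about the configuration format, and the allowlist reflects this example's reading of the CNSA parameters (AES-256, SHA-384, P-384 ECDH or 3072-bit and larger MODP groups). The sample gateway configuration is constructed for the example.

```python
"""Added example, not from the NSA guidance: audit IKE and ESP proposal lists,
including vendor fallbacks, against a CNSSP-15-style allowlist. strongSwan
proposal notation and the CNSA parameter set are this example's assumptions."""
from dataclasses import dataclass, field

# Allowed primitives (this example's interpretation of the CNSSP-15/CNSA set).
ALLOWED_ENCRYPTION = {"aes256", "aes256gcm16", "aes256gcm12", "aes256gcm8"}
ALLOWED_INTEGRITY = {"sha384", "prfsha384"}
ALLOWED_GROUPS = {"ecp384", "modp3072", "modp4096", "modp6144", "modp8192"}

# Primitives that are obsolete outright and worth naming in the report.
OBSOLETE = {"des", "3des", "null", "md5", "sha1", "modp768", "modp1024", "modp1536"}

ENCRYPTION_PREFIXES = ("aes", "3des", "des", "chacha20", "null", "camellia", "blowfish", "cast")


@dataclass
class Finding:
    phase: str          # "ike" or "esp"
    index: int          # 0 = default proposal, >0 = fallback
    proposal: str
    problems: list = field(default_factory=list)


def classify(token):
    """Sort a proposal token into encryption, integrity/PRF or DH group."""
    if token.startswith(("modp", "ecp", "curve")):
        return "group"
    if token.startswith("prf"):
        return "integrity"   # with AEAD ciphers the PRF stands in for integrity
    if token.startswith(ENCRYPTION_PREFIXES):
        return "encryption"
    return "integrity"


def audit_proposal(phase, index, proposal, require_group=True):
    """Check one proposal string; an empty problems list means compliant."""
    finding = Finding(phase, index, proposal)
    seen_group = False
    for token in proposal.lower().split("-"):
        kind = classify(token)
        if kind == "group":
            seen_group = True
            allowed = ALLOWED_GROUPS
        elif kind == "encryption":
            allowed = ALLOWED_ENCRYPTION
        else:
            allowed = ALLOWED_INTEGRITY
        if token in OBSOLETE:
            finding.problems.append(f"obsolete {kind} {token}")
        elif token not in allowed:
            finding.problems.append(f"non-compliant {kind} {token}")
    if require_group and not seen_group:
        finding.problems.append("no DH group (no PFS)")
    return finding


def audit_policy(phase, proposals, require_group=True):
    """Audit every proposal in order. A compliant default is not enough:
    any weaker fallback a peer could negotiate down to is reported."""
    findings = [audit_proposal(phase, i, p, require_group) for i, p in enumerate(proposals)]
    return [f for f in findings if f.problems]


def is_compliant(config):
    return not any(audit_policy(phase, props) for phase, props in config.items())


# Constructed sample gateway policy: a compliant default followed by vendor
# "compatibility" fallbacks of exactly the kind the guidance warns about.
SAMPLE_CONFIG = {
    "ike": ["aes256gcm16-prfsha384-ecp384", "aes128-sha256-modp2048", "3des-sha1-modp1024"],
    "esp": ["aes256gcm16-ecp384", "aes128-sha1"],
}

if __name__ == "__main__":
    for phase, proposals in SAMPLE_CONFIG.items():
        for f in audit_policy(phase, proposals):
            role = "default" if f.index == 0 else f"fallback #{f.index}"
            print(f"[{phase}] {role} {f.proposal}: " + "; ".join(f.problems))
    print("compliant:", is_compliant(SAMPLE_CONFIG))
```

The fix on a real gateway is to delete the fallback proposals rather than reorder them; a peer that only offers the weaker set should fail to connect, which is the behaviour the guidance wants.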
It isn't often that you hear the words "breach," "privacy," and "moose" in the same sentence, but thanks to the province of Nova Scotia, that just changed. The maritime province on Canada's East Coast was dealing with the publicity fallout from an information leak this week after reportedly mismanaging the distribution of personal license information to hunters.
Each year, Nova Scotia Lands and Forestry holds a lottery to distribute moose-hunting licenses in the Cape Breton region. Restricting licenses is important to preserve the moose population, which has declined of late.
According to the CBC, the government department distributed licenses to the winners. The problem was that they were the wrong licenses. Hopeful hunters received other peoples' names and wildlife resource card numbers in the mail.
The government used to publish the names of the winners in the local newspaper, but stopped doing that. Some hunters believe that was because lottery winners would be pestered by outfitters hoping to sell them equipment. The information, if distributed to the wrong people, would enable them to purchase licenses for hunting other animals illegally.
A government official said that the botched mailing was down to human error. Letters to hunters were printed separately from envelopes, and staff didn't realize that the letters contained information specific to individuals. The government is recalling information packs that it sent out and mailing new ones.
This may be a low-level breach, but it is the latest in a series of slip-ups by the Nova Scotia government that had more serious ramifications. In May, it removed online documents involving appeals to its Workers' Compensation Board that included personal details about peoples' health, medications, and family.
Last year, the Nova Scotia Health Authority had to notify almost 3,000 people about a breach of their health information after a successful phishing attack on an employee. The province was also the recipient of the Electronic Frontier Foundation's 2019 What the Swat? Award after it arrested a teenager for downloading 7,000 sensitive documents from publicly accessible URLs on its website. It later dropped the charges.
Just like jokes, sometimes the old vulnerabilities are the best ones. So, stop us if you've heard this before: ransomware criminals are still using malicious Excel 4.0 macros in campaigns. This week, Microsoft's security intelligence team noted that Avaddon was the latest malware to use the macros as an infection vector.
"This week, Avaddon ransomware became the latest malware to use malicious Excel 4.0 macros in campaigns. Emails carrying the malicious Excel attachments were sent to specific targets, primarily in Italy. When run, the malicious macro downloads the Avaddon ransomware." (Microsoft Security Intelligence, @MsftSecIntel, July 2, 2020)
Avaddon is a form of ransomware that emerged in early June, and its campaign is the latest of several in recent weeks to spread via Excel 4.0 macros. "The technique has been adopted by numerous campaigns, including ones that used COVID-19 themed lures," Microsoft said. We documented this back in May when the NetSupport Manager RAT appeared.
"This week's campaign continues a recent trend of delivering ransomware as the immediate payload in email campaigns," Microsoft said.
Avaddon searches for data to encrypt and then appends its own extension to encrypted files, dropping a ransom note in each folder that it affects. That links to a payment site accessible via the Tor network containing a unique ID that the victim can use to log in. They then see a ransom amount and instructions on how to pay.
Macros are an old method of distributing malware that fell out of favor after Microsoft added protections against them. Macros are disabled by default in recent versions of Microsoft Office, so criminals have to persuade victims to enable them, typically with a lure inside the document itself. Enterprise IT admins can go further and use Group Policy to block macros outright so that users are never offered the option. Not all of them do, however, and many victims' computers aren't managed by an admin at all, so this ancient delivery method remains a fruitful vector for attackers.
A record number of teenagers have enrolled in the National Cyber Security Center’s (NCSC) CyberFirst summer courses this year, with classes held online for the first time due to the COVID-19 pandemic. As a result, the NCSC plans to offer a mix of classroom and virtual learning for future summer courses, even when social distancing restrictions have ended.
Taking place annually, the courses offer teenagers aged from 14-17 the opportunity to develop their digital and problem-solving skills as well as introduce them to the cyber-threat landscape. In the program, leading experts from industry and GCHQ teach topics including how to analyze common cyber-attacks, crack codes and defend devices and networks.
Moving the courses online has proved a resounding success, with a record number of applications received: 1700 students will be accepted this year, an increase of 600 compared to 2019.
Chris Ensor, deputy director for cyber-growth at the NCSC, commented: “Moving this year’s CyberFirst summer courses online has proven hugely popular, with a record number of boys and girls participating and developing their cyber-skills from home – in a way that is fun, insightful and engaging.”
Commenting on the news, Fiona Boyd, head of enterprise and cybersecurity at Fujitsu, said: “The record number of teenagers signing up to the NCSC’s CyberFirst summer courses is a fantastic first step towards tackling the STEM skills gap. The cybersecurity skills gap in particular is too large for organizations to ignore with a reported 3.5 million unfilled positions expected by 2021.
“Raising awareness of a cybersecurity career at an early age can help introduce younger students into the industry with a variety of ideas and ways of thinking. In turn, a well-trained cybersecurity team can not only prepare for the future, but stay ahead of emerging cybersecurity threats that may manifest from technologies such as AI and 5G.”
The UK government has recently introduced a number of other new initiatives to tackle the cybersecurity skills shortage. In May it announced the creation of a new online cyber-school to help develop a new generation of cybersecurity professionals.
Nearly 100,000 customers have had their sensitive personal data and revealing photos exposed online after a US-based fitness company misconfigured an Amazon database.
Las Vegas-headquartered V Shred left the S3 bucket containing over 1.3 million individual files publicly accessible, according to vpnMentor.
The research team discovered the leak on May 14 but it took a whole month for the company to disable access to the offending files. Initially, V Shred apparently claimed it was necessary for user files to be publicly available and denied that any PII data had been exposed. Once informed, it removed the PII but said it was leaving the other files publicly accessible, according to vpnMentor.
The 606GB trove contained three CSV files with PII on over 96,000 users, featuring full names, home and email addresses, phone numbers, birth dates, social security numbers, social media accounts, usernames and passwords, health conditions and more.
The database also contained meal plans, profile photos and “before and after” body photos for some customers, as well as details on 52 trainers, according to the report.
“Using the PII data exposed through the S3 bucket, malicious hackers and cyber-criminals could create very effective phishing campaigns targeting V Shred customers,” vpnMentor claimed.
“If the CSV files contained the social security numbers of any individuals, this would be a goldmine for cyber-criminals. They could utilize such information for a wide range of fraud and wholesale identity theft.”
Users could also be blackmailed with threats to release their before and after photos, it added.
The firm discovered V Shred’s misconfigured S3 bucket as part of a broader web mapping project which has already revealed multiple leaks, exposing hundreds of millions of sensitive records.
These include fitness tech firm Kinomap which accidentally leaked 42 million records, sports retailer Decathlon, which leaked 123 million, and a British printing company which may have exposed military secrets.
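A bucket becomes world-readable in one of two ways: a bucket policy that allows read actions to the wildcard principal, or a legacy ACL grant to the AllUsers (or AuthenticatedUsers, meaning any AWS account) group. The code below is an added example and is not vpnMentor's or V Shred's; it evaluates both documents offline, in the JSON shapes the S3 API returns, so the same logic can be run over exported bucket policies and ACLs during an audit. The policy and ACL documents are constructed samples and the bucket and role names are fictitious.

```python
"""Added example, not code from vpnMentor or V Shred: evaluate an S3 bucket
policy and ACL offline and report whether either grants public read access.
The documents below are constructed samples; names are fictitious."""
import json

# Both groups are "public" for practical purposes: AuthenticatedUsers is any AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy):
    """Return the Sids (or positional labels) of Allow statements that grant a
    read action to everyone without a Condition narrowing the grant."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and conditioned grants are out of scope here
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the public groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def assess_bucket(name, policy, acl):
    """Summarize the exposure of one bucket from its policy and ACL."""
    policy_hits = public_policy_statements(policy)
    acl_hits = public_acl_grants(acl)
    return {
        "bucket": name,
        "public_policy": policy_hits,
        "public_acl": acl_hits,
        "exposed": bool(policy_hits or acl_hits),
    }


# Constructed samples. The leaky bucket mirrors a common mistake: a policy
# written for static assets plus a legacy AllUsers READ grant in the ACL.
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-fitness-uploads/*",
    }],
}
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}

# Hardened: only a named application role may read, and the ACL is owner-only.
SAFE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-fitness-uploads/*",
    }],
}
SAFE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, pol, acl in (("example-fitness-uploads", LEAKY_POLICY, LEAKY_ACL),
                           ("example-fitness-uploads-fixed", SAFE_POLICY, SAFE_ACL)):
        print(json.dumps(assess_bucket(name, pol, acl), indent=2))
```

Per-object ACLs can make individual files public even when the bucket-level documents are clean, which is why enabling S3 Block Public Access on the account is the more robust control; a check like this one is for finding what is already exposed.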
A mysterious uninstaller has been discovered in malware-laden tax software required for download by firms doing business in China, according to Trustwave.
The security vendor explained last week how it discovered a backdoor it named GoldenSpy inside Intelligent Tax software, produced by the Golden Tax Department of Aisino Corporation. A Chinese bank requires its business clients to download the software.
The security vendor claimed at the time that the powerful backdoor, which allowed for complete remote control of a victim’s network, could not be removed, even if Intelligent Tax was uninstalled.
However, after attracting widespread publicity, the backdoor has now been joined by a new file, discovered by Trustwave’s Threat Fusion team.
“This new sample’s sole mission is to delete GoldenSpy and remove any trace it existed. Including the deletion of registry entries, all files and folders (including the GoldenSpy log file), and finally, the uninstaller deletes itself,” explained the firm’s VP of cyber-threat detection and response, Brian Hussey.
“This GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment. However, as the deployment of this uninstaller is delivered directly from the supposedly legitimate tax software, this has to leave users of Intelligent Tax concerned about what else could be downloaded and executed in a similar manner.”
It’s still unclear who seeded the original malware in the tax software. It could either have been done without the knowledge of the bank, or is part of a much wider conspiracy designed to monitor foreign firms doing business in the Middle Kingdom.
The swift appearance of an uninstaller would seem to favor the latter theory, as it’s unlikely that cyber-criminals would care if they were found out.
“Organizations must continuously be vigilant, always threat hunting, because our adversaries will continue to find new ways to trick, manipulate and socially engineer their way into environments,” Hussey argued.
“The value of the GoldenSpy case study is not the IOCs we provided, it’s the lesson that malware can be cleverly hidden in any software, regardless of its source or supposed legitimacy.”
Security researchers have discovered five dating apps in the US and East Asia which are leaking millions of customer records thanks to misconfigured cloud databases.
A team from WizCase led by Avishai Efrat explained that the Elasticsearch servers, MongoDB databases and AWS buckets they found were left publicly accessible with no password.
In the US, an Amazon bucket traced to CatholicSingles was found to be leaking a 17MB database of 50,000 records including names, email addresses, billing addresses, phone numbers, age, gender, occupation and education.
Another dating site hosted in the US, Yestiki, leaked around 4300 records (352MB) including phone numbers, names, addresses and GPS location data of date venues, as well as user ratings, activity logs and Foursquare secret key IDs.
Next up is SPYKX.com, the South Korean company behind the Congdaq/Kongdak dating app. It was found leaking 123,000 records (600MB) via an unprotected Elasticsearch server, including emails, cleartext passwords, phone numbers, dates of birth, gender, education and GPS data.
Also in South Korea, dating app Blurry exposed 70,000 user records (3667MB) via an Elasticsearch server, including private messages sent between users – some of which contained sensitive information like social media handles and phone numbers.
Finally, Japanese dating apps Charin and Kyuun, which appear to be owned by the same company, leaked over 100 million records via the same unsecured Elasticsearch database sitting on an AWS EC2 server.
Compromised user information included email addresses and passwords, both hashed and cleartext, user IDs, mobile device information and dating preferences such as distance and age, according to WizCase.
The researchers also found an additional six exposed servers packed with dating app user information but couldn't identify the owner, although they suggested the servers may be the product of a web scraping operation. Data from users of Zhenai, Say Love, Netease, Love Chat and Companion were found.
It’s unclear whether any of the companies WizCase contacted has addressed the configuration errors, but the firm warned users of potential follow-on identity fraud, phishing, blackmail and privacy risks.
Back in September last year, the same research team was able to access a database of around 77,000 users of Heyyo, a Turkey-based online dating service.
Researchers have discovered a gaping hole in popular remote access system Apache Guacamole that puts thousands of companies with remote employees at risk. The flaw could allow attackers to control the software and the computers that connect to it. Luckily, there is a patch available.
With large numbers of employees now working from home, remote access systems that let users control computers in the office from their home machines are increasingly popular. One free version is the open source software Apache Guacamole.
Provided by the open source Apache Software Foundation, Guacamole is a gateway that enables remote clients to connect from a browser via various protocols, including Microsoft's Remote Desktop Protocol (RDP). It is a popular product, with over 10 million downloads of its docker container.
Researchers at Check Point began evaluating this software in mid-February as the company prepared to transfer over 5,000 employees to remote work during the early stages of the pandemic. They quickly found problems with the open source gateway. If it connects to a compromised computer inside the network, attackers can use that machine to take control of the entire gateway with potentially disastrous results, they warned.
"Once in control of the gateway, an attacker can eavesdrop on all incoming sessions, record all the credentials used, and even start new sessions to control the rest of the computers within the organization," said the researchers in their report. "When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network."
They found several critical reverse RDP vulnerabilities that the destination machine could use to control the gateway, along with new vulnerabilities in FreeRDP, which is Apache's free implementation of the proprietary RDP.
Between them, these vulnerabilities allow for Heartbleed-style information disclosure along with memory corruption. Chaining these together created arbitrary read and write capabilities on the gateway. The researchers then used a privilege elevation attack to gain control of the system.
They disclosed these vulnerabilities to Apache at the end of March, and it silently patched them on May 8 in an update to its GitHub repository. It then released an official patched version (1.2.0) on June 28.
The researchers note that all versions of Guacamole released before January 2020 are using vulnerable versions of FreeRDP, so it is important to patch now.
Schools and colleges in the US have leaked 24.5 million records since 2005, according to new research by technology website Comparitech. K–12 school districts across the country have suffered 1,327 breaches in the last 15 years—with last year's count setting an all-time high.
According to a list of data breaches compiled by the site and with the help of tools from the National Center for Education Statistics (NCES), the most common cause of data breaches in K–12 schools is hacking, representing 45.9% of all incidents. It's also the biggest cause of breaches in colleges. Unintentional disclosure comes in second, with 21% in schools and 27.3% in colleges, followed by theft or loss of portable devices (11.1% in schools, and 14.7% in colleges). K–12 schools saw 60 breaches in total last year, although they lost the most records in 2018, spilling 991,340.
"There doesn’t appear to be any kind of trend in the breach numbers for K–12 schools or colleges, nor does there seem to be a pattern with college records affected," said the report. "However, over the past few years, there has been a significant increase in the number of school records affected."
Colleges saw by far the largest proportion of breaches, at 74%. Public institutions were also the hardest hit, accounting for 77.7% of the breaches at both school and college level.
The report noted that many of the breaches affected more than one institution. One good example was a data breach at Pearson Education, which affected schools across the US. This demonstrates that not all these breaches are down to mismanagement on the part of a school or college; sometimes, it's a supply-chain issue.
At the state level, California experienced the most data breaches across colleges and schools combined, accounting for 11.8%. It also lost the most records among all states. As the report points out, though, this is to be expected given that the state harbors a large percentage of the US population (around one in eight people).
Law enforcement has arrested 746 people in the UK after cracking an encrypted phone network used for criminal activities. The UK National Crime Agency had been working with international partners to crack the EncroChat network since 2016, it revealed today.
EncroChat was one of the largest providers of encrypted mobile communications via its secure mobile phone network, operating from servers in France. It also offered an instant messaging service, the NCA said. It had 60,000 users worldwide, 10,000 of whom were in the UK. They used the network for trading illicit commodities, laundering money, and planning hits on rivals, it added.
The service used its own specialist devices, costing around €1000 each. It would then charge €1500 for a six-month subscription offering worldwide coverage. Devices didn't require users to associate a SIM card with their account, and they used a dual operating system with an encrypted interface designed to avoid detection.
The company also removed cameras, microphones, GPS capability, and USB ports from its hardware and enabled criminals to delete messages on the devices. It could also wipe them entirely from afar with a kill code.
Each message sent via the device used a different set of keys, according to EncroChat's website, which said: "If any given key is ever compromised, it will never result in the compromise of previously transmitted messages—or even passive observation of future messages."
Police crack the code
That didn't stop police from cracking the system, though. Law enforcement said that EncroChat realized its network had been compromised and warned its users to throw away their handsets on June 13.
We may never know how police managed that decryption, and the French aren't talking, according to Europol. One clue might lie in EncroChat's apparent decision to cobble together its own encryption, which cryptography experts always warn against. Its website said:
"The algorithms employed are many times stronger than that of PGP (RSA+AES). We employ algorithms from different families of mathematics, which protects message content in the event that one encryption algorithm is ever solved."
French police began investigating the encrypted communication service in 2017 after finding the handsets cropping up repeatedly in criminal seizures. It filed a case with Eurojust, the EU Agency for Criminal Justice Cooperation, in 2019. In April this year, Eurojust set up a joint investigation team comprising French and Dutch police, with support from other countries including the UK, Sweden, and Norway.
The French, who also set up their own task force in March this year, led the investigation into EncroChat's encryption. They were eventually able to insert a device somewhere in the communication chain to access criminal correspondence.
The JIT got access to the network two months ago, harvesting data and sharing it via Europol. UK police used this data to plan Operation Venetic, an attack on the UK organized crime network.
"Operation Venetic is the biggest and most significant operation of its kind in the UK," the NCA said.
Working with local police, the NCA seized over £54m in raids on EncroChat users, along with 77 firearms and two tons of class A and B drugs.
The forms of malware most frequently investigated by security analysts are not actually the most widespread ones used by cyber-attackers, according to a new study by Kaspersky. It revealed that whilst Backdoors (24%) and Droppers (23%) are amongst the top three most commonly sent free requests to the Kaspersky Threat Intelligence Portal, they only make up 7% and 3% of all malicious files blocked by the Kaspersky endpoint products, respectively.
The Kaspersky Threat Intelligence Portal is a means to help analysts to better understand the background of an attack following the detection of malicious activity in order to develop effective response and remediation measures.
Anonymized statistics from the portal show that 72% of the free requests sent related to three categories: Trojans (25%), Backdoors (24%) and Droppers (23%). Although figures from the Kaspersky Security Network confirm that Trojans are indeed usually the most widespread type of malware, Backdoors and Droppers are nowhere near as frequent in the wild as these requests would suggest.
The reason for this disparity is believed to be because researchers are often interested in the final target of the attack, whereas endpoint protection products aim to prevent attacks at an early stage, before they reach the user’s computer.
Kaspersky added that researchers could also be interested in analyzing certain kinds of threats in extra detail due to factors such as their novelty and media coverage.
Denis Parinov, acting head of threats monitoring and heuristic detection at Kaspersky, said: “We have noticed that the number of free requests to the Kaspersky Threat Intelligence Portal to check viruses, or pieces of code that insert themselves into other programs, is extremely low – less than 1% – but it is traditionally among the most widespread threats detected by endpoint solutions.
“This threat self-replicates and implements its code into other files, which may lead to the appearance of a large number of malicious files on an infected system. As we can see, viruses are rarely of interest to researchers, most likely because they lack novelty compared to other threats.”