Cyber Risk News
Evidence suggests that new versions of malware families are linked to the elusive Ke3chang group, along with a previously unreported backdoor, according to researchers at ESET.
The researchers have long been tracking the advanced persistent threat (APT) group and suspect that it operates out of China, according to today’s press release.
Named Okrum by ESET, the malware was first detected in late 2016 when it was used to target diplomatic missions and governmental institutions in Belgium, Slovakia, Brazil, Chile and Guatemala. However, researchers have seen multiple variations of the malware families and attributed the activity to the Ke3chang group.
“In research going back to 2015, ESET identified new suspicious activities in European countries. The group behind the attacks seemed to have particular interest in Slovakia, but Croatia, the Czech Republic and other countries were also affected. Analyzing the malware used in these attacks, ESET researchers found that it was linked to known malware families attributed to the Ke3chang group, and dubbed these new versions Ketrican,” the release stated.
“We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, compiled in 2017. On top of that, we found that some diplomatic entities that were affected by the Okrum malware and the 2015 Ketrican backdoors were also affected by 2017 Ketrican backdoors,” said Zuzana Hromcova, the ESET researcher who made the discoveries.
The group has remained active in 2019. As recently as March, researchers “detected a new Ketrican sample that has evolved from the 2018 Ketrican backdoor. It affected the same targets as the backdoor from 2018,” according to the research.
“Okrum can impersonate a logged on user’s security context using a call to the ImpersonateLoggedOnUser API in order to gain administrator privileges.” It then automatically collects information about the infected computer, including computer name, user name, host IP address, primary DNS suffix value, OS version, build number, architecture, user agent string and locale info (language name, country name), the report added.
Security experts are warning the public not to partake in the FaceApp craze, which is being exacerbated by the #FaceAppChallenge that is going viral on social media, according to multiple reports.
While security experts and privacy advocates are warning users to avoid the app, Senator Chuck Schumer has requested that the Federal Bureau of Investigation (FBI) and the Federal Trade Commission (FTC) investigate whether there are adequate safeguards in place to protect the privacy of the app’s users.
"FaceApp's location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including foreign governments," wrote Schumer.
Created in 2017 by developers at Wireless Lab in St. Petersburg, Russia, FaceApp now has access to the face and images of over 150 million people, Forbes reported. Users’ photos are being uploaded to the cloud, yet the terms and conditions grant FaceApp the ability to do additional processing locally on their device.
“To make FaceApp actually work, you have to give it permissions to access your photos – ALL of them. But it also gains access to Siri and Search....Oh, and it has access to refreshing in the background – so even when you are not using it, it is using you,” tweeted technology author Rob La Gesse, who warned users who have installed the app to delete it.
“FaceApp serves as an important reminder that free isn't free when it comes to apps. The user and his/her [photo are] the commodity, whether sold for purposes like marketing or more nefarious things like identity theft and creation of deep fakes. Don't use apps that need access to all your data and be sure to read the EULAs to ensure the app gives users some sort of control and protection based on where the data is stored and processed," said Rick McElroy, head of security strategy at Carbon Black.
Weaknesses in the information security of some California state offices were brought to light after the state auditor called for additional oversight and regular assessments, according to the report Gaps in Oversight Contribute to Weaknesses in the State’s Information Security.
In the midst of ongoing conversations around the security of customer data and less than six months before the California Consumer Privacy Act (CCPA) is scheduled to go into effect, the report comes at a time when governments are grappling with the ever-growing threat of cyber-attacks.
According to the report from state auditor Elaine Howle, the personal information of California residents may not be protected because of flaws in the government’s IT systems. “We surveyed 33 non-reporting entities from around the State and reviewed 10 of them in detail. Twenty-nine of the 33 obtained an information security assessment to evaluate their compliance with the specific security standards they selected, 24 learned that they were only partially compliant, and 21 identified high-risk deficiencies,” the report said.
Howle called for state agencies to do more in order to effectively safeguard the information that state government agencies collect, maintain and store. Additionally, Howle noted that “the non-reporting entities we surveyed may be unaware of additional information security weaknesses because many of them relied upon information security assessments that were limited in scope.”
Because California has usually been considered a trailblazer when it comes to information security and data privacy practices, Ben Sadeghipour, head of hacker operations at HackerOne, said the auditor’s report comes as a surprise. “When you are a large government agency like the State of California dealing with the data of almost 40 million residents, it is absolutely critical to have consistency across information security policies, especially among the numerous government entities who are tasked with handling, storing and safeguarding personal data,” said Sadeghipour.
“Cyber-criminals are constantly searching for ways to exploit vulnerabilities, especially in the government sector due to the notion that they are easy targets with a goldmine of data. Every government agency, regardless of budget, should at minimum implement a vulnerability disclosure policy (VDP) so that security researchers or ethical hackers can find those vulnerabilities before the bad guys do.”
Cybersecurity is viewed as the biggest single risk to digital transformation projects, but most organizations aren’t involving CISOs early enough in projects, according to new research from Nominet.
The .uk registry and DNS security organization polled 274 CISOs, CIOs, CTOs and others with responsibility for security in US and UK organizations.
It found that the vast majority (93%) were implementing digital transformation projects, although of the small number who weren’t, more than a quarter (27%) said it is because of security concerns.
Cybersecurity was also far and away the biggest worry for those currently undertaking such projects, with 53% citing it as a top-three threat. Some 95% expressed some concern, with over two-fifths (41%) either “very” or “extremely” concerned.
Topping these concerns were exposure of customer data (60%), cyber-criminal sophistication (56%), an increased threat surface (53%), visibility blind spots (44%), and IoT devices (39%).
Although a third (34%) of respondents claimed security was considered during the development of the digital transformation strategy, many left it to the pre-implementation (28%) and implementation (28%) stages, or even post-implementation (9%). Some 2% said security wasn’t considered at all.
IT leaders may be over-confident in their ability to mitigate cyber-risk in digital transformation. Some 82% of respondents claimed it was considered early enough in their projects and 85% scored it near top marks for effectiveness, despite 86% having suffered a breach in the past 12 months.
What's more, a majority of partners (59%), customers (55%) and industry/regulatory bodies (54%) had queried the robustness of their approach.
“With digital transformation you have to be sure that when you’re bringing in new applications, security is considered from the outset," argued Nominet CISO, Cath Goulding. "More than this though, in a digital transformation project, the real trick is to manage the security considerations of legacy and new applications simultaneously.”
On the plus side, 31% of respondents reported that 11-25% of their digital transformation budget is allocated to cybersecurity, with over a fifth (23%) claiming that 26-50% is set aside.
Business Email Compromise (BEC) scams have rocketed in volume and value over the past two years, making cyber-criminals over $300m each month in 2018 from US victims alone, according to new data.
The findings were revealed by the Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury.
They note that the number of BEC reports has climbed rapidly, from around 500 per month in 2016 to more than 1100 last year. The total value of related BEC thefts has also soared over the same period, from around $110m per month to an average of $301m.
Manufacturing and construction was the most targeted sector in 2017 and 2018, accounting for around a fifth and quarter of reports in these respective years.
In 2018, this sector was followed by “commercial services” – which includes shopping centers, entertainment facilities, and lodging – and then real estate.
The former saw reported BEC attacks increase more than any other vertical, tripling from 6% in 2017 to 18% last year.
Interestingly, the vast majority (73%) of BEC attacks seen over the period involved scammers receiving funds into US accounts, rather than ones overseas, taking advantage of money mule networks nationwide, FinCEN claimed.
“Industries that are common in a particular state likely represent the most targeted companies in that state,” it added. “For example, financial firms are the most frequently targeted firms in New York, while manufacturing and construction firms are the most frequently targeted in Texas.”
In terms of attack methodology, CEO impersonation ranked pretty high in 2017, accounting for a third (33%) of scams, but declined to 12% in 2018. On the other hand, use of a fraudulent vendor or client invoices grew from 30% to 39% over the period. Impersonation of an outside entity was 20% in 2018 but not documented in 2017.
The FBI warned earlier this year that BEC losses hit $1.3bn in 2018, almost half of all losses associated with cybercrime in the year. These were linked to just 20,000 victims, highlighting the potential high ROI for the scammers.
The figure works out much lower than the cost of BEC calculated by FinCEN, but this could be down to under-reporting.
Dutch police have arrested a man suspected of developing and selling toolkits designed to build malicious Office documents for use in attacks.
In a statement on Wednesday, the country’s high-tech crime team (THTC) revealed it had apprehended a 20-year-old Utrecht man after monitoring his participation in hacking forums, with help from McAfee.
He’s suspected of selling specialized off-the-shelf toolkits such as Rubella Macro Builder which effectively weaponize Office docs by enabling them to use obfuscated macro code to deliver a malicious payload, bypassing traditional security filters in the process.
However, in one of the man’s suspected posts to a hacking forum, investigators spotted use of a Dutch version of Microsoft Word. Given the relatively small global population that speaks the language, McAfee researchers went on the hunt for more clues.
“During our research we were able to link different nicknames used by the actor on several forums across a time span of many years,” the vendor said in a blog post. “Piecing it all together, Rubella showed a classic growth pattern of an aspiring cyber-criminal, started by gaining technical security knowledge on beginner forums with low op-sec and gradually moved to some of the bigger, exclusive forums to offer products and services.”
On arrest, the suspect was found with data on dozens of credit cards and manuals on carding, as well as access credentials for thousands of websites.
“The suspect has collected an amount of approx. €20,000 in cryptocurrency such as Bitcoins. These have been seized. The investigation into further amounts the young man may have (unlawfully) earned will continue. In due course, a confiscation order will be issued,” a police statement noted.
“The public prosecutor has meanwhile decided that the suspect will have to face trial. No court date has yet been set.”
The 2019 Security Awareness Report published by SANS Security Awareness, a division of SANS Institute, found that across many organizations, there is an increased emphasis on the need for awareness and training programs.
According to the report, more than 75% of those who are currently responsible for security awareness and training are spending less than half of their time on employee education programs.
“The implication is that awareness is simply mounted on to their other job requirements. This is the largest single factor limiting the growth and maturity of programs,” the report said.
Though awareness professionals often bring more dynamic skills to their technical roles, the lack of candidates who possess the much needed soft skills of communication and marketing hinders the organization’s ability to build a program that truly engages employees.
Among the nearly 1,600 respondents who participated in the study, those who reported having programs that are effectively changing employee behavior have at least two full-time employees dedicated to awareness and training.
“While there is a general tendency to isolate individual employees as the cause of security related issues, the data within the report demonstrates that addressing an organization’s human cyber risk is best handled by making consistent systemic training investments. This report examines the most effective steps to address them, enabling you to benchmark your awareness program against your peers and other organizations,” the report said.
The report did find that the number of organizations with no program at all has decreased over the last two years, falling from 7.6% to 4.3% and indicating a slow but steady shift toward success.
“I’m absolutely thrilled about the release of the 2019 Security Awareness Report,” says SANS security awareness director Lance Spitzner. “Every year we are able to gain a better understanding of the most common challenges awareness professionals face and how to best address them, and after five years we are beginning to identify key trends.”
Two reports published independently of each other found that the majority of organizations are moderately to extremely concerned about the state of cloud security.
In Guardians of the Cloud, the 2019 cloud report published annually by Bitglass, researchers found that 93% of organizations are at least moderately concerned about their ability to use the cloud securely. The same number of respondents in the 2019 Cloud Security Report from Synopsys said that they were either moderately or extremely concerned about cloud security.
According to Guardians of the Cloud, 75% of organizations leverage multiple cloud solutions, while a mere 20% actually have visibility over cross-app anomalous behavior. Additionally, only 20% of participating organizations said that they use cloud data loss prevention (DLP), despite storing highly sensitive information in the cloud, including customer and employee data and intellectual property. Not surprisingly, malware is the most concerning data leakage vector.
The majority (67%) of companies said they believe cloud apps are either as secure as or more secure than on-premises apps. Two of the most popular cloud security capabilities among respondents are access control (52%) and anti-malware (46%).
“Data is now being stored in more cloud apps and accessed by more devices than ever before,” said Rich Campagna, chief marketing officer of Bitglass, in today’s press release. “This report found that...the adoption rates of basic cloud security tools and practices are still far too low. Many organizations need to rethink their approach to protecting data, as traditional tools for safeguarding data on premises are not capable of protecting data in the cloud.”
Synopsys’ latest cloud security report likewise found that organizations have a wide range of cloud security concerns. Most notable, organizations are worried about data loss and leakage (64%) and data privacy and confidentiality (62%).
For 43% of organizations, monitoring new vulnerabilities in cloud services is one of the most challenging aspects of cloud compliance.
“As workloads continue to move to the cloud, cybersecurity professionals are realizing the complications of protecting these workloads. The top two security headaches SOCs are struggling with are compliance (34%) and lack of visibility into infrastructure security (33%). Setting consistent security policies across cloud and on-premises environments (31%) and the continuing lack of qualified security staff (31%) are tied for third place,” the report said.
Researchers have said with high confidence that the publicly reported adversary dubbed StrongPity has been engaged in an unreported and ongoing malware campaign, according to research from AT&T Alien Labs.
Threat actors are using the new malware and infrastructure to control compromised machines and deploying malicious versions of the WinBox router management software, WinRAR, as well as other trusted software to compromise their targets, researchers said.
“StrongPity was first publicly reported on in October 2016 with details on attacks against users in Belgium and Italy in mid-2016. In this campaign, StrongPity used watering holes to deliver malicious versions of WinRAR and TrueCrypt file encryption software,” researchers wrote in a blog post.
StrongPity was reported on again in 2017 and 2018. New samples that strongly resembled the work of StrongPity were again identified in early July 2019.
These most recent samples of the malware have been, as of yet, unreported but mirror those created and deployed to targets following a toolset rebuild that came after public reporting of the malware during the fourth quarter of 2018, researchers said.
“The malicious version of the software installs StrongPity malware without any obvious signs to the victim, and then operates as if it were a standard unaltered version of the trusted software.”
While researchers were unable to identify specific details about how the malicious installers are delivered, they noted, “It is likely that methods previously documented by the previous reports of StrongPity, such as regional download redirecting from ISPs, is still occurring. Based on the type of software used as the installer (WinRAR, WinBox, IDM, etc.), the type of targets may continue to be technically-oriented, again similar to past reports.”
A lack of CEO awareness and engagement with cybersecurity could be placing their organizations at unnecessary risk of attack, according to new findings from RedSeal.
The security vendor polled over 500 IT professionals in the UK to better understand the cyber-risks posed by business leaders.
Over half (54%) said they don’t believe their CEO follows correct security procedure and in so doing is potentially exposing their organization to compromise. Over a third (38%) weren’t sure what technology their CEO used at home, with the majority (95%) claiming to be concerned that home smart devices could be hacked.
Over one in 10 (11%) respondents claimed that CEO or senior managers’ actions had put corporate security at risk, and three-quarters (75%) argued that their CEOs should pay more attention to cybersecurity in the future.
However, poor security policies and processes also seem to be to blame: 14% of UK CEOs still haven’t had any security training, while only 29% of respondents said they provide a daily cyber-report to their boss. A quarter (26%) said they only report major breaches to the CEO, perpetuating disengagement from cyber-related issues at the highest level.
In reality, cyber matters to CEOs as breaches could have a major impact on the bottom line and corporate reputation. Following a major incident, a third of respondents said they lost customers, 34% said it damaged reputation and over a fifth (23%) lost revenue.
“CEOs have wide access to their organization’s network resources, the authority to look into most areas, and frequently see themselves as exempt from the inconvenient rules applied to others. This makes them ideal targets,” argued RedSeal CTO, Mike Lloyd.
“The internet is a dangerous place where new security threats can evolve and rapidly mutate. Perfect defense is illusory; in a complex and interdependent world, some attacks are bound to succeed. Organizations must look to a strategy of resilience. They’ll survive only by planning in advance for how the inevitable successful attacks will be handled.”
UK government workers have lost over 500 mobile devices and laptops over the past year, with just a small percentage ever recovered, according to new research from MobileIron.
The security vendor issued Freedom of Information (FOI) requests to nine government departments, all but one of which replied.
It found that public sector employees managed to lose 508 mobiles and laptops between January 2018 and April 2019.
It’s unclear whether these devices were password protected and/or if the data on them was encrypted, or if they had a remote wipe functionality to protect sensitive information. However, attackers could theoretically gain access to sensitive accounts if a device gets into the wrong hands without proper security controls in place.
“As the amount of business data that flows across devices, apps, networks, and cloud services continues to increase, it is essential that organizations have the right security protocols in place to minimize risk and prevent unauthorized access to sensitive data if a device is lost or stolen. Even one lost or stolen device provides a goldmine of readily accessible and highly critical data to potential fraudsters and hackers,” argued MobileIron UK and Ireland regional director, David Critchley.
The answer is to implement a zero-trust model, whereby users are forced to authenticate at all times, he said.
“This approach validates the device, establishes user context, checks app authorization, verifies the network, and detects and remediates threats before granting secure access to a device or user,” he added. “The zero-trust model allows organisations, including government departments, to significantly reduce risk by giving them complete control over their business data – even on lost or stolen devices.”
It’s not just the government that has been found wanting regarding the loss of devices. Last year, an FOI request revealed that the BBC had reported over 170 lost or stolen devices over the previous two years.
The UK’s National Cyber Security Centre (NCSC) has dismantled tens of thousands of phishing campaigns and fraudulent websites over the past year as its Active Cyber Defence (ACD) program continues to lead by example globally.
In an update on Tuesday, the GCHQ off-shoot revealed a successful second year for the initiative.
It dismantled over 22,000 phishing campaigns hosted in UK IP space, linked to over 142,000 attacks, and removed more than 14,000 phishing sites, as part of an overall takedown of over 192,000 fraudulent sites – most (64%) of which were offline within 24 hours.
The NCSC also pointed to a 100-fold increase in the number of web checks run, with a total of 111, 853 advisories issued to public sector users. This comes on top of a Protective DNS service which now prevents 1.4m public sector employees from visiting malicious sites, DMARC to prevent email attacks, and other initiatives designed to bolster the security of the UK’s internet space and set an example for other governments.
“By taking down phishing and malware attacks when we see them in UK IP space, regardless of the brand abused, we intend to make the UK a more difficult place to host these attacks. While in and of itself this doesn’t affect the global attacks against the UK, we hope to lead by example,” the report claimed.
“If we can show that a relatively simple set of actions can make a delegated IP space a harder place to host badness, we can get on our high horse and try to get other responsible countries and entities to do similar things. Coordinated action would make hosting badness globally much harder and therefore increase the cost of launching these attacks in the first place and reduce the return on investment.”
The NCSC is not stopping there: it’s working with Action Fraud to produce a new automated fraud reporting system for the public; developing an Internet Weather Centre to provide insight into the digital landscape of the UK; and producing a vulnerability scanning tool for CNI and public sector providers.
Passengers heading to Tampa, Florida, experienced an unusual delay on Tuesday. Those on board a JetBlue flight out of Newark, New Jersey, were evacuated after a person used the AirDrop feature on the Apple phone to send an image of a suicide vest to multiple iOS devices on the plane, according to the Daily News.
Several passengers on the flight surprisingly received the image through Apple’s AirDrop feature, which allows users to share content with nearby devices through Bluetooth technology. Given that the person delivering the photo had to be within Bluetooth range, it was presumably a passenger as the plane had already left the gate and was on the runway waiting for takeoff, the report suggested.
There’s no real way to trace a Bluetooth MAC address to an individual or their device unless all devices were confiscated from the passengers on the flight, according to Dr. Richard Gold, head of security engineering at Digital Shadow. “Even then, it’s unlikely you’d be able to figure the originating MAC address without forensically examining the devices which received the pictures.”
The issue is just the latest concern with Bluetooth. There have been a number of reports of people abusing the AirDrop feature on iOS devices that uses Bluetooth technology to send unwanted photos of various natures to unsuspecting receivers since the feature was introduced in 2011, Gold said.
In addition to being difficult to trace, people typically leave the Bluetooth function on, said Chris Morales, head of security analytics at Vectra. “I used to admittedly walk around with my laptop scanning for exposed Bluetooth listening devices and could send commands to the owner. It is very easy. The easiest way to not receive things over Bluetooth is to require a pin for connectivity or to just turn it off.”
The issues surrounding shadow IT that have long plagued security because of unmonitored and unsupported cloud applications and devices are increasingly coming under proper control, according to the 2019 Duo Trusted Access Report.
The report found that threats from applications and devices that have traditionally been lurking in IT environments are being mitigated through the implementation of a zero-trust model. Enterprises appear to be catching up with cloud expansion and addressing concerns of shadow IT because the report found that the average number of organizations protecting cloud apps reportedly surged 189% year-over-year.
The report assessed the security of thousands of the world’s largest and fastest-growing organizations and examined 24 million devices used for work. Research showed that the use of out-of-date devices has dropped precipitously, which could be a function of the ever-growing remote workforce. According to today’s press release, a third of all work is done on a mobile device, a 10% increase year-over-year. In turn, organizations are hardening mobile defenses against malware.
In addition, biometric verification has seen a double-digit jump to more than 77% of business devices, and organizations are outright rejecting authentication based on policies for location-rooted devices, device locks not enabled or a lack of disk encryption.
“Without proper protections, such as strong user authentication and device hygiene checks, accessing business applications from mobile devices can increase exposure to threats that exploit user identities,” the press release said.
As organizations continue to experience shifts in digital transformation, they are enforcing security controls that establish user and device trust through a zero-trust security model.
“For years, security teams have had little visibility into the cloud applications users were accessing and the personal devices they were using,” said Wendy Nather, head of advisory CISOs at Duo. “The findings in this report make clear that security leaders are taking back control of these apps and devices thanks to a zero-trust approach to security. This approach, in many cases, even allows organizations to adapt quickly to pending threats.”
The US Coast Guard recommended that ships update their cybersecurity strategies after a malware attack “significantly” degraded the computer systems of a deep draft vessel in February, according to a press release.
In the marine safety alert, the Coast Guard wrote that the vessel involved in the February cyber incident was inbound to the Port of New York and New Jersey during an international trip when it reported that its onboard network was being impacted by a cyber incident.
The Coast Guard responded, and after an analysis conducted alongside an “interagency team of cyber experts” it concluded that while the functionality of the boat’s computer system was impacted, control systems were not. The computer system was used for managing cargo data and communicating with the Coast Guard and shore-side facilities.
“Prior to the incident, the security risk presented by the shipboard network was well known among the crew. Although most crew members didn’t use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business – to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard,” the alert said.
Targeting governmental and military assets will continue to be valuable for those seeking to disrupt our society, said Tim Mackey, principal security strategist for the Cybersecurity Research Center at Synopsys.
“This incident highlights lessons for everyone to take – whether you’re in government or in a corporate setting – vigilance starts with preparedness. All systems contain weaknesses, and software systems are no different. An up-to-date inventory of all software assets, including versions, origins and update procedures, is a bare minimum operational requirement for deployed software,” said Mackey.
“This asset inventory should also include a detailed accounting for all known weaknesses, and procedures should be in place to ensure newly disclosed weaknesses or vulnerabilities are amended to the inventory. The goal of this process to ensure that systems are both patched and that the potential attack surface for the asset can be quantified. Armed with this information, threat models can be created which then guide mitigation efforts.”
The UK’s National Cyber Security Centre (NCSC) has issued a warning about DNS hijacking threats, as reports emerge of widespread attacks in Brazil affecting 180,000 users.
The NCSC posted the advisory on Friday as a follow-up to one issued in January. DNS hijacking attackers typically take control of an authoritative DNS server, change the entries stored there and in so doing covertly redirect users to servers under their control, in a Man in the Middle attack.
However, DNS hijackers are also targeting consumers with a slightly different modus operandi, Avast revealed in a recent blog post.
These attacks look to modify the settings on home routers, potentially via cross-site request forgery (CSRF) web-based attacks, so that they use rogue DNS servers. Once again, the end goal is to secretly redirect the user to a phishing page or one capable of installing malware on their machine.
Avast claims to have blocked over 4.6m CSRF attacks during February and March alone in Brazil, adding that 180,000 users have had their DNS hijacked in the first half of 2019.
The initial CSRF attack often happens via malvertising when a user visits a compromised website.
“When visiting a compromised site, the victim is unknowingly redirected to a router exploit kit landing page, which is usually opened in a new window or tab, initiating the attack on the router automatically, without user interaction,” it said.
“In general, the exploit kit attempts to find the router IP on a network, and subsequently attempts to guess the password using various login credentials. Once the hacker successfully logs into the router, the exploit kit attempts to alter the router’s DNS settings using various CSRF requests.”
GhostDNS, Navidade and SonarDNS are the three exploit kits being used in these attacks. Once a rogue DNS server is installed, the attackers look to monetize their efforts via phishing to steal Netflix and banking credentials from consumers; replacing good ads with malicious ones to steal traffic for profit; and installing browser-based crypto-jacking scripts.
Avast urged consumers to stay on the latest router firmware version; use strong and unique log-ins for online banking and routers; and to check their banking sites have a valid certificate.
The NHS still has over 2,000 machines running Windows XP, the government had revealed, despite official support for the operating system running out in 2014.
The figures came in response to a parliamentary written question tabled by Jo Platt, the shadow Cabinet Office minister.
Parliamentary under secretary of state at the Department of Health, Jackie Doyle-Price, replied that the health service was running around 2300 XP computers as of July this year.
Platt criticized the figures as an indictment of the government’s failure to prioritize cybersecurity.
“The government is seriously lacking the leadership, strategy and co-ordination we need across the public sector to keep us and our data safe and secure. How many more warnings will it take before they listen and take action?” she said.
“The next Labour government will provide not only the resourcing but also the vital leadership, organization and dedication needed to get our public sector fit and resilient to fight the cyber-threats of the 21st century.”
The NHS was famously caught out by the WannaCry ransomware worm of 2017, which affected around a third of trusts and led to the cancellation of an estimated 19,000 operations and appointments.
Despite repeated warnings, and patches being made available by Microsoft, even for XP, systems were not updated quickly enough, leading to the ensuing chaos which is said to have cost the NHS around £92m to clean-up.
However, the government has been taking steps to address the problems, with a £150m cash injection announced last year said to be for Windows 10 upgrades, along with other measures.
Doyle-Price was also keen to put the 2300 figure in context: the NHS runs a total of around 1.4 million computers.
“This equates to 0.16% of the NHS estate,” she said. “We are supporting NHS organizations to upgrade their existing Microsoft Windows operating systems, allowing them to reduce potential vulnerabilities and increase cyber resilience.”
A report from Centrify last week revealed that the NHS has successfully repelled over 11.3 million email-based cyber-attacks over the past three years.
Cybersecurity incidents have cost UK mid-market firms a combined £30bn over the past year as automated attacks become the norm, according to Grant Thornton.
The accounting and consulting giant interviewed 500 UK business leaders from firms with revenue of between £15m and £1bn to compile its latest study, Cyber security: the board report.
It revealed that more than half of those polled had reported losses of between 3-10% of revenue following a cybersecurity breach. For those hit hardest, losses were up to 25% of revenue.
Reputational loss (58%) was the most commonly reported impact of a cyber-attack, followed by clean-up costs (45%), management time (44%), loss of turnover (39%), and customer churn/behavior change (35%).
Part of the problem is that many mid-market firms still believe they are able to avoid the scrutiny of cyber-criminals, and therefore pay less attention to security best practice.
Less than a third (31%) claimed to follow minimum cybersecurity standards, versus 46% of large companies; just half (48%) conduct risk assessments versus 69% in larger enterprises; and 55% do cyber health checks compared to 64%.
Risks will only increase as automated attack techniques grow in popularity – enabling vulnerability identification, credential stuffing, and open source information scraping en masse.
“It’s the equivalent of thieves driving down a street to see who’s left their door open. Criminals exploit the vulnerable networks they identify or sell the list of promising targets on to others eager to exploit the opportunity. If your defenses are not up to scratch, you could already be on a list,” argued Grant Thornton head of cybersecurity, James Arthur.
“The reality is that it’s not the size or profile of a business that attracts the interest of cyber-criminals. They have increasingly sophisticated targeting tools and are using these to launch an increasing volume of attacks against anyone who looks like they have weak defenses. It’s not personal – it’s just business.”
Putting cyber risk on the board agenda is one of the best ways to regain the initiative and minimize the chances of a successful attack, but challenges persist, the consultancy claimed.
Only two-fifths (41%) of respondents claimed to have an incident response plan in place, and even fewer (37%) said their board formally reviews cybersecurity, or that there’s a security-specific role on the board (37%). Just 36% said they had provided all staff with security training over the past year.
In most cases the board member with responsibility for cyber is the CIO (31%), CTO (23%), CEO (16%) or CFO (15%). Chief security officer doesn’t feature at all.
“While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory,” Oracle wrote.
The Critical Patch Update is a collection of patches for multiple security vulnerabilities, and the July 16 update contains 322 new fixes. Six of the security vulnerabilities were reportedly discovered by the Onapsis Research Labs team.
"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the announcement stated.
Two of the six different patches that were originally reported by the Onapsis Research Lab team addressed "critical vulnerabilities in the Oracle E-Business Suite (EBS), which has been deeply researched by Onapsis in the last few years,” researchers wrote. “Successfully exploiting these vulnerabilities may allow an attacker three critical scenarios compromising the integrity and availability of EBS: remote code execution in the server, remote code execution in the client and a Denial of Service.”
The two vulnerabilities reported by Onapsis are an unrestricted file upload, which was originally reported in November 2018 and leads to remote code execution (CVSS 9.1), and a reflected server-side request forgery, which was originally reported in April 2019 and can lead to a denial of service (DoS) and a client-side remote code execution (CVSS 9.6).
If left unpatched, these vulnerabilities have the potential to allow remote execution and DoS, disrupting critical services such an ERP system convert this attack into a critical one, since it affects all availability, confidentiality and integrity of the data.
“Both vulnerabilities allow remote command execution, one in any EBS client and the other one directly on the server side. Even though all the announced CPUs should be applied, these critical vulnerabilities must be immediately addressed, and customers should prioritize implementation of the patches in order to avoid malicious exploitation,” the blog stated.
Multiple campuses of Monroe College have had their systems downed after a ransomware attack reportedly struck the for-profit institution on July 11.
The attack reportedly affected each of Monroe’s campuses in Manhattan and New Rochelle, New York, and St. Lucia, and emails have been compromised. Infosecurity contacted Monroe College via the email listed on its website, but the message was returned as undeliverable, indicating that systems are still downed.
The college took to Twitter to share the news with its online students.
In a statement, Marc Jerome, president of Monroe College, said, “Our team is working feverishly to bring everything back online, and we are working with the appropriate authorities to resolve the situation as quickly as possible,” according to Insider Higher Ed.
“In the meantime, Monroe continues to operate. We’re simply doing it the way colleges did before email and the internet, which results in more personal interactions. As we have done throughout our 86-year history, we are coming together to assure that our students, faculty and staff are well served."
An attacker demanded the college pay $2 million to have its files decrypted. Jackie Ruegger, executive director of public affairs at the college, reportedly told Inside Higher Ed that the college knows who conducted the attack. Infosecurity attempted to call the numbers listed on the Twitter message, but the recipient disconnected the calls.
The attack follows a number of university cyber-attacks, including the recent OSU, Graceland University and Missouri Southern State University email-based breaches in the last few months. According to recent data from Mimecast’s State of Email Security report, 56% of organizations in the education sector saw an increase in phishing with malicious links or attachments in the last year. It took 31% two to three days to get back to a recovered state upon suffering an email-based attack. Nearly half (42%) of organizations say ransomware has impacted their business operations in the last 12 months and 73% have experienced two to five days of downtime as a result of the ransomware attack.