Cyber Risk News
As the cyber industry continues to evolve, it becomes increasingly difficult for organizations to stay ahead of the curve, making the ever-changing threat landscape a major concern for many businesses, according to the 2018 Travelers Risk Index published by The Travelers Indemnity Company.
Evolving threats and new digital developments make cyber a top concern for large technology, banking and professional services businesses, second only to the inflation of medical costs, the study found.
Given these concerns, it’s not surprising that 52% of survey respondents believe that suffering a cyber-attack is inevitable; however, the fact that a majority of those surveyed reported not taking adequate steps to protect the business raises alarm.
More than 1,000 companies participated in the survey, which found that 55% of businesses have not completed a cyber-risk assessment. In addition to not assessing their own risks, 63% of respondents also said they have not completed a cyber-risk assessment on vendors who have access to their data.
Well over half (62%) have not developed a business continuity plan, leaving them with no outline of the steps the organization should take in the event of a breach. Despite this lack of preparation, only 50% of survey respondents have cyber insurance.
“Cyber risks carry serious consequences for any business, threatening everything from revenue to operations,” Tim Francis, enterprise cyber lead at Travelers, said in a press release. “These findings reveal some surprising things about how companies view their cyber exposures, their relative confidence in dealing with them and the clear opportunity that exists for them to be better prepared for a cyber-attack.”
The survey also found an increase in the number of businesses that have actually fallen victim to a cyber-attack. The number of participants citing they had been a victim doubled from 10% in 2015 to 20% in 2018. Additionally, concerns over operational software systems being remotely hacked, insufficient resources to recover from a cyber incident and falling victim to cyber extortion increased by 5% since last year.
Independence Blue Cross, a Philadelphia-based health insurer notified thousands of its members this week that a data breach had exposed some of their protected health information (PHI), according to Healthcare Informatics.
On July 19, 2018, Independence Blue Cross's privacy office announced a breach in which the personal information of approximately 17,000 members – fewer than 1% of the total membership – was potentially accessed by unauthorized individuals after an employee uploaded a file to a public-facing website on April 23, 2018. Unfortunately, the file, which contained the PHI of members, remained accessible until it was removed on July 20.
"Information privacy and security are among our highest priorities. Independence has strict security measures in place to protect information in its care. Upon learning of this incident, Independence quickly took steps to ensure the file was permanently removed from the website. We reviewed company policies and procedures and implemented additional technical controls to help prevent future incidents of this kind. We also ensured that the appropriate action was taken with the employee responsible for uploading the subject file," the company wrote.
In addition, the breach notification emphasized that no social security numbers, financial information, or credit card information was included in the exposed data.
“Criminals stealing your medical information or diagnosis codes is no longer a plot twist reserved for TV dramas with the latest records breach,” said Aaron Zander, senior IT engineer at HackerOne.
“Cybercrime damage is expected to hit $6 trillion annually by 2021, and this is just the beginning of medical record breaches, as these records are worth far more than your easily replaceable credit card. Like in the 2016 election with the release of fake medical records for presidential candidate Hillary Clinton, public announcement of a private condition can cause real damage.”
Though the company did conduct a thorough investigation, it was not able to determine whether malicious actors had accessed any of the exposed data. Still, “the Independence Blue Cross data breach represents yet another example of an exposure of sensitive information at the hands of an employee," said Zohar Alon, co-founder and CEO, Dome9 Security.
"This underscores the critical importance of properly training all employees in an organization on cybersecurity best practices and providing continuous educational opportunities as threats evolve. Additionally, because humans are prone to error, companies need to be looking to automate processes as much as possible, minimizing the need for human handling of data and reducing the risk of errors that can lead to data exposure.”
Taking a critical step forward in national cyber defense, the White House yesterday published the National Cyber Strategy, aimed at strengthening America’s cybersecurity capabilities. President Trump wrote, “With the release of this National Cyber Strategy, the United States now has its first fully articulated cyber strategy in 15 years.”
"The new national cyber strategy is a great step forward and demonstrates a thoughtful interagency approach to protecting national prosperity and security in our information-enabled world. It builds upon the lessons learned from previous administrations and presents a solid approach to managing cyber risk," said Brigadier General Gregory J. Touhill (ret.), president, Cyxtera Federal Group.
Elements of the strategy include not only defending the homeland by protecting networks but also improving American prosperity by way of providing the security that will allow for a thriving digital economy.
“This is the most comprehensive cybersecurity strategy document ever published, firmly stating a vision of the United States as ensuring a secure internet by cooperation or force. It reads like a response to former NSA director Admiral Mike Rogers’ February Congressional testimony where he acknowledged current constraints in responding to the active threat landscape the US faces,” said Bryson Bort, NSI fellow and SCYTHE founder and CEO.
The four primary pillars of the strategy are protecting the American people and their way of life, promoting American prosperity, preserving peace through strength and advancing American influence abroad.
“The national security adviser’s call for an enhanced focus on aggressive cyber defense and offensive cyber operations will result in effective deterrence against the increasing cyberattacks on our critical infrastructures,” said Michael Daly, CTO, cybersecurity and special missions, Raytheon.
“Our electoral systems, healthcare, power and financial systems have all been put at unsustainable risk. Raytheon is prepared to support our government and allies in their cyber operations with our proven tools, solutions and expertise. It’s time to address cyber adversaries with the appropriate response and regain cyberspace for our nation’s security and prosperity.”
A Romanian woman has pleaded guilty to charges relating to a major ransomware operation which took out over two-thirds of the CCTV cameras in Washington DC ahead of President Trump’s inauguration.
Eveline Cismaru pleaded guilty to one count of conspiracy to commit wire fraud and one of computer fraud, with a potential combined maximum sentence of 25 years behind bars.
Cismaru, 28, and a co-defendant, Mihai Alexandru Isvanca, 25, were arrested in the Romanian capital of Bucharest in December last year, but Cismaru managed to escape to the UK, where she was re-arrested and extradited to the US.
According to the DoJ, she hacked 126 of DC’s Metropolitan Police Department (MPD) computers in early January last year, infecting them with ransomware demanding payment of around $60,800.
That put two-thirds of the MPD’s outdoor surveillance cameras out of action at a crucial time, just as the Secret Service was preparing security for the event. In the end, the CCTV camera system was back up-and-running by the time of the event and the security of the inauguration was not put in any danger.
Yet at the time of their arrest, the two co-conspirators were alleged to have been in the process of attacking nearly 180,000 other machines via stolen emails and passwords, and banking credentials, according to the DoJ.
The incident was another timely reminder of the continuing online threat posed by ransomware — which can sometimes spill over into the physical world.
Just last weekend, for example, Bristol Airport was hit by an attack which forced staff to resort to writing flight departure and arrival information on whiteboards.
Europol this week warned that ransomware would continue to remain the biggest malware threat to businesses around the world for several years.
A controversial Canadian data analytics firm that helped Vote Leave target voters during the EU referendum could be facing the first ever GDPR fine to be issued by the UK data protection regulator.
Aggregate IQ (AIQ) processed voters’ personal data including names and email addresses for Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave campaigns, according to the Information Commissioner’s Office (ICO).
An enforcement notice claimed that the firm had failed to comply with articles 5 and 6 of the GDPR.
“This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing,” it explained.
“Furthermore the processing was incompatible with the purposes for which the data was originally collected. AIQ has also failed to comply with Article 14 of the GDPR in that it has not, to the commissioner’s knowledge, provided data subjects with the information set out in Articles 14 (1) and (2) and none of the exceptions set out in Article 14(5) apply.”
The ICO added that damage or distress could be caused for individuals because they have been “denied the opportunity of properly understanding what personal data may be processed about them,” and have not been able to exercise their rights under the GDPR.
Although the data was collected before the GDPR came into force, it was apparently retained and processed after that date.
Although the notice amounts more to a data protection technicality, it will be seized on by anti-Brexit campaigners as yet another example of what they see as an illegal leave campaign fought on lies and half-truths.
Vote Leave has already been fined and referred to the police by the Electoral Commission after it was found to have exceeded spending limits by gaining extra funding via BeLeave.
There are also links between AIQ and the infamous Cambridge Analytica, the firm which helped Donald Trump to the White House on the back of Facebook user data which was acquired by breaking developer rules at the social network. AIQ and Cambridge Analytica have both been suspended by Facebook as a result.
AIQ is reportedly appealing the ICO notice. Infosecurity has reached out to the ICO for more information.
Security in the retail industry has significantly worsened over the past year, to the point that over 90% of domains analyzed recently were found to be non-compliant with PCI DSS.
SecurityScorecard analyzed 1444 domains in the US retail industry from October 2017 to March 2018, discovering that although cyber-criminals had become increasingly sophisticated, IT security departments had largely failed to keep pace.
Application security was a particular challenge, with retail second only to the entertainment sector in its poor performance.
When it came to social engineering, often the first stage of an attack or data breach in the form of phishing emails, the sector performed worst out of the 18 appraised.
In 91% of retail domains analyzed, the business failed four or more requirements of the key PCI DSS standard, with requirement six — dealing with maintaining secure systems and applications — particularly troublesome for 98%.
This includes requirement 6.2, which mandates organizations keep up-to-date with security patches: applying critical ones within one month and others within three. Some 91% failed this requirement.
“A reason many retailers lack compliance with Requirement 6.2 is that the increased number of vendors makes mapping updates more time-consuming,” the report claimed. “A retailer that uses different vendors for cloud storage, operating systems, data backup, mPOS, and POS may have a hard time following every update for each of these. In addition, some updates may be critical security updates while others focus on better usability.”
As part of the PCI DSS requirement, organizations must also understand data flows and the systems, servers, and networks that need to be protected: another area of weakness for retailers, according to the report.
“As part of the process, organizations need to build firewall and router rules that restrict inbound and outbound traffic,” it explained. “These restrictions need to specify all ‘untrusted’ networks and hosts, especially wireless ones. As part of this restriction, no public access can occur between the internet and system components in the Cardholder Data Environment (CDE).”
The challenge is ensuring retailers move from “point-in-time” compliance to continuous efforts, SecurityScorecard argued.
The infamous Magecart code has struck again, with an attack group this time using it to skim card details from customers of online retailer Newegg for a full month, according to researchers.
The US-based, tech-focused e-tailer has yet to release a statement on the news, but RiskIQ, which has been following Magecart closely over the past couple of years, posted an analysis of the attack yesterday.
Threat researcher Yonathan Klijnsma explained that, just like in the recently disclosed BA breach, the attackers made a concerted effort to blend in to the background to avoid detection.
They did this by first registering a domain similar to the primary newegg.com domain, certifying it with a Comodo certificate for authenticity. The linked IP address hosted a back-end server where skimmed card info was apparently stored.
The attackers then struck on around August 14, inserting the Magecart code on the retailer’s payment processing page, where it remained hidden for a month.
“The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways,” explained Klijnsma.
“In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script.”
The code worked on both mobile and desktop versions of the site, and with estimated visitors to Newegg regularly numbering over 50 million per month, this could point to another significant breach of card data, according to RiskIQ.
“The attack on Newegg shows that while third parties have been a problem for websites — as in the case of the Ticketmaster breach — self-hosted scripts help attackers move and evolve, in this case changing the actual payment processing pages to place their skimmer,” concluded Klijnsma.
“We urge banks to issue new cards or added protection through OTP on cards they can correlate belonging to transactions that occurred on Newegg between August 14 and September 18.”
Newegg claims it is still determining which customer accounts have been affected.
Craig Young, security researcher at Tripwire, argued that organizations should be monitoring certificate transparency logs more closely to spot the early warning signs of an attack.
“In this case, the attack campaign started with the attackers setting up an HTTPS server at neweggstats.com,” he explained. “For Newegg, seeing this domain come online wouldn’t immediately indicate a breach, but it should be enough for a security team to investigate further and likely reveal the newly added references to this domain in their checkout code.”
Newegg later posted a tweet to its timeline saying it had learned that one of its servers had been "injected with malware which was identified and removed from our site. We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted."
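Young's suggestion above (watch certificate transparency for brand-like domains, then check whether checkout code references them) can be turned into a small defensive monitor. The following is an added example, not code from RiskIQ, Tripwire or Newegg; the CT entries, the owned-domain list and the checkout HTML are all constructed for the demonstration, and only `neweggstats.com` is taken from the article.

```python
"""Flag lookalike domains in certificate-transparency entries and unexpected
script hosts in a checkout page. All sample data below is constructed."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed CT log sample as (domain, issuer). Not real log data.
CT_ENTRIES = [
    ("www.newegg.com", "DigiCert"),
    ("secure.newegg.com", "DigiCert"),
    ("neweggstats.com", "Comodo"),          # domain named in the article
    ("newegg-checkout.net", "Let's Encrypt"),
    ("n3wegg.com", "Comodo"),
    ("example.org", "Let's Encrypt"),
]

# Domains the organisation actually owns (assumed for the example).
OWNED_DOMAINS = {"newegg.com"}
BRAND = "newegg"


def registrable(domain):
    """Crude registrable domain: the last two labels. Fine for .com/.net;
    a production monitor would use the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_owned(domain):
    return registrable(domain) in OWNED_DOMAINS


def lookalike_reason(domain, brand=BRAND):
    """Return why the registrable label resembles the brand, or None."""
    label = registrable(domain).split(".")[0]
    if label == brand:
        return None                      # ownership is checked separately
    if brand in label:
        return "contains brand"
    # Undo common digit-for-letter substitutions (0->o, 1->i, 3->e, ...).
    normalised = label.translate(str.maketrans("0134578", "oieastb"))
    if brand in normalised:
        return "brand with substituted characters"
    ratio = SequenceMatcher(None, label, brand).ratio()
    if ratio >= 0.8:
        return f"similar to brand (ratio {ratio:.2f})"
    return None


def flag_ct_entries(entries, brand=BRAND):
    """Return [(domain, issuer, reason)] for entries worth investigating."""
    flagged = []
    for domain, issuer in entries:
        if is_owned(domain):
            continue
        reason = lookalike_reason(domain, brand)
        if reason:
            flagged.append((domain, issuer, reason))
    return flagged


SCRIPT_SRC = re.compile(r"""<script[^>]+src=["']([^"']+)["']""", re.IGNORECASE)

# Constructed checkout page fragment (not Newegg's real page).
CHECKOUT_HTML = """
<script src="https://www.newegg.com/js/checkout.js"></script>
<script src="/static/app.js"></script>
<script src="https://neweggstats.com/stats.js"></script>
"""


def foreign_script_hosts(html):
    """Hosts loaded via <script src> that are not on an owned domain."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname      # None for relative paths
        if host and not is_owned(host):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for domain, issuer, reason in flag_ct_entries(CT_ENTRIES):
        print(f"CT: investigate {domain} ({issuer}): {reason}")
    for host in foreign_script_hosts(CHECKOUT_HTML):
        print(f"checkout page loads script from foreign host: {host}")
```

A hit in both lists (a lookalike domain that the payment page has started loading from) is the combination Young describes as worth investigating.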
Three men responsible for creating and operating the infamous Mirai botnet have escaped jail time after agreeing to provide “substantial assistance” to the FBI in ongoing cases.
Paras Jha, 22, of Fanwood, New Jersey; Josiah White, 21, of Washington, Pennsylvania; and Dalton Norman, 22, of Metairie, Louisiana, were charged with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet. Jha and Norman also pleaded guilty to charges related to operating a click fraud botnet.
However, the three will not serve time behind bars. Instead, they have each been sentenced to five years of probation, 2,500 hours of community service, and restitution of $127,000 as well as giving up “significant amounts” of cryptocurrency seized by the Feds during their investigation.
Their involvement in Mirai is said to have ended in autumn 2016, when Jha posted the source code on a criminal forum.
It was used to launch some of the biggest DDoS attacks ever seen, against the website Krebs on Security and DNS provider Dyn, the latter taking down some of the biggest names on the web including Twitter, Spotify and Reddit.
The trio’s work did not end with Mirai, however: from December 2016 until February 2017 they apparently built a click fraud botnet comprising 100,000 mainly US-based devices including home routers.
The three have already co-operated extensively with the FBI, providing help which “substantially contributed” to complex investigations and broader defensive efforts by law enforcers and researchers, according to the DoJ.
But as part of their plea agreement they must continue to “cooperate with the FBI on cybercrime and cybersecurity matters, as well as continued cooperation with and assistance to law enforcement and the broader research community.”
Jake Moore, security specialist at ESET, argued that injecting hacker knowledge into the government may not be a bad thing, and could even save law enforcement money in the long-run.
“Although law enforcement lacks money and young blood, it does need updating with ethical hacking techniques that could be time consuming to train the older generations, not to mention it is a far more inviting and romanticized option than jail time for the criminals,” he added.
The £500,000 penalty, imposed on Equifax Ltd by the Information Commissioner’s Office (ICO), is only the second time the UK privacy watchdog has used the full extent of its powers and comes after a major incident at the credit agency exposed data on 15 million UK customers.
The breach itself affected nearly 146m customers around the world, mainly in the US, and involved highly sensitive data including Social Security numbers, driver’s license numbers, tax IDs and much more.
Equifax was widely criticized at the time for failing to patch a known Apache Struts vulnerability for several months. It was this flaw that hackers ultimately exploited to attack the firm.
The ICO’s investigation, carried out with the Financial Conduct Authority, found that Equifax contravened five out of eight data protection principles of the Data Protection Act 1998. These included: failure to secure personal data; poor retention practices; and lack of legal basis for international transfers of UK citizens’ data.
Data management systems were “inadequate and ineffective” and there were issues with data retention, IT system patching, and audit procedures, the ICO claimed.
Information commissioner, Elizabeth Denham, said the incident would have caused many UK consumers particular distress because they would not have been aware that the firm even held their personal data.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data,” she added.
“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”
It’s certain that the fine would have been many times greater had Equifax been investigated under the new GDPR regime.
Because the need for application security continues to grow with the rise of cloud technology, Moss Adams, an accounting, consulting and wealth management firm, announced today that it has combined with cyber-risk management firm AsTech Consulting to augment its application security capabilities.
Moss Adams will essentially acquire AsTech Consulting as of November 1, 2018, though the terms of what the company prefers to call a "combination" are not yet being disclosed. The deal, however, will give AsTech Consulting access to the existing Moss Adams infrastructure, resources and client relationships.
In an interview with Infosecurity Magazine, Eric Miles, partner in charge of the Moss Adams Advisory Services Practice, said, “When we add services or capabilities, it’s because our customers ask about them, and the need for application security is starting to skyrocket. Whether it’s with our technology clients or those who are not using self-developed software, they are beginning to recognize that their risks don’t sit within the perimeter any longer but within the app itself.”
AsTech Consulting has been in the application security business for 21 years, which is part of what made them such an appealing partner for Moss Adams. “We have a great reputation, but we are small,” said Greg Reber, CEO and founder of AsTech Consulting.
“For us, we wanted to expand our reputation to be able to reach a bigger audience and help more companies be secure. It was both the culture and the reputation of Moss Adams that made the company the best fit for us.”
Sixteen members of the AsTech Consulting team will join Moss Adams, including Reber, who will become a partner.
In preparing for the combining of the companies, AsTech Consulting has worked with the existing cybersecurity team at Moss Adams. “There is some overlap, but working together helped us understand each other. We found we have a common language through working on projects together,” Reber said.
“We are reaching an inflection point in public awareness in the need for this kind of security. Many mid-market companies are becoming more aware of the need for both perimeter and application security – or source code security, especially if they are developing their own apps, and we understand the source code issues.”
Attackers are successfully stealing the credentials of employees and using them in account takeover (ATO) incidents more frequently, which makes business email compromise (BEC) one of the most prevalent types of cyber fraud, according to Barracuda Networks.
The latest Threat Spotlight looked at the motives behind ATOs and found that while hackers have myriad objectives, many will commonly use ATOs to launch phishing campaigns.
“Some attackers try to use the hacked email account to launch phishing campaigns that will go undetected, some attackers steal credentials of other employees and sell them in the black market, and others use the account to conduct reconnaissance to launch personalized attacks,” researchers wrote.
“The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a business email compromise (BEC) attack from the real employee's email address.”
From April to June 2018, 60 incidents occurred among the 50 randomly selected organizations. Of the 50 organizations, four to eight reported having at least one account takeover incident. The result for those companies that were compromised was that accounts were used for nefarious purposes.
A large majority (78%) of the total incidents resulted in a phishing email where the attacker usually impersonated the employee and requested that the recipients click on malicious links or open infected attachments.
Analysis of the incidents revealed that 17% were platforms for spam campaigns that appeared to come from reputable domains, while 5% of incidents involved internal email traffic in which the attacker asked the recipient to download an attachment.
Over the course of the three-month study, 50 different email accounts were compromised. Through examining the roles of the compromised employees, some of whom were compromised multiple times, researchers found that the total number of compromised employees was 60, with 6% of those identified as executives and 22% reportedly in sensitive departments.
Barracuda recommends that any request involving money made via email, particularly something like a wire transfer request coming from the CEO, not be honored without first having an in-person conversation or, at the very least, a phone call where the sender's identity has been verified.
The new 2018 State of the Internet/Security Credential Stuffing Attacks report is out, and according to the report publisher, Akamai, worldwide malicious login attempts are on the rise.
Analyzing data gathered from its Intelligent Platform and attack data from across the company's global infrastructure, researchers found approximately 3.2 billion malicious logins per month from January through April 2018. In addition, 2018 has seen 1.4 million compromised usernames and passwords.
Botnets caused a monthly average increase of 30% between May and June 2018. During those two months, researchers detected over 8.3 billion malicious login attempts from bots.
The report clarifies that not all bots are bad, but credential-stuffing botnets are particularly malicious as the goals of credential-stuffing bots are to assume identity, collect information and steal money or goods.
Reviewing an eight-month period, from November 2017 through June 2018, researchers discovered more than 30 billion malicious login attempts. Using botnets to try stolen username and password pairs against login pages across the web, a technique known as credential stuffing, is what produces these malicious login attempts. Given the likelihood that users repeat passwords across multiple sites, financially motivated hackers are known to target login pages for banks and retailers, which is why the report focused on the financial and retail sectors.
In examining one attack in which three botnets simultaneously targeted a credit union, researchers found that one of the botnets was not triggering a spike in malicious login attempts. The stealthiest of the three turned out to be the most concerning.
“Our research shows that the people carrying out credential-stuffing attacks are continuously evolving their arsenal. They vary their methodologies from noisier, volume-based attacks through stealth-like ‘low and slow’ style attacks,” said Martin McKeay, senior security advocate at Akamai and lead author of the State of the Internet/Security report, in a press release.
“It’s especially alarming when we see multiple attacks simultaneously affecting a single target. Without specific expertise and tools needed to defend against these blended, multi-headed campaigns, organizations can easily miss some of the most dangerous credential attacks.”
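The credit-union case above describes two very different signatures, a noisy volume-based bot and a stealthy "low and slow" one, hitting the same login page at once. The following is an added example, not Akamai's code or data: it builds a constructed login log containing legitimate traffic, one noisy bot and one distributed low-and-slow bot, and shows one way to surface each. The thresholds and the use of the user-agent string as a clustering key are assumptions for the example.

```python
"""Detect volumetric and 'low and slow' credential-stuffing patterns in
login logs. The events below are constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2018, 6, 1, 0, 0)


def make_events():
    """Constructed events: (time, src_ip, username, user_agent, success)."""
    ev = []
    # Legitimate members: one login each from 40 home IPs, 10% mistyped.
    for i in range(40):
        ev.append((BASE + timedelta(minutes=i * 20), f"198.51.100.{i}",
                   f"member{i}", "Mozilla/5.0 (Windows NT 10.0)", i % 10 != 0))
    # Noisy bot: one IP tries 150 accounts in ten minutes, all failing.
    for i in range(150):
        ev.append((BASE + timedelta(seconds=i * 4), "203.0.113.7",
                   f"victim{i}", "Mozilla/5.0 (Windows NT 10.0)", False))
    # Low-and-slow bot: 60 IPs, one failed attempt each, spread over 12
    # hours, each against a different account, sharing an odd user agent.
    for i in range(60):
        ev.append((BASE + timedelta(minutes=i * 12), f"192.0.2.{i}",
                   f"target{i}", "Mozilla/4.0 (compatible; MSIE 6.0)", False))
    return sorted(ev)


def volumetric_sources(events, window=timedelta(minutes=10), threshold=50):
    """IPs with at least `threshold` attempts inside any sliding window.
    This catches the noisy bot and nothing else in the sample."""
    by_ip = defaultdict(list)
    for t, ip, *_ in events:
        by_ip[ip].append(t)            # already time-ordered
    hits = set()
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return sorted(hits)


def low_and_slow_clusters(events, max_per_ip=2, min_ips=20, min_fail_rate=0.9):
    """Per-IP rate limits never fire for a bot that uses each IP once or
    twice, so group 'hit and run' IPs by a shared attribute (user agent here)
    and alert when a cluster is large and almost entirely failures."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e[1]].append(e)
    clusters = defaultdict(lambda: {"ips": set(), "users": set(),
                                    "fails": 0, "n": 0})
    for ip, evs in per_ip.items():
        if len(evs) > max_per_ip:
            continue                    # busy sources are handled above
        for _, _, user, ua, ok in evs:
            c = clusters[ua]
            c["ips"].add(ip)
            c["users"].add(user)
            c["n"] += 1
            c["fails"] += (not ok)
    alerts = {}
    for ua, c in clusters.items():
        fail_rate = c["fails"] / c["n"]
        if len(c["ips"]) >= min_ips and fail_rate >= min_fail_rate:
            alerts[ua] = {"ips": len(c["ips"]), "accounts": len(c["users"]),
                          "fail_rate": round(fail_rate, 2)}
    return alerts


if __name__ == "__main__":
    events = make_events()
    print("volumetric sources:", volumetric_sources(events))
    for ua, info in low_and_slow_clusters(events).items():
        print(f"low-and-slow cluster on UA {ua!r}: {info}")
```

The legitimate cluster shares the noisy bot's user agent but stays under the failure-rate bar, which is why the second detector keys on failure rate across many single-use IPs rather than on volume.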
New Mexico’s attorney general, Hector Balderas, announced a lawsuit, filed against Google, Twitter, Tiny Lab Productions, MoPub, AerServ, InMobi PTE, AppLovin and IronSource, on allegations that nearly 100 gaming apps targeting children contain illegal tracking software.
The apps, designed by Tiny Lab Productions, are marketed in the Google Play Store and are reported to collect personal data from children under 13 without first acquiring parental consent. Collecting the data gives not only the defendants but also whoever they sell the data to the ability to track and profile children, who can then be targeted for marketing purposes.
“These apps can track where children live, play, and go to school with incredible precision,” said Balderas. “These multi-million-dollar tech companies partnering with app developers are taking advantage of New Mexican children, and the unacceptable risk of data breach and access from third parties who seek to exploit and harm our children will not be tolerated in New Mexico.”
In total, 91 gaming apps are developed by Tiny Lab. Of all the apps, only five have not been a part of Google’s Designed for Families (DFF) program. Some of the apps include Angry Bunny Race: Jungle Road, Arctic Roads: Car Racing Game, DexLand, Dragon Fight: Boss Shooting Game, Dragon Panda Racing, Fun Kid Racing, Magic Elf Fantasy Forest Run and Pet Friends Park Racing.
As children gain more access to the internet both at home and in school, the games they download can pose unique risks to them, which has long been a concern for Balderas.
“Parents should be aware of these risks and should know how to protect their children before purchasing an internet connected device for their children. Parents should be extremely selective of the apps they choose for their children,” Balderas’s office wrote in a press release.
In addition to listing all 91 apps, the AG’s office included six pages with instructions on how to limit ad tracking across multiple devices.
In surveying 500 small to medium-sized businesses (SMBs) across the US, Webroot discovered that many businesses fail to recognize the many cybersecurity threats their businesses face, in large part because they lack in-house security expertise. According to The 2018 Webroot SMB Pulse Report, phishing scams ranked the number-one threat to SMBs.
The report also found that while 24% of respondents viewed phishing as the number-one threat to their organization, 20% of smaller businesses – those with up to 19 employees – believed they should be focused on defending against ransomware.
Overall, 24% of SMBs were unable to identify their top threat, with the smallest organizations being the least likely to state their greatest risk. Of those companies classified as medium-sized (20-99 employees), 28% fear human error as their greatest threat. However, SMBs do realize that implementing awareness training programs would potentially help mitigate risks from cyber threats.
“Phishing is a tried-and-true tactic for bad actors. Employees are likely to click on things they shouldn’t, despite what businesses try to do to prevent it,” said Gary Hayslip, chief information security officer, Webroot, in a press release.
“But humans get taken in by phishing scams out of simple curiosity or lack of security awareness, which underscores the need for continuous awareness training. For SMBs who feel overwhelmed by all the new cybersecurity challenges they face, partnering with an MSP is a great option to provide security expertise and management.”
Despite their fears of falling victim to a phishing scam or a ransomware attack, SMBs aren’t providing comprehensive, ongoing security awareness training for their employees, according to the report. The majority (66%) of participating businesses with up to 19 employees offer no cybersecurity training to employees.
As businesses grow in size, the numbers tend to get a little bit better, with only 29% of medium-sized companies and 13% of large companies (those with 100 to 500 employees) failing to provide cybersecurity training in the workplace.
“Phishing attacks are one of the most common security challenges companies face in keeping their information secure. It’s easy and it’s effective. Cybercriminals set the bait and people click. Security awareness training with phishing simulations improves user behavior and gets people to think before they click,” said Aaron Sherrill, senior analyst at 451 Research.
“Yet 451 Research Voice of the Enterprise surveys reveal that a large majority of businesses are cobbling together homegrown (and often ineffective) awareness solutions, wasting a lot of time and resources in the process. Small to medium-sized businesses need a solution that is cost effective, quick to deploy and easy to manage. Effective training programs do not need to be time consuming, cumbersome or costly.”
New IoT malware detections have soared over 200% since 2017 to reach over 120,000, according to new stats from Kaspersky Lab.
The Russian AV vendor claimed to have spotted 121,588 modifications of malware targeted at smart devices in the first half of 2018, a 273% increase on the 32,614 detected for the whole of last year.
The most popular way to spread malware is brute-forcing of passwords: used in 93% of detected attacks. Most of the remaining cases used well-known exploits to access the devices, according to the vendor.
The most commonly compromised devices were routers, accounting for 60% of the total, followed by a long tail of other connected devices including DVRs, printers and even smart washing machines.
IoT endpoints represent an attractive target for hackers as they’re always on, connected to the internet and often not secured adequately with strong passwords and updated firmware.
The threat is such that the FBI was forced to issue a public service announcement recently warning home users of the dangers of unsecured devices: most notably that they could be conscripted into botnets to launch DDoS attacks, crypto-mining, click fraud and more.
“For those people who think that IoT devices don’t seem powerful enough to attract the attention of cyber-criminals, and that won’t become targets for malicious activities, this research should serve as a wake-up call. Some smart gadget manufacturers are still not paying enough attention to the security of their products, and it’s vital that this changes — and that security is implemented at the design stage, rather than considered as an afterthought,” argued Kaspersky Lab principal security researcher, David Emm.
“At this point, even if vendors improve the security of devices currently on the market, it will be a while before old, vulnerable devices have been phased out of our homes. In addition, IoT malware families are rapidly being customized and developed, and while previously exploited breaches have not been fixed, criminals are constantly discovering new ones.”
Earlier this year the British Standards Institution launched a kitemark scheme designed to improve baseline security in the IoT space by making it easier for buyers to spot reliable kit.